diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1) (1).png
new file mode 100644
index 00000000..e70bceed
Binary files /dev/null and b/.gitbook/assets/image (1) (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (1).png b/.gitbook/assets/image (1) (1) (1).png
index e70bceed..847a8c4e 100644
Binary files a/.gitbook/assets/image (1) (1) (1).png and b/.gitbook/assets/image (1) (1) (1).png differ
diff --git a/.gitbook/assets/image (1) (1) (2).png b/.gitbook/assets/image (1) (1) (2).png
deleted file mode 100644
index 847a8c4e..00000000
Binary files a/.gitbook/assets/image (1) (1) (2).png and /dev/null differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index 78abb789..14a78557 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (13) (2).png b/.gitbook/assets/image (13) (2).png
new file mode 100644
index 00000000..3688bd40
Binary files /dev/null and b/.gitbook/assets/image (13) (2).png differ
diff --git a/.gitbook/assets/image (13).png b/.gitbook/assets/image (13).png
index 3688bd40..54935ced 100644
Binary files a/.gitbook/assets/image (13).png and b/.gitbook/assets/image (13).png differ
diff --git a/.gitbook/assets/image (2) (1) (2).png b/.gitbook/assets/image (2) (1) (2).png
deleted file mode 100644
index 0f8a8673..00000000
Binary files a/.gitbook/assets/image (2) (1) (2).png and /dev/null differ
diff --git a/.gitbook/assets/image (2) (1).png b/.gitbook/assets/image (2) (1).png
index ce61d494..0f8a8673 100644
Binary files a/.gitbook/assets/image (2) (1).png and b/.gitbook/assets/image (2) (1).png differ
diff --git a/.gitbook/assets/image (2) (4).png b/.gitbook/assets/image (2) (4).png
new file mode 100644
index 00000000..ce61d494
Binary files /dev/null and b/.gitbook/assets/image (2) (4).png differ
diff --git a/.gitbook/assets/image (2).png b/.gitbook/assets/image (2).png
index 14a78557..64b0c5b0 100644
Binary files a/.gitbook/assets/image (2).png and b/.gitbook/assets/image (2).png differ
diff --git a/.gitbook/assets/image (6) (2).png b/.gitbook/assets/image (6) (2).png
new file mode 100644
index 00000000..5e036118
Binary files /dev/null and b/.gitbook/assets/image (6) (2).png differ
diff --git a/.gitbook/assets/image (6).png b/.gitbook/assets/image (6).png
index 5e036118..e7036425 100644
Binary files a/.gitbook/assets/image (6).png and b/.gitbook/assets/image (6).png differ
diff --git a/.gitbook/assets/image (70).png b/.gitbook/assets/image (70).png
index 54935ced..619cc354 100644
Binary files a/.gitbook/assets/image (70).png and b/.gitbook/assets/image (70).png differ
diff --git a/.gitbook/assets/image (73).png b/.gitbook/assets/image (73).png
index 619cc354..1982f5d0 100644
Binary files a/.gitbook/assets/image (73).png and b/.gitbook/assets/image (73).png differ
diff --git a/.gitbook/assets/image (78) (1).png b/.gitbook/assets/image (78) (1).png
deleted file mode 100644
index 7e07102b..00000000
Binary files a/.gitbook/assets/image (78) (1).png and /dev/null differ
diff --git a/.gitbook/assets/image (78).png b/.gitbook/assets/image (78).png
index e7036425..7e07102b 100644
Binary files a/.gitbook/assets/image (78).png and b/.gitbook/assets/image (78).png differ
diff --git a/.gitbook/assets/image (8) (2).png b/.gitbook/assets/image (8) (2).png
deleted file mode 100644
index fa756fb5..00000000
Binary files a/.gitbook/assets/image (8) (2).png and /dev/null differ
diff --git a/.gitbook/assets/image (8).png b/.gitbook/assets/image (8).png
index 1982f5d0..fa756fb5 100644
Binary files a/.gitbook/assets/image (8).png and b/.gitbook/assets/image (8).png differ
diff --git a/.gitbook/assets/image (81) (1).png b/.gitbook/assets/image (81) (1).png
deleted file mode 100644
index 169a0842..00000000
Binary files a/.gitbook/assets/image (81) (1).png and /dev/null differ
diff --git a/.gitbook/assets/image (81).png b/.gitbook/assets/image (81).png
index 37ab1a51..169a0842 100644
Binary files a/.gitbook/assets/image (81).png and b/.gitbook/assets/image (81).png differ
diff --git a/.gitbook/assets/image (9) (2).png b/.gitbook/assets/image (9) (2).png
new file mode 100644
index 00000000..0f391e25
Binary files /dev/null and b/.gitbook/assets/image (9) (2).png differ
diff --git a/.gitbook/assets/image (9).png b/.gitbook/assets/image (9).png
index 0f391e25..78abb789 100644
Binary files a/.gitbook/assets/image (9).png and b/.gitbook/assets/image (9).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index 64b0c5b0..37ab1a51 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/forensics/basic-forensic-methodology/linux-forensics.md b/forensics/basic-forensic-methodology/linux-forensics.md
index 6714850d..7ec964a6 100644
--- a/forensics/basic-forensic-methodology/linux-forensics.md
+++ b/forensics/basic-forensic-methodology/linux-forensics.md
@@ -1,7 +1,7 @@
 # Linux Forensics
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -168,7 +168,7 @@ ThisisTheMasterSecret
 ```
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -233,7 +233,7 @@ find /sbin/ –exec rpm -qf {} \; | grep "is not"
 ```
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -376,7 +376,7 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
 More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -466,7 +466,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
index 853ea5bf..7f31164a 100644
--- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
+++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
@@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -238,7 +238,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py
 * [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/generic-methodologies-and-resources/brute-force.md b/generic-methodologies-and-resources/brute-force.md
index 40a2292e..2cd8dca6 100644
--- a/generic-methodologies-and-resources/brute-force.md
+++ b/generic-methodologies-and-resources/brute-force.md
@@ -1,7 +1,7 @@
 # Brute Force - CheatSheet
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -84,7 +84,7 @@ python3 cupp.py -h
 * [**https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm**](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm)
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -441,7 +441,7 @@ crackmapexec winrm -d -u usernames.txt -p passwords.txt
 ```
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -641,7 +641,7 @@ crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx
 ```
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -808,7 +808,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/README.md b/generic-methodologies-and-resources/python/README.md
index 051cd226..b4400c79 100644
--- a/generic-methodologies-and-resources/python/README.md
+++ b/generic-methodologies-and-resources/python/README.md
@@ -1,7 +1,7 @@
 # Python Sandbox Escape & Pyscript
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -51,7 +51,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md b/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md
index ec167af6..e4617987 100644
--- a/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md
+++ b/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md
@@ -1,7 +1,7 @@
 # Bypass Python sandboxes
 {% hint style="danger" %}
-![](<../../../.gitbook/assets/image (1).png>)
+![](<../../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -322,7 +322,7 @@ with (a as b):
 ```
 {% hint style="danger" %}
-![](<../../../.gitbook/assets/image (1).png>)
+![](<../../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -710,7 +710,7 @@ You can check the output of this script in this page:
 {% endcontent-ref %}
 {% hint style="danger" %}
-![](<../../../.gitbook/assets/image (1).png>)
+![](<../../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -1118,7 +1118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../../../.gitbook/assets/image (1).png>)
+![](<../../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/venv.md b/generic-methodologies-and-resources/python/venv.md
index 790417ac..c90b26af 100644
--- a/generic-methodologies-and-resources/python/venv.md
+++ b/generic-methodologies-and-resources/python/venv.md
@@ -1,7 +1,7 @@
 # venv
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -62,7 +62,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/python/web-requests.md b/generic-methodologies-and-resources/python/web-requests.md
index 46334aac..30f307bb 100644
--- a/generic-methodologies-and-resources/python/web-requests.md
+++ b/generic-methodologies-and-resources/python/web-requests.md
@@ -1,7 +1,7 @@
 # Web Requests
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -142,7 +142,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/generic-methodologies-and-resources/search-exploits.md b/generic-methodologies-and-resources/search-exploits.md
index 9c9e0729..06448d46 100644
--- a/generic-methodologies-and-resources/search-exploits.md
+++ b/generic-methodologies-and-resources/search-exploits.md
@@ -1,7 +1,7 @@
 # Search Exploits
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -85,7 +85,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/linux-hardening/privilege-escalation/docker-breakout/README.md b/linux-hardening/privilege-escalation/docker-breakout/README.md
index a2216061..6504721f 100644
--- a/linux-hardening/privilege-escalation/docker-breakout/README.md
+++ b/linux-hardening/privilege-escalation/docker-breakout/README.md
@@ -1,7 +1,7 @@
 # Docker Basics & Breakout
 {% hint style="danger" %}
-![](<../../../.gitbook/assets/image (1).png>)
+![](<../../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -124,7 +124,7 @@ tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private
 When I changed Docker host, I had to move the root keys and repository keys to operate from the new host.
 {% hint style="danger" %}
-![](<../../../.gitbook/assets/image (1).png>)
+![](<../../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -254,7 +254,7 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv
 For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)
 {% hint style="danger" %}
-![](<../../../.gitbook/assets/image (1).png>)
+![](<../../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -397,7 +397,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../../../.gitbook/assets/image (1).png>)
+![](<../../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/linux-hardening/useful-linux-commands/README.md b/linux-hardening/useful-linux-commands/README.md
index 54553cf8..19787906 100644
--- a/linux-hardening/useful-linux-commands/README.md
+++ b/linux-hardening/useful-linux-commands/README.md
@@ -1,7 +1,7 @@
 # Useful Linux Commands
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -148,7 +148,7 @@ sudo chattr -i file.txt #Remove the bit so you can delete it
 ```
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -327,7 +327,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/android-app-pentesting/README.md b/mobile-pentesting/android-app-pentesting/README.md
index 5bf00826..d90d21ec 100644
--- a/mobile-pentesting/android-app-pentesting/README.md
+++ b/mobile-pentesting/android-app-pentesting/README.md
@@ -1,7 +1,7 @@
 # Android Applications Pentesting
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -63,7 +63,7 @@ adb pull /data/app/com.android.insecurebankv2- Jnf8pNgwy3QA_U5f-n_4jQ==/base.apk
 ```
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -246,7 +246,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains
 {% endcontent-ref %}
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -496,7 +496,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b
 * [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -687,7 +687,7 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3
 ### [MARA Framework](https://github.com/xtiankisutsa/MARA\_Framework)
-![](<../../.gitbook/assets/image (81) (1).png>)
+![](<../../.gitbook/assets/image (81).png>)
 **MARA** is a **M**obile **A**pplication **R**everse engineering and **A**nalysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.
@@ -705,7 +705,7 @@ It is able to:
 Useful to detect malware: [https://koodous.com/](https://koodous.com)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -802,7 +802,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
index 627e7889..4b2e8527 100644
--- a/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
+++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md
@@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -154,7 +154,7 @@ In this tutorial you have hooked methods using the name of the mathod and _.impl
 You can see that in [the next tutorial](frida-tutorial-2.md).
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md b/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
index 2e32bf17..cb7d8dc0 100644
--- a/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
+++ b/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md
@@ -127,7 +127,7 @@ This is also usefull if somehow you are **unable to get some readable source cod
 android hooking list activities
 ```
-![](<../../../.gitbook/assets/image (78) (1).png>)
+![](<../../../.gitbook/assets/image (78).png>)
 ```
 android hooking list services
diff --git a/mobile-pentesting/android-checklist.md b/mobile-pentesting/android-checklist.md
index ad6e6f29..15e1c8bf 100644
--- a/mobile-pentesting/android-checklist.md
+++ b/mobile-pentesting/android-checklist.md
@@ -1,7 +1,7 @@
 # Android APK Checklist
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -97,7 +97,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/15672-pentesting-rabbitmq-management.md b/network-services-pentesting/15672-pentesting-rabbitmq-management.md
index 6f9c1be8..3a303380 100644
--- a/network-services-pentesting/15672-pentesting-rabbitmq-management.md
+++ b/network-services-pentesting/15672-pentesting-rabbitmq-management.md
@@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -67,7 +67,7 @@ Content-Length: 267
 * `port:15672 http`
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/8086-pentesting-influxdb.md b/network-services-pentesting/8086-pentesting-influxdb.md
index 890af3cf..9d9064cb 100644
--- a/network-services-pentesting/8086-pentesting-influxdb.md
+++ b/network-services-pentesting/8086-pentesting-influxdb.md
@@ -1,7 +1,7 @@
 # 8086 - Pentesting InfluxDB
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -164,7 +164,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/pentesting-postgresql.md b/network-services-pentesting/pentesting-postgresql.md
index bc9c782a..4face778 100644
--- a/network-services-pentesting/pentesting-postgresql.md
+++ b/network-services-pentesting/pentesting-postgresql.md
@@ -1,7 +1,7 @@
 # 5432,5433 - Pentesting Postgresql
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -99,7 +99,7 @@ ORDER BY 1;
 ```
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -179,7 +179,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/network-services-pentesting/pentesting-ssh.md b/network-services-pentesting/pentesting-ssh.md
index 98006610..25899251 100644
--- a/network-services-pentesting/pentesting-ssh.md
+++ b/network-services-pentesting/pentesting-ssh.md
@@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -311,7 +311,7 @@ id_rsa
 * You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening\_guides.html](https://www.ssh-audit.com/hardening\_guides.html)
 * [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/jboss.md b/network-services-pentesting/pentesting-web/jboss.md
index c3f6f2dd..ab16e35b 100644
--- a/network-services-pentesting/pentesting-web/jboss.md
+++ b/network-services-pentesting/pentesting-web/jboss.md
@@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -47,7 +47,7 @@ inurl:status EJInvokerServlet
 ```
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/network-services-pentesting/pentesting-web/moodle.md b/network-services-pentesting/pentesting-web/moodle.md
index bdbe5940..601a0a1c 100644
--- a/network-services-pentesting/pentesting-web/moodle.md
+++ b/network-services-pentesting/pentesting-web/moodle.md
@@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -127,7 +127,7 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
 ```
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/command-injection.md b/pentesting-web/command-injection.md
index e83c6f3d..7ff85d66 100644
--- a/pentesting-web/command-injection.md
+++ b/pentesting-web/command-injection.md
@@ -1,7 +1,7 @@
 # Command Injection
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -101,7 +101,7 @@ Here are the top 25 parameters that could be vulnerable to code injection and si
 ```
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
@@ -187,7 +187,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (9).png>)
 \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md
index 86e6f70b..4d628673 100644
--- a/pentesting-web/crlf-0d-0a.md
+++ b/pentesting-web/crlf-0d-0a.md
@@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -212,7 +212,7 @@ The best prevention technique is to not use users input directly inside response
 * [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
index cb94cad0..c6f8b49d 100644
--- a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
@@ -202,7 +202,7 @@ out of band request with the current username
 * [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
 {% hint style="danger" %}
-
+ If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
diff --git a/pentesting-web/email-header-injection.md b/pentesting-web/email-header-injection.md
index a27ca9f9..13ca4db8 100644
--- a/pentesting-web/email-header-injection.md
+++ b/pentesting-web/email-header-injection.md
@@ -1,7 +1,7 @@ # Email Injections {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -118,7 +118,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/file-inclusion/phar-deserialization.md b/pentesting-web/file-inclusion/phar-deserialization.md index 244d8cd0..d6dee42d 100644 --- a/pentesting-web/file-inclusion/phar-deserialization.md +++ b/pentesting-web/file-inclusion/phar-deserialization.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -96,7 +96,7 @@ php vuln.php {% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %} {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/pentesting-web/nosql-injection.md b/pentesting-web/nosql-injection.md index 2f2fff69..7095dabe 100644 --- a/pentesting-web/nosql-injection.md +++ b/pentesting-web/nosql-injection.md @@ -1,7 +1,7 @@ # NoSQL injection {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -121,7 +121,7 @@ Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cock ![](<../.gitbook/assets/image (468).png>) {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -272,7 +272,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md index 05ca5a25..f02402a4 100644 --- a/pentesting-web/race-condition.md +++ b/pentesting-web/race-condition.md @@ -1,7 +1,7 @@ # Race Condition {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -125,7 +125,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/rate-limit-bypass.md b/pentesting-web/rate-limit-bypass.md index a7124a9a..8af90900 100644 --- a/pentesting-web/rate-limit-bypass.md +++ b/pentesting-web/rate-limit-bypass.md 
@@ -1,7 +1,7 @@ # Rate Limit Bypass {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -84,7 +84,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/pentesting-web/xs-search.md b/pentesting-web/xs-search.md index 36cfb684..88f3c209 100644 --- a/pentesting-web/xs-search.md +++ b/pentesting-web/xs-search.md @@ -1,7 +1,7 @@ # XS-Search {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -84,7 +84,7 @@ You can access the tool in [https://xsinator.com/](https://xsinator.com/) {% endhint %} {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -196,7 +196,7 @@ You can perform the same attack with **`portal`** tags. Applications often use [postMessage broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to share information with other origins. Listening to this messages one could find **sensitive info** (potentially if the the `targetOrigin` param is not used). Also, the fact of receiving some message can be **used as an oracle** (you only receive this kind of message if you are logged in). {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -278,7 +278,7 @@ Browsers use sockets to communicate with servers. As the operating system and th For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/) {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -817,7 +817,7 @@ In an execution timing it's possible to **eliminate** **network factors** to obt * **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks) {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ 
@@ -935,7 +935,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](<../.gitbook/assets/image (1).png>) +![](<../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/windows-hardening/active-directory-methodology/ad-certificates.md b/windows-hardening/active-directory-methodology/ad-certificates.md index 61366629..dcd0b27b 100644 --- a/windows-hardening/active-directory-methodology/ad-certificates.md +++ b/windows-hardening/active-directory-methodology/ad-certificates.md @@ -117,7 +117,7 @@ The **security descriptor** configured on the **Enterprise CA** defines these ri This ultimately ends up setting the Security registry value in the key **`HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration`** on the CA server. We have encountered several AD CS servers that grant low-privileged users remote access to this key via remote registry: -
+
Low-privileged users can also **enumerate this via DCOM** using the `ICertAdminD2` COM interface’s `GetCASecurity` method. However, normal Windows clients need to install the Remote Server Administration Tools (RSAT) to use it since the COM interface and any COM objects that implement it are not present on Windows by default. @@ -129,7 +129,7 @@ Other requirements could be in place to control who can get a certificate. **CA certificate manager approval** results in the certificate template setting the `CT_FLAG_PEND_ALL_REQUESTS` (0x2) bit on the AD object’s `msPKI-EnrollmentFlag` attribute. This puts all **certificate requests** based on the template into the **pending state** (visible in the “Pending Requests” section in `certsrv.msc`), which requires a certificate manager to **approve or deny** the request before the certificate is issued: -
+
#### Enrolment Agents, Authorized Signatures, and Application Policies @@ -175,7 +175,7 @@ The “NTAUTH certificate store” mentioned here refers to an AD object AD CS i This means that when **AD CS creates a new CA** (or it renews CA certificates), it publishes the new certificate to the **`NTAuthCertificates`** object by adding the new certificate to the object’s `cacertificate` attribute: -
+
During certificate authentication, the DC can then verify that the authenticating certificate chains to a CA certificate defined by the **`NTAuthCertificates`** object. CA certificates in the **`NTAuthCertificates`** object must in turn chain to a root CA. The big takeaway here is the **`NTAuthCertificates`** object is the root of trust for certificate authentication in Active Directory! @@ -184,13 +184,13 @@ During certificate authentication, the DC can then verify that the authenticatin Schannel is the security support provider (SSP) Windows leverages when establishing TLS/SSL connections. Schannel supports **client authentication** (amongst many other capabilities), enabling a remote server to **verify the identity of the connecting user**. It accomplishes this using PKI, with certificates being the primary credential.\ During the **TLS handshake**, the server **requests a certificate from the client** for authentication. The client, having previously been issued a client authentication certificate from a CA the server trusts, sends its certificate to the server. The **server then validates** the certificate is correct and grants the user access assuming everything is okay. -
+
When an account authenticates to AD using a certificate, the DC needs to somehow map the certificate credential to an AD account. **Schannel** first attempts to **map** the **credential** to a **user** account use Kerberos’s **S4U2Self** functionality. \ If that is **unsuccessful**, it will follow the attempt to map the **certificate to a user** account using the certificate’s **SAN extension**, a combination of the **subject** and **issuer** fields, or solely from the issuer. By default, not many protocols in AD environments support AD authentication via Schannel out of the box. WinRM, RDP, and IIS all support client authentication using Schannel, but it **requires additional configuration**, and in some cases – like WinRM – does not integrate with Active Directory.\ One protocol that does commonly work – assuming AD CS has been setup - is **LDAPS**. The cmdlet `Get-LdapCurrentUser` demonstrates how one can authenticate to LDAP using .NET libraries. The cmdlet performs an LDAP “Who am I?” extended operation to display the currently authenticating user: -
+
## AD CS Enumeration diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md index 7431ded1..5cf32106 100644 --- a/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md +++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md @@ -192,7 +192,7 @@ certutil -config "CA_HOST\CA_NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJ A certificate authority itself has a **set of permissions** that secure various **CA actions**. These permissions can be access from `certsrv.msc`, right clicking a CA, selecting properties, and switching to the Security tab: -
+
This can also be enumerated via [**PSPKI’s module**](https://www.pkisolutions.com/tools/pspki/) with `Get-CertificationAuthority | Get-CertificationAuthorityAcl`: @@ -204,9 +204,9 @@ The two main rights here are the **`ManageCA`** right and the **`ManageCertifica If you have a principal with **`ManageCA`** rights on a **certificate authority**, we can use **PSPKI** to remotely flip the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** bit to **allow SAN** specification in any template ([ECS6](domain-escalation.md#editf\_attributesubjectaltname2-esc6)): -
+
-
+
This is also possible in a simpler form with [**PSPKI’s Enable-PolicyModuleFlag**](https://www.sysadmins.lv/projects/pspki/enable-policymoduleflag.aspx) cmdlet. @@ -261,7 +261,7 @@ Another limitation of NTLM relay attacks is that they **require a victim account Certify.exe cas ``` -
+
Enterprise CAs also **store CES endpoints** in their AD object in the `msPKI-Enrollment-Servers` property. **Certutil.exe** and **PSPKI** can parse and list these endpoints: @@ -269,14 +269,14 @@ Enterprise CAs also **store CES endpoints** in their AD object in the `msPKI-Enr certutil.exe -enrollmentServerURL -config CORPDC01.CORP.LOCAL\CORP-CORPDC01-CA ``` -
+
```powershell Import-Module PSPKI Get-CertificationAuthority | select Name,Enroll* | Format-List * ``` -
+
## References diff --git a/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md b/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md index a299b0f4..ebda2b2a 100644 --- a/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md +++ b/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md 
@@ -16,11 +16,57 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +## Forging Certificates with Stolen CA Certificates - DPERSIST1 +How can you tell that a certificate is a CA certificate? +* The CA certificate exists on the **CA server itself**, with its **private key protected by machine DPAPI** (unless the OS uses a TPM/HSM/other hardware for protection). +* The **Issuer** and **Subject** for the cert are both set to the **distinguished name of the CA**. +* CA certificates (and only CA certs) **have a “CA Version” extension**. +* There are **no EKUs** +The built-in GUI supported way to **extract this certificate private key** is with `certsrv.msc` on the CA server.\ +However, this certificate **isn't different** from other certificates stored in the system, so for example check the [**THEFT2 technique**](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) to see how to **extract** them. +Once you have the **CA cert** with the private key in `.pfx` format you can use [**ForgeCert**](https://github.com/GhostPack/ForgeCert) **** to create valid certificates: +```bash +# Create new certificate with ForgeCert +ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123! --Subject "CN=User" --SubjectAltName localadmin@theshire.local --NewCertPath localadmin.pfx --NewCertPassword Password123! + +# Use new certificate with Rubeus to authenticate +Rubeus.exe asktgt /user:localdomain /certificate:C:\ForgeCert\localadmin.pfx /password:Password123! +``` + +{% hint style="warning" %} +**Note**: The target **user** specified when forging the certificate needs to be **active/enabled** in AD and **able to authenticate** since an authentication exchange will still occur as this user. Trying to forge a certificate for the krbtgt account, for example, will not work. 
+{% endhint %} + +This forged certificate will be **valid** until the end date specified and as **long as the root CA certificate is valid** (usually from 5 to **10+ years**). It's also valid for **machines**, so combined with **S4U2Self**, an attacker can **maintain persistence on any domain machine** for as long as the CA certificate is valid.\ +Moreover, the **certificates generated** with this method **cannot be revoked** as CA is not aware of them. + +## Trusting Rogue CA Certificates - DPERSIST2 + +The object `NTAuthCertificates` defines one or more **CA certificates** in its `cacertificate` **attribute** and AD uses it: During authentication, the **domain controller** checks if **`NTAuthCertificates`** object **contains** an entry for the **CA specified** in the authenticating **certificate’s** Issuer field. If **it is, authentication proceeds**. + +An attacker could generate a **self-signed CA certificate** and **add** it to the **`NTAuthCertificates`** object. Attackers can do this if they have **control** over the **`NTAuthCertificates`** AD object (in default configurations only **Enterprise Admin** group members and members of the **Domain Admins** or **Administrators** in the **forest root’s domain** have these permissions). With the elevated access, one can **edit** the **`NTAuthCertificates`** object from any system with `certutil.exe -dspublish -f C:\Temp\CERT.crt NTAuthCA126` , or using the [**PKI Health Tool**](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store#method-1---import-a-certificate-by-using-the-pki-health-tool). + +The specified certificate should **work with the previously detailed forgery method with ForgeCert** to generate certificates on demand. + +## Malicious Misconfiguration - DPERSIST3 + +There is a myriad of opportunities for **persistence** via **security descriptor modifications of AD CS** components. 
Any scenario described in the “[Domain Escalation](domain-escalation.md)” section could be maliciously implemented by an attacker with elevated access, as well as addition of “control rights'' (i.e., WriteOwner/WriteDACL/etc.) to sensitive components. This includes: + +* **CA server’s AD computer** object +* The **CA server’s RPC/DCOM server** +* Any **descendant AD object or container** in the container **`CN=Public Key Services,CN=Services,CN=Configuration,DC=,DC=`** (e.g., the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, etc.) +* **AD groups delegated rights to control AD CS by default or by the current organization** (e.g., the built-in Cert Publishers group and any of its members) + +For example, an attacker with **elevated permissions** in the domain could add the **`WriteOwner`** permission to the default **`User`** certificate template, where the attacker is the principal for the right. To abuse this at a later point, the attacker would first modify the ownership of the **`User`** template to themselves, and then would **set** **`mspki-certificate-name-flag`** to **1** on the template to enable **`ENROLLEE_SUPPLIES_SUBJECT`** (i.e., allowing a user to supply a Subject Alternative Name in the request). The attacker could then **enroll** in the **template**, specifying a **domain administrator** name as an alternative name, and use the resulting certificate for authentication as the DA. + +## References + +* All the information of this page was taken from [https://www.specterops.io/assets/resources/Certified\_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified\_Pre-Owned.pdf)
diff --git a/windows-hardening/active-directory-methodology/dcsync.md b/windows-hardening/active-directory-methodology/dcsync.md index f2725b8e..ba539187 100644 --- a/windows-hardening/active-directory-methodology/dcsync.md +++ b/windows-hardening/active-directory-methodology/dcsync.md @@ -1,7 +1,7 @@ # DCSync {% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -45,7 +45,7 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG ``` {% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -106,7 +106,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
{% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md index ed3fc042..ddab45e5 100644 --- a/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md +++ b/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md @@ -87,13 +87,13 @@ In the previous flow it was used the trust hash instead of the **clear text pass The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’: -![](<../../.gitbook/assets/image (2) (1) (2).png>) +![](<../../.gitbook/assets/image (2) (1).png>) Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable. The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins: -![](<../../.gitbook/assets/image (1) (1) (2).png>) +![](<../../.gitbook/assets/image (1) (1) (1).png>) ## References diff --git a/windows-hardening/active-directory-methodology/kerberoast.md b/windows-hardening/active-directory-methodology/kerberoast.md index ec1e327d..cbb1467a 100644 --- a/windows-hardening/active-directory-methodology/kerberoast.md +++ b/windows-hardening/active-directory-methodology/kerberoast.md 
@@ -1,7 +1,7 @@ # Kerberoast {% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -77,7 +77,7 @@ When a TGS is requested, Windows event `4769 - A Kerberos service ticket was req {% endhint %} {% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -144,7 +144,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/windows-hardening/active-directory-methodology/silver-ticket.md b/windows-hardening/active-directory-methodology/silver-ticket.md index dd4efac3..7c9eb787 100644 --- a/windows-hardening/active-directory-methodology/silver-ticket.md +++ b/windows-hardening/active-directory-methodology/silver-ticket.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -175,7 +175,7 @@ mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.loc {% endcontent-ref %} {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). 
diff --git a/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md b/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md index ea7c3db0..2c233b14 100644 --- a/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md +++ b/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md @@ -1,7 +1,7 @@ # ACLs - DACLs/SACLs/ACEs {% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -83,7 +83,7 @@ The canonical order ensures that the following takes place: * All **explicit ACEs are processed before any inherited ACE**. This is consistent with the concept of discretionary access control: access to a child object (for example a file) is at the discretion of the child's owner, not the owner of the parent object (for example a folder). The owner of a child object can define permissions directly on the child. The result is that the effects of inherited permissions are modified. {% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ @@ -209,7 +209,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} -![](<../../.gitbook/assets/image (1).png>) +![](<../../.gitbook/assets/image (9).png>) \ Use [**Trickest**](https://trickest.io/) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ diff --git a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md index 32d3372a..8962c798 100644 
--- a/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md +++ b/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -224,7 +224,7 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser ``` {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). diff --git a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md index 372f0655..b2a4ccb9 100644 --- a/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md +++ b/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md @@ -17,7 +17,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). @@ -358,7 +358,7 @@ Find more Autoruns like registries in [https://www.microsoftpressstore.com/artic * [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2) {% hint style="danger" %} - + If you are interested in **hacking carer** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).